poster

One Thing Leads to Another: Credential Based Privilege Escalation

Authors:

Peter Snyder,

Chris KanichAuthors Info & Claims

CODASPY '15: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy

Pages 135 - 137

https://doi.org/10.1145/2699026.2699127

Published: 02 March 2015 Publication History

Get Access

Abstract

A user's primary email account, in addition to being an easy point of contact in our online world, is increasingly being used as a single point of failure for all web security. Features like unlimited message storage, numerous weak password reset features and economically enticing spoils (in the form of financial accounts or personal photos) all add up to an environment where overthrowing someone's life via their primary email account is increasingly likely and damaging. We describe an attack we call credential based privilege escalation, and a methodology to evaluate this attack's potential for user harm at web scale. In a study of over 9,000 users we find that, unsurprisingly, access to a vast number of online accounts can be gained by breaking into a user's primary email account (even without knowing the email account's password), but even then the monetizable value in a typical account is relatively low. We also describe future directions in understanding both the technical and human aspects of credential based privilege escalation.

References

[1]

Anderson, R., Barton, C., Böhme, R., Clayton, R., van Eeten, M., Levi, M., Moore, T., and Savage, S. Measuring the cost of cybercrime. In WEIS (2012).

Google Scholar

[2]

Danchev, D. Hacked origin, uplay, hulu plus, netix, spotify, skype, twitter, instagram, tumblr, freelancer accounts offered for sale. http://www.webroot.com/blog/2013/06/07/hacked-origin-uplay-hulu-plus-netflix-spotify-skype-twitter-instagram-tumblr-freelancer-accounts-offered-for-sale/, 2013.

Google Scholar

[3]

Federal Bureau of Investigation. International cooperation disrupts multi-country cyber theft ring. http://www.fbi.gov/news/pressrel/press-releases/international-cooperation-disrupts-multi-country-cyber-theft-ring, October 2010.

Google Scholar

[4]

Florencio, D., and Herley, C. Is everything we know about password stealing wrong? Security & Privacy, IEEE 10, 6 (2012), 63--69.

Digital Library

Google Scholar

[5]

Franklin, J., Perrig, A., Paxson, V., and Savage, S. An inquiry into the nature and causes of the wealth of internet miscreants. In ACM conference on Computer and communications security (2007), pp. 375--388.

Digital Library

Google Scholar

[6]

Holz, T., Engelberth, M., and Freiling, F. Learning more about the underground economy: A case-study of keyloggers and dropzones. Springer, 2009.

Google Scholar

[7]

Honan, M. How apple and amazon security aws led to my epic hacking. http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all/, Aug 2012.

Google Scholar

[8]

Krebs, B. The scrap value of a hacked pc. http://voices.washingtonpost.com/securityfix/ 2009/05/the_scrap_value_of_a_hacked_pc.html, May 2009.

Google Scholar

[9]

Moore, T., and Clayton, R. Examining the impact of website take-down on phishing. In Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit (2007), ACM, pp. 1--13.

Digital Library

Google Scholar

[10]

van Kloeten, O., and Tabachnik, I. Plain text offenders. http://plaintextoffenders.com/, 2012

Google Scholar

Cited By

View all

Pöhn DGruschka NZiegler LBüttner A(2023)A framework for analyzing authentication risks in account networksComputers and Security10.1016/j.cose.2023.103515135:COnline publication date: 1-Dec-2023
https://dl.acm.org/doi/10.1016/j.cose.2023.103515
Kavak HPadilla JVernon-Bido DDiallo SGore RShetty S(2021)Simulation for cybersecurity: state of the art and future directionsJournal of Cybersecurity10.1093/cybsec/tyab0057:1Online publication date: 14-Mar-2021
https://doi.org/10.1093/cybsec/tyab005

Index Terms

One Thing Leads to Another: Credential Based Privilege Escalation

Recommendations

Using one-time passwords to prevent password phishing attacks

Phishing is now a serious threat to the security of Internet users' confidential information. Basically, an attacker (phisher) tricks people into divulging sensitive information by sending fake messages to a large number of users at random. Unsuspecting ...
A phishing analysis of web based systems
ICCCS '11: Proceedings of the 2011 International Conference on Communication, Computing & Security

Phishing is form of identity theft that uses the social engineering techniques and sophisticated attack vectors to harvest financial information from unsuspecting consumers. It is a kind of attack in which phishers use spoofed emails and fraudulent web ...
Phishing Vs. Legit: Comparative Analysis of Client-Side Resources of Phishing and Target Brand Websites
WWW '24: Proceedings of the ACM Web Conference 2024

Phishing attacks have persistently remained a prevalent and widespread cybersecurity threat for several years. This leads to numerous endeavors aimed at comprehensively understanding the phishing attack ecosystem, with a specific focus on presenting new ...

Comments

Information & Contributors

Information

Published In

CODASPY '15: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy

March 2015

362 pages

ISBN:9781450331913

DOI:10.1145/2699026

General Chair:
Jaehong Park
University of Texas at San Antonio, USA
,
Program Chair:
Anna Squicciarini
The Pennsylvania State University, USA

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 02 March 2015

Check for updates

Author Tags

Qualifiers

Poster

Funding Sources

National Science Foundation

Conference

CODASPY'15

Sponsor:

SIGSAC

CODASPY'15: Fifth ACM Conference on Data and Application Security and Privacy

March 2 - 4, 2015

Texas, San Antonio, USA

Acceptance Rates

CODASPY '15 Paper Acceptance Rate 19 of 91 submissions, 21%;

Overall Acceptance Rate 149 of 789 submissions, 19%

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
198
Total Downloads

Downloads (Last 12 months)6
Downloads (Last 6 weeks)2

Reflects downloads up to 24 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Pöhn DGruschka NZiegler LBüttner A(2023)A framework for analyzing authentication risks in account networksComputers and Security10.1016/j.cose.2023.103515135:COnline publication date: 1-Dec-2023
https://dl.acm.org/doi/10.1016/j.cose.2023.103515
Kavak HPadilla JVernon-Bido DDiallo SGore RShetty S(2021)Simulation for cybersecurity: state of the art and future directionsJournal of Cybersecurity10.1093/cybsec/tyab0057:1Online publication date: 14-Mar-2021
https://doi.org/10.1093/cybsec/tyab005

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Using one-time passwords to prevent password phishing attacks

A phishing analysis of web based systems

Phishing Vs. Legit: Comparative Analysis of Client-Side Resources of Phishing and Target Brand Websites

Comments

Published In

Sponsors

Publisher

Publication History

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Other Metrics

Article Metrics

Other Metrics

Cited By

Login options

Full Access

PDF

eReader

Abstract

References

Cited By

Index Terms

Recommendations

Using one-time passwords to prevent password phishing attacks

A phishing analysis of web based systems

Phishing Vs. Legit: Comparative Analysis of Client-Side Resources of Phishing and Target Brand Websites

Comments

Information

Published In

Sponsors

Publisher

Publication History

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations