Leaky web sites provide trail of clues about corporate executives

Page 2 of 3

“It doesn’t surprise me,” said Jeremiah Grossman, the Chief Technology Officer at Web security firm WhiteHat Security. “I’m an executive, and I use my corporate e-mail to sign into some of these kinds of services.”

Some findings were surprising, though. Seventy-six executive e-mails were linked to accounts at the cloud-based storage firm Dropbox.com, and 38 to accounts at the web sites nikeplus.com and garmin.com, which sell GPS-enabled athletic watches and gear.

The research does not prove conclusively that corporate executives use their corporate e-mail addresses to access the sites -- just that accounts linked to those e-mail addresses exist, Cerrudo notes. Still, it’s safe to assume that most are legitimate. The executives named in this story declined to comment or did not respond to requests for comment prior to publication.

Executives at technology and Internet-based firms, like Hsieh at Zappos, were found to be among those who used their corporate e-mail address most freely online. Craig Newmark, the founder of the online bulletin board Craigslist.org, has accounts at Dropbox, Google, Facebook, Twitter, Netflix, Plaxo, the hotel chain Starwood, as well as media sites like The New York Times and the Washington Post, all linked to his craig@craigslist.org e-mail.

The research by Cerrudo underscores the extent to which e-mail addresses have become the linchpin of online identity. In recent years, popular web sites - Facebook chief among them - have dispensed with unique logins in favor of using the customer’s e-mail address as an account identifier. Those sites then 'over-share' information as part of the login process: disclosing whether an e-mail address already exists in their systems when users attempt to log in or use password recovery features, says Grossman of WhiteHat Security.

Social networking and e-commerce sites are often designed to help users who are having trouble logging in – for example, by indicating that an account exists but the password is wrong, or that no such account exists, said Grossman, an expert on Web security. Attackers can use automated tools to “brute force” those features, gaining access to the accounts. Security features that limit logins from a specific IP address or use CAPTCHA-style challenge-and-response technology to prevent automated attacks aren’t effective at stopping these attacks, Grossman said. Data from WhiteHat suggests that around 16% of all sites are vulnerable to that type of brute force attack.
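An added illustration, not from the article and not code from WhiteHat or IOActive: a login handler and a password-recovery handler written in the leaky form Grossman describes, each beside a uniform-response version, plus a check a site operator can run against their own handler to see whether a wrong-password attempt reveals that an account exists. The user store, e-mail addresses and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed user store (assumption, not from the article): e-mail -> (salt, PBKDF2 hash).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}
_DUMMY = _hash("placeholder-dummy-password", _SALT)  # hashed on misses so work is uniform

def leaky_login(email: str, password: str) -> tuple:
    """Leaks existence: distinct status and message for 'no account' vs 'wrong password'."""
    record = USERS.get(email)
    if record is None:
        return (404, "No account with that e-mail address")
    salt, digest = record
    if not hmac.compare_digest(_hash(password, salt), digest):
        return (401, "Incorrect password")
    return (200, "OK")

def uniform_login(email: str, password: str) -> tuple:
    """Same status and message whether or not the account exists; hashes a dummy on a miss
    so the response time does not differ noticeably either."""
    salt, digest = USERS.get(email, (_SALT, _DUMMY))
    password_matches = hmac.compare_digest(_hash(password, salt), digest)
    if password_matches and email in USERS:
        return (200, "OK")
    return (401, "Invalid e-mail address or password")

def leaky_recovery(email: str) -> str:
    """Password-recovery form that confirms whether the address is registered."""
    return "Reset link sent" if email in USERS else "No account with that e-mail address"

def uniform_recovery(email: str) -> str:
    """Same message either way; the reset mail would be sent only if the account exists."""
    if email in USERS:
        pass  # send the reset e-mail here (omitted in this example)
    return "If an account exists for that address, a reset link has been sent"

def enumeration_oracle(login, known_email: str, unknown_email: str,
                       wrong_password: str = "not-the-password") -> bool:
    """Defender's check: True if a wrong-password attempt lets a caller tell a registered
    e-mail from an unregistered one by comparing the two responses."""
    return login(known_email, wrong_password) != login(unknown_email, wrong_password)
```

Run `enumeration_oracle` against your own handler with one registered and one unregistered address; a True result means the login form is an account-existence oracle of the kind described above.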

“There’s really no effective way to rate-limit logins,” Grossman said. And social networking sites are caught between competing desires: securing account access and providing a quality user experience for customers who may have innocently forgotten their password. “You can’t have your cake and eat it, too,” Grossman said.

Image caption: Most web sites will share whether an e-mail address exists or not during authentication, which could lead to leaked information. Source: This was part of a presentation by Cesar Cerrudo, CTO, IOActive Labs, during IOAsis, at DefCon, July 2012.