Leaky web sites provide trail of clues about corporate executives

ITworld | IT Management


You can read about Zappos' CEO Tony Hsieh on the company's Web site: how he sold his first company, LinkExchange, to Microsoft in 1999 at the age of 24, and joined Zappos as an advisor and investor, eventually rising to the company's top post. What you will not learn there is that Tony is an exercise enthusiast who gets his gear from Nikeplus.com, watches his favorite shows on the Internet streaming site Hulu, keeps up with his friends on Facebook and checks the value of his Amazon.com stock (Amazon bought Zappos in 2009) at Marketwatch.com. That lesser-known information about Hsieh, a treasure trove for attackers, is public all the same: it leaks from e-commerce and social networking sites where accounts are registered to the CEO's @zappos.com e-mail address.

Hsieh is hardly alone. A newly released analysis by security researcher Cesar Cerrudo found that executives like Hsieh, including many at Fortune 500 firms, frequently use their business e-mail addresses to register at a wide range of prominent web sites and social media services. The practice is not a security breach in itself, but it leaves a potentially damaging trail of clues for sophisticated attackers and cyber criminals intent on gaining access to the executives' computers and corporate accounts: knowing which services a target uses is exactly what a convincing, targeted phishing message needs.


Cerrudo, the Chief Technology Officer of security firm IOActive Labs, scanned 30 prominent Web sites and uncovered 840 unique e-mail addresses of C-level corporate executives linked to 930 online accounts. They include 42 Facebook accounts linked to the e-mail addresses of executives at firms such as oil giant Chevron, blue chip firm GE and financial services firms Chase.com and Morgan Stanley. Robert Iger, the CEO of Disney, has a Netflix account registered to his corporate e-mail. Denise Morrison of Campbell's Soup used hers to connect with friends on Facebook and to make travel plans with United Airlines. Despite their deep rivalry, Steve Ballmer of Microsoft and Tim Cook of Apple both have accounts at the cloud-based file sharing service Dropbox.com linked to their corporate e-mail addresses, Cerrudo's data suggests.

[ Check out Cesar Cerrudo's Black Hat presentation, "The leaky web: Owning your favorite CEOs" ]

The Experiment

IOActive Labs scanned 30 prominent web sites, uncovering 840 unique e-mail addresses of C-level executives linked to 930 online accounts. Here is the breakdown by site category and linked accounts.

Site / category       Accounts linked   Prominent sites scanned included
News                  241               WSJ, Washington Post, Gartner, Economist, NYT, MarketWatch, Bloomberg
Social networks       250               Facebook, MySpace, LinkedIn, Naymz, Plaxo, Twitter
Google                176               Google
Dropbox                76               Dropbox
Entertainment          43               Hulu, Netflix, Sony
Airlines & Travel      52               ua2go, Orbitz
Hotels                 43               Accor Hotels, Starwood Hotels
Sports Gear            38               NikePlus, Garmin
Skype                  11               Skype
Total                 930

Source: Cesar Cerrudo, CTO, IOActive Labs, presented this information at IOAsis during Black Hat, July 2012.

For his survey, Cerrudo chose C-level executives from Fortune 500 companies and other prominent firms. He used an automated crawler to check the Web sites for accounts linked to the executives' e-mail addresses. Active accounts at the sites could be "silently enumerated," Cerrudo found: a site gives away whether an address is registered by answering differently to an automated login attempt with a wrong password, or to a password-recovery request, for a registered address than for an unknown one, and the account holder is never notified. No password is guessed and nothing is broken into; the leak is in the difference between the two responses.
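The check the paragraph above describes, as an added example that is not part of the article and is not Cerrudo's crawler or any real site's code. Both "sites" below are simulated in-process with a constructed user table and constructed e-mail addresses, so it runs offline: the leaky endpoints answer differently for registered and unregistered addresses, the hardened ones do not, and the enumerator simply compares each candidate's response with the response for an address that cannot exist.

```python
"""Account enumeration through login and password-reset responses.

Added example, not code from the article or from IOActive. The user
table, addresses and messages are constructed for illustration.
"""
import hashlib
import hmac
import secrets


def _pw_hash(password: str) -> str:
    # sha256 stands in for a real password hash (bcrypt/argon2) so the
    # example has no dependencies; do not store passwords this way.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample user table for a hypothetical site (not real accounts).
USERS = {"ceo@example.com": _pw_hash("hunter2")}

# Compared against when the address is unknown, so that the hardened
# login does the same amount of work whether or not the account exists.
_DUMMY_HASH = _pw_hash(secrets.token_hex(16))


# --- Leaky site: the response itself says whether the account exists ---

def leaky_login(email: str, password: str) -> tuple:
    if email not in USERS:
        return (404, "No account exists for that e-mail address")
    if USERS[email] != _pw_hash(password):
        return (401, "Incorrect password")
    return (200, "Logged in")


def leaky_reset(email: str) -> tuple:
    if email not in USERS:
        return (404, "We could not find an account with that address")
    return (200, "A password reset link has been sent")


# --- Hardened site: same status, message and work in both failure cases ---

def safe_login(email: str, password: str) -> tuple:
    expected = USERS.get(email, _DUMMY_HASH)
    # compare_digest takes time independent of where the strings differ.
    match = hmac.compare_digest(expected, _pw_hash(password))
    if match and email in USERS:
        return (200, "Logged in")
    return (401, "Invalid e-mail address or password")


def safe_reset(email: str) -> tuple:
    # A real site sends the mail only when the account exists; the HTTP
    # response must not depend on that.
    return (200, "If that address is registered, a reset link has been sent")


# --- The enumeration check an automated crawler performs ---

def enumerate_accounts(probe, candidates):
    """Return the candidates the endpoint treats differently from an
    address that is certainly unregistered.

    probe(email) -> (status, body). One bogus attempt per address stays
    below typical lockout thresholds and triggers no notice to the
    account holder, which is what makes the enumeration 'silent'.
    """
    baseline = probe(f"{secrets.token_hex(8)}@nonexistent.invalid")
    return [email for email in candidates if probe(email) != baseline]


CANDIDATES = ["ceo@example.com", "cfo@example.com"]

if __name__ == "__main__":
    print("leaky login:", enumerate_accounts(lambda e: leaky_login(e, "bogus"), CANDIDATES))
    print("leaky reset:", enumerate_accounts(leaky_reset, CANDIDATES))
    print("safe login :", enumerate_accounts(lambda e: safe_login(e, "bogus"), CANDIDATES))
    print("safe reset :", enumerate_accounts(safe_reset, CANDIDATES))
```

Against the leaky endpoints the enumerator reports ceo@example.com and nothing else; against the hardened ones it reports nothing. A real crawler compares more than the status and body: response time, redirects, cookies set, and whether a CAPTCHA appears can each reopen the oracle, which is why the hardened login also hashes a dummy value for unknown addresses. Uniform responses plus per-address rate limiting are the practical fix on the site side; the only fix on the executive's side is not to register with the corporate address in the first place.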

Some of the online watering holes he checked were, predictably, popular with the boardroom set. They include the web sites of The Wall Street Journal, Bloomberg News, MarketWatch.com and The New York Times. Accounts at the web sites of hotels and airlines such as United and Starwood Hotels were frequently linked to the e-mail addresses of travel-heavy senior executives as well.
