Leaky web sites provide trail of clues about corporate executives

By , ITworld |  IT Management

“It doesn’t surprise me,” said Jeremiah Grossman, the Chief Technology Officer at Web security firm WhiteHat Security. “I’m an executive, and I use my corporate e-mail to sign into some of these kinds of services.”

Some findings were surprising, though. Seventy-six executive e-mails were linked to accounts at cloud-based storage firm Dropbox.com, and 38 to accounts at the web sites nikeplus.com and garmin.com, which sell GPS-enabled athletic watches and gear.

The research does not prove, conclusively, that corporate executives use their corporate e-mail addresses to access the sites -- just that accounts linked to those email addresses exist, Cerrudo notes. Still, it’s safe to assume that most are legitimate. The executives named in this story declined to comment or did not respond to requests for comment prior to publication.

Executives at technology and Internet-based firms, like Hsieh at Zappos, were found to be among those who used their corporate e-mail address most freely online. Craig Newmark, the founder of the online bulletin board Craigslist.org, has accounts at DropBox, Google, Facebook, Twitter, Netflix, Plaxo, the hotel chain Starwood, as well as media sites like The New York Times and Washington Post, all linked to his craig@craigslist.org e-mail.

Social networking and e-commerce sites are often designed to help users who are having trouble logging in – for example, by indicating whether an account exists but the password is wrong, or whether no such account exists, said Grossman, an expert on Web security. Attackers can use automated tools to “brute force” those features, gaining access to the accounts. Security features that limit logins from a specific IP address or use CAPTCHA-style challenge-and-response technology to prevent automated attacks aren’t effective at stopping these attacks, Grossman said. Data from WhiteHat suggests that around 16% of all sites are vulnerable to that type of brute force attack.
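The enumeration problem Grossman describes comes down to a login handler that answers differently for "no such account" and "account exists, wrong password". The example below is added here to illustrate that point and is not code from the article, WhiteHat or IOActive: a leaky handler sits beside a hardened one that returns a single generic failure message and does the same amount of password-hashing work on both failure paths, so neither the message nor the response time distinguishes the two cases. The user store, e-mail addresses and messages are constructed for the example.

```python
"""Login handling: an account-enumeration oracle beside a hardened version.

Added example with a constructed in-memory user store; the messages,
addresses and passwords are placeholders, not taken from any real site.
"""
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user store: e-mail -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"craig@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential verified when the account does not exist, so the
# unknown-user path costs the same as the wrong-password path (no timing tell).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder-never-matches", _DUMMY_SALT)


def login_leaky(email: str, password: str):
    """Vulnerable form: two different failure messages reveal whether the
    e-mail address has an account, which is exactly what an automated
    enumeration run harvests."""
    if email not in USERS:
        return (404, "No account with that e-mail address")
    salt, stored = USERS[email]
    if _hash(password, salt) != stored:
        return (401, "Incorrect password")
    return (200, "Welcome")


def login_hardened(email: str, password: str):
    """Hardened form: one generic failure response for both causes.

    The password is always hashed and compared (against a dummy when the
    account is unknown), so work done and message returned are identical
    for 'unknown account' and 'known account, wrong password'."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    digest_ok = hmac.compare_digest(_hash(password, salt), stored)
    if not (digest_ok and email in USERS):
        return (401, "Invalid e-mail address or password")
    return (200, "Welcome")


def is_enumeration_oracle(login) -> bool:
    """Check used by a reviewer or test suite: does the handler's failure
    response differ between an unknown account and a wrong password?"""
    unknown_account = login("nobody@example.com", "anything")
    wrong_password = login("craig@example.com", "wrong")
    return unknown_account != wrong_password


if __name__ == "__main__":
    print("leaky handler is an oracle:   ", is_enumeration_oracle(login_leaky))
    print("hardened handler is an oracle:", is_enumeration_oracle(login_hardened))
```

The same uniform-response rule applies to the "forgot password" and registration endpoints the article alludes to: a reset flow that says "no account for that address" is the same oracle behind a different form. On the detection side, the hardened handler should still record the failure cause internally (per-account failure counters, not per-IP alone) so that a burst of 401s across many distinct e-mail addresses from one source shows up in monitoring even though the client sees only the generic message.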

“There’s really no effective way to rate-limit logins,” Grossman said. And social networking sites are caught between competing desires: securing account access and providing a quality user experience for customers who may have innocently forgotten their password. “You can’t have your cake and eat it, too,” Grossman said.

Most web sites will share whether an e-mail address exists or not during authentication, which could lead to leaked information.

Source: This was part of a presentation by Cesar Cerrudo, CTO, IOActive Labs, during IOAsis, at DefCon, July 2012.
