“It doesn’t surprise me,” said Jeremiah Grossman, the Chief Technology Officer at Web security firm WhiteHat Security. “I’m an executive, and I use my corporate e-mail to sign into some of these kinds of services.”
Some findings were surprising, though. Seventy-six executive e-mail addresses were linked to accounts at the cloud-based storage firm Dropbox.com, and 38 to accounts at the websites nikeplus.com and garmin.com, which sell GPS-enabled athletic watches and gear.
The research does not prove conclusively that corporate executives use their corporate e-mail addresses to access the sites -- just that accounts linked to those e-mail addresses exist, Cerrudo notes. Still, it’s safe to assume that most are legitimate. The executives named in this story declined to comment or did not respond to requests for comment prior to publication.
Executives at technology and Internet-based firms, like Hsieh at Zappos, were found to be among those who used their corporate e-mail address most freely online. Craig Newmark, the founder of the online bulletin board Craigslist.org, has accounts at Dropbox, Google, Facebook, Twitter, Netflix, Plaxo, the hotel chain Starwood, as well as media sites like The New York Times and Washington Post, all linked to his
Social networking and e-commerce sites are often designed to help users who are having trouble logging in – for example, by indicating that an account exists but the password is wrong, as opposed to indicating that no such account exists, said Grossman, an expert on Web security. Attackers can use automated tools to “brute force” those features, gaining access to the accounts. Security features that limit logins from a specific IP address or use CAPTCHA-style challenge-and-response technology to prevent automated attacks aren’t effective at stopping these attacks, Grossman said. Data from WhiteHat suggests that around 16% of all sites are vulnerable to that type of brute-force attack.
“There’s really no effective way to rate-limit logins,” Grossman said. And social networking sites are caught between competing desires: securing account access and providing a quality user experience for customers who may have innocently forgotten their password. “You can’t have your cake and eat it, too,” Grossman said.
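To make the account-enumeration weakness Grossman describes concrete, here is an added illustration (not code from the article, from WhiteHat or from IOActive). It models a login endpoint in two ways: a leaky version whose error text distinguishes "no such account" from "wrong password", and a hardened version that returns one uniform message and does the same password-hashing work whether or not the account exists. The attacker-side function then shows how a single probe per candidate address is enough to sort existing accounts from non-existent ones against the leaky endpoint, and why the same probe learns nothing against the hardened one. The user store, e-mail addresses and passwords are constructed for the demonstration; the helper names are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Set, Tuple

# Iteration count kept low so the demo runs quickly; production code should
# use a far higher work factor (or a memory-hard function such as scrypt/argon2).
_PBKDF2_ROUNDS = 20_000

UserStore = Dict[str, Tuple[bytes, bytes]]  # email -> (salt, pbkdf2 hash)
LoginFunc = Callable[[UserStore, str, str], str]


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ROUNDS)


def make_user_store(accounts: Dict[str, str]) -> UserStore:
    """Build a salted, hashed user store from {email: password} (constructed test data)."""
    store: UserStore = {}
    for email, password in accounts.items():
        salt = secrets.token_bytes(16)
        store[email] = (salt, _hash_password(password, salt))
    return store


# Dummy credential used by the hardened path so an unknown e-mail costs the same
# hashing work as a known one (otherwise response timing leaks account existence).
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def leaky_login(store: UserStore, email: str, password: str) -> str:
    """Vulnerable: the failure message tells the caller whether the account exists."""
    if email not in store:
        return "No account exists for that e-mail address."
    salt, stored = store[email]
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return "OK"
    return "Incorrect password."


def hardened_login(store: UserStore, email: str, password: str) -> str:
    """Hardened: one uniform failure message and constant work on every path."""
    salt, stored = store.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    # Always hash, then check existence, so unknown and known e-mails behave alike.
    matched = hmac.compare_digest(_hash_password(password, salt), stored)
    if matched and email in store:
        return "OK"
    return "Invalid e-mail address or password."


def enumerate_accounts(login: LoginFunc, store: UserStore,
                       candidates: Iterable[str],
                       probe_password: str = "definitely-not-the-password") -> Set[str]:
    """Attacker's side: one probe per candidate, no correct password needed.

    First learn what the site says for an address that certainly does not exist,
    then flag every candidate whose response differs from that baseline.
    """
    bogus = f"{secrets.token_hex(8)}@example.invalid"
    baseline = login(store, bogus, probe_password)
    return {e for e in candidates if login(store, e, probe_password) != baseline}


if __name__ == "__main__":
    # Constructed sample accounts; not real addresses from the research.
    users = make_user_store({"ceo@example.com": "hunter2", "cfo@example.com": "s3cret!"})
    guesses = ["ceo@example.com", "cfo@example.com", "intern@example.com"]
    print("leaky endpoint reveals:", sorted(enumerate_accounts(leaky_login, users, guesses)))
    print("hardened endpoint reveals:", sorted(enumerate_accounts(hardened_login, users, guesses)))
```

Note that the attacker never needs a correct password and sends exactly one request per address, which is why a per-IP rate limit or a CAPTCHA on repeated failures, as the article notes, does little: the probes can be spread across addresses, source IPs and time, and each one looks like an ordinary failed login. The hardened handler removes the signal rather than trying to throttle it, at the cost of the friendlier "no such account" hint the user-experience side would like to keep.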
Source: This was part of a presentation by Cesar Cerrudo, CTO, IOActive Labs, during IOAsis, at DefCon, July 2012.