Leaky web sites provide trail of clues about corporate executives
You can read about Zappos’ CEO Tony Hsieh on the company’s Web site-- about how he sold his first company, LinkExchange to Microsoft in 1999, at the age of 24, and joined Zappos as an advisor and investor, eventually rising to the company’s top post. What you might not learn is that Tony is an exercise enthusiast who gets his gear from Nikeplus.com, watches his favorite shows on the Internet streaming site Hulu, keeps up with his friends on Facebook and checks the value of his Amazon.com stock (Amazon bought Zappos in 2009) at Marketwatch.com. That lesser known information about Hsieh – a treasure trove for hackers -- is public, all the same: leaked from e-commerce and social networking sites linked to the CEO’s @zappos.com e-mail address.
Hsieh is hardly alone. A newly released analysis by security researcher Cesar Cerrudo found that executives like Hsieh, including many at Fortune 500 firms, frequently use their business e-mail addresses to access a wide range of prominent social media web sites. The practice, while not a security breach, leaves a potentially damaging trail of clues for sophisticated hackers and cyber criminal’s intent on gaining access to the executives’ computers and corporate accounts.
Cerrudo, the Chief Technology Officer of security firm IOActive Labs, scanned 30 prominent Web sites, uncovering 840 unique e-mail addresses of C-level corporate executives linked to 930 online accounts. They include 42 Facebook accounts linked to e-mail accounts for executives of firms such as oil giant Chevron, blue chip firm GE and financial services firms Chase.com and Morgan Stanley. Robert Iger, the CEO of Disney, uses his corporate e-mail to log in and watch movies on Netflix. Denise Morrison of Campbell’s Soup used hers to connect with friends on Facebook and make travel plans with United Airlines. Despite their deep rivalry, Steve Ballmer of Microsoft and Tim Cook of Apple both have accounts at the cloud-based file sharing service Dropbox.com linked to their corporate e-mail address, Cerrudo’s data suggests.
[ Check out Cesar Cerrudo's Black Hat presentation, "The leaky web: Owning your favorite CEOs" ]
IOActive Security scanned 30 prominent web sites uncovering 840 unique email addresses of C-level executives linked to 930 online accounts. Here's the breakdown by site category and linked accounts.
|Site /category||Number of online accounts that were linked to||Prominent sites scanned included:|
|News||241||WSJ, Washington Post, Gartner, Economist, NYT, MarketWatch, Bloomberg|
|Social networks||250||Facebook, MySpace, LinkedIn, Naymz, Plaxo, Twitter|
|Entertainment||43||Hulu, Netflix, Sony|
|Airlines & Travel||52||ua2go, Orbitz|
|Hotels||43||Accor Hotels, Starwood Hotels|
|Sports Gear||38||NikePlus, Garmin|
For his survey, Cerrudo chose C-level executives from Fortune 500 companies, and other prominent firms. He used an automated crawler to check the Web sites for accounts linked to the executives' e-mails. Active accounts at the sites could be “silently enumerated,” Cerrudo found – leaked in response to an automated login attempt or through password recovery features.
Some of the online watering holes he checked were, predictably, popular with the board room set. They include the web sites of The Wall Street Journal, Bloomberg News, MarketWatch.com and The New York Times. Accounts at web sites for hotels and airlines such as United and Starwood Hotels were frequently linked to the accounts of travel heavy senior executives, as well.
“It doesn’t surprise me,” said Jeremiah Grossman, the Chief Technology Officer at Web security firm WhiteHat Security. “I’m an executive, and I use my corporate e-mail to sign into some of these kinds of services.”
Some findings were surprising, though. Seventy six executive e-mails were linked to accounts at cloud-based storage firm Dropbox.com and 38 to accounts to the web sites nikeplus.com and garmin.com, which sell GPS-enabled athletic watches and gear.
The research does not prove, conclusively, that corporate executives use their corporate e-mail addresses to access the sites -- just that accounts linked to those email addresses exist, Cerrudo notes. Still, it’s safe to assume that most are legitimate. The executives named in this story declined to comment or did not respond to requests for comment prior to publication.
Executives at technology and Internet based firms, like Hsieh at Zappos, were found to be among those who used their corporate e-mail address most freely online. Craig Newmark, the founder of the online bulletin board Craigslist.org, has accounts at DropBox, Google, Facebook, Twitter, Netflix, Plaxo, the hotel chain Starwood as well as media sites like The New York Times and Washington Post all linked to his
Social networking and e-commerce sites are often designed to help users who are having trouble logging in – for example, by indicating whether an account exists, but the password is wrong, or whether no such account exists, said Grossman, an expert on Web security. Attackers can use automated tools to “brute force” those features, gaining access to the accounts. Security features that limit logins from a specific IP address or use CAPTCHA-style challenge and response technology to prevent automated attacks aren’t effective at stopping these attacks, Grossman said. Data from WhiteHat suggests that around 16% of all sites are vulnerable to that type of brute force attack.
“There’s really no effective way to rate-limit logins,” Grossman said. And social networking sites are caught between competing desires: securing account access and providing a quality user experience for customers who may have innocently forgot their password. “You can’t have your cake and eat it, too,” Grossman said.
Source: This was part of a presentation by Cesar Cerrudo, CTO, IOActive Labs, during IOAsis, at DefCon, July 2012.
Still, he acknowledged that the practice isn’t without risks. Clever (and even not-so-clever) attackers could use knowledge of the link between the executives’ e-mail accounts and the online service to assemble a profile of an executive, then craft a convincing phishing attack containing a malicious attachment. Attackers could also use the web sites' password recovery features and knowledge gleaned from publicly accessible sources to gain access to- and control of the executives’ accounts. Things being as they are that same e-mail and password combination might provide access to other web sites and corporate resources, as well.
Chris Hadnagy, author, Social Engineering: The Art of Human Hacking
The problem is magnified by cloud services such as Apple’s iCloud and Amazon.com’s Amazon Web Services (AWS). In just the most recent example of this, an article on Wired.com by writer Matt Honan described how malicious hackers were able to use knowledge of his e-mail address and some social engineering to take over that account and, then, use connected services to remotely erase both his computer hard drive and mobile phone. Knowing that high value targets like Microsoft CEO Steve Ballmer and Apple CEO Tim Cook use DropBox and what their account ID is, puts attackers just a couple of challenge-response questions away from taking over their account. That doesn’t mean that those accounts hold any sensitive corporate documents, Grossman noted. But most malicious hackers or sophisticated attackers would at least have a go at hacking them in the off chance that the CEOs got sloppy, storing a document with high impact, he said.
An expert in the art of social engineering agrees that social media accounts like those scanned by Cerrudo are a gold mine.
“When I get hired to do a social engineering penetration test for a client the first thing we do is start gathering as much intel(ligence) as possible,” said Chris Hadnagy, author of the book Social Engineering: The Art of Human Hacking. “For calls and phishing emails nothing helps me more than finding social media accounts with lots of information on them.”
Tools like the free and open source forensics tool Maltego allow anyone to link e-mail addresses with Twitter and other social networking accounts. Some tweaking and Googling turn up Facebook, LinkedIn and other accounts that divulge a wealth of information that can fuel attacks, Hadnagy said.
“I basically just look for schools, jobs, family, hobbies (and) personal interests and use that to craft my attacks,” he said. ”To date the success ratios for this method are very high.”
Social engineering – the art of human trickery – is increasingly recognized as a key element in almost all successful cyber attacks. Hadnagy’s firm, Social-Engineer.org, now sponsors social engineering "Capture The Flag" contests at Black Hat and other security shows, pitting contestants against prominent global corporations in search of "flags" - sensitive, but non-proprietary information.
Past social engineering Capture the Flag competitions have targeted iconic firms like McDonald's, WalMart, Microsoft, Google, Ford and Pepsi. The results suggest that even wealthy, sophisticated companies are ill-equipped to fend off sophisticated social attacks that use publicly available information to help gain the trust of intended targets. Companies should make their employees aware of the risks of using their corporate e-mail on social networking and other consumer sites, said Grossman. “They need to know what the trade-offs are, and make a decision based on their tolerance for risk.”
As for the web site owners, attention to account security varies. Many large consumer banks have abandoned the use of e-mail addresses as account identifiers, Grossman said. But social networking and other sites value convenience and ease of access more highly.
Security conscious firms should think about treating the user ID like a separate password – unique and difficult to guess, and separate from other corporate identifiers like an e-mail address, Grossman said. That makes it all the harder for attackers to know which account to focus their attention on.