Risk
6/11/2012 06:38 PM

Attackers Turn Password Recovery Into Backdoor

The assault on CloudFlare shows that companies have to pay attention to how their security services are locked down and how the credentials for those services can be recovered

Matthew Prince thought he had done everything right to secure his business e-mail account.

The CEO of CloudFlare, a Web site protection company, had used a complex and unique password, as well as two-factor authentication, to lock down access to his account on the company's Google-hosted e-mail service. Yet attackers found a different way to get in: The account recovery process used Prince's personal e-mail address, which -- while it had a complex password -- did not have other security protections. By social engineering his mobile-phone provider, AT&T, and exploiting Google's process for resetting passwords over the phone, the malicious group gained access to his personal e-mail and then leveraged that to recover the credentials for CloudFlare's e-mail system.

"I was aware that they were in my personal e-mail account the instant that it happened because I got a notice that my e-mail account had been changed," Prince says. "Once they were in that account, they were able to go to CloudFlare's Google Apps account ... and do an account recovery request."

It was June 1, a Friday. And for about two hours, administrators at CloudFlare faced off against a hacking group to take back the company's e-mail accounts. While the attackers repeatedly gained access to the company's accounts hosted on Google, they never kept it for more than a few minutes, Prince says.

The lesson for any company using cloud services, especially ones on which a business's security relies, is that the firm needs to take stock of every way an account's password could be recovered. The weak links for CloudFlare were the phone representative who allowed the hackers to assign a new voicemail box to Prince's number, the CEO's lack of two-factor authentication on his personal e-mail account, and a flaw in Google's password reset system that allowed its two-factor authentication to be bypassed for an account reset.

CloudFlare is not alone: Last year, hackers from Anonymous, several of whom went on to form LulzSec, broke into the e-mail accounts of three executives at security firm HBGary and its sister company, HBGary Federal, and stole their messages. Businesses need to take these lessons to heart, says HD Moore, chief security officer for vulnerability assessment firm Rapid7.

"Companies are halfway to inverting their networks so that all these internal systems are becoming external, in the cloud," he says. "They need to look at defending their external systems and services just as much as they would their internal systems."

Here's what they should consider:

1. Lock down e-mail
Companies should make sure their account recovery mechanisms never go to a personal e-mail account. Better yet, the account recovery procedure for important pieces of infrastructure should not rely on e-mail at all, CloudFlare's Prince says. The company has turned off all e-mail account recovery for its Google Apps accounts and found alternative methods of recovering and securing access, he says.

Moreover, because other cloud services use an e-mail address to recover accounts, the business e-mail service needs to be locked down tight, Prince says.

"The problem is your e-mail account because it's the skeleton key for all of your accounts," he says. "Your e-mail is at the root of almost everything, so it should be the most secure system you have."
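
The inventory Prince describes can be checked mechanically. The Python below is an added example, not code from CloudFlare or from this article: each account records the factors needed to log in and the accounts or channels that can reset its password, and the script walks every recovery chain to find the cheapest route an attacker could take to the account. The account names, the numeric assurance levels and both inventories are constructed for the example; the "before" inventory mirrors the chain described above (company Google Apps account, personal e-mail, phone-based reset, carrier account, carrier support desk), and the "after" inventory applies the fixes from this article.

```python
"""Audit account-recovery chains: an account is only as strong as the weakest
path that can reset it. Added example; accounts and levels are constructed."""
from __future__ import annotations

INF = float("inf")

# Assumed assurance ranking for login factors and recovery channels (not a standard
# scale). Higher is stronger. "sms"/"voice" rank low because the carrier, not the
# user, controls the phone number (voicemail redirection, SIM swap, social engineering).
LEVELS = {"none": 0, "password": 1, "sms": 2, "voice": 2, "totp": 3, "hardware": 4}


def login_strength(acct: dict) -> int:
    """All listed factors are required, so the login is as strong as its strongest one."""
    return max((LEVELS[f] for f in acct["factors"]), default=0)


def weakest_path(accounts: dict, name: str,
                 visiting: frozenset = frozenset()) -> tuple[float, list[str]]:
    """Return (strength, path): the cheapest chain an attacker can walk to take over `name`.

    The attacker may log in directly or reset the account through any recovery
    option, so the effective strength is the minimum over all of those routes.
    """
    if name in visiting:                       # recovery cycle: not an entry point by itself
        return INF, [name]
    acct = accounts[name]
    best: tuple[float, list[str]] = (login_strength(acct), [name])
    for via in acct["recovery"]:
        strength, path = weakest_path(accounts, via, visiting | {name})
        if strength < best[0]:
            best = (strength, [name] + path)
    return best


def audit(accounts: dict) -> dict[str, tuple[int, float, list[str]]]:
    """Report every account whose recovery chain is weaker than its own login."""
    findings = {}
    for name, acct in accounts.items():
        strength, path = weakest_path(accounts, name)
        login = login_strength(acct)
        if strength < login:
            findings[name] = (login, strength, path)
    return findings


# Constructed inventory modelled on the chain in the article (names are hypothetical).
BEFORE = {
    "cloudflare-google-apps": {"factors": ["password", "totp"], "recovery": ["personal-gmail"]},
    "personal-gmail":         {"factors": ["password"],         "recovery": ["phone-number"]},
    "phone-number":           {"factors": ["voice"],            "recovery": ["att-carrier-account"]},
    "att-carrier-account":    {"factors": ["password"],         "recovery": ["carrier-support-desk"]},
    "carrier-support-desk":   {"factors": ["none"],             "recovery": []},  # no passcode set
}

# Same inventory after the fixes: e-mail recovery removed from the company account,
# 2FA on the personal account, an account passcode at the carrier.
AFTER = {
    "cloudflare-google-apps": {"factors": ["password", "totp"], "recovery": []},
    "personal-gmail":         {"factors": ["password", "totp"], "recovery": ["phone-number"]},
    "phone-number":           {"factors": ["voice"],            "recovery": ["att-carrier-account"]},
    "att-carrier-account":    {"factors": ["password"],         "recovery": ["carrier-support-desk"]},
    "carrier-support-desk":   {"factors": ["password"],         "recovery": []},  # passcode set
}

if __name__ == "__main__":
    for label, inventory in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label} ==")
        for name, (login, strength, path) in audit(inventory).items():
            print(f"{name}: login level {login}, but recoverable at level {strength} "
                  f"via {' -> '.join(path)}")
```

In the "before" inventory the company account, despite its password plus two-factor login, bottoms out at level 0 through the support desk. In the "after" inventory the company account no longer appears in the findings, but the personal account still does: its phone-based reset keeps it at the carrier's level even with two-factor login enabled, which is the reason the article recommends removing recovery paths rather than only strengthening logins.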

2. Two-factor, out-of-band authentication
For CloudFlare, the lack of two-factor authentication on a personal e-mail account, paired with failures of other factors -- the customer service representative and Google's security check -- left the company vulnerable.

Companies should review their security processes and place a second type of authentication on any account that manages a security control, Prince says. That second factor should also be out-of-band, delivered through a channel separate from the one that carries the password. The company now uses a one-time-code authenticator app together with a password to control access to its domain-name account.

"Now, even if my AT&T account is compromised, my security is not weakened," he says. "It would take a compromise of the physical device of my phone to gain access to the account."

3. Always ask for more security
Prince and CloudFlare have learned to always ask their vendors for more security.

When they asked their registrar for a more secure account option, they were able to get two-factor authentication and restrictions on what Internet addresses are able to access the company account. When they asked AT&T for more security, they learned of an additional passcode that can be placed on an account.

And they learned that they can remove the option to recover accounts from their Google Apps account, making the service harder to compromise.

In the end, how far a company needs to go to secure external cloud services depends on the threats each firm faces, Prince says.

"For each company, the answer is going to be different," he says. "But everyone should make sure that, wherever account recovery information is going to be sent, that those accounts are reviewed to make sure they are secure."

Comments

Eric_Brown, User Rank: Apprentice, 6/12/2012 3:04:36 PM
re: Attackers Turn Password Recovery Into Backdoor

This article touches a lot of the points of password security, but the one thing that is of great importance is taking advantage of two-factor authentication. Strong passwords do not replace the need for other effective security controls. One of the things I always do when setting up my account is activate the 2FA (two-factor authentication) where I can telesign into my account. If they don't offer it I also have contacted some of the organizations to see if they plan on providing 2FA. This gives me the confidence that my account won't get hacked and my personal information isn't vulnerable. But thanks for the great article!