Attackers Turn Password Recovery Into Backdoor

Matthew Prince thought he had done everything right to secure his business e-mail account.

The CEO of CloudFlare, a Web site protection company, had used a complex and unique password, as well as two-factor authentication, to lock down access to his account on the company's Google-hosted e-mail service. Yet attackers found a different way to get in: The account recovery process used Prince's personal e-mail address, which -- while it had a complex password -- did not have other security protections. By social engineering his mobile-phone provider, AT&T, and exploiting Google's process for resetting passwords over the phone, the malicious group gained access to his personal e-mail and then leveraged that to recover the credentials for CloudFlare's e-mail system.

"I was aware that they were in my personal e-mail account the instant that it happened because I got a notice that my e-mail account had been changed," Prince says. "Once they were in that account, they were able to go to CloudFlare's Google Apps account ... and do an account recovery request."

It was June 1, a Friday. And for about two hours, administrators at CloudFlare faced off against a hacking group to take back the company's e-mail accounts. While the attackers repeatedly gained access to the company's accounts hosted on Google, they never kept it for more than a few minutes, Prince says.

The lesson for any company using cloud services, especially ones on which a business's security relies, is that the firm needs to take stock of every way that a password account could be recovered. The weak links for CloudFlare were the phone representative who allowed the hackers to assign a new voicemail box to Prince's number, the CEO's lack of two-factor authentication on his personal e-mail account, and a flaw in Google's password reset system that allowed its two-factor authentication to be bypassed for an account reset.

[ A litany of attacks against three major online consumer services that resulted in leaked passwords should remind companies to take another look at managing and monitoring the access to their systems. See Keep Watch On Accounts For Stolen Passwords. ]

CloudFlare is not alone: Last year, LulzSec hackers broke into and stole messages from the e-mail accounts of three executives at security firm HBGary and its sister company, HBGary Federal. Businesses need to take these lesson to heart, says HD Moore, chief security officer for vulnerability assessment firm Rapid7.

"Companies are halfway to inverting their networks so that all these internal systems are becoming external, in the cloud," he says. "They need to look at defending their external systems and service just as much as they would their internals systems."

Here's what they should consider:

1. Lock down e-mail
Companies should make sure their account recovery mechanisms never go to a personal e-mail account. Better yet, the account recovery procedure for important pieces of infrastructure should not rely on e-mail at all, CloudFlare's Prince says. The company has turned off all e-mail account recovery for its Google App accounts and found alternative methods of recovering and securing access, he says.

Moreover, because other cloud services use an e-mail address to recover accounts, the business e-mail service needs to be locked down tight, Prince says.

"The problem is your e-mail account because it's the skeleton key for all of your accounts," he says. "Your e-mail is at the root of almost everything, so it should be the most secure system you have."

2. Two-factor, out-of-band, authentication
For CloudFlare, the lack of two-factor authentication on a personal e-mail account paired with failures of other factors -- such as the customer service representative and Google's security check -- left the company vulnerable.

Companies should review their security process and place a second type of authentication on any account that manages a security control, Prince says. In addition, the additional security should be out-of-band. The company now uses a one-time key authenticator app and password to control access to its domain-name account.

"Now, even if my AT&T account is compromised, my security is not weakened," he says. "It would take a compromise of the physical device of my phone to gain access to the account."

3. Always ask for more security
Prince and CloudFlare have learned to always ask their vendors for more security.

When they asked their registrar for a more secure account option, they were able to get two-factor authentication and restrictions on what Internet addresses are able to access the company account. When they asked AT&T for more security, they learned of an additional passcode that can be placed on an account.

And they learned that they can remove the option to recover accounts from their Google Apps account, making the service harder to compromise.

In the end, how far a company needs to go to secure external cloud service depends on the threats each firm faces, Prince says.

"For each company, the answer is going to be different," he says. "But everyone should make sure that, wherever account recovery information is going to be sent, that those accounts are reviewed to make sure they are secure."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.