
Risk

6/11/2012
06:38 PM

Attackers Turn Password Recovery Into Backdoor

The assault on CloudFlare shows that companies have to pay attention to how their security services are locked down and how the credentials for those services can be recovered

Matthew Prince thought he had done everything right to secure his business e-mail account.

The CEO of CloudFlare, a Web site protection company, had used a complex and unique password, as well as two-factor authentication, to lock down access to his account on the company's Google-hosted e-mail service. Yet attackers found a different way to get in: The account recovery process used Prince's personal e-mail address, which -- while it had a complex password -- did not have other security protections. By social engineering his mobile-phone provider, AT&T, and exploiting Google's process for resetting passwords over the phone, the malicious group gained access to his personal e-mail and then leveraged that to recover the credentials for CloudFlare's e-mail system.

"I was aware that they were in my personal e-mail account the instant that it happened because I got a notice that my e-mail account had been changed," Prince says. "Once they were in that account, they were able to go to CloudFlare's Google Apps account ... and do an account recovery request."

It was June 1, a Friday. And for about two hours, administrators at CloudFlare faced off against a hacking group to take back the company's e-mail accounts. While the attackers repeatedly gained access to the company's accounts hosted on Google, they never kept it for more than a few minutes, Prince says.

The lesson for any company using cloud services, especially ones on which the business's security relies, is that the firm needs to take stock of every way an account's credentials could be recovered. The weak links for CloudFlare were the phone representative who allowed the hackers to assign a new voicemail box to Prince's number, the CEO's lack of two-factor authentication on his personal e-mail account, and a flaw in Google's password reset system that allowed its two-factor authentication to be bypassed for an account reset.

[ A litany of attacks against three major online consumer services that resulted in leaked passwords should remind companies to take another look at managing and monitoring the access to their systems. See Keep Watch On Accounts For Stolen Passwords. ]

CloudFlare is not alone: Last year, LulzSec hackers broke into and stole messages from the e-mail accounts of three executives at security firm HBGary and its sister company, HBGary Federal. Businesses need to take these lessons to heart, says HD Moore, chief security officer for vulnerability assessment firm Rapid7.

"Companies are halfway to inverting their networks so that all these internal systems are becoming external, in the cloud," he says. "They need to look at defending their external systems and services just as much as they would their internal systems."

Here's what they should consider:

1. Lock down e-mail
Companies should make sure their account recovery mechanisms never go to a personal e-mail account. Better yet, the account recovery procedure for important pieces of infrastructure should not rely on e-mail at all, CloudFlare's Prince says. The company has turned off all e-mail account recovery for its Google App accounts and found alternative methods of recovering and securing access, he says.

Moreover, because other cloud services use an e-mail address to recover accounts, the business e-mail service needs to be locked down tight, Prince says.

"The problem is your e-mail account because it's the skeleton key for all of your accounts," he says. "Your e-mail is at the root of almost everything, so it should be the most secure system you have."
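The "skeleton key" point and the earlier advice to take stock of every recovery path can be made concrete by modelling accounts as a graph in which each recovery link is an alternative way in. The following is an added example, not CloudFlare's or the article's code; the account names, the ordinal strength scale and the before/after links are constructed to mirror the chain the article describes (carrier reset, then personal e-mail, then the corporate Google Apps account). The audit reports the weakest chain to a critical account, which is what a reviewer of recovery settings wants to see.

```python
"""Audit of account-recovery paths (added example; constructed scenario)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Constructed ordinal scale for how hard the primary way into an account is:
# 0 = a third party's human process (phone-rep reset), 1 = password only,
# 2 = password + in-band second factor (SMS/voice), 3 = password + out-of-band app.
INF = float("inf")


@dataclass
class Account:
    name: str
    login_strength: int
    # Names of accounts or channels that can trigger a reset of this account.
    recovers_via: List[str] = field(default_factory=list)


def effective_strength(accounts: Dict[str, Account], name: str,
                       seen: FrozenSet[str] = frozenset()) -> Tuple[float, List[str]]:
    """Weakest way to gain control of `name`: break its own login, or take over
    any account that can reset it. Recurses over the recovery graph, guards
    against cycles, and returns (strength, path-of-steps)."""
    if name in seen:
        return INF, []
    acct = accounts[name]
    best: Tuple[float, List[str]] = (acct.login_strength, [f"{name}:login"])
    for dep in acct.recovers_via:
        strength, path = effective_strength(accounts, dep, seen | {name})
        if strength < best[0]:
            best = (strength, [f"{name}:reset-via"] + path)
    return best


def build_scenario(hardened: bool) -> Dict[str, Account]:
    """Constructed before/after models of the incident's recovery chain."""
    carrier = Account("carrier-voicemail", login_strength=0)
    personal = Account("personal-email",
                       login_strength=3 if hardened else 1,
                       recovers_via=[] if hardened else ["carrier-voicemail"])
    corp = Account("corp-google-apps", login_strength=3,
                   recovers_via=[] if hardened else ["personal-email"])
    return {a.name: a for a in (carrier, personal, corp)}


def audit(accounts: Dict[str, Account], critical: str) -> Dict[str, object]:
    """Compare a critical account's own login strength with what its recovery
    graph actually leaves it at; `ok` is False when recovery weakens it."""
    strength, path = effective_strength(accounts, critical)
    own = accounts[critical].login_strength
    return {"login_strength": own,
            "effective_strength": strength,
            "weakest_path": path,
            "ok": strength >= own}


if __name__ == "__main__":
    for label, hardened in (("before", False), ("after", True)):
        print(label, audit(build_scenario(hardened), "corp-google-apps"))
```

In the "before" model the corporate account's two-factor login scores 3 but its effective strength is 0, because the weakest path runs through the personal mailbox to the carrier's reset process; removing the e-mail recovery link (the change the article says CloudFlare made) brings the effective strength back to the login's own.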

2. Two-factor, out-of-band, authentication
For CloudFlare, the lack of two-factor authentication on a personal e-mail account paired with failures of other factors -- such as the customer service representative and Google's security check -- left the company vulnerable.

Companies should review their security processes and place a second type of authentication on any account that manages a security control, Prince says. That second factor should also be out-of-band. The company now uses a one-time key authenticator app and a password to control access to its domain-name account.

"Now, even if my AT&T account is compromised, my security is not weakened," he says. "It would take a compromise of the physical device of my phone to gain access to the account."

3. Always ask for more security
Prince and CloudFlare have learned to always ask their vendors for more security.

When they asked their registrar for a more secure account option, they were able to get two-factor authentication and restrictions on what Internet addresses are able to access the company account. When they asked AT&T for more security, they learned of an additional passcode that can be placed on an account.

And they learned that they can remove the option to recover accounts from their Google Apps account, making the service harder to compromise.

In the end, how far a company needs to go to secure its external cloud services depends on the threats each firm faces, Prince says.

"For each company, the answer is going to be different," he says. "But everyone should make sure that, wherever account recovery information is going to be sent, that those accounts are reviewed to make sure they are secure."

Comments

Eric_Brown, User Rank: Apprentice
6/12/2012 | 3:04:36 PM
re: Attackers Turn Password Recovery Into Backdoor

This article touches a lot of the points of password security, but the one thing that is of great importance is taking advantage of two-factor authentication. Strong passwords do not replace the need for other effective security controls. One of the things I always do when setting up my account is activate the 2FA (two-factor authentication) where I can telesign into my account. If they don't offer it, I also have contacted some of the organizations to see if they plan on providing 2FA. This gives me the confidence that my account won't get hacked and my personal information isn't vulnerable. But thanks for the great article!