Dark Reading is part of the Informa Tech Division of Informa PLC

Risk

6/11/2012
06:38 PM
Attackers Turn Password Recovery Into Backdoor

The assault on CloudFlare shows that companies have to pay attention to how their security services are locked down and how the credentials for those services can be recovered

Matthew Prince thought he had done everything right to secure his business e-mail account.

The CEO of CloudFlare, a Web site protection company, had used a complex and unique password, as well as two-factor authentication, to lock down access to his account on the company's Google-hosted e-mail service. Yet attackers found a different way to get in: The account recovery process used Prince's personal e-mail address, which -- while it had a complex password -- did not have other security protections. By social engineering his mobile-phone provider, AT&T, and exploiting Google's process for resetting passwords over the phone, the malicious group gained access to his personal e-mail and then leveraged that to recover the credentials for CloudFlare's e-mail system.

"I was aware that they were in my personal e-mail account the instant that it happened because I got a notice that my e-mail account had been changed," Prince says. "Once they were in that account, they were able to go to CloudFlare's Google Apps account ... and do an account recovery request."

It was June 1, a Friday. And for about two hours, administrators at CloudFlare faced off against a hacking group to take back the company's e-mail accounts. While the attackers repeatedly gained access to the company's accounts hosted on Google, they never kept it for more than a few minutes, Prince says.

The lesson for any company using cloud services, especially ones on which the business's security relies, is that it needs to take stock of every way an account's password can be recovered. The weak links for CloudFlare were the phone representative who let the attackers assign a new voicemail box to Prince's number, the CEO's lack of two-factor authentication on his personal e-mail account, and a flaw in Google's password reset process that allowed its two-factor authentication to be bypassed during an account reset.

CloudFlare is not alone: Last year, hackers operating under the Anonymous banner (several of whom went on to form LulzSec) broke into and stole messages from the e-mail accounts of three executives at security firm HBGary and its sister company, HBGary Federal. Businesses need to take these lessons to heart, says HD Moore, chief security officer for vulnerability assessment firm Rapid7.

"Companies are halfway to inverting their networks so that all these internal systems are becoming external, in the cloud," he says. "They need to look at defending their external systems and services just as much as they would their internal systems."

Here's what they should consider:

1. Lock down e-mail
Companies should make sure their account recovery mechanisms never go to a personal e-mail account. Better yet, the account recovery procedure for important pieces of infrastructure should not rely on e-mail at all, CloudFlare's Prince says. The company has turned off all e-mail account recovery for its Google Apps accounts and found alternative methods of recovering and securing access, he says.

Moreover, because other cloud services use an e-mail address to recover accounts, the business e-mail service needs to be locked down tight, Prince says.

"The problem is your e-mail account because it's the skeleton key for all of your accounts," he says. "Your e-mail is at the root of almost everything, so it should be the most secure system you have."

2. Two-factor, out-of-band, authentication
For CloudFlare, the lack of two-factor authentication on a personal e-mail account paired with failures of other factors -- such as the customer service representative and Google's security check -- left the company vulnerable.

Companies should review their security processes and put a second factor on any account that manages a security control, Prince says. That second factor should also be out-of-band: generated or delivered through a channel that does not share a dependency with the account's recovery path, such as a carrier-controlled phone number. CloudFlare now uses a one-time-code authenticator app plus a password to control access to its domain-name account.

"Now, even if my AT&T account is compromised, my security is not weakened," he says. "It would take a compromise of the physical device of my phone to gain access to the account."

3. Always ask for more security
Prince and CloudFlare have learned to always ask their vendors for more security.

When they asked their registrar for a more secure account option, they were able to get two-factor authentication and restrictions on which Internet addresses can access the company's account. When they asked AT&T for more security, they learned of an additional passcode that can be placed on the account.

And they learned that they can remove the option to recover accounts from their Google Apps account, making the service harder to compromise.

In the end, how far a company needs to go to secure external cloud services depends on the threats each firm faces, Prince says.

"For each company, the answer is going to be different," he says. "But everyone should make sure that, wherever account recovery information is going to be sent, that those accounts are reviewed to make sure they are secure."
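The review the three points above describe can be made mechanical. As an added example (not from the article, and not CloudFlare's own tooling), the script below models each account as a node and each recovery path as a directed edge ("whoever controls A can reset B"), treats the phone carrier and any account lacking a device-bound second factor as the attacker's starting points, and reports the shortest recovery chain into each security-critical account. The account names, the before/after settings and the classification of SMS/voice as carrier-controlled factors are constructed for illustration and are this example's assumptions, not data from the article.

```python
from collections import deque
from dataclasses import dataclass, field

# Assumption of this example: SMS and voice codes can be redirected by
# social-engineering the carrier (voicemail reassignment, SIM swap), while a
# TOTP app's key lives on the handset, so only "totp" counts as device-bound.
DEVICE_FACTORS = {"totp"}


@dataclass
class Account:
    name: str
    second_factor: str = "none"   # "none", "sms", "voice" or "totp"
    critical: bool = False        # controls a security service (registrar, corp e-mail)
    # Principals from which a password reset of this account can be completed:
    # another account (a recovery e-mail address) or "carrier" (a reset code
    # delivered to the phone). An empty list means recovery is disabled.
    reset_from: list = field(default_factory=list)


def build_graph(accounts):
    """Directed edge src -> dst: control of src alone suffices to take over dst."""
    graph = {name: set() for name in accounts}
    graph["carrier"] = set()
    for acct in accounts.values():
        for src in acct.reset_from:
            graph.setdefault(src, set()).add(acct.name)
    return graph


def attacker_roots(accounts):
    """Principals assumed compromisable at the outset: the carrier, plus any
    account not protected by a device-bound second factor (a phished or leaked
    password is then enough, since SMS/voice codes can be redirected)."""
    roots = {"carrier"}
    for acct in accounts.values():
        if acct.second_factor not in DEVICE_FACTORS:
            roots.add(acct.name)
    return roots


def paths_from(graph, root):
    """Breadth-first search; returns {node: shortest path from root}."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(graph.get(cur, ())):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths


def exposed_critical(accounts, roots=None):
    """For every critical account reachable from some root, return the
    shortest recovery chain that gets the attacker there."""
    graph = build_graph(accounts)
    if roots is None:
        roots = attacker_roots(accounts)
    findings = {}
    for root in sorted(roots):
        for name, path in paths_from(graph, root).items():
            acct = accounts.get(name)
            if acct is not None and acct.critical:
                if name not in findings or len(path) < len(findings[name]):
                    findings[name] = path
    return findings


# Constructed configurations modelled on the chain the article describes;
# names and settings are illustrative, not CloudFlare's real setup.
BEFORE = {
    "personal_email": Account("personal_email", second_factor="none",
                              reset_from=["carrier"]),       # reset over the phone
    "corp_email": Account("corp_email", second_factor="totp", critical=True,
                          reset_from=["personal_email"]),    # personal recovery address
    "registrar": Account("registrar", second_factor="none", critical=True,
                         reset_from=["corp_email"]),
}

AFTER = {
    "personal_email": Account("personal_email", second_factor="totp"),          # phone reset removed
    "corp_email": Account("corp_email", second_factor="totp", critical=True),  # e-mail recovery off
    "registrar": Account("registrar", second_factor="totp", critical=True,
                         reset_from=["corp_email"]),
}

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "roots:", sorted(attacker_roots(cfg)))
        for name, path in exposed_critical(cfg).items():
            print("  " + name + " falls via " + " -> ".join(path))
```

Run as-is, the "before" configuration reports the chain carrier -> personal_email -> corp_email -> registrar, while "after" reports nothing: the registrar still names the corporate mailbox as its recovery address, but once that mailbox has no e-mail recovery and every account carries a device-bound factor, no starting point reaches it.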

Comments

Eric_Brown (User Rank: Apprentice), 6/12/2012 3:04:36 PM
re: Attackers Turn Password Recovery Into Backdoor

This article touches on a lot of the points of password security, but the one thing that is of great importance is taking advantage of two-factor authentication. Strong passwords do not replace the need for other effective security controls. One of the things I always do when setting up my account is activate the 2FA (two-factor authentication) where I can telesign into my account. If they don't offer it I also have contacted some of the organizations to see if they plan on providing 2FA. This gives me the confidence that my account won't get hacked and my personal information isn't vulnerable. But thanks for the great article!