Attackers Turn Password Recovery Into Backdoor

Published: 22/11/2024   Category: security

The assault on CloudFlare shows that companies have to pay attention to how their security services are locked down and how the credentials for those services can be recovered

Matthew Prince thought he had done everything right to secure his business e-mail account.
The CEO of CloudFlare, a Web site protection company, had used a complex and unique password, as well as two-factor authentication, to lock down access to his account on the company's Google-hosted e-mail service. Yet attackers found a different way to get in: The account recovery process used Prince's personal e-mail address, which -- while it had a complex password -- did not have other security protections. By social engineering his mobile-phone provider, AT&T, and exploiting Google's process for resetting passwords over the phone, the malicious group gained access to his personal e-mail and then leveraged that to recover the credentials for CloudFlare's e-mail system.
"I was aware that they were in my personal e-mail account the instant that it happened because I got a notice that my e-mail account had been changed," Prince says. "Once they were in that account, they were able to go to CloudFlare's Google Apps account ... and do an account recovery request."
It was June 1, a Friday. And for about two hours, administrators at CloudFlare faced off against a hacking group to take back the company's e-mail accounts. While the attackers repeatedly gained access to the company's accounts hosted on Google, they never kept it for more than a few minutes, Prince says.
The lesson for any company using cloud services, especially ones on which a business's security relies, is that the firm needs to take stock of every way that an account's password could be recovered. The weak links for CloudFlare were the phone representative who allowed the hackers to assign a new voicemail box to Prince's number, the CEO's lack of two-factor authentication on his personal e-mail account, and a flaw in Google's password reset system that allowed its two-factor authentication to be bypassed for an account reset.
[ A litany of attacks against three major online consumer services that resulted in leaked passwords should remind companies to take another look at managing and monitoring the access to their systems. See "Keep Watch On Accounts For Stolen Passwords". ]
CloudFlare is not alone: Last year, LulzSec hackers broke into and stole messages from the e-mail accounts of three executives at security firm HBGary and its sister company, HBGary Federal. Businesses need to take these lessons to heart, says HD Moore, chief security officer for vulnerability assessment firm Rapid7.
"Companies are halfway to inverting their networks so that all these internal systems are becoming external, in the cloud," he says. "They need to look at defending their external systems and services just as much as they would their internal systems."
Here's what they should consider:
1. Lock down e-mail
Companies should make sure their account recovery mechanisms never go to a personal e-mail account. Better yet, the account recovery procedure for important pieces of infrastructure should not rely on e-mail at all, CloudFlare's Prince says. The company has turned off all e-mail account recovery for its Google Apps accounts and found alternative methods of recovering and securing access, he says.
Moreover, because other cloud services use an e-mail address to recover accounts, the business e-mail service needs to be locked down tight, Prince says.
"The problem is your e-mail account because it's the skeleton key for all of your accounts," he says. "Your e-mail is at the root of almost everything, so it should be the most secure system you have."
2. Two-factor, out-of-band, authentication
For CloudFlare, the lack of two-factor authentication on a personal e-mail account, paired with failures of other factors -- such as the customer service representative and Google's security check -- left the company vulnerable.
Companies should review their security process and place a second type of authentication on any account that manages a security control, Prince says. That second factor should also be out-of-band. The company now uses a one-time key authenticator app and password to control access to its domain-name account.
"Now, even if my AT&T account is compromised, my security is not weakened," he says. "It would take a compromise of the physical device of my phone to gain access to the account."
3. Always ask for more security
Prince and CloudFlare have learned to always ask their vendors for more security.
When they asked their registrar for a more secure account option, they were able to get two-factor authentication and restrictions on what Internet addresses are able to access the company account. When they asked AT&T for more security, they learned of an additional passcode that can be placed on an account.
And they learned that they can remove the option to recover accounts from their Google Apps account, making the service harder to compromise.
In the end, how far a company needs to go to secure external cloud services depends on the threats each firm faces, Prince says.
"For each company, the answer is going to be different," he says. "But everyone should make sure that, wherever account recovery information is going to be sent, that those accounts are reviewed to make sure they are secure."
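The recovery chain the article walks through, as an added example that is not part of the original article or any CloudFlare, Google or AT&T tooling: a small Python review that models accounts and the recovery paths between them and reports every account whose weakest recovery chain is weaker than its own login. The account names, strength ranks and before/after models are constructed assumptions.

```python
# Recovery-path review modelled on the incident above: an account is only as
# strong as the weakest chain of recovery steps that can reset it. Example code
# added for this article; every name, factor and rank is a constructed assumption.
from dataclasses import dataclass, field

# Rank of the weakest credential guarding a direct login (constructed scale).
STRENGTH = {"social-engineering": 0, "password": 1, "password+2fa": 2, "hardware-2fa": 3}

@dataclass
class Account:
    name: str
    protection: str                                   # how a direct login is guarded
    recovers_via: list = field(default_factory=list)  # accounts that can reset this one

def weakest_link(accounts, name, seen=frozenset()):
    """(rank, chain) of the lowest-ranked way into `name`: direct login or a
    recovery triggered from any account that can reset it."""
    acct = accounts[name]
    best = (STRENGTH[acct.protection], [name])
    for via in acct.recovers_via:
        if via in seen:  # ignore recovery loops
            continue
        rank, chain = weakest_link(accounts, via, seen | {name})
        if rank < best[0]:
            best = (rank, [name] + chain)
    return best

def findings(accounts):
    """Accounts whose recovery chain is weaker than their own login protection."""
    out = []
    for name, acct in accounts.items():
        rank, chain = weakest_link(accounts, name)
        if rank < STRENGTH[acct.protection]:
            out.append((name, " -> ".join(chain)))
    return out

# Constructed model of the chain described above: 2FA on the company mailbox,
# recovery via a password-only personal mailbox, itself resettable by voicemail.
BEFORE = {
    "corp-email": Account("corp-email", "password+2fa", ["personal-email"]),
    "personal-email": Account("personal-email", "password", ["phone-voicemail"]),
    "phone-voicemail": Account("phone-voicemail", "social-engineering"),
}
# After the fixes the article lists: e-mail recovery off, 2FA on the personal
# mailbox, a passcode on the carrier account.
AFTER = {
    "corp-email": Account("corp-email", "password+2fa"),
    "personal-email": Account("personal-email", "password+2fa"),
    "phone-voicemail": Account("phone-voicemail", "password"),
}
```

`findings(BEFORE)` flags both mailboxes as reachable through the voicemail box; `findings(AFTER)` returns an empty list.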