Password advice

by msecadm4921

A compliance and IT security management firm has warned businesses to improve password security and to be alert to social engineering attacks that use information gleaned from social networking sites. The warning comes from RandomStorm in the wake of three high-profile hacks that recently came to light.

The CEO of CloudFlare detailed a hack perpetrated against his mobile voicemail and personal and enterprise email accounts, which was then used to target a customer’s email account. The attack demonstrated the meticulous preparation undertaken by hackers. 

CloudFlare has been praised for its transparency, which helped to close a flaw in Google Apps two-factor authentication (2FA). According to CloudFlare’s CEO, the hackers first compromised his personal Gmail account, which was used for receiving password reset messages. They also used social engineering to obtain the PIN for his mobile voicemail. This information enabled the hackers to bypass 2FA and capture password reset information for his Google Apps account. When the password was reset, an email was sent to his personal Gmail account and reset information was sent to his mobile voicemail, both of which were intercepted by the hackers. Once they had administrator access to Google Apps, the hackers proceeded to lock CloudFlare administrators out of their accounts and changed the password on a customer’s account. Information security experts have suggested that the customer account was the real target of the attack.
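The chain above is a weakest-link problem: an account protected by 2FA is only as strong as the cheapest recovery path that resets it. The following is an added illustration, not code from the article or from CloudFlare; the account names, channel names and effort ratings are constructed assumptions chosen to mirror the incident described.

```python
"""Recovery-path analysis for the account-takeover chain described above.

Added illustration, not part of the original article. Each account lists
alternative paths that grant access; each path is a set of channels the
attacker must all control. Effort ratings are assumed values for the
example, not measurements.
"""
from typing import Dict, List, Tuple

# Constructed model of the chain in the article. The Google Apps admin
# account can be reached either by its own login (password plus 2FA token)
# or by the reset flow, which needs the reset e-mail (personal Gmail) AND
# the reset information left on mobile voicemail. Voicemail is guarded only
# by a PIN, which in the incident was socially engineered.
RECOVERY_GRAPH: Dict[str, List[List[str]]] = {
    "google_apps_admin": [["admin_password", "admin_2fa_token"],
                          ["gmail_personal", "mobile_voicemail"]],
    "gmail_personal":    [["gmail_password"], ["gmail_recovery_phone"]],
    "mobile_voicemail":  [["voicemail_pin"]],
    "customer_account":  [["google_apps_admin"]],   # admin can reset it
}

# Assumed effort to compromise each leaf channel (higher = harder).
CHANNEL_COST: Dict[str, int] = {
    "admin_password": 3, "admin_2fa_token": 6,
    "gmail_password": 3, "gmail_recovery_phone": 4,
    "voicemail_pin": 1,
}

def cheapest_takeover(account: str, graph: Dict[str, List[List[str]]] = RECOVERY_GRAPH,
                      cost: Dict[str, int] = CHANNEL_COST,
                      _seen: Tuple[str, ...] = ()) -> Tuple[float, List[str]]:
    """Return (total effort, channels) of the cheapest path that reaches
    `account`, following nested account dependencies recursively."""
    if account in cost:                      # leaf channel
        return cost[account], [account]
    if account in _seen or account not in graph:
        return float("inf"), []              # cycle or unknown node
    best: Tuple[float, List[str]] = (float("inf"), [])
    for path in graph[account]:
        total, chans = 0.0, []
        for channel in path:
            t, ch = cheapest_takeover(channel, graph, cost, _seen + (account,))
            total += t
            chans += ch
        if total < best[0]:
            best = (total, chans)
    return best

if __name__ == "__main__":
    effort, chans = cheapest_takeover("customer_account")
    print(f"cheapest path to customer account: effort {effort} via {chans}")
```

Running it shows the reset path (Gmail password plus voicemail PIN) beating the account's own password-plus-2FA login, which is the point to check when reviewing recovery settings for any privileged account.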

News emerged that LinkedIn had been hacked and 6.5 million passwords leaked online. Users were warned to change their LinkedIn password and to ensure that it was never reused for any other applications. 

In a third incident, US presidential candidate Mitt Romney allegedly had his Dropbox account accessed after someone correctly guessed the name of his pet and thereby gained access to an old Hotmail account. The same password had been reused for Dropbox.

Gavin Watson, senior security engineer and head of RandomStorm’s Social Engineering Team says: “Security professionals are well aware how much information can be gathered on a person from online applications. What is not so widely appreciated is how this information can be used by hackers to target not only the individual but all the businesses that individual deals with. It is imperative that LinkedIn users change their passwords immediately and that people avoid reusing passwords for different web applications. This is not only to protect your personal accounts, but also those of your colleagues and customers. As the CloudFlare example showed, even when you have good 2FA security and strong passwords in place, hackers can be quite meticulous in their preparations to gain access to a high value target. It is the responsibility of everyone in the chain to make it as difficult as possible for them to succeed.”

Last month Gavin Watson appeared on a Channel 4 Dispatches programme, commenting on how “blaggers” gain access to confidential records by using social engineering in order to gain crucial pieces of information on target individuals.

RandomStorm adds that it provides vulnerability scanning and intrusion detection services to companies in the retail, hospitality, financial, public sector and utility industries. The company is a CESG CHECK security consultancy.


© 2024 Professional Security Magazine. All rights reserved.