Slashdot Mirror


Even My Mom Could Hack These Sites

Frequent Slashdot Contributor Bennett Haselton's latest story is ready for your consumption. He starts "Recently, as an experiment, I wrote from my Hotmail account to ten different hosting companies that were each hosting some of my Web sites, asking for logins to change the domain settings. Even though I never provided any proof that the messages from the Hotmail account were really coming from me (the address they all had on file for me was a different one), half of them replied back and gave me the logins that I needed."

I figured that if I wrote to them saying "I forgot my password, please mail it to me," that would be too obvious. Instead, I relied on something I had done when I first set up shop with these hosting companies: at the time of creating my account, I had entered a domain name and asked them to register it on my behalf (long before I had this experiment in mind). Then when I wrote to them recently from my Hotmail address, I sent each of them a message saying: I need to transfer this domain somewhere else, can you give me the login at the registrar where you registered the domain, so I can change the domain settings. Five of the ten companies either (a) gave me the registrar login, (b) transferred the domain to my registrar account on request (even though I never provided any proof that the owner of that registrar account was really me, either), or (c) changed the domain to point to a new IP address that I specified -- all of which, of course, would allow an attacker to take over a site temporarily or even permanently, if it hadn't really been me writing from the Hotmail address.

But slow down before you go off to try this out on Yahoo, eBay or Google hoping to get the same 50% success rate. First, these were all low-budget hosting companies, so the people handling my queries were likely not highly trained professionals who would have developed all the right habits about when to get suspicious. Second, this ruse only worked because the hosting companies registered the domains on my behalf. Most sites that are really worth taking over are hosted on dedicated servers, and this trick wouldn't work on a dedicated hosting company because they usually don't register domains on behalf of customers; they assume that anybody buying an expensive dedicated server knows enough to buy the domain and point it at the server that the company gives them.

But even for small-time hosting, a 50% success rate for a trick like this is uncomfortably high. So what can we do about it? Well, every problem has a non-solution that requires changing human nature ("People should just stop buying from spammers and they'd go out of business!") and a non-solution that ignores the economics of the situation ("ISPs should devote more resources to stopping spammers on their own network!"). In this case, the corresponding non-solutions would be (a) "People who work for hosting companies should be less gullible" and (b) "ISPs should hire smarter people, without charging more to their hosting customers".

The solution that doesn't require any cheating, though, is to have procedures in place for anything remotely security-related, and drum into employees' heads that they have to follow those procedures. Here's some good news: Of the five companies that fell for the ruse asking for my registrar login information, when I followed up with them saying "Hey, I forgot my account password, can you mail it to me", only two of them actually sent my password to the Hotmail account. To those two, I replied with some terse words about having a six-inch-thick steel door while leaving the window wide open. But at least it was only two out of ten that fell for that ruse, compared to five out of ten that fell for the registrar trick. The difference is that hosting companies have procedures in place to deal with password resets -- a script that sends the existing password, or sends a reset-password link, only to the customer's e-mail address on file.

Similarly, any hosting company that registers domains on behalf of users should have procedures in place for transferring the domains to users or letting them change domain settings. In fact, of the five companies that didn't fall for the ruse, most of them said "Go to the customer control panel here and log in" -- it wasn't that their guard went up because I was writing from a Hotmail account, it was that they already had procedures in place for a customer wanting to change domain settings, and that's what the idiot-proof book told them to do. Kevin Mitnick always said that the weakest link in any security chain was people. Sometimes the way for ISPs to tighten security is to make the people in the chain act more like machines.
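The two procedures the article credits with lowering the hit rate (reset links that go only to the address on file, and domain changes that happen only through the authenticated control panel) can be written down as a script that support staff follow mechanically. The following is an added example, not code from the article or from any hosting company it describes; the customer records, the sender addresses, the control-panel URL and the `Outcome` structure are all constructed for illustration. `naive_handle` mirrors what the five companies that fell for the ruse effectively did (trust whoever wrote in); `procedural_handle` is the scripted version, in which the sender address never influences where credentials go and no credential is ever sent at all.

```python
"""Scripted handling of recovery and domain-change requests (added example)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

CONTROL_PANEL_URL = "https://panel.hosting.example/login"  # assumed, constructed URL

# One-time reset tokens keyed by account id (in-memory stand-in for a database).
PENDING_RESETS: Dict[str, str] = {}


def sample_accounts() -> Dict[str, dict]:
    """Constructed customer records, as a small hosting company might keep them."""
    return {
        "cust-1001": {
            "email_on_file": "owner@example.com",          # constructed
            "password": "hunter2",                         # constructed
            "registrar_login": "registrar-user/registrar-pass",  # constructed
            "domains": {"example.org": {"a_record": "203.0.113.10"}},
        },
    }


@dataclass
class Outcome:
    mailed_to: Optional[str]  # address a message was e-mailed to, if any
    message: str              # text of that message
    disclosed: bool           # True if a password or registrar login left the system
    domain_changed: bool      # True if DNS or registrar state was altered


def naive_handle(accounts: dict, account_id: str, sender: str, request: dict) -> Outcome:
    """The 'window wide open' behaviour: act on whatever the sender asks for."""
    acct = accounts[account_id]
    kind = request["kind"]
    if kind == "password":
        return Outcome(sender, f"Your password is {acct['password']}", True, False)
    if kind == "registrar_login":
        return Outcome(sender, f"Registrar login: {acct['registrar_login']}", True, False)
    if kind == "change_a_record":
        acct["domains"][request["domain"]]["a_record"] = request["new_ip"]
        return Outcome(sender, "Done, A record updated", False, True)
    return Outcome(sender, "Unknown request", False, False)


def procedural_handle(accounts: dict, account_id: str, sender: str, request: dict) -> Outcome:
    """The scripted procedure: same reply regardless of who is asking."""
    acct = accounts.get(account_id)
    if acct is None:
        # Identical wording whether or not the account exists, so nothing is enumerable.
        return Outcome(sender, "If this account exists, instructions will follow separately.", False, False)
    kind = request["kind"]
    if kind == "password":
        # Never send the password; send a one-time link, and only to the address on file.
        token = secrets.token_urlsafe(32)
        PENDING_RESETS[account_id] = token
        link = f"{CONTROL_PANEL_URL}/reset?token={token}"
        return Outcome(acct["email_on_file"], f"Password reset link: {link}", False, False)
    if kind in ("registrar_login", "change_a_record", "transfer_domain"):
        # Domain settings change only behind the authenticated control panel.
        return Outcome(sender, f"Log in at {CONTROL_PANEL_URL} and use Domains > Manage.", False, False)
    return Outcome(sender, "Unknown request", False, False)


def complete_reset(accounts: dict, account_id: str, token: str, new_password: str) -> bool:
    """Second half of the reset flow: only the holder of the mailed token may set a password."""
    expected = PENDING_RESETS.get(account_id)
    if expected is None or not secrets.compare_digest(expected, token):
        return False
    del PENDING_RESETS[account_id]  # tokens are single use
    accounts[account_id]["password"] = new_password
    return True


if __name__ == "__main__":
    # Constructed scenario: a request from an address that is NOT the one on file.
    accounts = sample_accounts()
    sender = "someone@hotmail.example"
    for req in ({"kind": "registrar_login"}, {"kind": "password"}):
        print("naive:     ", naive_handle(accounts, "cust-1001", sender, req))
        print("procedural:", procedural_handle(accounts, "cust-1001", sender, req))
```

The design point is that `procedural_handle` has no branch that inspects `sender` before deciding where a credential goes, so there is nothing for a convincing e-mail to persuade. A real deployment would also expire tokens and rate-limit requests, which the example leaves out.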

Until then, there are probably many sites out there that are this easy to "hack", using a method that could charitably be called low-tech. After seeing which hosting companies fell for the trick, I pointed out that they had sent the login information to an unverified address and admonished them to be more careful in the future, but I didn't storm out vowing to take all of my business elsewhere -- after all, if 50% of all low-budget hosting companies out there fall for this, what would be the point?

3 of 233 comments

  1. I try this everywhere by daeg · Score: 5, Informative

    I try this with every new company we utilize through work. I call from a variety of numbers, including the one registered, my cell phone, and my home phone. I call, giving them only the company name and claim to be "new". If they get suspicious, I tell them the entire IT staff was fired and I'm their replacement and the old staff wouldn't give anyone details about accounts. The social engineering aspects are insanely easy. A few want a fax sent on company letterhead. Any idea how easy it is to fake letterhead through fax? Even a postal letter is easily faked. I remove our liability, or at least reduce it, with companies like this. It takes maybe 10-15 minutes for each company -- give it a try sometime.

    For more fun, forge your from: and reply-to: headers. Attach an empty file called signature.asc. Or make it appear to have been sent from a Blackberry, with a fake tag line "Sent via BlackBerry(r)" at the end. You could even go so far as to forge a "conversation" between 2 people which you are forwarding to make it look like the officers of the company authorized you dealing with the company.

    I think part of the failure is that many IT workers have faced a similar situation: new job duties include trying to recover accounts/information from a disgruntled former employee.

    What I've done with a few companies that we work with is given them a secret key to store in the account notes. I am the only one that knows the key. The other members of the board know the location to get the key, but not the key itself. Major account changes require the key. Along with the stored key there are detailed instructions about each and every external IT account in case something happens to me, or they wish to fire me. It's not flawless, but it's better than nothing.

  2. Re:passwords should be hashed by kebes · Score: 5, Informative

    Agreed. I once dealt with a small-time hosting company (not the cheapest around, mind you, but not the most expensive). When I initially set up the account, I was surprised and annoyed to see that in the admin control panel, among the various update options, there was a "change password" that listed my password, in plaintext, right on screen. I emailed them telling them that it was ridiculous to:
    a) Store a password as plaintext instead of hashing. (And, obviously, they were not salting the passwords.)
    b) Display the password on screen, where anyone shoulder-surfing could take a look.

    A few months later, I was running into some problems, and emailed them for support. Somewhere along the interchange (they didn't believe that the option I needed was missing from the control panel), they actually asked me for my password (over email) so that they could go and change it themselves. This baffled me, and I sent them a very long letter explaining in detail why it is a bad idea for a company to ask its own customers for their passwords, and why email should never be used to exchange password data. Moreover the idea that they didn't have the admin privileges to go check for themselves struck me as odd.

    Anyways, I never gave them my password, and told them to fix it from their end, which they eventually did. Needless to say, at the end of the contract, I didn't renew. So I guess I have to agree with the article's point: many small or medium hosting companies are not bothering to implement basic security protocols (like hashing). But, more importantly, somehow the employees are not being trained with even the minimum skills regarding security.
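The comment above objects to a control panel that stores and displays the password in plaintext, and to staff asking customers for it over e-mail. The following is an added example, not code from the comment's author or from any hosting company; it shows the storage scheme that makes both problems disappear, using PBKDF2-HMAC-SHA256 from the standard library with a per-user random salt. The iteration count is an assumed work factor to be tuned to the hardware, and the user names and passwords are constructed. With this scheme the panel can only verify a password or replace it, never show it, and staff can reset a customer's password without ever learning it.

```python
"""Salted password hashing for a customer control panel (added example)."""
import hashlib
import hmac
import os
from typing import Dict

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to the hardware
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (all hex)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(store: Dict[str, str], user: str, password: str) -> None:
    """Store only the hash; the plaintext never reaches the database."""
    store[user] = hash_password(password)


def change_password(store: Dict[str, str], user: str, current: str, new: str) -> bool:
    """Customer-driven change: requires proof of the current password."""
    if user not in store or not verify_password(current, store[user]):
        return False
    store[user] = hash_password(new)
    return True


def staff_reset(store: Dict[str, str], user: str, new: str) -> bool:
    """Support-driven reset: staff set a new password without knowing the old one."""
    if user not in store:
        return False
    store[user] = hash_password(new)
    return True


if __name__ == "__main__":
    # Constructed demo: two users with the same password get different records.
    db: Dict[str, str] = {}
    register(db, "alice", "correct horse")
    register(db, "bob", "correct horse")
    for user, record in db.items():
        print(user, record)  # what a "show password" page could display at most
    print("alice login ok:", verify_password("correct horse", db["alice"]))
```

Because each record carries its own salt and iteration count, the work factor can be raised later and old records re-hashed on the customer's next successful login, without any flag day.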

  3. Re:HAPPY news, Reverend Falwell dead at 73 by JeanPaulBob · Score: 4, Informative

    I agree with you, but wasn't it Jerry Falwell that picketed Matthew Shepherd's funeral?

    Absolutely not.

    The people who picket funerals are the "Westboro Baptist Church", headed by Fred Phelps. He is beyond the pale, and should no more be associated with the American religious right in general than Stalin should be associated with socialist politics.

    Seriously, check out the "religious beliefs" section of his Wikipedia article. He seems to be simply filled with hate, and uses a veneer of religion as the excuse. He believes salvation and damnation are obtained by aligning with or opposing him. His children who have left his church consider him a cult leader, and say that his actual religious beliefs are virtually non-existent.

    Yes, Falwell said some stupid things--things that frustrated, embarrassed, and angered me as a theologically-conservative Christian. But please, do not associate Phelps' actions with anyone other than Fred Phelps.