Gaining Info On Tech Execs With Just Their Email

jfruh writes "Did you know that Craigslist founder Craig Newmark has a loyalty points account with the Starwood hotel chain? Did you know that both Tim Cook and Steve Ballmer have Dropbox accounts? All this information — and much more — can be found out because so many prominent executives use their corporate email address for their account logins, and most sites make it possible to see if an email address is associated with an account even if you don't have the account password. Just knowing that such an account exists can lead to technical and social engineering attempts to crack it, as happened in the case of Wired's Mat Honan."

Any way around this?

[jbuk]

Is there any alternative to throwing out a "this email address is already in use" error if a user attempts to register with someone else's email?

Re:Any way around this?

[jeffmeden]

Is there any alternative to throwing out a "this email address is already in use" error if a user attempts to register with someone else's email?

Sure, flag the account for extra auditing in the following x number of hours. Or, start any registration with an email call-back and let anyone "start" the registration even if it exists, and in the email just put "you're already registered, your work here is done. That or, someone is trying to hack you, please ratchet paranoia accordingly". Since you shouldn't be registering with an email that isn't yours and the web page will just be a "please check your email for registration info" this will not tell the illegitimate user anything useful.

Re:Any way around this?

[omnichad]

Sending the verification email at this step before letting them pick a password or complete their profile. The web site acts like it's a new account registration. The contents of the email sent will tell you whether it's already been registered or if it's a new account - and the link would either be to reset the password or to continue creating the account.

That seems to do it. It's not terribly convenient for some, but it shouldn't be that much worse than the already existing email verification you see every day - just at an earlier step.

Re:Any way around this?

[vlm]

Is there any alternative to throwing out a "this email address is already in use" error if a user attempts to register with someone else's email?

Unfortunately yes, and its called "login with your facebook account"

The other alternative since no one uses email anymore except old people, spammers, and presumably old people spammers, is to use something equally trendy. Require twitter handle. Or /. nickname. Or that MS live gamer-tag gamer-handle whatever its called (you can tell the only thing I've ever used it for is GTA4 on a PC)

Re:Any way around this?

[vlm]

in the email just put "you're already registered, your work here is done. That or, someone is trying to hack you, please ratchet paranoia accordingly"

And if you're trying to attack an enemy on that site, its something of a three sided coin flip if you're better off freaking them out by re-registering them exactly once, or once per day psuedo-stalking, or a thousand times per hour mailbomb.

Re:Any way around this?

[chill]

Yes, display a "registration confirmation e-mail sent" and do it early on in the process. Require a confirming click before continuing.

Send the e-mail. In the e-mail have a statement like "you already have an account -- would you like a reminder? If you didn't try and register here, just ignore this."

The person looking for active accounts by rejection on the web site gets no feedback. Problem solved.

Re:Any way around this?

[jeffmeden]

in the email just put "you're already registered, your work here is done. That or, someone is trying to hack you, please ratchet paranoia accordingly"

And if you're trying to attack an enemy on that site, its something of a three sided coin flip if you're better off freaking them out by re-registering them exactly once, or once per day psuedo-stalking, or a thousand times per hour mailbomb.

You could cap it at one message per day, week, etc. The message doesn't really have to be sent ever since it's for a registration that will not take place, except for the case where the user forgot they had an account altogether and are trying to create a new one, so you want some kind of personalized notification of such an incident. Once a week is probably enough to avoid having someone forget about it before they do it again. Also, you could give the option to turn the notification off entirely if you are indeed being "e-Stalked" by some masked marauder.

Re:Any way around this?

[vlm]

So basically these sites are stealing the abuse-prevention system of another site instead of implementing their own.

Only stealing if they don't have permission. They are collecting all kinds of tasty data mining information in exchange for hosting a login service. So FB knows when and where and who is logging into my local newspaper to post inane comments to their newswire stories. Because 99% of the newspaper site comments are repetitive political sloganeering spam that means FB knows exactly who are not-too-bright active proselytizer political "true believers", on one side or another anyway. That's monetizable information when you sell a mailing list to political parties. Title of the spamlist is probably something like "recently active political activists in zip code 12345" Some database JOINs can fine tune the list to your specific target audience.

Re:Any way around this?

[fast+turtle]

Yes and the answer is damn simple realy. Block access to any/all cloud storage providers, external smtp servers, email accounts and such at the network edge. If you're going to provide any access to outside services like that, it needs to be on systems that are completely locked down, isolated to their own network and with removable media completely disabled.

Why any company would allow access to these kinds of services w/o a contract is beyond me since it makes it so damn easy for someone to simply copy any important docs and give them to someone who shouldn't have them. Basic Security 101 covers this. If you don't own the system, then it's not authorized and various rules/regs/laws will nail your ass to the wall for violating them.

Re:Any way around this?

[ColdWetDog]

Because people need to get work done and not every company can provide every thing for every employee. Security is always a balance.

If you locked out Dropbox, then I could 'steal' documents using my USB Flash drive. Or just photograph screens with my iPhone. In fact, my iPhone has this nifty 'scanner' app that takes pictures of documents, does OCR and converts them to PDFs. Just the thing for industrial espionage (as if the 8MP camera wasn't enough).

Just you go and try to block USB ports from a typical business. Maybe if you're military or do high end research - it might be warranted and doable at that point. But for a social media company? Right.

Re:Any way around this?

[rodrigoandrade]

its something of a three sided coin flip

Wow, a d3 coin!! My AD&D group would kill to own one!!

Re:Any way around this?

[GonzoPhysicist]

Roll a D12 modulo 3 add one, no killing necessary.

Re:Any way around this?

[camperdave]

its something of a three sided coin flip

Wow, a d3 coin!! My AD&D group would kill to own one!!

Grab any standard coin: Obverse, Reverse, Edge.

Re:Any way around this?

[KhabaLox]

"real" companies like the world's largest retailer (guess who) does exactly what you are proposing. No files come or go by HTTP or email. No thumb drives are available on any workstation attached to the LAN. Services like Dropbox are completely off the table.

I'm guess you're talking about a company like Wal-Mart. Are you saying that the Procurement department there can't receive any PDFs, spreadsheets, word docs or any other file from a prospective supplier via email? I'm pretty sure that's not correct. I used to work for a food company that did business with both Wal-Mart and Sam's Club, and I don't ever recall getting a request for help sending files to them (and trust me, my users would not have been able to follow whatever instructions they were given for alternative delivery methods).

I currently work for a large post-production company in the entertainment industry, where security is a big deal. But they don't impose the draconian security measures that are required for the production areas/networks on the rest of the business. The HR and Finance department have their own security needs (physical and electronic) that are different from Operations, and it wouldn't make sense to apply one rule to all areas.

Re:Any way around this?

[nedlohs]

And for those the fact that some address is already registered tells you exactly nothing since anyone could have done that. So that doesn't matter in the slightest.

Re:Any way around this?

[Tanktalus]

Roll a D12 modulo 3 add one, no killing necessary.

Wow, that's way more obtuse than we ever did. We took a d6, divided the result by two, round up. And even that is an obtuse explanation for simple groupings: 1-2 = 1, 3-4 = 2, 5-6 = 3.

Rolling d12s were annoying - of all the dice, they were the most likely to accidentally roll off the table because they often just didn't stop. Even the d20s didn't have that problem. (d100's did, too, but I only ever knew one guy who was so pathetic in his attempt to fit in with us social rejects in high school that he bought a d100 and tried to show it off.)

A counter to this...?

[tomknight]

So could a counter to this be to create accounts on as many systems as possible using your corporate account just to create noise?

Maybe an early task for the IT department could be to create such accounts on the executive's behalf, and release them as required? Obviously this will be borderline (or plain beyond) the standard T&Cs for these sites, but at least they'd be able to claim another valued user (advertising viewer).

Clearly you'd need to use a list of sites that won't get the corporation into trouble, but which encompasses all the sorts of sites its employees are likely to log in to with such credentials. Playboy might or might not be on such a white list, but should an exec need such...relief... (s)he could ask to have that site added to the list.

Re:A counter to this...?

[ameen.ross]

Why would it be a problem to just use one's personal email address? It seems to me that using your corporate email for anything else than just plain email and P2P communication is a bad idea.

Re:A counter to this...?

[KhabaLox]

Well, at the mid-management level, I know that I had accounts on vendor/customer websites (e.g. newegg, Dell, Costco) because I had to do business with them for my job. In some cases, like Newegg, I had my on personal account as well.

I can easily see the need for an account on Dropbox or Twitter or FB or some other service that was tied expressly to your job, and not for you personally. I don't see as much of a case for C level positions, but I guess if you want to easily share files across computers it makes sense.

And re security, if you can't trust your CEO not to steal files, then you have bigger problems.

Re:A counter to this...?

[mickey.moose]

Having a business need was covered with...

"If it's for business use then have a separate email set up for use with the site."

Re:A counter to this...?

[KhabaLox]

So if the user has accounts on 15 different sites, you would have them set up 15 different email address?

Hate using my Email address as log in

[Nyder]

Always thought it was a bad idea. I was helping a buddy of mine get some online game going, and the place (EA Games) wants your email address as your log in ID. But my buddy, is like, "why do they want my email's password?" I try to explain, "They don't. They want you to use your email as your log in info, but make a new password." I'm pretty sure he used the same password as his email password. And honestly, that is way too easy to do like that.

Re:Hate using my Email address as log in

[Minwee]

Always thought it was a bad idea [...] (EA Games)

You were right. Anything to do with EA Games is a bad idea.

Re:Hate using my Email address as log in

[Trepidity]

I agree, but I think they used it because it sweeps under the rug the other problem that usernames traditionally have, that people get frustrated that they can't find a username that's not taken. Your site can spend time building username-suggestion generators to try to help people find an unused one. But email addresses as usernames are guaranteed not to be taken by someone who can't access that email account. Also, it's one less thing the person has to make up on the spot, which means one less potential barrier to them bothering to register.

Re:Hate using my Email address as log in

[jeffmeden]

Always thought it was a bad idea. I was helping a buddy of mine get some online game going, and the place (EA Games) wants your email address as your log in ID. But my buddy, is like, "why do they want my email's password?" I try to explain, "They don't. They want you to use your email as your log in info, but make a new password." I'm pretty sure he used the same password as his email password. And honestly, that is way too easy to do like that.

What is needed is a check process during setup of the new account, wherein the server will attempt to log into the appropriate site (Yahoo, Gmail, or whatever) with the same password. If it succeeds, a message appears chiding the user for being such a dolt. It would take some work to have a flexible and comprehensive list of such check procedures for different email services (a list of valid pop3 servers, web site login pages, etc) but it would be worth it in the long run so that sites could advertise (and deliver) above-average account security. I smell a start-up.

Re:Hate using my Email address as log in

[PPH]

Some want your e-mail address. They send a verification URL to that account prior to activating it. To make sure that you are a real person and that you aren't signing up for GoatLovers.com in someone else's name.

Better designed sites will allow you to select an alternate ID and keep your e-mail (still required) private.

And then there are those who make their money mining e-mail addresses for spammers.

Re:Hate using my Email address as log in

[Leif_Bloomquist]

This is where services like Mailinator are invaluable. Just create a throwaway email address for each of all these stupid logins.

I take it a step, further, though: I own my own domain and have made it a practice of using a custom email address for each site I need to log in to, i.e. sitename@mydomain.com . This way, each login is unique *and* I can track who is giving out my email address as spam.

Yet the emails all go to one central inbox, so it's not inconvenient to get/search the confirmation messages.

Re:Hate using my Email address as log in

This is why my EA Games login is steveb@microsoft.com

Re:Hate using my Email address as log in

[History's+Coming+To]

They've got very good security - when I tried to contact them regarding something they refused to talk to me because I "gave the wrong date of birth". I used the Data Protection Act (UK) to get all the information they hold on me, and the date of birth was correct. So they wouldn't talk to me even though I had the right details, now that's what I call social engineering secure.

Re:Hate using my Email address as log in

[icebraining]

Of course, that's a crime in most jurisdictions, so any startup would get their website shutdown and their asses in court.

Re:Hate using my Email address as log in

[jeffmeden]

Of course, that's a crime in most jurisdictions, so any startup would get their website shutdown and their asses in court.

lolwat. Not familiar with Mint.com, are you? Just build the appropriate text into the EULA and the "Accept" checkbox before you do it and you are golden. You are doing it with the user's explicit permission.

Re:Hate using my Email address as log in

[element-o.p.]

Yep, I used to do the same thing. Unfortunately, I let my domain name expire a few years ago and haven't bothered to renew it, but it probably wouldn't be difficult to create a couple of Google/Yahoo/whatever throwaway addresses for login credentials and still have a separate e-mail address that you actually use to communicate with friends, peers, or other contacts.

Re:Hate using my Email address as log in

[TCM]

Don't use sitename@... use sitename-$rnd@... with $rnd being 4+- random chars.

Makes guessing adresses harder in case some rogue forum admin tries to defame a competitor's forum or somesuch.

Re:Hate using my Email address as log in

[KhabaLox]

You don't have to create extra email address with Gmail. You can use periods or '+' to create custom email address that still get delivered to your inbox. Then you can set up filters or rules to treat them accordingly. For example, you could sign up with a site with "yourname+sitename@gmail.com" and the email will go to "yourname@gmail.com". So you can track address leaks/sales, or auto-delete/auto-star/auto-file emails from certain sites.

Re:Hate using my Email address as log in

[element-o.p.]

Very cool -- I didn't know Google would let you do that. Thanks for sharing!

Re:Hate using my Email address as log in

[Cormacus]

Unfortunately a lot of the same sites where you would want to use this kind of information gathering (adding the "+thisSite" to your email address) refuse to validate email addresses with the '+' character. I've run into this in more than a few places.

Re:Hate using my Email address as log in

[Bourdain]

I do the same thing (re: custom email addresses) though since I use gmail to manage the domain, I also use subdomains as well to sort them (i.e., in order of importance of general class of address)

note that the free gmail version using a "+" both exposes your address and doesn't work with a lot of sites whereas subdomains work just fine (if you host a domain w/gmail)

Re:Hate using my Email address as log in

[Eil]

I take it a step, further, though: I own my own domain and have made it a practice of using a custom email address for each site I need to log in to, i.e. sitename@mydomain.com

This is what I liked about using gmail: you can append a +whatever to the username part of the address to let you know when a company sells or misuses your address. The downside is that in 2012, a good 50% of websites still don't understand that "+" is a valid character in an email address.

When I set up my personal email server, I added this line to /etc/postfix/main.cf:

recipient_delimiter = .

Which does the same thing as the gmail "+" delimiter, but is accepted by every website I've come across. (Since firstname.lastname@example.com is a very common address format.)

Re:Hate using my Email address as log in

[KhabaLox]

You could add a dot/period before the last character of your user name and filter that way too, though it makes it more difficult to keep track of a wide variety of sites that way.

Re:Hate using my Email address as log in

[flonker]

You're using it wrong. You want to download an attachment from some forum post, but the site only allows logged in users to download attachments. So, you register an account. You make up an email address@mailinator.com on the spot, and only check it after the sign up. (You check on the website itself, not via POP3.) You get the email to confirm your address, and click the link. Then you forget about the email address and never think about it again.

It is not intended for any site where you need security. Rather, it's intended for those millions of stupid accounts others expect you to create.

boring, I can do better

[vlm]

Starwood hotel chain... Dropbox accounts ...

Boring. Next thing you know we'll have a breathless account of how the secret leaked that they have facebook accounts too.

A much more entertaining social hack would be to sign up for "exotic" hard core pr0n services, then change the sock puppet account email address to these famous execs addresses, then "leak" to journalists. Oh, look, a certain well known patent troll has an account on sheeplovers.com and NORML, whoever would have guessed?

Or how about signing up prominent Republicans (Even better, Democrats!) for Pravda and Russia Today and CPUSA type-of accounts.

Re:boring, I can do better

[OzPeter]

Oh, look, a certain well known patent troll has an account on sheeplovers.com and NORML, whoever would have guessed?

NORML? How quaint. In this day and age of witch hunts I would have thought NAMBLA would be a better choice.

Re:boring, I can do better

[icebraining]

Most websites nowadays require you to validate any email address, even if it wasn't the one you used when registering.

Re:boring, I can do better

[real+gumby]

Boring. Next thing you know we'll have a breathless account of how the secret leaked that they have facebook accounts too.

Much more clever. More interesting (on a nerd basis, not the social basis) would be a covert channel constructed entirely of fake registration addresses.

Not surprising

[bsDaemon]

I don't think many people, if any, here should be surprised by this. However, if you really want to see just what the extent of OSINT that you can acquire on people starting with something as simple and common as an email address, check out Maltgeo (http://paterva.com/web5/). That thing is great for building OSINT-based profiles on individuals and organizations.

Security through obscurity doesn't work

[metrometro]

If your service can be cracked using no other information than knowing that your target uses it, your security is not good.

That reminds me...

[Minwee]

It's time to sign up a few more fake accounts on random social networks and porn sites using the email addresses of famous people. We have to keep the writers at Wired employed somehow.

This time I think I will add "mhonan@gmail.com" to the mix...

Re:That reminds me...

[vlm]

using the email addresses of famous people

Don't forget their friends and family. Via the magic of social networking this is pretty trivial to figure out.

So... republican medium level state politician with enemies Appears to have a wife who's got memberships on all the major abortion rights discussion websites. Insta-scandal! Or vice versa. You can play the race card, orientation card...

Hell it might even be true without planting evidence... I remember some major federal level candidate a few years back who endlessly spouted off about his hatred of gays who had an out of the closet daughter. Finding this sort of family situation just got a whole lot simpler.

Re:No matter how much we worship them...

[vlm]

Oh, and to avoid double posting, has anyone done some type of cross-check? Does Steve B. have an iTunes account? Does Cook use Hotmail?

Boring examples. Which upper level DEA executive leadership email accounts have NORML / 420 discussion site type of accounts? Which "family values" politicians have "frequent visitor" accounts at Nevada brothels (well, probably easier to ask which don't)?

Better question is if anyone is signing those email addresses up for those "services" right now. There should be a dirty tricks wiki out there with a list of fun places to give accounts to fun people.

Which "fun" account creation sites have poor input sanitation so an enterprising Bobby Tables could try to sign up *@fbi.gov and see if there are any accounts from that domain at all? You can probably Create-a-scandal (TM) just by proving there exists at least one on the job pr0n surfer at the us post office, or whatever.

Re:No matter how much we worship them...

[vlm]

could try to sign up *@fbi.gov

Good lord its early in the morning here. %@fbi.gov obviously.

Use a virtual email address

[Hillgiant]

Gmail will let you set up virtual email addresses. So you can register as MrBig+Facebook@gmail.com instead of MrBig@gmail.com. All the email still goes to MrBig@gmail.com, but tricks like the one in TFA do not work.

Re:Use a virtual email address

+notation is not a virtual email address. It's good that gmail follows the RFC.

Re:Use a virtual email address

[jader3rd]

Gmail will let you set up virtual email addresses. So you can register as MrBig+Facebook@gmail.com instead of MrBig@gmail.com.

Sadly, I've run into plenty of services which won't let me sign up because they claim that my email address contains invalid characters when my email address contains the '+' character.

Excellent, excellent.

[fuzzyfuzzyfungus]

If we all get to live in a banner-ad-riddled panopticon, it seems only fair that some of the same vulnerabilities should afflict the great and small alike.

Many sites vulnerable to timing attacks

[defcon-11]

Even if they they take steps to avoid exposing usernames, most sites are still vulnerable to timing attacks. Try logging in to a page repeatedly with a script. Most unprotected sites will take longer to return a response when the username is valid. when the username is not valid, the response returns immediately, while if the username is valid the system usually has to hash and compare the passwords, plus log data about login attempts.

Re:No matter how much we worship them...

[CastrTroy]

You could just go the extra mile and create a whole website that your target wouldn't want to be affiliated with. Then go create "accounts" for those people you are targeting.