Gaining Info On Tech Execs With Just Their Email 75
jfruh writes "Did you know that Craigslist founder Craig Newmark has a loyalty points account with the Starwood hotel chain? Did you know that both Tim Cook and Steve Ballmer have Dropbox accounts? All this information — and much more — can be found out because so many prominent executives use their corporate email address for their account logins, and most sites make it possible to see if an email address is associated with an account even if you don't have the account password. Just knowing that such an account exists can lead to technical and social engineering attempts to crack it, as happened in the case of Wired's Mat Honan."
Any way around this? (Score:5, Interesting)
Re:Any way around this? (Score:5, Insightful)
Is there any alternative to throwing out a "this email address is already in use" error if a user attempts to register with someone else's email?
Sure, flag the account for extra auditing in the following x number of hours. Or, start any registration with an email call-back and let anyone "start" the registration even if it exists, and in the email just put "you're already registered, your work here is done. That or, someone is trying to hack you, please ratchet paranoia accordingly". Since you shouldn't be registering with an email that isn't yours and the web page will just be a "please check your email for registration info" this will not tell the illegitimate user anything useful.
Re: (Score:2)
And for those the fact that some address is already registered tells you exactly nothing since anyone could have done that. So that doesn't matter in the slightest.
Re: (Score:3)
in the email just put "you're already registered, your work here is done. That or, someone is trying to hack you, please ratchet paranoia accordingly"
And if you're trying to attack an enemy on that site, its something of a three sided coin flip if you're better off freaking them out by re-registering them exactly once, or once per day psuedo-stalking, or a thousand times per hour mailbomb.
Re: (Score:3)
in the email just put "you're already registered, your work here is done. That or, someone is trying to hack you, please ratchet paranoia accordingly"
And if you're trying to attack an enemy on that site, its something of a three sided coin flip if you're better off freaking them out by re-registering them exactly once, or once per day psuedo-stalking, or a thousand times per hour mailbomb.
You could cap it at one message per day, week, etc. The message doesn't really have to be sent ever since it's for a registration that will not take place, except for the case where the user forgot they had an account altogether and are trying to create a new one, so you want some kind of personalized notification of such an incident. Once a week is probably enough to avoid having someone forget about it before they do it again. Also, you could give the option to turn the notification off entirely if yo
Re: (Score:2)
its something of a three sided coin flip
Wow, a d3 coin!! My AD&D group would kill to own one!!
Re: (Score:1)
Re: (Score:2)
Roll a D12 modulo 3 add one, no killing necessary.
Wow, that's way more obtuse than we ever did. We took a d6, divided the result by two, round up. And even that is an obtuse explanation for simple groupings: 1-2 = 1, 3-4 = 2, 5-6 = 3.
Rolling d12s were annoying - of all the dice, they were the most likely to accidentally roll off the table because they often just didn't stop. Even the d20s didn't have that problem. (d100's did, too, but I only ever knew one guy who was so pathetic in his attempt to fit in with us social rejects in high school that he bo
Re: (Score:2)
its something of a three sided coin flip
Wow, a d3 coin!! My AD&D group would kill to own one!!
Grab any standard coin: Obverse, Reverse, Edge.
Re:Any way around this? (Score:5, Insightful)
Sending the verification email at this step before letting them pick a password or complete their profile. The web site acts like it's a new account registration. The contents of the email sent will tell you whether it's already been registered or if it's a new account - and the link would either be to reset the password or to continue creating the account.
That seems to do it. It's not terribly convenient for some, but it shouldn't be that much worse than the already existing email verification you see every day - just at an earlier step.
Re: (Score:2)
Is there any alternative to throwing out a "this email address is already in use" error if a user attempts to register with someone else's email?
Unfortunately yes, and its called "login with your facebook account"
The other alternative since no one uses email anymore except old people, spammers, and presumably old people spammers, is to use something equally trendy. Require twitter handle. Or /. nickname. Or that MS live gamer-tag gamer-handle whatever its called (you can tell the only thing I've ever used it for is GTA4 on a PC)
Re: (Score:3)
So basically these sites are stealing the abuse-prevention system of another site instead of implementing their own.
Only stealing if they don't have permission. They are collecting all kinds of tasty data mining information in exchange for hosting a login service. So FB knows when and where and who is logging into my local newspaper to post inane comments to their newswire stories. Because 99% of the newspaper site comments are repetitive political sloganeering spam that means FB knows exactly who are not-too-bright active proselytizer political "true believers", on one side or another anyway. That's monetizable info
Re: (Score:3)
Yes, display a "registration confirmation e-mail sent" and do it early on in the process. Require a confirming click before continuing.
Send the e-mail. In the e-mail have a statement like "you already have an account -- would you like a reminder? If you didn't try and register here, just ignore this."
The person looking for active accounts by rejection on the web site gets no feedback. Problem solved.
Re: (Score:2)
Yes and the answer is damn simple realy. Block access to any/all cloud storage providers, external smtp servers, email accounts and such at the network edge. If you're going to provide any access to outside services like that, it needs to be on systems that are completely locked down, isolated to their own network and with removable media completely disabled.
Why any company would allow access to these kinds of services w/o a contract is beyond me since it makes it so damn easy for someone to simply copy any
Re: (Score:2)
Because people need to get work done and not every company can provide every thing for every employee. Security is always a balance.
If you locked out Dropbox, then I could 'steal' documents using my USB Flash drive. Or just photograph screens with my iPhone. In fact, my iPhone has this nifty 'scanner' app that takes pictures of documents, does OCR and converts them to PDFs. Just the thing for industrial espionage (as if the 8MP camera wasn't enough).
Just you go and try to block USB ports from a typical
Re: (Score:3)
"real" companies like the world's largest retailer (guess who) does exactly what you are proposing. No files come or go by HTTP or email. No thumb drives are available on any workstation attached to the LAN. Services like Dropbox are completely off the table.
I'm guess you're talking about a company like Wal-Mart. Are you saying that the Procurement department there can't receive any PDFs, spreadsheets, word docs or any other file from a prospective supplier via email? I'm pretty sure that's not correct. I used to work for a food company that did business with both Wal-Mart and Sam's Club, and I don't ever recall getting a request for help sending files to them (and trust me, my users would not have been able to follow whatever instructions they were given fo
A counter to this...? (Score:2)
Maybe an early task for the IT department could be to create such accounts on the executive's behalf, and release them as required? Obviously this will be borderline (or plain beyond) the standard T&Cs for these sites, but at least they'd be able to claim another valued user (advertising viewer).
Clearly you'd need to use a list of sites that won't get the corporation into
Re: (Score:1)
Why would it be a problem to just use one's personal email address? It seems to me that using your corporate email for anything else than just plain email and P2P communication is a bad idea.
Re: (Score:3)
Well, at the mid-management level, I know that I had accounts on vendor/customer websites (e.g. newegg, Dell, Costco) because I had to do business with them for my job. In some cases, like Newegg, I had my on personal account as well.
I can easily see the need for an account on Dropbox or Twitter or FB or some other service that was tied expressly to your job, and not for you personally. I don't see as much of a case for C level positions, but I guess if you want to easily share files across computers it m
Re: (Score:1)
Having a business need was covered with...
"If it's for business use then have a separate email set up for use with the site."
Re: (Score:2)
So if the user has accounts on 15 different sites, you would have them set up 15 different email address?
Hate using my Email address as log in (Score:5, Interesting)
Always thought it was a bad idea. I was helping a buddy of mine get some online game going, and the place (EA Games) wants your email address as your log in ID. But my buddy, is like, "why do they want my email's password?" I try to explain, "They don't. They want you to use your email as your log in info, but make a new password." I'm pretty sure he used the same password as his email password. And honestly, that is way too easy to do like that.
Re: (Score:3)
Always thought it was a bad idea [...] (EA Games)
You were right. Anything to do with EA Games is a bad idea.
Re: (Score:3, Funny)
Re: (Score:3)
I agree, but I think they used it because it sweeps under the rug the other problem that usernames traditionally have, that people get frustrated that they can't find a username that's not taken. Your site can spend time building username-suggestion generators to try to help people find an unused one. But email addresses as usernames are guaranteed not to be taken by someone who can't access that email account. Also, it's one less thing the person has to make up on the spot, which means one less potential b
Re: (Score:2)
Always thought it was a bad idea. I was helping a buddy of mine get some online game going, and the place (EA Games) wants your email address as your log in ID. But my buddy, is like, "why do they want my email's password?" I try to explain, "They don't. They want you to use your email as your log in info, but make a new password." I'm pretty sure he used the same password as his email password. And honestly, that is way too easy to do like that.
What is needed is a check process during setup of the new account, wherein the server will attempt to log into the appropriate site (Yahoo, Gmail, or whatever) with the same password. If it succeeds, a message appears chiding the user for being such a dolt. It would take some work to have a flexible and comprehensive list of such check procedures for different email services (a list of valid pop3 servers, web site login pages, etc) but it would be worth it in the long run so that sites could advertise (an
Re: (Score:2)
Of course, that's a crime in most jurisdictions, so any startup would get their website shutdown and their asses in court.
Re: (Score:2)
Of course, that's a crime in most jurisdictions, so any startup would get their website shutdown and their asses in court.
lolwat. Not familiar with Mint.com, are you? Just build the appropriate text into the EULA and the "Accept" checkbox before you do it and you are golden. You are doing it with the user's explicit permission.
Re: (Score:2)
Some want your e-mail address. They send a verification URL to that account prior to activating it. To make sure that you are a real person and that you aren't signing up for GoatLovers.com in someone else's name.
Better designed sites will allow you to select an alternate ID and keep your e-mail (still required) private.
And then there are those who make their money mining e-mail addresses for spammers.
Re:Hate using my Email address as log in (Score:5, Informative)
This is where services like Mailinator [mailinator.com] are invaluable. Just create a throwaway email address for each of all these stupid logins.
I take it a step, further, though: I own my own domain and have made it a practice of using a custom email address for each site I need to log in to, i.e. sitename@mydomain.com . This way, each login is unique *and* I can track who is giving out my email address as spam.
Yet the emails all go to one central inbox, so it's not inconvenient to get/search the confirmation messages.
Re: (Score:2)
Re:Hate using my Email address as log in (Score:4, Insightful)
You don't have to create extra email address with Gmail. You can use periods or '+' to create custom email address [blogspot.com] that still get delivered to your inbox. Then you can set up filters or rules to treat them accordingly. For example, you could sign up with a site with "yourname+sitename@gmail.com" and the email will go to "yourname@gmail.com". So you can track address leaks/sales, or auto-delete/auto-star/auto-file emails from certain sites.
Re: (Score:2)
Re:Hate using my Email address as log in (Score:5, Interesting)
Re: (Score:2)
You could add a dot/period before the last character of your user name and filter that way too, though it makes it more difficult to keep track of a wide variety of sites that way.
Re: (Score:2)
You're using it wrong. You want to download an attachment from some forum post, but the site only allows logged in users to download attachments. So, you register an account. You make up an email address@mailinator.com on the spot, and only check it after the sign up. (You check on the website itself, not via POP3.) You get the email to confirm your address, and click the link. Then you forget about the email address and never think about it again.
It is not intended for any site where you need securit
Re: (Score:2)
Don't use sitename@... use sitename-$rnd@... with $rnd being 4+- random chars.
Makes guessing adresses harder in case some rogue forum admin tries to defame a competitor's forum or somesuch.
Re: (Score:3)
note that the free gmail version using a "+" both exposes your address and doesn't work with a lot of sites whereas subdomains work just fine (if you host a domain w/gmail)
Re: (Score:3)
This is what I liked about using gmail: you can append a +whatever to the username part of the address to let you know when a company sells or misuses your address. The downside is that in 2012, a good 50% of websites still don't understand that "+" is a valid character in an email address.
When I set up my personal email server, I ad
Re: (Score:1)
boring, I can do better (Score:3)
Starwood hotel chain... Dropbox accounts ...
Boring. Next thing you know we'll have a breathless account of how the secret leaked that they have facebook accounts too.
A much more entertaining social hack would be to sign up for "exotic" hard core pr0n services, then change the sock puppet account email address to these famous execs addresses, then "leak" to journalists. Oh, look, a certain well known patent troll has an account on sheeplovers.com and NORML, whoever would have guessed?
Or how about signing up prominent Republicans (Even better, Democrats!) for Pravda and Russia Today and CPUSA type-of accounts.
Re: (Score:3)
Oh, look, a certain well known patent troll has an account on sheeplovers.com and NORML, whoever would have guessed?
NORML? How quaint. In this day and age of witch hunts I would have thought NAMBLA would be a better choice.
Re: (Score:3)
Most websites nowadays require you to validate any email address, even if it wasn't the one you used when registering.
Re: (Score:2)
Boring. Next thing you know we'll have a breathless account of how the secret leaked that they have facebook accounts too.
Much more clever. More interesting (on a nerd basis, not the social basis) would be a covert channel constructed entirely of fake registration addresses.
Not surprising (Score:2)
I don't think many people, if any, here should be surprised by this. However, if you really want to see just what the extent of OSINT that you can acquire on people starting with something as simple and common as an email address, check out Maltgeo (http://paterva.com/web5/). That thing is great for building OSINT-based profiles on individuals and organizations.
Re: (Score:2)
Oh, and to avoid double posting, has anyone done some type of cross-check? Does Steve B. have an iTunes account? Does Cook use Hotmail?
Boring examples. Which upper level DEA executive leadership email accounts have NORML / 420 discussion site type of accounts? Which "family values" politicians have "frequent visitor" accounts at Nevada brothels (well, probably easier to ask which don't)?
Better question is if anyone is signing those email addresses up for those "services" right now. There should be a dirty tricks wiki out there with a list of fun places to give accounts to fun people.
Which "fun" account creation sites have poor input san
Re: (Score:2)
could try to sign up *@fbi.gov
Good lord its early in the morning here. %@fbi.gov obviously.
Re: (Score:2)
Security through obscurity doesn't work (Score:2)
If your service can be cracked using no other information than knowing that your target uses it, your security is not good.
That reminds me... (Score:2)
It's time to sign up a few more fake accounts on random social networks and porn sites using the email addresses of famous people. We have to keep the writers at Wired employed somehow.
This time I think I will add "mhonan@gmail.com" to the mix...
Re: (Score:2)
using the email addresses of famous people
Don't forget their friends and family. Via the magic of social networking this is pretty trivial to figure out.
So... republican medium level state politician with enemies Appears to have a wife who's got memberships on all the major abortion rights discussion websites. Insta-scandal! Or vice versa. You can play the race card, orientation card...
Hell it might even be true without planting evidence... I remember some major federal level candidate a few years back who endlessly spouted off about his hatred
Use a virtual email address (Score:3)
Gmail will let you set up virtual email addresses. So you can register as MrBig+Facebook@gmail.com instead of MrBig@gmail.com. All the email still goes to MrBig@gmail.com, but tricks like the one in TFA do not work.
Re: (Score:3, Informative)
+notation is not a virtual email address. It's good that gmail follows the RFC.
Re: (Score:3)
Gmail will let you set up virtual email addresses. So you can register as MrBig+Facebook@gmail.com instead of MrBig@gmail.com.
Sadly, I've run into plenty of services which won't let me sign up because they claim that my email address contains invalid characters when my email address contains the '+' character.
Excellent, excellent. (Score:2)
If we all get to live in a banner-ad-riddled panopticon, it seems only fair that some of the same vulnerabilities should afflict the great and small alike.
Many sites vulnerable to timing attacks (Score:1)