Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Security Your Rights Online

Gaining Info On Tech Execs With Just Their Email 75

jfruh writes "Did you know that Craigslist founder Craig Newmark has a loyalty points account with the Starwood hotel chain? Did you know that both Tim Cook and Steve Ballmer have Dropbox accounts? All this information — and much more — can be found out because so many prominent executives use their corporate email address for their account logins, and most sites make it possible to see if an email address is associated with an account even if you don't have the account password. Just knowing that such an account exists can lead to technical and social engineering attempts to crack it, as happened in the case of Wired's Mat Honan."
This discussion has been archived. No new comments can be posted.

Gaining Info On Tech Execs With Just Their Email

Comments Filter:
  • Any way around this? (Score:5, Interesting)

    by jbuk ( 1581659 ) on Wednesday August 15, 2012 @10:00AM (#40996951)
    Is there any alternative to throwing out a "this email address is already in use" error if a user attempts to register with someone else's email?
    • by jeffmeden ( 135043 ) on Wednesday August 15, 2012 @10:10AM (#40997065) Homepage Journal

      Is there any alternative to throwing out a "this email address is already in use" error if a user attempts to register with someone else's email?

      Sure, flag the account for extra auditing in the following x number of hours. Or, start any registration with an email call-back and let anyone "start" the registration even if it exists, and in the email just put "you're already registered, your work here is done. That or, someone is trying to hack you, please ratchet paranoia accordingly". Since you shouldn't be registering with an email that isn't yours and the web page will just be a "please check your email for registration info" this will not tell the illegitimate user anything useful.

      • by vlm ( 69642 )

        in the email just put "you're already registered, your work here is done. That or, someone is trying to hack you, please ratchet paranoia accordingly"

        And if you're trying to attack an enemy on that site, its something of a three sided coin flip if you're better off freaking them out by re-registering them exactly once, or once per day psuedo-stalking, or a thousand times per hour mailbomb.

        • in the email just put "you're already registered, your work here is done. That or, someone is trying to hack you, please ratchet paranoia accordingly"

          And if you're trying to attack an enemy on that site, its something of a three sided coin flip if you're better off freaking them out by re-registering them exactly once, or once per day psuedo-stalking, or a thousand times per hour mailbomb.

          You could cap it at one message per day, week, etc. The message doesn't really have to be sent ever since it's for a registration that will not take place, except for the case where the user forgot they had an account altogether and are trying to create a new one, so you want some kind of personalized notification of such an incident. Once a week is probably enough to avoid having someone forget about it before they do it again. Also, you could give the option to turn the notification off entirely if yo

        • its something of a three sided coin flip

          Wow, a d3 coin!! My AD&D group would kill to own one!!

          • Roll a D12 modulo 3 add one, no killing necessary.
            • Roll a D12 modulo 3 add one, no killing necessary.

              Wow, that's way more obtuse than we ever did. We took a d6, divided the result by two, round up. And even that is an obtuse explanation for simple groupings: 1-2 = 1, 3-4 = 2, 5-6 = 3.

              Rolling d12s were annoying - of all the dice, they were the most likely to accidentally roll off the table because they often just didn't stop. Even the d20s didn't have that problem. (d100's did, too, but I only ever knew one guy who was so pathetic in his attempt to fit in with us social rejects in high school that he bo

          • its something of a three sided coin flip

            Wow, a d3 coin!! My AD&D group would kill to own one!!

            Grab any standard coin: Obverse, Reverse, Edge.

    • by omnichad ( 1198475 ) on Wednesday August 15, 2012 @10:10AM (#40997075) Homepage

      Sending the verification email at this step before letting them pick a password or complete their profile. The web site acts like it's a new account registration. The contents of the email sent will tell you whether it's already been registered or if it's a new account - and the link would either be to reset the password or to continue creating the account.

      That seems to do it. It's not terribly convenient for some, but it shouldn't be that much worse than the already existing email verification you see every day - just at an earlier step.

    • by vlm ( 69642 )

      Is there any alternative to throwing out a "this email address is already in use" error if a user attempts to register with someone else's email?

      Unfortunately yes, and its called "login with your facebook account"

      The other alternative since no one uses email anymore except old people, spammers, and presumably old people spammers, is to use something equally trendy. Require twitter handle. Or /. nickname. Or that MS live gamer-tag gamer-handle whatever its called (you can tell the only thing I've ever used it for is GTA4 on a PC)

    • by chill ( 34294 )

      Yes, display a "registration confirmation e-mail sent" and do it early on in the process. Require a confirming click before continuing.

      Send the e-mail. In the e-mail have a statement like "you already have an account -- would you like a reminder? If you didn't try and register here, just ignore this."

      The person looking for active accounts by rejection on the web site gets no feedback. Problem solved.

    • Yes and the answer is damn simple realy. Block access to any/all cloud storage providers, external smtp servers, email accounts and such at the network edge. If you're going to provide any access to outside services like that, it needs to be on systems that are completely locked down, isolated to their own network and with removable media completely disabled.

      Why any company would allow access to these kinds of services w/o a contract is beyond me since it makes it so damn easy for someone to simply copy any

      • Because people need to get work done and not every company can provide every thing for every employee. Security is always a balance.

        If you locked out Dropbox, then I could 'steal' documents using my USB Flash drive. Or just photograph screens with my iPhone. In fact, my iPhone has this nifty 'scanner' app that takes pictures of documents, does OCR and converts them to PDFs. Just the thing for industrial espionage (as if the 8MP camera wasn't enough).

        Just you go and try to block USB ports from a typical

  • So could a counter to this be to create accounts on as many systems as possible using your corporate account just to create noise?

    Maybe an early task for the IT department could be to create such accounts on the executive's behalf, and release them as required? Obviously this will be borderline (or plain beyond) the standard T&Cs for these sites, but at least they'd be able to claim another valued user (advertising viewer).

    Clearly you'd need to use a list of sites that won't get the corporation into

    • Why would it be a problem to just use one's personal email address? It seems to me that using your corporate email for anything else than just plain email and P2P communication is a bad idea.

      • Well, at the mid-management level, I know that I had accounts on vendor/customer websites (e.g. newegg, Dell, Costco) because I had to do business with them for my job. In some cases, like Newegg, I had my on personal account as well.

        I can easily see the need for an account on Dropbox or Twitter or FB or some other service that was tied expressly to your job, and not for you personally. I don't see as much of a case for C level positions, but I guess if you want to easily share files across computers it m

        • Having a business need was covered with...

          "If it's for business use then have a separate email set up for use with the site."

          • So if the user has accounts on 15 different sites, you would have them set up 15 different email address?

  • by Nyder ( 754090 ) on Wednesday August 15, 2012 @10:05AM (#40997005) Journal

    Always thought it was a bad idea. I was helping a buddy of mine get some online game going, and the place (EA Games) wants your email address as your log in ID. But my buddy, is like, "why do they want my email's password?" I try to explain, "They don't. They want you to use your email as your log in info, but make a new password." I'm pretty sure he used the same password as his email password. And honestly, that is way too easy to do like that.

    • by Minwee ( 522556 )

      Always thought it was a bad idea [...] (EA Games)

      You were right. Anything to do with EA Games is a bad idea.

      • They've got very good security - when I tried to contact them regarding something they refused to talk to me because I "gave the wrong date of birth". I used the Data Protection Act (UK) to get all the information they hold on me, and the date of birth was correct. So they wouldn't talk to me even though I had the right details, now that's what I call social engineering secure.
    • by Trepidity ( 597 )

      I agree, but I think they used it because it sweeps under the rug the other problem that usernames traditionally have, that people get frustrated that they can't find a username that's not taken. Your site can spend time building username-suggestion generators to try to help people find an unused one. But email addresses as usernames are guaranteed not to be taken by someone who can't access that email account. Also, it's one less thing the person has to make up on the spot, which means one less potential b

    • Always thought it was a bad idea. I was helping a buddy of mine get some online game going, and the place (EA Games) wants your email address as your log in ID. But my buddy, is like, "why do they want my email's password?" I try to explain, "They don't. They want you to use your email as your log in info, but make a new password." I'm pretty sure he used the same password as his email password. And honestly, that is way too easy to do like that.

      What is needed is a check process during setup of the new account, wherein the server will attempt to log into the appropriate site (Yahoo, Gmail, or whatever) with the same password. If it succeeds, a message appears chiding the user for being such a dolt. It would take some work to have a flexible and comprehensive list of such check procedures for different email services (a list of valid pop3 servers, web site login pages, etc) but it would be worth it in the long run so that sites could advertise (an

      • Of course, that's a crime in most jurisdictions, so any startup would get their website shutdown and their asses in court.

        • Of course, that's a crime in most jurisdictions, so any startup would get their website shutdown and their asses in court.

          lolwat. Not familiar with Mint.com, are you? Just build the appropriate text into the EULA and the "Accept" checkbox before you do it and you are golden. You are doing it with the user's explicit permission.

    • by PPH ( 736903 )

      Some want your e-mail address. They send a verification URL to that account prior to activating it. To make sure that you are a real person and that you aren't signing up for GoatLovers.com in someone else's name.

      Better designed sites will allow you to select an alternate ID and keep your e-mail (still required) private.

      And then there are those who make their money mining e-mail addresses for spammers.

    • by Leif_Bloomquist ( 311286 ) on Wednesday August 15, 2012 @10:49AM (#40997613) Homepage

      This is where services like Mailinator [mailinator.com] are invaluable. Just create a throwaway email address for each of all these stupid logins.

      I take it a step, further, though: I own my own domain and have made it a practice of using a custom email address for each site I need to log in to, i.e. sitename@mydomain.com . This way, each login is unique *and* I can track who is giving out my email address as spam.

      Yet the emails all go to one central inbox, so it's not inconvenient to get/search the confirmation messages.

      • Yep, I used to do the same thing. Unfortunately, I let my domain name expire a few years ago and haven't bothered to renew it, but it probably wouldn't be difficult to create a couple of Google/Yahoo/whatever throwaway addresses for login credentials and still have a separate e-mail address that you actually use to communicate with friends, peers, or other contacts.
      • by TCM ( 130219 )

        Don't use sitename@... use sitename-$rnd@... with $rnd being 4+- random chars.

        Makes guessing adresses harder in case some rogue forum admin tries to defame a competitor's forum or somesuch.

      • I do the same thing (re: custom email addresses) though since I use gmail to manage the domain, I also use subdomains as well to sort them (i.e., in order of importance of general class of address)

        note that the free gmail version using a "+" both exposes your address and doesn't work with a lot of sites whereas subdomains work just fine (if you host a domain w/gmail)
      • by Eil ( 82413 )

        I take it a step, further, though: I own my own domain and have made it a practice of using a custom email address for each site I need to log in to, i.e. sitename@mydomain.com

        This is what I liked about using gmail: you can append a +whatever to the username part of the address to let you know when a company sells or misuses your address. The downside is that in 2012, a good 50% of websites still don't understand that "+" is a valid character in an email address.

        When I set up my personal email server, I ad

    • by Anonymous Coward
      This is why my EA Games login is steveb@microsoft.com
  • by vlm ( 69642 ) on Wednesday August 15, 2012 @10:05AM (#40997013)

    Starwood hotel chain... Dropbox accounts ...

    Boring. Next thing you know we'll have a breathless account of how the secret leaked that they have facebook accounts too.

    A much more entertaining social hack would be to sign up for "exotic" hard core pr0n services, then change the sock puppet account email address to these famous execs addresses, then "leak" to journalists. Oh, look, a certain well known patent troll has an account on sheeplovers.com and NORML, whoever would have guessed?

    Or how about signing up prominent Republicans (Even better, Democrats!) for Pravda and Russia Today and CPUSA type-of accounts.

    • by OzPeter ( 195038 )

      Oh, look, a certain well known patent troll has an account on sheeplovers.com and NORML, whoever would have guessed?

      NORML? How quaint. In this day and age of witch hunts I would have thought NAMBLA would be a better choice.

    • Most websites nowadays require you to validate any email address, even if it wasn't the one you used when registering.

    • Boring. Next thing you know we'll have a breathless account of how the secret leaked that they have facebook accounts too.

      Much more clever. More interesting (on a nerd basis, not the social basis) would be a covert channel constructed entirely of fake registration addresses.

  • I don't think many people, if any, here should be surprised by this. However, if you really want to see just what the extent of OSINT that you can acquire on people starting with something as simple and common as an email address, check out Maltgeo (http://paterva.com/web5/). That thing is great for building OSINT-based profiles on individuals and organizations.

  • If your service can be cracked using no other information than knowing that your target uses it, your security is not good.

  • It's time to sign up a few more fake accounts on random social networks and porn sites using the email addresses of famous people. We have to keep the writers at Wired employed somehow.

    This time I think I will add "mhonan@gmail.com" to the mix...

    • by vlm ( 69642 )

      using the email addresses of famous people

      Don't forget their friends and family. Via the magic of social networking this is pretty trivial to figure out.

      So... republican medium level state politician with enemies Appears to have a wife who's got memberships on all the major abortion rights discussion websites. Insta-scandal! Or vice versa. You can play the race card, orientation card...

      Hell it might even be true without planting evidence... I remember some major federal level candidate a few years back who endlessly spouted off about his hatred

  • by Hillgiant ( 916436 ) on Wednesday August 15, 2012 @10:35AM (#40997403)

    Gmail will let you set up virtual email addresses. So you can register as MrBig+Facebook@gmail.com instead of MrBig@gmail.com. All the email still goes to MrBig@gmail.com, but tricks like the one in TFA do not work.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      +notation is not a virtual email address. It's good that gmail follows the RFC.

    • Gmail will let you set up virtual email addresses. So you can register as MrBig+Facebook@gmail.com instead of MrBig@gmail.com.

      Sadly, I've run into plenty of services which won't let me sign up because they claim that my email address contains invalid characters when my email address contains the '+' character.

  • If we all get to live in a banner-ad-riddled panopticon, it seems only fair that some of the same vulnerabilities should afflict the great and small alike.

  • Even if they they take steps to avoid exposing usernames, most sites are still vulnerable to timing attacks. Try logging in to a page repeatedly with a script. Most unprotected sites will take longer to return a response when the username is valid. when the username is not valid, the response returns immediately, while if the username is valid the system usually has to hash and compare the passwords, plus log data about login attempts.

Your password is pitifully obvious.

Working...