CEO EXPOSURE: PASSWORDS AND PWNAGE

Transcription

1 CEO EXPOSURE: PASSWORDS AND PWNAGE

2 Introduction Passwords have become the bane of our digital existence. We use so many different accounts and services that attempting to keep track of them all is an intimidating feat. In the workplace, the situation is hardly simpler to conduct tasks and keep business moving, we re obligated to sign in to various services. Regular headlines announcing data breaches serve as reminders that these accounts are all too vulnerable. It s safe to assume that a fair number of services one is registered to have already been compromised leaking our identities, user credentials, and maybe even secrets. F-Secure recently conducted a study of CEO s to find out which breached services top executives are linking with their company address. We used known addresses for over 200 CEOs at the largest companies in 10 countries, who had been employed by the same company in some capacity for at least five years. We then checked those s against our database of leaked credentials. Among our findings: Nearly one in three (30%) of CEOs have used their company address to register for a service that was later breached, exposing their password and other details. The most common breached services for CEOs to link their company with are LinkedIn and Dropbox. 81% of CEOs have had their address and other personal information exposed online in the form of spam lists or leaked marketing databases. Just 18% of CEOs have no leaks associated with their address. Our findings underscore the importance of using a unique, strong password for each online account. The passwords hacked from these services are floating around on the internet, waiting to be wielded by attackers in targeting their victims. Re-using a password to log in to a work-related account that has also been used for a breached service is a scenario that could be potentially exploited by a motivated attacker. Pwn (verb): To own or dominate an opponent; to compromise, control or illegally gain access to a device, server or application. 2

3 Overall results 30 % 81 % 18 % Associated with breached service, password leaked On leaked spam / marketing lists No leakage found CEO exposure Overall, 30% of CEOs have had their passwords exposed on breached sites. This percentage will obviously be higher where adoption of online services is higher. One might expect CEOs of information technology companies, for example, to adopt these services more readily. Our findings support this expectation of tech CEOs, 63% are registered with breached services. The top breached service for CEOs to link their company address with is, predictably, the professional networking site LinkedIn, followed by Dropbox, Adobe and Myspace. 53 % 18 % 3 % 3 % 3 % 2 % 2 % 2 % 12 % LinkedIn Dropbox Adobe Myspace AstroPID Disqus Eroticy NetEase Other* * 1 % each: Ashley Madison, Boxee, Dodonew, Emodo, Forbes, GTA Gaming Leet, mspy, Stratfor, VK, 000Webhost Breakdown of breached services CEOs link with their company When considering these results we should also state the disclaimer that it is of course possible for someone to attempt to register on a website using someone else s address. Whether or not this information is stored in the service s database, however, depends on whether or not the database stores unverified registrations (which is likely, since in order to verify an address it must be stored somewhere). 3

4 Results by Country Out of ten countries, the CEOs most likely to link their to these breached services are in Denmark, at 62%, followed by the Netherlands at 43%. Those least likely are in Japan, at only 9%. 62 % 40 % 27 % 43 % 27 % 38 % 13 % 10 % 9 % 14 % Denmark Finland France Germany Italy Japan Netherlands Sweden UK USA CEOs using breached services, by country Aside from accounts on breached services, CEOs are highly likely to have their s and other details such as physical addresses, birthdates and phone numbers exposed in the form of spam lists and leaked marketing databases. 81% have had their information leaked in this manner, with CEOs in the UK, USA, Netherlands and France topping the list. Italy and Japan had the lowest numbers of CEOs appearing on these lists. 86% 91 % 81 % 95 % 77 % 95 % 95 % 65 % 50 % 45 % Denmark Finland France Germany Italy Japan Netherlands Sweden UK USA CEO details leaked on spam and other lists, by country 4

5 Just 18% of CEO addresses are not associated with any leak or hack. The greatest number in this category are in Japan, at 55%, and Italy, at 41%. Only 4% of CEOs in France have addresses that are unassociated with any hack, and only 5% in the UK, the USA and the Netherlands. 55 % 35 % 41 % 14 % 4 % 19 % 23 % 5 % 5 % 5 % Denmark Finland France Germany Italy Japan Netherlands Sweden UK USA CEO s not associated with leaks, by country 5

6 Conclusions Should CEOs connect services such as LinkedIn and Dropbox to their company address? F-Secure Chief Information Security Officer Erka Koivunen points out that from a security standpoint, there are legitimate reasons to do so, but only when one is using the service to represent the company in a spokesperson role or when the service is being used for business purposes. Using a private address that s not known to a larger audience could be seen as a tactical advance in terms of the earliest stage of the cyber kill chain; namely, the reconnaissance, Koivunen says. Opportunistic attackers may skip targeting someone if they haven t bothered to check against their private personas. But there are drawbacks in terms of defense in the later stages of the kill chain. When using a private , a personal phone number or a home address to register for a service that the CEO uses to conduct official business, the CEO effectively denies the company s IT, communications, IPR, legal, and security teams a chance to protect the credentials, monitor their misuse or attempts to compromise them and makes it nearly impossible to recover them later, Koivunen says. To an attacker, a CEO who uses private to register for a service they use in an official capacity, spells a loner - someone who goes it alone and doesn t bother to rely on his/her staff to provide protection. Should a CEO lose control over their LinkedIn and Twitter accounts due to compromise, for example, the attacker would immediately change the passwords and lock the CEO out of his or her own accounts. If the CEO has registered for those accounts using a private Gmail address, it may be difficult to try to convice LinkedIn, Twitter or Google that he or she really is the rightful owner of those accounts, Koivunen says. In contrast, if the CEO needs to reset their company password, they simply ask IT support to reset it. When exploited by a motivated attacker, these seemingly small details can become big stories, as evidenced by the hack of former US secretary of state Colin Powell s Gmail account last year. The hack divulged Powell s candid thoughts on a range of highly charged political issues and prominent people, making waves during the 2016 US presidential campaign. Researchers say the hack may have been caused by Powell s use of the same password to protect his Gmail account that he used for his Dropbox account. The Dropbox list of 68 million accounts compromised in 2012 was made public in August 2016, just a few weeks before Powell s s were published online. 6

7 Password advice from a white hat hacker Tom Van de Wiele, Principal Security Consultant at F-Secure, is an expert at breaking into accounts in his work as an ethical hacker. Here are his tips for keeping your accounts safe: Use a unique and strong password for each online account. Length always wins, and a minimum of 14 characters is recommended. Don t invent password logic that can be used against you. Attackers are not psychic, but after cappuccino16 and macchiato17 as passwords, it doesn t take an AI cluster to figure out the next one, Van de Wiele says. Use two-factor authentication if the service offers it, but avoid the use of SMS passcodes if you can. Offline authenticators or hardware-based tokens are always preferred. Know the lockout or recovery scenario for each service you use, as this is the step an attacker will likely target. And don t let the recovery of your accounts be dependent on knowing a pet s name, alternative address or your first car. (The targeted attacker already knows these things about you.) Be careful about using social login, a form of single sign-on (SSO) which lets you log into a third party service using credentials from a social media site (e.g., log in with LinkedIn ). SSO is great for certain scenarios, but not when you have a lot of online services for which you get . One will be a phishing and if you fall for it, the attacker will have your password for all your services that support SSO, says Van de Wiele. Use a password manager, preferably one for which only you (not the company behind it) know your master password. Be wary of cloud-based password managers that don t require access to the device in order to log into them these can be exploited remotely by attackers to gain access to all your passwords. 7