CEO EMAIL EXPOSURE: PASSWORDS AND PWNAGE

Introduction

Passwords have become the bane of our digital existence. We use so many different accounts and services that attempting to keep track of them all is an intimidating feat. In the workplace, the situation is hardly simpler – to conduct tasks and keep business moving, we’re obligated to sign in to various services.

Regular headlines announcing data breaches serve as reminders that these accounts are all too vulnerable. It’s safe to assume that a fair number of services one is registered to have already been compromised – leaking our identities, user credentials, and maybe even secrets.

F-Secure recently conducted a study of CEO emails to find out which breached services top executives are linking with their company email address. We used known email addresses for over 200 CEOs at the largest companies in 10 countries, who had been employed by the same company in some capacity for at least five years. We then checked those emails against our database of leaked credentials.

Among our findings:

- Nearly one in three (30%) of CEOs have used their company email address to register for a service that was later breached, exposing their password and other details.
- The most common breached services for CEOs to link their company email with are LinkedIn and Dropbox.
- 81% of CEOs have had their email address and other personal information exposed online in the form of spam lists or leaked marketing databases.
- Just 18% of CEOs have no leaks associated with their email address.

Our findings underscore the importance of using a unique, strong password for each online account. The passwords hacked from these services are floating around on the internet, waiting to be wielded by attackers in targeting their victims. Re-using a password to log in to a work-related account that has also been used for a breached service is a scenario that could be potentially exploited by a motivated attacker.
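As an added illustration of the study's method (this is not F-Secure's own tooling, and every address, service membership and spam-list entry below is constructed sample data), the script classifies each company address into the report's three categories and computes the overall and per-country percentages:

```python
"""Added example, not F-Secure's tooling: classify company email addresses against
a breach index the way the study describes and compute the report's percentages.
All addresses and index contents below are constructed sample data."""
from collections import defaultdict

# Constructed sample: company email address -> country of the CEO
CEOS = {
    "ceo-a@example.dk": "Denmark",
    "ceo-b@example.dk": "Denmark",
    "ceo-c@example.fi": "Finland",
    "ceo-d@example.jp": "Japan",
}
# Constructed breach index: service -> addresses found in that service's leaked
# credential dump (i.e. a password or password hash was exposed)
BREACHED_SERVICES = {
    "LinkedIn": {"ceo-a@example.dk", "ceo-c@example.fi"},
    "Dropbox": {"ceo-a@example.dk"},
}
# Constructed spam / marketing list dump: addresses only, no passwords
SPAM_LISTS = {"ceo-a@example.dk", "ceo-b@example.dk", "ceo-c@example.fi"}


def classify(email, breached, spam):
    """Return the report's three flags for one address. The first two overlap
    (an address can be in a credential dump and on spam lists), which is why
    the report's 30% + 81% + 18% exceeds 100%."""
    services = sorted(s for s, members in breached.items() if email in members)
    return {
        "breached_services": services,          # password leaked
        "on_spam_lists": email in spam,
        "no_leak": not services and email not in spam,
    }


def pct(part, whole):
    return round(100 * part / whole) if whole else 0


def summarise(ceos, breached, spam):
    """Overall and per-country percentages plus the top breached services."""
    counts = defaultdict(lambda: {"n": 0, "breached": 0, "spam": 0, "none": 0})
    hits = defaultdict(int)
    for email, country in ceos.items():
        row = classify(email, breached, spam)
        for bucket in (counts[country], counts["overall"]):
            bucket["n"] += 1
            bucket["breached"] += bool(row["breached_services"])
            bucket["spam"] += row["on_spam_lists"]
            bucket["none"] += row["no_leak"]
        for service in row["breached_services"]:
            hits[service] += 1
    report = {c: {k: pct(b[k], b["n"]) for k in ("breached", "spam", "none")}
              for c, b in counts.items()}
    report["top_services"] = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return report
```

Feeding it a real executive address list and a breach corpus reproduces the figures in the charts that follow; as the Overall results section notes, a hit only shows that the address was registered, not who registered it.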

Pwn (verb): To own or dominate an opponent; to compromise, control or illegally gain access to a device, server or application.


[Chart: Breakdown of breached services CEOs link with their company email. Services shown: LinkedIn, Dropbox, Adobe, Myspace, AstroPID, Disqus, Eroticy, NetEase, Other*. LinkedIn holds the largest share at 53%, followed by Dropbox at 18% and Adobe at 12%; each of the remaining services accounts for 2% to 3%.]

* 1% each: Ashley Madison, Boxee, Dodonew, Emodo, Forbes, GTA Gaming Leet, mSpy, Stratfor, VK, 000Webhost

CEO email exposure

  30%   Associated with breached service, password leaked
  81%   On leaked spam / marketing lists
  18%   No leakage found


Overall results

Overall, 30% of CEOs have had their passwords exposed on breached sites. This percentage will obviously be higher where adoption of online services is higher. One might expect CEOs of information technology companies, for example, to adopt these services more readily. Our findings support this expectation – of tech CEOs, 63% are registered with breached services.

The top breached service for CEOs to link their company email address with is, predictably, the professional networking site LinkedIn, followed by Dropbox, Adobe and Myspace.

When considering these results we should also state the disclaimer that it is of course possible for someone to attempt to register on a website using someone else’s email address. Whether or not this information is stored in the service’s database, however, depends on whether or not the database stores unverified registrations (which is likely, since in order to verify an email address it must be stored somewhere).


CEOs using breached services, by country

  Denmark      62%
  Finland      40%
  France       13%
  Germany      10%
  Italy        27%
  Japan         9%
  Netherlands  43%
  Sweden       27%
  UK           14%
  USA          38%

CEO details leaked on spam and other lists, by country

  Denmark      86%
  Finland      65%
  France       91%
  Germany      81%
  Italy        50%
  Japan        45%
  Netherlands  95%
  Sweden       77%
  UK           95%
  USA          95%


Results by Country

Out of ten countries, the CEOs most likely to link their email to these breached services are in Denmark, at 62%, followed by the Netherlands at 43%. Those least likely are in Japan, at only 9%.

Aside from accounts on breached services, CEOs are highly likely to have their emails and other details such as physical addresses, birthdates and phone numbers exposed in the form of spam lists and leaked marketing databases. 81% have had their information leaked in this manner, with CEOs in the UK, USA, Netherlands and France topping the list. Italy and Japan had the lowest numbers of CEOs appearing on these lists.


CEO emails not associated with leaks, by country

  Denmark      14%
  Finland      35%
  France        4%
  Germany      19%
  Italy        41%
  Japan        55%
  Netherlands   5%
  Sweden       23%
  UK            5%
  USA           5%


Just 18% of CEO email addresses are not associated with any leak or hack. The greatest number in this category are in Japan, at 55%, and Italy, at 41%. Only 4% of CEOs in France have email addresses that are unassociated with any hack, and only 5% in the UK, the USA and the Netherlands.


Conclusions

Should CEOs connect services such as LinkedIn and Dropbox to their company email address? F-Secure Chief Information Security Officer Erka Koivunen points out that from a security standpoint, there are legitimate reasons to do so, but only when one is using the service to represent the company in a spokesperson role or when the service is being used for business purposes.

Using a private email address that’s not known to a larger audience could be seen as a tactical advantage in terms of the earliest stage of the cyber kill chain; namely, the reconnaissance, Koivunen says. Opportunistic attackers may skip targeting someone if they haven’t bothered to check against their private personas. But there are drawbacks in terms of defense in the later stages of the kill chain.

“When using a private email, a personal phone number or a home address to register for a service that the CEO uses to conduct official business, the CEO effectively denies the company’s IT, communications, IPR, legal, and security teams a chance to protect the credentials, monitor their misuse or attempts to compromise them and makes it nearly impossible to recover them later,” Koivunen says. “To an attacker, a CEO who uses private email to register for a service they use in an official capacity, spells a loner - someone who goes it alone and doesn’t bother to rely on his/her staff to provide protection.”

Should a CEO lose control over their LinkedIn and Twitter accounts due to compromise, for example, the attacker would immediately change the passwords and lock the CEO out of his or her own accounts.

“If the CEO has registered for those accounts using a private Gmail address, it may be difficult to try to convince LinkedIn, Twitter or Google that he or she really is the rightful owner of those accounts,” Koivunen says. “In contrast, if the CEO needs to reset their company e-mail password, they simply ask IT support to reset it.”

When exploited by a motivated attacker, these seemingly small details can become big stories, as evidenced by the hack of former US secretary of state Colin Powell’s Gmail account last year. The hack divulged Powell’s candid thoughts on a range of highly charged political issues and prominent people, making waves during the 2016 US presidential campaign. Researchers say the hack may have been caused by Powell’s use of the same password to protect his Gmail account that he used for his Dropbox account. The Dropbox list of 68 million accounts compromised in 2012 was made public in August 2016, just a few weeks before Powell’s emails were published online.


Password advice from a white hat hacker

Tom Van de Wiele, Principal Security Consultant at F-Secure, is an expert at breaking into accounts in his work as an ethical hacker. Here are his tips for keeping your accounts safe:

Use a unique and strong password for each online account. Length always wins, and a minimum of 14 characters is recommended.

Don’t invent password logic that can be used against you. “Attackers are not psychic, but after ‘cappuccino16’ and ‘macchiato17’ as passwords, it doesn’t take an AI cluster to figure out the next one,” Van de Wiele says.

Use two-factor authentication if the service offers it, but avoid the use of SMS passcodes if you can. Offline authenticators or hardware-based tokens are always preferred.

Know the lockout or recovery scenario for each service you use, as this is the step an attacker will likely target. And don’t let the recovery of your accounts be dependent on knowing a pet’s name, alternative e-mail address or your first car. (The targeted attacker already knows these things about you.)

Be careful about using social login, a form of single sign-on (SSO) which lets you log into a third party service using credentials from a social media site (e.g., “log in with LinkedIn”). “SSO is great for certain scenarios, but not when you have a lot of online services for which you get email. One will be a phishing email and if you fall for it, the attacker will have your password for all your services that support SSO,” says Van de Wiele.

Use a password manager, preferably one for which only you (not the company behind it) know your master password. Be wary of cloud-based password managers that don’t require access to the device in order to log into them – these can be exploited remotely by attackers to gain access to all your passwords.
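Two of these rules, the 14-character minimum and the rejection of predictable variations such as the cappuccino16/macchiato17 pair, expressed as a check a password-change handler could run. This is an added example rather than anything from F-Secure or Van de Wiele; the rule names and the sample passwords are constructed.

```python
"""Added example (not from the report): two of the tips above as checks a
password-change handler could run.  All sample passwords are constructed."""
import re

MIN_LENGTH = 14  # "a minimum of 14 characters is recommended"

# Split "cappuccino16" into a stem ("cappuccino") and a trailing counter (16)
_STEM_AND_COUNTER = re.compile(r"^(.*?)(\d+)$")


def _stem_and_counter(pw):
    m = _STEM_AND_COUNTER.match(pw)
    return (m.group(1), int(m.group(2))) if m else (pw, None)


def is_predictable_successor(new_pw, previous):
    """True when new_pw follows an obvious pattern from an earlier password:
    the same stem with only the counter changed (cappuccino16 -> cappuccino17),
    or the counter stepped by one with a new word in front of it
    (cappuccino16 -> macchiato17, the case quoted above)."""
    new_stem, new_counter = _stem_and_counter(new_pw)
    if new_counter is None:
        return False
    for old in previous:
        old_stem, old_counter = _stem_and_counter(old)
        if old_counter is None:
            continue
        if new_stem.lower() == old_stem.lower():
            return True  # only the counter changed
        if new_counter == old_counter + 1:
            return True  # counter incremented, word swapped
    return False


def check_password(new_pw, previous=()):
    """Return the list of policy violations; an empty list means acceptable.
    `previous` is the user's password history (constructed in the test)."""
    problems = []
    if len(new_pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if new_pw in previous:
        problems.append("reused")
    elif is_predictable_successor(new_pw, previous):
        problems.append("predictable variation of an earlier password")
    return problems
```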