The Problem With Corporate Webmail

This article is more than 10 years old.

The first step in hacking the company of your choice may be as simple as Googling “Company X webmail.” The search will in many cases lead you to the front door of a company's fortress of sensitive information and documents. (Try it with your own company.) If an attacker figures out the right knock to get in -- which in many cases is just a username/password -- that company may wind up with a huge and potentially expensive data breach on its hands.

That's what happened to us at Forbes. The Syrian Electronic Army's attack on us last month started with the infiltration of our webmail system. The SEA had been able to track down our Microsoft Outlook web interface and convincingly spoof it. They were then able to trick a few Forbes employees into entering their credentials on a fake Forbes webmail page after they clicked on links in spear phishing emails. Once the three SEA hackers got into our email system, chaos ensued.

“Email is the skeleton key for all other accounts,” says Troy Hunt, a Microsoft security expert based in Australia who created the site “HaveIBeenPwned?,” which, as you might expect given the name, lets you know if you're part of any of the data breaches that the site tracks (including Forbes's). Hunt created it after three of his email addresses were among the millions that showed up in an October Adobe hack.

"Once they get into your email, they can use it to gain access to all of the other accounts linked to that email address," says Hunt. In Forbes' case, the attackers used email accounts to gain access to the online publishing platform, which let them post content and dive into the database of over one million users thanks to the administrative rights of one of the employees compromised.

Forbes's attackers knew what the webmail page looked like because it was easy to find online. It was as obvious a URL as "firstname.lastname@gmail.com" is an email address. We are not alone in that. Swapping out the "Forbes" in our obvious URL for another news organization's name takes me to their webmail log-in system, meaning an attacker would know how to mimic it as they did ours. We should have had a more obscure entry point to our browser-based email, but URL obscurity is not enough if the webmail page shows up in a Google search.

Webmail's "ubiquitous availability... is a double-edged sword," wrote security firm Symantec in a recent blog post. "The price paid for universal access is a greatly increased attack surface area."

Symantec advises companies to hide their webmail page from search engine crawlers by "setting up a robots.txt in the root of your webmail server," which tells search engines such as Google, Yahoo, and Bing not to return the page in search results. It also tells them to "avoid generic or easily guessable webmail URLs (such as webmail.domain.com or mail.domain.com)" and to limit the number of employees who have access to webmail to those who really need it. The most important advice they give, though, is to use two-factor authentication.
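The robots.txt advice above is easy to get wrong in practice, so here is an added example (not code from the article, Symantec, or Forbes) that checks a robots.txt file with Python's standard `urllib.robotparser`. The two robots.txt bodies and the webmail path `/owa/` are constructed for the illustration. It shows the two things a practitioner should verify: that well-behaved crawlers are told to stay off the whole webmail host, and that the file does not itself advertise the webmail path by listing it as the only disallowed entry. A robots.txt is a request to crawlers, not access control, so it complements rather than replaces two-factor authentication or VPN-gating.

```python
from urllib.robotparser import RobotFileParser

# Constructed example 1: the form Symantec's advice calls for on a
# dedicated webmail host. Every crawler is told to fetch nothing.
ROBOTS_HIDE_ALL = """\
User-agent: *
Disallow: /
"""

# Constructed example 2: a common mistake. Only the webmail path is
# disallowed, so the file itself names the path an attacker would want.
ROBOTS_LEAKS_PATH = """\
User-agent: *
Disallow: /owa/
"""


def crawler_may_fetch(robots_txt: str, user_agent: str, path: str) -> bool:
    """Return True if robots.txt permits `user_agent` to fetch `path`.

    `robots_txt` is the file body as a string; parse() takes an iterable
    of lines, so the body is split rather than fetched over the network.
    """
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(user_agent, path)


def disclosed_paths(robots_txt: str) -> list[str]:
    """List Disallow entries other than '/' (a blanket rule).

    Each such entry is a path the file hands to anyone who reads it, which
    is the opposite of hiding the webmail entry point.
    """
    found = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.lower().startswith("disallow:"):
            value = line.split(":", 1)[1].strip()
            if value and value != "/":
                found.append(value)
    return found


def webmail_hidden(robots_txt: str, webmail_path: str = "/owa/") -> bool:
    """True only if crawlers are kept off the webmail path AND the file
    does not disclose any specific path in doing so."""
    blocked = not crawler_may_fetch(robots_txt, "Googlebot", webmail_path)
    return blocked and not disclosed_paths(robots_txt)


if __name__ == "__main__":
    for name, body in (("hide-all", ROBOTS_HIDE_ALL),
                       ("leaks-path", ROBOTS_LEAKS_PATH)):
        print(f"{name}: crawler blocked={not crawler_may_fetch(body, 'Googlebot', '/owa/')}, "
              f"disclosed={disclosed_paths(body)}, acceptable={webmail_hidden(body)}")
```

Run it against the robots.txt actually served at the root of the webmail host (fetched separately) to confirm the blanket rule is in place; an empty or missing robots.txt permits everything.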

HaveIBeenPwned's Troy Hunt says companies can set their webmail to only grant access to those on a VPN (virtual private network), but in order to keep it simple, the best option is two-factor authentication. This requires a person to enter a code sent to them, via their phone for example, after entering a username and password. That means security is based not just on what one knows (a username/password that can be stolen) but on something they have on them.
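The paragraph above describes the second factor from the user's side. The following is an added example (not code from the article, Forbes, or Troy Hunt) of what the server side of a "code sent to your phone" factor has to do for the stolen-password scenario to fail: issue a random code, store only a keyed hash of it, expire it after a few minutes, cap guesses, and invalidate it after one use. The class `OtpStore`, the function `login`, the user `alice`, the PBKDF2 password hashing, and the 300-second lifetime are all assumptions made for this illustration; sending the code over SMS or a push channel is left as a `deliver` callback.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

CODE_TTL_SECONDS = 300      # assumed lifetime of a delivered code
MAX_ATTEMPTS = 5            # assumed guess cap per issued code


class OtpStore:
    """Server-side state for one-time codes delivered out of band."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        # username -> (HMAC of code, expiry timestamp, attempts so far)
        self._pending: Dict[str, Tuple[bytes, float, int]] = {}

    def _mac(self, username: str, code: str) -> bytes:
        # Store a keyed hash, not the code, so a leaked table is useless.
        return hmac.new(self._key, f"{username}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, username: str, now: Optional[float] = None) -> str:
        """Create a fresh 6-digit code for `username` and return it for delivery."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
        self._pending[username] = (self._mac(username, code), now + CODE_TTL_SECONDS, 0)
        return code

    def verify(self, username: str, submitted: str, now: Optional[float] = None) -> bool:
        """Accept `submitted` once, within the lifetime and guess cap."""
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if now > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[username]           # burn expired/overused codes
            return False
        self._pending[username] = (digest, expires_at, attempts + 1)
        ok = hmac.compare_digest(digest, self._mac(username, submitted))
        if ok:
            del self._pending[username]           # single use
        return ok


# --- first factor: a password hash table (constructed sample user) ---
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, hash_password("correct horse battery staple", _SALT))}


def login(store: OtpStore, username: str, password: str, code: str,
          now: Optional[float] = None) -> bool:
    """Both factors must pass. A phished password alone is not enough."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    if not hmac.compare_digest(stored, hash_password(password, salt)):
        return False
    return store.verify(username, code, now)


def start_login(store: OtpStore, username: str, password: str,
                deliver: Callable[[str, str], None], now: Optional[float] = None) -> bool:
    """Step 1 of the flow: check the password, then send a code if it was right."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    if not hmac.compare_digest(stored, hash_password(password, salt)):
        return False
    deliver(username, store.issue(username, now))
    return True


if __name__ == "__main__":
    store = OtpStore(secrets.token_bytes(32))
    sent = {}
    start_login(store, "alice", "correct horse battery staple", sent.__setitem__)
    print("password only:", login(store, "alice", "correct horse battery staple", "000000"))
    print("password + code:", login(store, "alice", "correct horse battery staple", sent["alice"]))
```

The two things worth checking in your own implementation are the ones the tests below exercise: a code cannot be replayed after a successful login, and it stops working after the guess cap or the lifetime, so an attacker holding only the phished password cannot brute-force the six digits.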

Of course, like all security measures, it’s not insurmountable. People have been tricked into handing over their “second factor,” such as the woman who gave up her Gmail code to a hacker who contacted her via chat pretending to be her friend.

“It’s unanimously accepted in security that the weakest link is the human element,” says Troy. “It’s not about reaching a point of absolute security. It’s like the safety of a vehicle. Some are safer than others but if you drive 100 mph into a brick wall, it doesn’t matter.”

The big takeaway for Forbes and others from our hack: we need additional security measures around our email, notably two-factor authentication.

“There’s complacency out there that’s leading to these breaches,” says Hunt. “What we’ve got to understand is that you don’t necessarily have to hold data that’s valuable. The hacktivist world is very opportunistic. If they find a vulnerability with something that’s going to get them press, they’re going to take advantage of it.”