One password cracked and your business is history

Summary: Imagine that an old, nearly forgotten password is the only thing standing between a hacker and your entire business...

One thing that always makes me feel a bit uneasy when I blog or tweet is exposing myself to spearphishing vectors. One such vector I've mentioned a few times is the fact that I use Google Apps.

One thing that would make a hack attempt more difficult is that I use Google's two-factor authentication. Whenever I log in to the website a one-time code gets texted to my phone. That gives me some comfort at least.

Most people think of their email as the last stop in the security chain. Need to recover a forgotten password for a service? No problem, just get it emailed through. With a nice, tough, two-factor system in place that's a pretty secure setup, right?

Um, no.

Hackery

The problem with that arrangement is, regardless of whatever cloud setup you have, securing the email is too far down your infrastructure chain to protect against someone redirecting your email server somewhere else. "Above" your email server is your domain registrar that points people at your DNS service. The DNS service then points people at your email server.

If a hacker gets into your account at either the registrar or the DNS service level they can redirect your incoming emails from your server and into their server.

Say a hacker suspects or knows that you use a given service and they want to access it. The hacker goes into your registrar account, redirects the email and visits the target service's website. They click "forgot password", guess your username (usually not hard, or they may know it) and the forgot-password email goes into their server and not yours. They can then log onto the service at their leisure. They can -- and if they're being properly nefarious, they will -- also lock you out.
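The redirect described above shows up from the outside as a change in the domain's NS or MX records, so the defender's counterpart to this attack is a baseline check that runs regularly and shouts when the records drift. The block below is an added example, not code from this article or from any registrar; the domain, name servers and record sets are constructed, and `dig_resolver` assumes BIND's `dig` is installed (the offline `fake_resolver` stands in for it here).

```python
import subprocess
from typing import Callable, Dict, List, Set, Tuple

Resolver = Callable[[str, str], List[str]]  # (domain, rtype) -> lines as `dig +short` prints them

def _norm(name: str) -> str:
    return name.strip().rstrip(".").lower()  # 'MX.Example.COM.' == 'mx.example.com'

def dig_resolver(domain: str, rtype: str) -> List[str]:
    """Real lookup via `dig +short` (assumes BIND's dig is on the path); not called by the checks below."""
    out = subprocess.run(["dig", "+short", domain, rtype], capture_output=True, text=True, check=True)
    return [line for line in out.stdout.splitlines() if line.strip()]

def parse_mx(lines: List[str]) -> Set[Tuple[int, str]]:
    """'10 aspmx.l.google.com.' -> (10, 'aspmx.l.google.com')."""
    records = set()
    for line in lines:
        pref, host = line.split(None, 1)
        records.add((int(pref), _norm(host)))
    return records

def check_mail_path(domain: str, baseline: Dict[str, set], resolve: Resolver) -> List[str]:
    """Compare live NS and MX records with the baseline; return findings (empty list = no drift)."""
    observed = {"NS": {_norm(r) for r in resolve(domain, "NS")},
                "MX": parse_mx(resolve(domain, "MX"))}
    findings = []
    for rtype in ("NS", "MX"):
        want, got = baseline[rtype], observed[rtype]
        findings += [f"{rtype} added: {r}" for r in sorted(got - want)]
        findings += [f"{rtype} removed: {r}" for r in sorted(want - got)]
    # A hijacker need not delete your MX: one extra record with a lower preference value wins delivery.
    if observed["MX"] and min(observed["MX"])[1] != min(baseline["MX"])[1]:
        findings.append(f"primary mail host is now {min(observed['MX'])[1]}")
    return findings

# Constructed sample data: the baseline you record today and two possible lookup results.
BASELINE = {"NS": {"ns1.dns-host.example", "ns2.dns-host.example"},
            "MX": {(10, "aspmx.l.google.com"), (20, "alt1.aspmx.l.google.com")}}
HONEST = {"NS": ["ns2.dns-host.example.", "NS1.DNS-HOST.EXAMPLE."],
          "MX": ["20 alt1.aspmx.l.google.com.", "10 ASPMX.L.GOOGLE.COM."]}
HIJACKED = {"NS": ["ns1.dns-host.example.", "ns2.dns-host.example."],
            "MX": ["10 aspmx.l.google.com.", "20 alt1.aspmx.l.google.com.", "5 mx.unknown-host.example."]}

def fake_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Offline stand-in for dig_resolver, fed with the constructed tables above."""
    return lambda domain, rtype: table[rtype]

if __name__ == "__main__":
    for name, table in (("honest", HONEST), ("hijacked", HIJACKED)):
        print(name, check_mail_path("example.com", BASELINE, fake_resolver(table)) or ["no drift"])
```

Run it from cron with `dig_resolver` and page on any non-empty result; a resolver other than your own provider's is a good choice, since the point is to catch changes made above your own infrastructure.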

I'm seeing this as a particular problem for spearphishing attacks rather than general attacks, although it's plausible that you could automate this system.

This problem particularly worries me for the following reason: imagine it's ten years ago and your boss, since you're the IT manager, asks you to "get a domain name". You go online to a domain registrar and set up a new account. Ten years ago, was your idea of a strong password the string "p4ssw0rd"? Have you been back and changed it since?

Even in the process of writing this article I personally discovered the most important domain I had wasn't with the registrar I thought it was, and that the password to access the account was weak.

I'd be bold enough to say that the majority of readers with a domain registered around 2003 have a weak password on their registrar account and are actively at risk of having their domain co-opted using this method.

It doesn't matter if your email server has two-factor security and is hardened to the n-th degree. If someone can just own your domain with a password like "p4ssw0rd" and redirect your mail server, what's the point? I've tried not to say "a chain is only as strong as its weakest link" in this article, but there, I have done now.

This situation is totally ridiculous. Domain name registrars are so important in the cloud that without them there would be no cloud, yet they don't behave in the way such companies should. I went onto GoDaddy's website and tried to log into my account with an incorrect password 15 times and it kept letting me try again and again. After five attempts it presented a CAPTCHA test. You would expect any infrastructure service to simply outright lock the account way before that.

Similarly, how many registrars require minimum password strength? Forced password expiration? Two-factor authentication? Very few.

Solving the problem

The first, most obvious thing to do is go back to your domain registrar and any DNS services you use and set strong passwords. A site I use is www.strongpasswordgenerator.com, which makes it very easy to come up with sufficiently complex passwords. You also need to manually track when to expire and replace that password periodically, because the registrar likely won't do that for you.

The second thing to do is consider applying two-factor style security further up the chain. However, services that do this might be harder to come by.

Twitter friend Luke Carrier suggested Name.com as a registrar that has a two-factor option. I tried their two-factor system and it works as advertised and was very easy to set up. They use Symantec's VIP Access system. This is the classic two-factor approach of having a device that shows a one-time code that changes every 30 seconds or so. You can either use an app on your phone, or you can buy a physical tag from the company.

[Image: Name 2FA]
Screenshot of Name.com's logon form with an overlaid screenshot of Symantec's VIP Access app. This is the minimum you want from a registrar or DNS service provider.

I had a fish around for third-party DNS services that also offer two-factor. I found DNSimple, which offers a service through Authy. I tried this, and it too works as advertised.

I'm not looking to recommend services in this piece, just raise awareness of the issue. Let me know if you know of any registrar, DNS, or hosting services that use two-factor (comments, contact form, or Twitter), and I'll post a footnote on this article.

However, if I were making recommendations, I would err towards choosing services that use two-factor systems based on market leaders, such as Symantec and Vasco.

Conclusion

This realisation certainly came as a surprise to me, and the small handful of people I consulted whilst writing this piece did have weak passwords on their registrar account, their DNS service, or both.

Stay safe.

What do you think? Post a comment, or talk to me on Twitter: @mbrit.

Talkback

  • Google 2 Factor + Smartphone

    Isn't that a bit of a security problem? Often you will be logging into the Google account from your smartphone, so getting the SMS sent to that device isn't any stronger than no 2 factor.

    The other problem is, in my home-office, there is no mobile signal, so every time I'd want to log in, I'd have to go haring upstairs and wait for the SMS, before running back down to the office to type in the code.

    Something like a Yubikey would suit me better.
    wright_is
    • I second the Yubikey method

      Of course, the drawback is that you cannot sign in using a tablet or smartphone without a USB socket.
      WozNotWoz
    • Great article

      Instead of an SMS, just use the Google Authenticator app on your phone. Don't forget to pin lock your phone too. You only need to do this once per trusted PC btw. The idea is to keep third parties from using their PC to log into your acct if they have your password.

      Anyway, the chain of DNS security is a great point if you have a domain.
      LarsDennert
    • Google has an app for that. No need for SMS

      Google has an app for Android, iPhone, etc. whereby you can get a number for 2 degree identification. You don't need to get SMS.
      zanzibarblue
  • So, let me get this straight

    In order to have the "more secure" 2-factor authorization, I have to *pay* to receive a text on my phone? And no, I don't have a smartphone, nor even a non-smartphone under contract. I use pay-as-you-go (average cost for the time I buy is maybe $10/month, even including tax on the time purchases), but I'm not going to spend money every time I want to check my email.

    If that's the way they're heading, then Gmail is going to see the times I log into my account drastically drop off, quite possibly to zero...
    spdragoo@...
    • Paying to receive phone calls or texts is ridiculous!

      The only times I have to pay to receive calls (and I never pay to receive texts) is when I'm out of the UK when I pay the difference between what the call would cost were I in the UK and the total cost which is higher as it has to be routed to a different country. In the UK the cell phone numbers are all non-area-coded and all begin with "07" so anyone calling a cellphone knows that they are doing so and is prepared to pay the extra it may cost. The concept of a cellphone having an area code is weird as cellphones can be carried around the country to different areas so why have an area code in the first place? If I lived in the US, I'd start a lobby group to get the cellphone numbering system changed to something similar to what we have in the UK. Another advantage of the UK system is that when you give someone your landline number and your cellphone number, you don't have to tell them which is which as it's obvious from the numbers - no area codes begin with 07.
      JohnOfStony
      • It's not an area-code thing

        It's an airtime thing.

        With pay-as-you-go cellphones, you estimate how much time you'll need during the 90-day period, then buy prepaid minutes for your phone. Each minute of airtime gives you 1 minute to make a phone call, & my provider charges me $0.30US per text (both to send & receive), so 3 minutes of airtime gives me 10 text messages.

        The only reason I have an area code on my cell number is because it gets its phone number assigned based on where I'm at when the cellphone was activated. However, as far as making phone calls, it doesn't matter if I'm calling within my area code or calling 10 states away, it's still "1 minute on the call = 1 minute of airtime used".

        Now, granted, I'm not paying a whole lot for it (at $30-45US every 90 days, it works out to $10-15US per month)...but if I have to start paying almost $1US every time I check my email, that works out to *at least* $18-36US per month....or, in other words, I'll have to double or triple my cellphone expense per month *just to read my email*.
        spdragoo@...
    • How much is it worth?

      Pay what the security of two factor authentication is worth. How much is that? How much might being thrifty cost?
      ka5s@...
      • Considering how little I currently use the account

        the cost of not using 2-factor authorization is pretty nil for me. The Gmail account isn't my primary email account, so if I don't use it I won't lose access to anything important.
        spdragoo@...
  • Some rules more helpful than others

    Strong, complex passwords are critical, and more should be done to encourage and educate users. But some of the other common rules are counterproductive. Locking out should not happen too quickly--3 failed attempts is not enough for someone that properly uses different passwords for all their different accounts. Maybe 3 within a second, sure, lock the account, but otherwise give me at least 10 tries.

    But the worst one is the requirement to change them periodically without any reason to believe it has been compromised. If it is a strong password that has not been broken, it does not make it any more secure to change it. If you are properly using different passwords on all your accounts, constant changes just make it more difficult to remember, resulting in the completely insecure practice of post-it notes, or a single-point-of-failure password manager.
    smallbzznzz
  • thoughts

    "'Above' your email server is your domain registrar that points people at your DNS service. The DNS service then points people at your email server."

    Successful DNS redirect attacks are rare, from what I can tell. This falls under the category of "theoretically possible, but improbable." You *do* need to actually hack the registrar to make this happen - they won't do it on a whim.

    "After five attempts it presented a CAPTCHA test. You would expect any infrastructure service to simply outright lock the account way before that."

    15 attempts is only good enough to hack the top 15 passwords. And any service worth its salt should NOT be allowing you to use the top 15 passwords as a valid password.

    That being said - if they have it designed right, it *should* lock out mass login attempts, which indicate somebody's trying to perform a dictionary or brute force attack. Something like that would be indicated by hundreds to thousands of attempts, however.

    "Similarly, how many registrars require minimum password strength? Forced password expiration? Two-factor authentication? Very few."

    I don't think forced password expiration is a good idea - I have hundreds of passwords generated by KeePass, and updating them all when they expire would be a major pain. And it's not needed anyways, if they bother to require a minimum password strength.

    The other two I agree with.

    "Ten years ago, was your idea of a strong password the string 'p4ssw0rd'?"

    If it was - you were out of touch with best practices. Even back then, security experts knew better. Hopefully most people know better today. And honestly, the registrar should not be allowing weak passwords.
    CobraA1
    • Re: Successful DNS redirect attacks are rare

      Absolutely not! DNS poisoning is trivial. You don't need to hack anything and anyone. Just abuse the protocol.
      danbi
  • Interesting coincidence

    I am just back from a meeting where we discussed that same attack vector a few days ago, and your article comes now, almost word for word with one of the presentations :)
    To your doomsday story I could add that a sufficiently sophisticated attacker could set up a proxy for all services your domain provides, and could intercept all your communication without you ever noticing, including things like VoIP etc. Not fiction; it has been documented.

    Internet security is something which many, many people overlook. One of the weakest chains is DNS. We have been fighting an uphill battle with ignorance, to at least introduce DNSSEC. At least one major victory -- the DNS root is signed and more and more TLD registries begin to realise this is a significant requirement for their operation. But registrars and ISPs... total ignorance!

    Without DNSSEC, even if you have a very strong password and two-, three- etc. factor authentication with the registrar, you are not very protected. DNS poisoning is trivial. Say one wants to steal your password sent in an e-mail. All they need is to poison the e-mail sender's DNS servers, which are almost guaranteed NOT to be verifying DNSSEC signatures, and the e-mail will be sent their way. Mail is lost because of SPAM filtering, right? So you might not even pay attention.

    Everyone can do something to help fix this:
    - insist that your own domain is DNSSEC signed, with proper delegation up to the root. Do not accept excuses here. If one registrar/DNS hosting company cannot do it, another will.
    - insist that your ISP's resolvers (the DNS servers that you use) validate DNSSEC and never fall back to unsigned versions if DNSSEC does not work. I wouldn't personally trust Google's public DNS servers, although they claim to support DNSSEC, because they have been proven a few times not to do it properly and... Google might just serve you cooked results anyway.
    - spread the word. It is like with road traffic. Even if you are very careful, the driver running at you might even be drunk or stoned.
    danbi