Challenging Security Researchers and Coming off Second-Best
Challenging the security community to do something that you are basing a core part of your business on is always a risky move. It is something that you really need to get right the first time, or else it is going to be quite an embarrassing experience and is likely to cost reputation if news of the defeat is widespread.
A new webmail provider, which has based a core component of their service offering around offering "The most secure email accounts on the planet" might have to reconsider both their claims and their approach after a $10,000 USD challenge to break into a specified email account was defeated through a series of web based
With a big push of PR highlighting this challenge, it isn't going to go down well that the breach took place so quickly. Even if there were restrictive rules in place as to how the attack might be carried out, this isn't going to stop anyone who is attacking for real from using whatever means are at their disposal to access their victim's accounts.
From the description of the attacks carried out, the weakness is in how the user credentials and authentication is managed once the user has logged into the system (based on the described requirement for the attacker to launch it from a valid account), and relies upon the user having scripting permitted for the attack to work (from an IDG writeup, it seems that NoScript is enough to prevent the attack from being functional). This and other Cross Site Scripting flaws allow for credentials to be stolen, and for a victim's account to be taken over completely.
One of the researchers involved with the successful compromise of the targeted account has indicated that detailed information about the attack methodology will be released early next week.
Depending on the nature of the attack, this could pose problems for other service providers that rely upon physically separate channels for two-factor authentication, particularly in the case where messages sent to cell phones are used as the second authentication factor (as it is with this email provider and a number of banks which use it as a selling point of the security of their services).
7 June 2009
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.
Subscribe to our feed.