Exclusive Interview with StrongWebmail’s $10,000 Hacker

by FireHost Evangelist on June 9th, 2009

Last week, web mail security company StrongWebmail’s $10,000 hacking challenge was defeated. Lance James, who led the team of hackers, agreed to give an exclusive interview to FireHost.

FireHost: Hello Lance James, thanks for the time to chat with us on FireBlog today.

Lance James: Thank you.

FireHost: Didn’t you write the book on phishing, literally?

Lance James: Yes, I wrote a book dubbed “Phishing Exposed” highlighting how phishers operate and detailing the underground economy based on the forensic research we (Secure Science) discovered through our investigations.

FireHost: So how did you get involved with the StrongWebMail hacking challenge?

Lance James: Someone presented it to me as just a humorous afterthought, and of course, upon my principle to show why XSS shouldn’t be underestimated, we took the challenge.

FireHost: Who were the others on your team?

Lance James: Two very well respected security professionals: Mike Bailey (known for hacking McAfee ScanAlert), and Aviv Raff (known for his DLL-injection attack on IE 7). I’ve worked with Aviv before and am familiar with Mike’s work. I used Twitter to recruit them both, and they happily volunteered.

FireHost: What challenges did you encounter while going after this hack?

Lance James: Very little on locating the actual attack vector. The exploit was the most challenging, but mainly just getting it not to be an obvious exploit. The biggest challenge was coming up with the way we would get the CEO to check his email, since we didn’t even know if they check that account.

FireHost: Do you think they were surprised they got owned?

Lance James: I think they were surprised that it happened so soon. I think they didn’t expect it, but I also figured they would be prepared for a response such as, “you didn’t break our authentication mechanism though so…”, which is what they did with their official blog response.

FireHost: Would you mind describing to our readers what the winning technique was that got in?

Lance James: We found multiple holes within the webmail system once we had an account of our own. We chose to exploit an injection vulnerability within the “subject” field. We then wrote an exploit that would poll the inbox, session cookies and task list and report it to a log file. First we emailed the CEO account claiming that we thought we won, containing an XSS exploit. Finally we came up with the idea to force them to read the “CEO” email account by emailing support@strongwebmail.com that we thought we won and that details were in the CEO account. This worked and got us the task list within 2 minutes of sending those emails. I want to add that the webmail vulnerabilities were quickly patched after we performed this hack.

FireHost: What message would you like to give the security industry, specifically companies willing to make such challenges to the public?

Lance James: Expect to be woken up. Contests do and don’t work. They do if you stop and realize, wait, these don’t work! The hope is to open your eyes and realize security is about an ecosystem, not just one component. You can have a steel door and have the windows open, and attackers can still get in. Also these types of contests eliminate the reality of threats. Today’s online criminals will get in because they don’t have to abide by such rules. For example, if we wrote malicious software to win, it would have been illegal, but a real attacker could easily write session-riding malware that would bypass their authentication altogether. Their solution doesn’t address these problems, and the way StrongWebMail markets their products provides a false sense of security (a term I call “Secure-by-Marketing”). Basically you’re saying: “Wow, that padlock LOOKS strong!” Response: “Thanks, I made it out of clay!”

FireHost: What do you think about SaaS security and, more generally, the security of free cloud services such as Yahoo Mail, Gmail and GoogleApps?

Lance James: I think SaaS, and the buzzword of cloud security, is no different than it ever was; it’s just now widely used. So obviously companies such as Gmail, Yahoo and the like have to be more aware of attack vectors. I’m more concerned with social networks that have a malformed version of trust built within them. End users are finally realizing that the “cloud” is something we might not be able to trust in general; think phishing attacks. Twitter, Facebook, etc., those are new paradigms with viral mechanisms, so one attack vector can target a massive set of victims all at once.

FireHost: Lance, we have worked together in the past on fighting cyber crime and I know your company Secure Science has a history of anti-phishing efforts especially for the banking industry. What is your focus these days?

Lance James: We still focus on counter-intelligence, but we’re on a mission to bring up the fact that if you can start thinking about preventing the simple attack vectors that we see daily, you could lower the amount of room the phishers have for attacking the world-wide end users. This year we are partnering up with another security firm to offer free audits to certain web services out there to initiate an understanding of just how easy it is to break these systems and, more importantly, how easy it is to make sure you’re not vulnerable. Misplaced trust is the future of phishing and malware attacks. If I can be the bank.com that you put your trust in, and you get attacked by bank.com, then who can you trust?

FireHost: Thanks for your time today, Lance. Last question for you: what traits do you think make an ideal secure hosting service?

Lance James: The best trait is to understand nothing is bulletproof, including you. The way you can assure your customers that you are doing the best you can when it comes to offering secure solutions is to be a part of the community, get regular security audits and always ask questions like: “What can we do to be more secure?” You want their trust, but remember trust starts with honesty.

*** Update: Lance was officially paid by StrongWebmail ***
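As an added illustration (not code from the interview or from StrongWebmail), here is the class of bug Lance describes, an inbox view that drops the untrusted subject field straight into the page, beside the hardened rendering and a small audit check; the sample messages and function names are constructed for this example.

```python
# Added example, not from the interview or StrongWebmail: the message
# sample and function names below are constructed for this demonstration.
import html
import re

# Constructed sample inbox; the second subject carries markup that a
# browser would treat as code if the field reached the page unescaped.
MESSAGES = [
    {"from": "alice@example.com", "subject": "Lunch on Friday?"},
    {"from": "attacker@example.com",
     "subject": "Won the challenge <script>/* would run here */</script>"},
]

# Tags the inbox template itself emits; anything else in the output
# must have come through from message data.
TEMPLATE_TAGS = {"table", "tr", "td"}
TAG_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)")


def render_inbox_unsafe(messages):
    """The bug class the interview describes: untrusted header fields
    concatenated into the HTML of the inbox listing as-is."""
    rows = [f"<tr><td>{m['from']}</td><td>{m['subject']}</td></tr>"
            for m in messages]
    return "<table>" + "".join(rows) + "</table>"


def render_inbox_safe(messages):
    """Hardened version: every untrusted field is HTML-escaped for the
    text context it lands in, so markup in a subject is displayed as text."""
    rows = ["<tr><td>{}</td><td>{}</td></tr>".format(
                html.escape(m["from"], quote=True),
                html.escape(m["subject"], quote=True))
            for m in messages]
    return "<table>" + "".join(rows) + "</table>"


def foreign_tags(rendered):
    """Audit check for a rendered inbox page: return, sorted, any tag names
    that are not part of the template, i.e. that leaked in from data."""
    found = {name.lower() for name in TAG_RE.findall(rendered)}
    return sorted(found - TEMPLATE_TAGS)


if __name__ == "__main__":
    print("unsafe view leaks:", foreign_tags(render_inbox_unsafe(MESSAGES)))
    print("safe view leaks:  ", foreign_tags(render_inbox_safe(MESSAGES)))
```

Escaping on output is the fix for the subject-field injection; marking the session cookie HttpOnly additionally keeps page script from reading it if an injection does slip through.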


This entry was posted on Tuesday, June 9th, 2009 at 5:00 pm and is filed under Security.

