Website Technology Issues Forum

    
Learning Lessons From The "Twitter Hacker" Incident
engine
msg:3955847
3:52 pm on Jul 20, 2009 (gmt 0)

There are some important lessons to learn from the recent Twitter Hacker Incident, and we can all benefit by looking at the way the hacker approached it.

Learning Lessons From The "Twitter Hacker" [pcworld.com] Incident
Hacker Croll started by building a profile of his target company, in this case Twitter. Basically, he assembled a list of employees, their positions within the company, and their associated e-mail addresses. After the basic information was accumulated, Croll built a small profile for each employee with their birth date, names of pets, and so on.

After Croll had created these profiles, he just went about knocking on doors until one fell down. That's exactly what happened when he did a password recovery process for a Twitter employee's personal Gmail account. Croll discovered that the secondary account attached to this person's Gmail was a Hotmail account. The problem was that Hotmail account had been deleted and recycled due to inactivity -- a longstanding policy on Hotmail. Now, all Hacker Croll had to do was reregister the Hotmail account for himself, go back and do the Gmail password recovery, and then Gmail sent the password reset information straight to the bad guy.


Earlier Story

Twitter Hacker Exposes Company Documents [webmasterworld.com]

bill
msg:3956322
6:10 am on Jul 21, 2009 (gmt 0)

This is a good reason to use strong randomly generated passwords for every site you log into. You'll need a separate piece of software to keep track of them all, but it will stop this sort of thing from happening.

bhonda
msg:3956419
8:30 am on Jul 21, 2009 (gmt 0)

> You'll need a separate piece of software to keep track of them all

I guess you'd need to protect this though...mother's maiden name, anyone?

Seriously, like has been said a thousand times before, security's only as strong as the weakest link.

JS_Harris
msg:3956423
8:36 am on Jul 21, 2009 (gmt 0)

If any employee has been divorced the ex has ALL information needed to get into anything they like including birth date, social security number etc.

What type of software would stop a more suave hacker who profiles employees to DATE one?

edit: my point being that a two-pronged approach is best. Protect your passwords, and track anyone who tries to request lost passwords so that they leave a trail that leads back to them (IP tracking, phone verification, etc.).
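
A worked illustration of the second prong, added here as example code rather than anything posted in the thread: detection logic run over a constructed password-recovery audit log. The log format, the event and field names, and the sample lines are all hypothetical. The rules flag a recovery requested from an address the user has never logged in from, one source address requesting recovery for several employees inside a short window (the door-knocking pattern described in the opening post), and a recovery completed from such an address.

```python
"""Detection logic over a constructed password-recovery audit log.

Added example, not from the thread. The log format is hypothetical: one
event per line,
    <ISO-8601 timestamp> <event> key=value ...
with the events login, recovery_requested and recovery_completed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: three users log in from their usual addresses, then an
# unfamiliar address requests recovery for all three within a few minutes and
# completes one of them. The last line is a legitimate reset from a known IP.
SAMPLE_LOG = """\
2009-07-15T09:00:00 login user=alice ip=203.0.113.10
2009-07-15T09:05:00 login user=bob ip=203.0.113.11
2009-07-16T10:00:00 login user=carol ip=203.0.113.12
2009-07-18T22:01:00 recovery_requested user=alice ip=198.51.100.7 target=alice-old@example.net
2009-07-18T22:03:00 recovery_requested user=bob ip=198.51.100.7 target=bob@example.org
2009-07-18T22:04:00 recovery_requested user=carol ip=198.51.100.7 target=carol@example.org
2009-07-18T22:09:00 recovery_completed user=alice ip=198.51.100.7
2009-07-19T08:00:00 recovery_requested user=bob ip=203.0.113.11 target=bob@example.org
"""


def parse_line(line):
    """Turn one log line into a dict; key=value fields become entries."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def analyze(log_text, window=timedelta(minutes=30), min_users=3):
    """Return a list of (alert_type, ...) tuples for suspicious recovery activity.

    Rules:
      recovery_from_unknown_ip - recovery requested from an IP the user has
                                 never logged in from (baseline = login events)
      recovery_spray           - one IP requests recovery for >= min_users
                                 distinct users inside `window`
      takeover_suspected       - a recovery completed from a spraying IP
    """
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    records.sort(key=lambda r: r["ts"])

    # Baseline: which source addresses has each user actually logged in from?
    known_ips = defaultdict(set)
    for r in records:
        if r["event"] == "login":
            known_ips[r["user"]].add(r["ip"])

    alerts = []
    requests_by_ip = defaultdict(list)
    for r in records:
        if r["event"] != "recovery_requested":
            continue
        if r["ip"] not in known_ips[r["user"]]:
            alerts.append(("recovery_from_unknown_ip", r["user"], r["ip"]))
        requests_by_ip[r["ip"]].append(r)

    # Sliding window per source IP: many distinct users in a short span.
    spray_ips = set()
    for ip, reqs in requests_by_ip.items():
        for i, first in enumerate(reqs):
            in_window = [x for x in reqs[i:] if x["ts"] - first["ts"] <= window]
            users = sorted({x["user"] for x in in_window})
            if len(users) >= min_users:
                alerts.append(("recovery_spray", ip, tuple(users)))
                spray_ips.add(ip)
                break

    # A completed reset from a spraying IP is the strongest signal of all.
    for r in records:
        if r["event"] == "recovery_completed" and r["ip"] in spray_ips:
            alerts.append(("takeover_suspected", r["user"], r["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

Run against the sample, all three rules fire on the 198.51.100.7 activity while bob's later reset from his usual address stays quiet. In a real deployment the login baseline would come from the authentication logs rather than the same file and the spray threshold would be tuned to the organisation; the point is that reset requests are recorded with source IP and target address, so a reviewer can reconstruct the trail after the fact.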

carguy84
msg:3956438
9:05 am on Jul 21, 2009 (gmt 0)

That's the combination on my luggage!

maximillianos
msg:3956501
10:57 am on Jul 21, 2009 (gmt 0)

I think one problem here worth noting is Microsoft's policy to recycle email addresses. They do it often and frequently. I've had mine recycle within a year. Never realized the hole it was leaving open. How can you fix something like that? I guess you have to keep every old email account active by using it periodically. Which is an awful idea, since it is human nature to forget things we don't see or use.

So how can you safely retire an old hotmail account? I guess you could try to find all the sites and systems you used with that email. But even then you are likely to forget or miss a few.

Maybe there is an obvious answer, but it is too early in the morning for me. ;-)

Rosalind
msg:3956542
1:16 pm on Jul 21, 2009 (gmt 0)

> I think one problem here worth noting is Microsoft's policy to recycle email addresses. They do it often and frequently.

This would also apply to the email addresses on any domain that's been dropped and re-registered. So this security hole is already quite large.

phranque
msg:3956560
2:04 pm on Jul 21, 2009 (gmt 0)

Another obvious thing that I haven't seen discussed much yet, and it is supreme irony in a case involving a microblogging service, is oversharing in public about your private life and how that exposes you in the "secret question" scenario.
Not just "your mother's maiden name" but also birthdays, the names of your pets, favorite vacation spots, favorite color/whatever...

J_RaD
msg:3956569
2:32 pm on Jul 21, 2009 (gmt 0)

keep your personal life personal

that means OFFLINE

engine
msg:3956718
5:43 pm on Jul 21, 2009 (gmt 0)

It's clear, a determined hacker will eventually build enough info to make a breakthrough.

I don't know that there's an easy solution to all this, but sharing passwords has to be one of the riskiest moves anyone can make.

MatthewHSE
msg:3956843
9:33 pm on Jul 21, 2009 (gmt 0)

> You'll need a separate piece of software to keep track of them all

> I guess you'd need to protect this though...mother's maiden name, anyone?

I use KeePass, which is open-source and very good. It stores passwords in a well-organized encrypted file which can be protected by a separate password. In my case, I have several dozen passwords protected by a single password that meets all the basic criteria - mixed case, no dictionary words, alpha-numeric with some symbols thrown in, nearly impossible to guess, but extremely easy for me to remember.

For me, the weakest link of this system is likely physical security, as I carry the password database around on a flash drive on my keychain...

engine
msg:3957251
11:13 am on Jul 22, 2009 (gmt 0)

> For me, the weakest link of this system is likely physical security, as I carry the password database around on a flash drive on my keychain...

Two thoughts. I remember a colleague finding a USB drive in a car parking lot. [webmasterworld.com]

What about reliability of the USB drive. Do you have a backup stored safely?

Brett_Tabke
msg:3957266
12:15 pm on Jul 22, 2009 (gmt 0)

> I think one problem here worth noting
> is Microsofts policy to recycle email addresses

I think that is a perfectly fine policy.

What needs to happen here is that Google, Microsoft, Yahoo, and several other big providers need to come up with an API for each other to check if a username exists. If the username does not exist, then they don't send any email there.

IanKelley
msg:3957355
3:09 pm on Jul 22, 2009 (gmt 0)

I'm a little late reading this thread but I noticed that most posters seem to have misread how the hacker got in.

> This is a good reason to use strong randomly generated passwords for every site you log into. You'll need a separate piece of software to keep track of them all, but it will stop this sort of thing from happening.

The hacker used email password recovery to have the password sent to him. The strength and randomness of the password, as well as whether or not it was used at another site, were irrelevant.

> If any employee has been divorced the ex has ALL information needed to get into anything they like including birth date, social security number etc.

Information that would be quite valuable for convincing a diligent email password recovery interface to email the password, but would not necessarily get them into the target email account in order to retrieve it. There are indeed some websites that will let you reset a password without email confirmation, but they are rare.

> What needs to happen here is that Google, Microsoft, Yahoo, and several other big providers need to come up with an API for each other to check if a username exists. If the username does not exist, then they don't send any email there.

The email account/username in question did exist, the hacker (re)created it. Unless you're saying that the above should consider an account name taken if it exists at any of the three? Not gonna happen :-)

The solution for this particular vulnerability seems pretty straightforward: Don't let your employees use web email accounts as their backup email. Everyone gets an ISP email address whether they use it or not and presumably companies like Twitter don't have any employees without internet access.

bill
msg:3957799
1:55 am on Jul 23, 2009 (gmt 0)

> The hacker used email password recovery to have the password sent to him. The strength and randomness of the password, as well as whether or not it was used at another site, were irrelevant.

According to the article the same common passwords were used on multiple accounts...so if the target had separate passwords for each account, then this would have been limited to a single Gmail account being hacked.

I never retain a password that has been mailed to me. I will always go to the site and generate a new one after receiving a password recovery mail.

Prohibiting webmail seems a bit extreme. Just implement a reasonable pattern of regular password updating. You can force users to update their passwords in Google Apps. Perhaps Gmail and other webmail providers should institute a more stringent reconfirmation of a user's ID on a more frequent basis.

bill
msg:3957814
2:15 am on Jul 23, 2009 (gmt 0)

An interesting article I just came across that outlines some more points:
Opinion: Top 11 things to learn from Twitter security [computerworld.com]

1. Don't be afraid to suspend accounts that present a risk to you and your users.

2. Doing one thing right doesn't make you good at -- does not even mean you understand -- security.

3. Single sign-on should be limited.

4. Sensitive information must be stored internally.

5. Access control must be implemented.

6. Web-based password reset schemes are not appropriate for a corporate environment.

7. Implement misuse and abuse detection.

8. Security must be proactive.

9. You must control your own forensics data.

10. Social networking can cripple an organization.

11. If an idiot can do this, what will a savvy criminal be capable of?


Brett_Tabke
msg:3957999
11:24 am on Jul 23, 2009 (gmt 0)

> The email account/username in question did exist, the hacker (re)created it. Unless you're saying that the above should consider an account name taken if it exists at any of the three? Not gonna happen :-)

Well, I am saying that the first time it was tried the hacker knew what the account was. During that step, Gmail should have pinged Hotmail, and Hotmail would have said the account was DOA, so Gmail should have purged that Hotmail address from its system and not allowed it to be used a second time (which is when the password reset link was sent to the freshly created Hotmail account).

IanKelley
msg:3958173
4:02 pm on Jul 23, 2009 (gmt 0)

Ah ok, I understand now. In fact that's something Google could potentially do even without an API.
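
The mechanism Brett and Ian arrive at, written out as an added example rather than code from the thread or from any real provider. Both providers are hypothetical stand-ins: SecondaryProvider plays the webmail service that recycles idle names, PrimaryProvider the account whose reset link is being requested, and every method name is invented for the illustration. The timeline from the opening post is replayed twice: once with the reset link sent to whatever address is on file, and once with the bounce from the first attempt treated as proof that the recovery address is dead, so the binding is purged and never used again. No cross-provider API is involved; the bounce is the signal.

```python
"""Simulated account-recovery flow: the recycled-recovery-address attack from
the thread, and a hardened flow that stops it.

Added example. PrimaryProvider / SecondaryProvider and their methods are
hypothetical stand-ins for the Gmail / Hotmail roles in the story.
"""


class SecondaryProvider:
    """Webmail service that deletes idle mailboxes and frees the name."""

    def __init__(self):
        self.mailboxes = {}   # address -> owner label
        self.inbox = {}       # address -> delivered messages

    def register(self, address, owner):
        self.mailboxes[address] = owner
        self.inbox[address] = []

    def expire(self, address):
        """Idle-account recycling: the name becomes free for anyone."""
        self.mailboxes.pop(address, None)
        self.inbox.pop(address, None)

    def deliver(self, address, message):
        """Return True on delivery, False on a bounce (no such mailbox).
        The bounce is the only signal the primary provider needs."""
        if address not in self.mailboxes:
            return False
        self.inbox[address].append(message)
        return True


class PrimaryProvider:
    """The account whose password is being recovered."""

    def __init__(self, secondary, hardened):
        self.secondary = secondary
        self.hardened = hardened
        self.bindings = {}    # account -> {"address": str, "status": str}

    def bind_recovery_address(self, account, address, authenticated):
        # Hardened: a recovery address may only be (re)bound from a logged-in
        # session, so an attacker cannot simply point it somewhere new.
        if self.hardened and not authenticated:
            raise PermissionError("re-binding requires an authenticated session")
        self.bindings[account] = {"address": address, "status": "verified"}

    def request_reset(self, account):
        """Return 'sent', 'bounced' or 'refused'."""
        binding = self.bindings[account]
        if self.hardened and binding["status"] == "dead":
            return "refused"
        delivered = self.secondary.deliver(binding["address"],
                                           f"reset-link-for-{account}")
        if delivered:
            return "sent"
        if self.hardened:
            # A recovery address that bounced is purged and never trusted
            # again, even if someone re-creates the mailbox later.
            binding["status"] = "dead"
        return "bounced"


def run_attack(hardened):
    """Replay the thread's timeline; report who ends up holding the link."""
    hotmail = SecondaryProvider()
    gmail = PrimaryProvider(hotmail, hardened)
    hotmail.register("employee@example.net", "employee")
    gmail.bind_recovery_address("employee", "employee@example.net",
                                authenticated=True)

    hotmail.expire("employee@example.net")             # idle mailbox recycled
    first = gmail.request_reset("employee")            # attacker's first knock
    hotmail.register("employee@example.net", "attacker")
    second = gmail.request_reset("employee")           # attacker's second knock

    holder = hotmail.mailboxes.get("employee@example.net")
    got_link = bool(hotmail.inbox.get("employee@example.net"))
    return {"first": first, "second": second,
            "link_holder": holder if got_link else None}


if __name__ == "__main__":
    print("vulnerable:", run_attack(hardened=False))
    print("hardened:  ", run_attack(hardened=True))
```

In the vulnerable run the first request bounces, the attacker re-registers the name, and the second request hands them the link; in the hardened run the bounce kills the binding and the second request is refused. The caveat a practitioner should keep in mind: this only helps when some request lands between the mailbox expiring and the attacker re-registering it. If the attacker re-registers first, nothing ever bounces, which is why bill's point about periodically reconfirming the recovery address from inside an authenticated session still matters.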
