
Forum Moderators: phranque


Learning Lessons From The "Twitter Hacker" Incident

3:52 pm on Jul 20, 2009 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:22287
votes: 236


There are some important lessons to learn from the recent Twitter Hacker Incident, and we can all benefit by looking at the way the hacker approached it.

Learning Lessons From The "Twitter Hacker" [pcworld.com] Incident

Hacker Croll started by building a profile of his target company, in this case Twitter. Basically, he assembled a list of employees, their positions within the company, and their associated e-mail addresses. After the basic information was accumulated, Croll built a small profile for each employee with their birth date, names of pets, and so on.

After Croll had created these profiles, he just went about knocking on doors until one fell down. That's exactly what happened when he did a password recovery process for a Twitter employee's personal Gmail account. Croll discovered that the secondary account attached to this person's Gmail was a Hotmail account. The problem was that Hotmail account had been deleted and recycled due to inactivity -- a longstanding policy on Hotmail. Now, all Hacker Croll had to do was reregister the Hotmail account for himself, go back and do the Gmail password recovery, and then Gmail sent the password reset information straight to the bad guy.


Earlier Story

Twitter Hacker Exposes Company Documents [webmasterworld.com]

6:10 am on July 21, 2009 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:Oct 12, 2000
posts:14478
votes: 49


This is a good reason to use strong randomly generated passwords for every site you log into. You'll need a separate piece of software to keep track of them all, but it will stop this sort of thing from happening.

8:30 am on July 21, 2009 (gmt 0)

Full Member

10+ Year Member

joined:June 29, 2005
posts:216
votes: 0


You'll need a separate piece of software to keep track of them all

I guess you'd need to protect this though...mother's maiden name, anyone?

Seriously, like has been said a thousand times before, security's only as strong as the weakest link.

8:36 am on July 21, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:July 29, 2007
posts:1524
votes: 9


If any employee has been divorced the ex has ALL information needed to get into anything they like including birth date, social security number etc.

What type of software would stop a more suave hacker who profiles employees to DATE one?

edit: my point being a two-pronged approach is best. Protect your passwords, and track anyone who tries to request lost passwords so that they leave a trail that leads back to them (IP tracking, phone verification, etc.)

9:05 am on July 21, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 13, 2005
posts:1077
votes: 0


That's the combination on my luggage!

10:57 am on July 21, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 20, 2004
posts:2377
votes: 0


I think one problem here worth noting is Microsoft's policy to recycle email addresses. They do it often and frequently. I've had mine recycle within a year. Never realized the hole it was leaving open. How can you fix something like that? I guess you have to keep every old email account active by using it periodically. Which is an awful idea since it is human nature to forget things we don't see or use.

So how can you safely retire an old hotmail account? I guess you could try to find all the sites and systems you used with that email. But even then you are likely to forget or miss a few.

Maybe there is an obvious answer, but it is too early in the morning for me. ;-)

1:16 pm on July 21, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 16, 2003
posts:992
votes: 0


I think one problem here worth noting is Microsoft's policy to recycle email addresses. They do it often and frequently.

This would also apply to the email addresses on any domain that's been dropped and re-registered. So this security hole is already quite large.

2:04 pm on July 21, 2009 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10542
votes: 8


another obvious thing that i haven't seen discussed much yet - and it is supreme irony in a case involving a microblogging service - is oversharing in public about your private life and how that exposes yourself in the "secret question" scenario.
not just "your mother's maiden name" but also birthdays, the names of your pets, favorite vacation spots, favorite color/whatever...

2:32 pm on July 21, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 30, 2006
posts:1599
votes: 1


keep your personal life personal

that means OFFLINE

5:43 pm on July 21, 2009 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:22287
votes: 236


It's clear, a determined hacker will eventually build enough info to make a breakthrough.

I don't know there's an easy solution to all this, but, sharing passwords has to be one of the risky moves anyone can make.

9:33 pm on July 21, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 9, 2003
posts:1908
votes: 0


You'll need a separate piece of software to keep track of them all

I guess you'd need to protect this though...mother's maiden name, anyone?

I use KeePass, which is open-source and very good. It stores passwords in a well-organized encrypted file which can be protected by a separate password. In my case, I have several dozen passwords protected by a single password that meets all the basic criteria - mixed case, no dictionary words, alpha-numeric with some symbols thrown in, nearly impossible to guess, but extremely easy for me to remember.

For me, the weakest link of this system is likely physical security, as I carry the password database around on a flash drive on my keychain...

11:13 am on July 22, 2009 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:22287
votes: 236


For me, the weakest link of this system is likely physical security, as I carry the password database around on a flash drive on my keychain...

Two thoughts. I remember a colleague finding a USB drive in a car parking lot. [webmasterworld.com]

What about reliability of the USB drive. Do you have a backup stored safely?

12:15 pm on July 22, 2009 (gmt 0)

Administrator from US 

WebmasterWorld Administrator brett_tabke is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 21, 1999
posts:38047
votes: 11


> I think one problem here worth noting
> is Microsofts policy to recycle email addresses

I think that is a perfectly fine policy.

What needs to happen here is that Google, Microsoft, Yahoo, and several other big providers need to come up with an API for each other to check if a username exists. If the username does not exist, then they don't send any email there.

3:09 pm on July 22, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 4, 2001
posts: 1259
votes: 11


I'm a little late reading this thread but I noticed that most posters seem to have misread how the hacker got in.

This is a good reason to use strong randomly generated passwords for every site you log into. You'll need a separate piece of software to keep track of them all, but it will stop this sort of thing from happening.

The hacker used email password recovery to have the password sent to him. The strength and randomness of the password, as well as whether or not it was used at another site, were irrelevant.

If any employee has been divorced the ex has ALL information needed to get into anything they like including birth date, social security number etc.

Information that would be quite valuable for convincing a diligent email password recovery interface to email the password, but would not necessarily get them into the target email account in order to retrieve it. There are indeed some websites that will let you reset a password without email confirmation, but they are rare.

What needs to happen here is that Google, Microsoft, Yahoo, and several other big providers need to come up with an API for each other to check if a username exists. If the username does not exist, then they don't send any email there.

The email account/username in question did exist, the hacker (re)created it. Unless you're saying that the above should consider an account name taken if it exists at any of the three? Not gonna happen :-)

The solution for this particular vulnerability seems pretty straightforward: Don't let your employees use web email accounts as their backup email. Everyone gets an ISP email address whether they use it or not and presumably companies like Twitter don't have any employees without internet access.

1:55 am on July 23, 2009 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:Oct 12, 2000
posts:14478
votes: 49


The hacker used email password recovery to have the password sent to him. The strength and randomness of the password, as well as whether or not it was used at another site, were irrelevant.

According to the article the same common passwords were used on multiple accounts...so if the target had separate passwords for each account, then this would have been limited to a single Gmail account being hacked.

I never retain a password that has been mailed to me. I will always go to the site and generate a new one after receiving a password recovery mail.

Prohibiting webmail seems a bit extreme. Just implement a reasonable pattern of regular password updating. You can force users to update their passwords in Google Apps. Perhaps Gmail and other webmail providers should institute a more stringent reconfirmation of a user's ID on a more frequent basis.

2:15 am on July 23, 2009 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:Oct 12, 2000
posts:14478
votes: 49


An interesting article I just came across that outlines some more points:
Opinion: Top 11 things to learn from Twitter security [computerworld.com]

1. Don't be afraid to suspend accounts that present a risk to you and your users.

2. Doing one thing right doesn't make you good at -- does not even mean you understand -- security.

3. Single sign-on should be limited.

4. Sensitive information must be stored internally.

5. Access control must be implemented.

6. Web-based password reset schemes are not appropriate for a corporate environment.

7. Implement misuse and abuse detection.

8. Security must be proactive.

9. You must control your own forensics data.

10. Social networking can cripple an organization.

11. If an idiot can do this, what will a savvy criminal be capable of?

11:24 am on July 23, 2009 (gmt 0)

Administrator from US 

WebmasterWorld Administrator brett_tabke is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 21, 1999
posts:38047
votes: 11


The email account/username in question did exist, the hacker (re)created it. Unless you're saying that the above should consider an account name taken if it exists at any of the three? Not gonna happen :-)

Well, I am saying that the first time it was tried the hacker knew what the account was. During that step, Gmail should have pinged Hotmail, and Hotmail said the account was DOA, so Gmail should have purged that Hotmail address from its system and not allowed it to be used a 2nd time (which is when the pw reset link was sent to the freshly created Hotmail account).

4:02 pm on July 23, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 4, 2001
posts: 1259
votes: 11


Ah ok, I understand now. In fact that's something Google could potentially do even without an API.
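The chain described in the opening post (a recovery address on a provider that recycles inactive usernames, re-registered by the attacker between two reset requests), brett_tabke's "ping the other provider and purge dead recovery addresses" proposal, and the dropped-domain variant raised earlier in the thread, replayed as a toy model. This is an added example, not code from Twitter, Google, Microsoft or the pcworld/computerworld articles. The provider classes, the three modes, the account-identity pinning in "pinned" mode and the cross-provider existence lookup it relies on are all assumptions of the model; no such API between the big providers existed at the time of this thread.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MailProvider:
    """Constructed model of a webmail provider (Hotmail in the thread) that
    frees inactive usernames so anyone can re-register them. Not real provider code."""
    domain: str
    mailboxes: dict = field(default_factory=dict)  # address -> [account_id, inbox]

    def register(self, address: str) -> str:
        if address in self.mailboxes:
            raise ValueError(f"{address} is taken")
        account_id = secrets.token_hex(8)  # a new identity each time the name is registered
        self.mailboxes[address] = [account_id, []]
        return account_id

    def expire_inactive(self, address: str) -> None:
        self.mailboxes.pop(address, None)  # recycling: the name becomes free again

    def exists(self, address: str) -> bool:
        return address in self.mailboxes

    def account_id(self, address: str) -> Optional[str]:
        return self.mailboxes[address][0] if self.exists(address) else None

    def deliver(self, address: str, message: str) -> bool:
        if not self.exists(address):
            return False  # bounce
        self.mailboxes[address][1].append(message)
        return True

    def inbox(self, address: str) -> list:
        return list(self.mailboxes[address][1]) if self.exists(address) else []


@dataclass
class PrimaryAccount:
    address: str
    recovery_address: Optional[str]
    recovery_account_id: Optional[str] = None  # only used in "pinned" mode


class PrimaryProvider:
    """Constructed model of the primary provider (Gmail in the thread).
    mode "legacy": send the reset to the recovery address whatever its state.
    mode "purge":  brett_tabke's proposal: if the recovery mailbox does not exist
                   at the moment a reset is requested, drop it from the account.
    mode "pinned": hypothetical extension: also remember which account held the
                   recovery address at enrolment and refuse any other holder.
    Both checks assume a cross-provider existence lookup, which is an assumption here."""

    def __init__(self, providers, mode: str = "legacy"):
        self.providers = {p.domain: p for p in providers}
        self.accounts = {}
        self.mode = mode

    def _provider_for(self, address: str) -> Optional[MailProvider]:
        return self.providers.get(address.split("@", 1)[1])

    def create(self, address: str, recovery_address: str) -> None:
        prov = self._provider_for(recovery_address)
        pinned = prov.account_id(recovery_address) if (self.mode == "pinned" and prov) else None
        self.accounts[address] = PrimaryAccount(address, recovery_address, pinned)

    def request_reset(self, address: str) -> str:
        acct = self.accounts[address]
        if acct.recovery_address is None:
            return "no-recovery-address"
        prov = self._provider_for(acct.recovery_address)
        alive = prov is not None and prov.exists(acct.recovery_address)  # dropped domain counts as dead
        if not alive:
            if self.mode == "legacy":
                return "bounced"  # address stays on file, ready for the attacker's second try
            acct.recovery_address = None
            return "purged-dead"
        if self.mode == "pinned" and prov.account_id(acct.recovery_address) != acct.recovery_account_id:
            acct.recovery_address = None
            return "purged-reregistered"
        prov.deliver(acct.recovery_address, "reset-token:" + secrets.token_urlsafe(16))
        return "sent"


def run_scenario(mode: str, attacker_probes_first: bool = True):
    """Replays the thread's chain. Returns (first outcome, second outcome,
    whether a reset token landed in the attacker's re-registered mailbox)."""
    hotmail = MailProvider("hotmail.com")
    gmail = PrimaryProvider([hotmail], mode=mode)
    hotmail.register("victim@hotmail.com")                 # constructed victim
    gmail.create("victim@gmail.com", "victim@hotmail.com")
    hotmail.expire_inactive("victim@hotmail.com")          # victim stopped using it; Hotmail recycled it
    first = gmail.request_reset("victim@gmail.com") if attacker_probes_first else "skipped"
    hotmail.register("victim@hotmail.com")                 # attacker takes the recycled name
    second = gmail.request_reset("victim@gmail.com")
    leaked = any(m.startswith("reset-token:") for m in hotmail.inbox("victim@hotmail.com"))
    return first, second, leaked
```

Running `run_scenario("legacy")` reproduces the incident: the first request bounces, the attacker re-registers the name, and the second request hands him the token. `run_scenario("purge")` blocks that ordering, because the dead address is removed at the first knock. The caveat is the last poster's point that the address did exist when the token was sent: an attacker who re-registers the name before his first request (`attacker_probes_first=False`) gets past "purge" and is only stopped by "pinned" mode, which compares the mailbox's current holder with the one enrolled, a check that needs provider cooperation the thread agrees is unlikely.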