Learning Lessons From The "Twitter Hacker" Incident


engine

3:52 pm on Jul 20, 2009 (gmt 0)


There are some important lessons to learn from the recent Twitter Hacker Incident, and we can all benefit by looking at the way the hacker approached it.

Learning Lessons From The "Twitter Hacker" [pcworld.com] Incident

Hacker Croll started by building a profile of his target company, in this case Twitter. Basically, he assembled a list of employees, their positions within the company, and their associated e-mail addresses. After the basic information was accumulated, Croll built a small profile for each employee with their birth date, names of pets, and so on.

After Croll had created these profiles, he just went about knocking on doors until one fell down. That's exactly what happened when he did a password recovery process for a Twitter employee's personal Gmail account. Croll discovered that the secondary account attached to this person's Gmail was a Hotmail account. The problem was that Hotmail account had been deleted and recycled due to inactivity -- a longstanding policy on Hotmail. Now, all Hacker Croll had to do was reregister the Hotmail account for himself, go back and do the Gmail password recovery, and then Gmail sent the password reset information straight to the bad guy.


Earlier Story

Twitter Hacker Exposes Company Documents [webmasterworld.com]

bill

6:10 am on Jul 21, 2009 (gmt 0)


This is a good reason to use strong randomly generated passwords for every site you log into. You'll need a separate piece of software to keep track of them all, but it will stop this sort of thing from happening.

bhonda

8:30 am on Jul 21, 2009 (gmt 0)


> You'll need a separate piece of software to keep track of them all

I guess you'd need to protect this though...mother's maiden name, anyone?

Seriously, like has been said a thousand times before, security's only as strong as the weakest link.

JS_Harris

8:36 am on Jul 21, 2009 (gmt 0)


If any employee has been divorced the ex has ALL information needed to get into anything they like including birth date, social security number etc.

What type of software would stop a more suave hacker who profiles employees to DATE one?

edit: my point being that a two-pronged approach is best. Protect your passwords, and track anyone who tries to request lost passwords so that they leave a trail that leads back to them (IP tracking, phone verification etc.)

carguy84

9:05 am on Jul 21, 2009 (gmt 0)


That's the combination on my luggage!

maximillianos

10:57 am on Jul 21, 2009 (gmt 0)


I think one problem here worth noting is Microsoft's policy to recycle email addresses. They do it often and frequently. I've had mine recycled within a year. Never realized the hole it was leaving open. How can you fix something like that? I guess you have to keep every old email account active by using it periodically. Which is an awful idea, since it is human nature to forget things we don't see or use.

So how can you safely retire an old Hotmail account? I guess you could try to find all the sites and systems you used with that email. But even then you are likely to forget or miss a few.

Maybe there is an obvious answer, but it is too early in the morning for me. ;-)

Rosalind

1:16 pm on Jul 21, 2009 (gmt 0)


> I think one problem here worth noting is Microsoft's policy to recycle email addresses. They do it often and frequently.

This would also apply to the email addresses on any domain that's been dropped and re-registered. So this security hole is already quite large.

phranque

2:04 pm on Jul 21, 2009 (gmt 0)


Another obvious thing that I haven't seen discussed much yet - and it is supreme irony in a case involving a microblogging service - is oversharing in public about your private life and how that exposes you in the "secret question" scenario.
Not just "your mother's maiden name" but also birthdays, the names of your pets, favorite vacation spots, favorite color/whatever...

J_RaD

2:32 pm on Jul 21, 2009 (gmt 0)


keep your personal life personal

that means OFFLINE

engine

5:43 pm on Jul 21, 2009 (gmt 0)


It's clear that a determined hacker will eventually build enough info to make a breakthrough.

I don't know that there's an easy solution to all this, but sharing passwords has to be one of the riskiest moves anyone can make.

MatthewHSE

9:33 pm on Jul 21, 2009 (gmt 0)


> You'll need a separate piece of software to keep track of them all

> I guess you'd need to protect this though...mother's maiden name, anyone?

I use KeePass, which is open-source and very good. It stores passwords in a well-organized encrypted file which can be protected by a separate password. In my case, I have several dozen passwords protected by a single password that meets all the basic criteria - mixed case, no dictionary words, alpha-numeric with some symbols thrown in, nearly impossible to guess, but extremely easy for me to remember.

For me, the weakest link of this system is likely physical security, as I carry the password database around on a flash drive on my keychain...

engine

11:13 am on Jul 22, 2009 (gmt 0)


> For me, the weakest link of this system is likely physical security, as I carry the password database around on a flash drive on my keychain...

Two thoughts. I remember a colleague finding a USB drive in a car parking lot. [webmasterworld.com]

What about the reliability of the USB drive? Do you have a backup stored safely?

Brett_Tabke

12:15 pm on Jul 22, 2009 (gmt 0)


> I think one problem here worth noting
> is Microsoft's policy to recycle email addresses

I think that is a perfectly fine policy.

What needs to happen here is that Google, Microsoft, Yahoo, and several other big providers need to come up with an API for each other to check if a username exists. If the username does not exist, then they don't send any email there.

IanKelley

3:09 pm on Jul 22, 2009 (gmt 0)


I'm a little late reading this thread but I noticed that most posters seem to have misread how the hacker got in.

> This is a good reason to use strong randomly generated passwords for every site you log into. You'll need a separate piece of software to keep track of them all, but it will stop this sort of thing from happening.

The hacker used email password recovery to have the password sent to him. The strength and randomness of the password, as well as whether or not it was used at another site, were irrelevant.

> If any employee has been divorced the ex has ALL information needed to get into anything they like including birth date, social security number etc.

Information that would be quite valuable for convincing a diligent email password recovery interface to email the password, but would not necessarily get them into the target email account in order to retrieve it. There are indeed some websites that will let you reset a password without email confirmation, but they are rare.

> What needs to happen here is that Google, Microsoft, Yahoo, and several other big providers need to come up with an API for each other to check if a username exists. If the username does not exist, then they don't send any email there.

The email account/username in question did exist, the hacker (re)created it. Unless you're saying that the above should consider an account name taken if it exists at any of the three? Not gonna happen :-)

The solution for this particular vulnerability seems pretty straightforward: Don't let your employees use web email accounts as their backup email. Everyone gets an ISP email address whether they use it or not and presumably companies like Twitter don't have any employees without internet access.

bill

1:55 am on Jul 23, 2009 (gmt 0)


> The hacker used email password recovery to have the password sent to him. The strength and randomness of the password, as well as whether or not it was used at another site, were irrelevant.

According to the article the same common passwords were used on multiple accounts...so if the target had separate passwords for each account, then this would have been limited to a single Gmail account being hacked.

I never retain a password that has been mailed to me. I will always go to the site and generate a new one after receiving a password recovery mail.

Prohibiting webmail seems a bit extreme. Just implement a reasonable pattern of regular password updating. You can force users to update their passwords in Google Apps. Perhaps Gmail and other webmail providers should institute a more stringent reconfirmation of a user's ID on a more frequent basis.

bill

2:15 am on Jul 23, 2009 (gmt 0)


An interesting article I just came across that outlines some more points:
Opinion: Top 11 things to learn from Twitter security [computerworld.com]

1. Don't be afraid to suspend accounts that present a risk to you and your users.

2. Doing one thing right doesn't make you good at -- does not even mean you understand -- security.

3. Single sign-on should be limited.

4. Sensitive information must be stored internally.

5. Access control must be implemented.

6. Web-based password reset schemes are not appropriate for a corporate environment.

7. Implement misuse and abuse detection.

8. Security must be proactive.

9. You must control your own forensics data.

10. Social networking can cripple an organization.

11. If an idiot can do this, what will a savvy criminal be capable of?

Brett_Tabke

11:24 am on Jul 23, 2009 (gmt 0)


> The email account/username in question did exist, the hacker (re)created it. Unless you're saying that the above should consider an account name taken if it exists at any of the three? Not gonna happen :-)

Well, I am saying that the first time it was tried the hacker knew what the account was. During that step, Gmail should have pinged Hotmail, and Hotmail would have said the account was DOA, so Gmail should have purged that Hotmail address from its system and not allowed it to be used a 2nd time (which is when the pw reset link was sent to the freshly created Hotmail account).
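The fix Brett_Tabke describes, modelled as a small recovery-address state machine. This is an added example, not code from any mail provider or from the thread: the `mailbox_exists` check stands in for the provider-to-provider lookup he proposes, the set of live mailboxes and the addresses are constructed, and the replay follows the Hotmail scenario from the opening post.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    VERIFIED = "verified"  # owner proved control of the mailbox
    RETIRED = "retired"    # reported as non-existent; reset links blocked


@dataclass
class RecoveryAddress:
    address: str
    state: State = State.VERIFIED
    audit: list = field(default_factory=list)  # (event, address) pairs for monitoring


def mailbox_exists(address: str, live_mailboxes: set) -> bool:
    # Stand-in for the cross-provider existence check; live_mailboxes is a
    # constructed set of mailboxes the other provider currently recognises.
    return address in live_mailboxes


def request_reset(rec: RecoveryAddress, live_mailboxes: set) -> str:
    """Decide whether a reset link may be sent to the recovery address."""
    if rec.state is State.RETIRED:
        rec.audit.append(("refused", rec.address))
        return "refused"                        # re-registered by someone else? still no
    if not mailbox_exists(rec.address, live_mailboxes):
        rec.state = State.RETIRED               # purge it the first time it is found dead
        rec.audit.append(("retired", rec.address))
        return "retired"
    rec.audit.append(("sent", rec.address))
    return "sent"


def reverify(rec: RecoveryAddress, from_authenticated_session: bool) -> bool:
    """Only the logged-in account owner may bring a retired address back."""
    if from_authenticated_session and rec.state is State.RETIRED:
        rec.state = State.VERIFIED
        return True
    return False


def replay_incident() -> list:
    """Constructed replay of the recycled-secondary-address scenario."""
    live = {"colleague@example.com"}            # the old secondary mailbox is gone
    rec = RecoveryAddress("old-secondary@hotmail.example")
    outcomes = [request_reset(rec, live)]       # first try: mailbox missing -> retired
    live.add(rec.address)                       # address re-registered by a stranger
    outcomes.append(request_reset(rec, live))   # second try: refused, nothing sent
    reverify(rec, from_authenticated_session=True)
    outcomes.append(request_reset(rec, live))   # owner re-verified it -> sent
    return outcomes
```

Without the retire step, the second `request_reset` would return "sent" and deliver the link to whoever now holds the re-registered mailbox; the audit list gives the misuse-detection signal the computerworld list (point 7) asks for.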

IanKelley

4:02 pm on Jul 23, 2009 (gmt 0)


Ah ok, I understand now. In fact that's something Google could potentially do even without an API.