Slashdot Mirror

← Back to Stories (view on slashdot.org)

Twitter Hack Details Revealed

Posted by CmdrTaco on from the my-password-is-p4ssw0rd dept.

Jack Spine writes "Twitter co-founder Biz Stone has confirmed both to ZDNet UK and Wired's Threat Level blog that a dictionary attack was used to hack Twitter. After the hacker distributed details on the Digital Gangster forum, celebrities such as Britney Spears and Barack Obama had their accounts defaced. Wired spoke to the alleged hacker, while ZDNet UK got in contact with someone who had been on the Digital Gangster forum at the time."

12 of 222 comments (clear)

  1. Lack of Hacker Ethics by alain94040 · · Score: 5, Insightful

    Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.

    Twitter is doubly at fault here. First, it's not that hard to detect rapid-fire password attacks. Even Unix (way before Linux) knew to kick you out after 3 failed attempts. Second, they should enforce better passwords for their employees (not necessarily for regular users, that's another discussion).

    He decided not to use other hacked accounts personally. Instead he posted a message to Digital Gangster offering access to any Twitter account by request.

    That's where the 18-year old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm.

    When I hacked my university's computer network (Vax machines on Bitnet back in 1990), I did it with the knowledge of the sysadmin staff. And once you have made your point, you stand back.

    --
    FairSoftware.net -- geeks starting fair and open software businesses together

    1. Re:Lack of Hacker Ethics by TheCycoONE · · Score: 5, Insightful

      That's where the 18-year old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm.

      Perhaps, but it's likely because this kid did a little harm that he's captured the attention of so many people. It adds a healthy dose of sensationalism to the story which convinces people to treat security seriously better than some hypothetical 'it could have been really bad if..' would"

    2. Re:Lack of Hacker Ethics by silentquasar · · Score: 5, Insightful

      That's where the 18-year old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm.

      When I hacked my university's computer network (Vax machines on Bitnet back in 1990), I did it with the knowledge of the sysadmin staff. And once you have made your point, you stand back.

      Indeed. At my college a while back, some seniors found a way to hack into the school's network. They posted every user's password on a local network site. Only a handful of weeks away from graduation, they were expelled. Sure, they meant no harm, just to expose the weaknesses in the system, but they broke the rules and seriously compromised the system by posting the passwords, so they had to pay the price. Yikes!

    3. Re:Lack of Hacker Ethics by bughunter · · Score: 5, Insightful

      Um... what kind of harm can you cause by hacking Twitter? It's the internet equivalent of writing on a bathroom wall.

      (Yes, I'm aware of the recursive metaphor I'm creating here.)

      --
      I can see the fnords!
    4. Re:Lack of Hacker Ethics by girlintraining · · Score: 4, Insightful

      As much as I don't want to say it, ethics don't mean crap these days. If you hack into a system and leave a note saying "Hey, hacked your box, here's how I did it, here's how to fix it, Thanks. Signed, Good Samaritan"... It only means they will send an army of lawyers and g-men after you because you embarassed them, and because while techies like us might understand what the hacker wanted to accomplish, management will not. Frankly, given that there is no protection for people who adhere to the hacker ethos as opposed to those who don't, there is no incentive do be nice. If you get the chance, gut the bastards and don't leave anything behind except a zero'd drive and a message on the screen saying "Next time, don't use a 'password' as the root login." Is it damaging? Yes. But if you don't crap the server, all you're doing is beating the hornet's nest with a stick.

      It's sad that nobody has thought to pass a law to protect digital good samaritans -- that is, people who discover and report (in good faith) security issues either to the people running the servers directly, or the vendor(s) of the software/hardware that is vulnerable -- provided they do nothing else but confirm the exploit is present and notify the appropriate parties. And, of course, do not retain copies of any sensitive information once the report is made.

      Is it any different than finding an unlocked car in the parking lot and opening the door, pushing the door lock, closing the door, and continuing on your merry way? A pity the legal system does not see it this way... Which leaves only the recourse of scorched earth to make the point.

      --
      #fuckbeta #iamslashdot #dicemustdie
    5. Re:Lack of Hacker Ethics by dwarg · · Score: 3, Insightful

      That was terribly funny, but also terribly stupid.

      I must say you're awfully good looking, but you smell horrible.

      The analogy simply doesn't hold. You know quite well how secure your home is.

      I can see you've put a lot of thought into this... I'll type slowly for you.

      People who like to defend the romantic image of the hacker usually make two mistakes.

      One; they assume the crux of the argument is security when it's actually law.

      Two; they assume intent should be accounted for after the fact.

      The legality of the activity is determined by the possible intent of the actor. When an unauthorized person attempts to bypass a security measure the law is forced to assume they are doing so with malicious intent because they are subverting the means put in place to prevent just that action.

      Breaking into a house is identical to breaking into a computer system in that respect.

      If a crime could only be charged AFTER a person has circumvented security, so they could be sure of intent, what kind of outcomes would that invite before a charge could be filed?

      Seriously, read that last sentence again and think about it.

      On the other hand, if there are security issues with IT infrastructure, you probably don't know about them.

      Considering this is Slashdot, I would certainly hope most of us would have a better idea of the security of our computer systems/networks than the security of our parent's basement.

      It's not very useful for you if somebody tells you that your door locks suck; having crappy locks may even be a conscious decision on your part.

      Really? This is what you're going with? Tell me, why exactly would I want crappy locks on my doors? If you're referring to the fact that I don't choose to wrap the house in razor wire and dig a moat, then yes I have taken a laissez-faire approach to domestic security. The reason none of us need to go that far is because breaking into a house in unconditionally illegal and there are LEGAL mechanisms in place to protect me and provide recourse if that should happen. That is the primary deterrent that keeps people from walking around and "checking" their neighbor's locks to make sure they're secure.

      It is, however, very useful for you if somebody points out security issues with your computer systems. Having security holes in your system is never (well, rarely) a conscious decision.

      Yes it is useful, and there are means to do that which don't involve breaking into someone else's systems and compromising potentially sensitive information--even if only to one person. The difference is that between a hacker and a security consultant.

      If a bank's systems are hacked by anyone outside the organization, regardless of what they do with the information, they are required to inform their customers that their data has been compromised. People close accounts, money is lost and there are repercussions that go beyond the romantic image of the lone hacker who's sticking it to the man, but will never know the soft touch of a woman.

      If a "nice" hacker had alerted twitter to this issue, the current situation would never have occurred.

      Fine, let's assume we live in a world that values the noble efforts of hackers and someone hacked Twitter and alerted them to this problem before an evil cracker used this exploit for his nefarious designs. So we've created an atmosphere where everyone feels secure walking around "checking the locks" as I said earlier.

      Are you going to feel more secure knowing there are a lot of people trying to find ways into your system and that some of them are aren't the good kind of hackers and you have no way of knowing what kind of hacker they are until AFTER they've gotten into your system?

      As an admin, if you see suspicious activity on your server logs do you want that activity stopped or should yo

  2. Re:Limit logins without DOS? by larry+bagina · · Score: 5, Insightful

    Slow down cowboy! It's been 1 minute since your last failed attempt to login.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  3. Re:Limit logins without DOS? by jeffmeden · · Score: 3, Insightful

    Easy, increase the amount of time between the password being supplied and the pass/fail response being sent. If the script has to wait for 5 seconds to see if the password is bad, it increases the dictionary run time by a LOT. The only way around this is to run multiple iterations of the script, each with a section of the list to run. This makes them much easier to spot by other filters.

    However, a legit user waiting 5 seconds for the login to complete probably won't generate a lot of complaints.

  4. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  5. Re:Limit logins without DOS? by causality · · Score: 3, Insightful

    This is one of my favourite security conundrums.

    How do you limit someone's login attempts to an account without allowing an account to be denial of serviced?

    Captcha - hurts young, old, and disabled users. It can also make it hard for normal users if poorly designed (as many are).

    IP Limit - Very easy to bypass with a proxy list.

    Hard Account Limits - Denial of service

    Thus is the problem. How do you limit logins without hurting legitimate users?

    One approach is to still allow the login but to insert artificial delays. Maybe your password cracker can guess several thousand passwords in one second; too bad, because the site will only allow you to try one every three seconds. Even a fairly weak password can be extremely difficult to guess this way, though it is no substitute for strong passwords that are never sent as cleartext.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  6. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  7. Re:Compromise One Password, Compromise Them All by Chrono11901 · · Score: 3, Insightful

    wait wait wait... you're on slashdot... news for nerds... and you pay for porn?!

    Please hand over your geek card on the way out.