Slashdot Mirror
Twitter Hack Details Revealed
Jack Spine writes "Twitter co-founder Biz Stone has confirmed both to ZDNet UK and Wired's Threat Level blog that a dictionary attack was used to hack Twitter. After the hacker distributed details on the Digital Gangster forum, celebrities such as Britney Spears and Barack Obama had their accounts defaced.
Wired spoke to the alleged hacker, while ZDNet UK got in contact with someone who had been on the Digital Gangster forum at the time."
Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.
Twitter is doubly at fault here. First, it's not that hard to detect rapid-fire password attacks. Even Unix (way before Linux) knew to kick you out after 3 failed attempts. Second, they should enforce better passwords for their employees (not necessarily for regular users, that's another discussion).
He decided not to use other hacked accounts personally. Instead he posted a message to Digital Gangster offering access to any Twitter account by request.
That's where the 18-year old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm.
When I hacked my university's computer network (Vax machines on Bitnet back in 1990), I did it with the knowledge of the sysadmin staff. And once you have made your point, you stand back.
--
FairSoftware.net -- geeks starting fair and open software businesses together
Blackberries are safer than Twitter accounts. If you enter the wrong password into a Blackberry a set number of times (usually 10), it erases its contents.
"For every right, an equal responsibility..."
This is one of my favourite security conundrums.
How do you limit someone's login attempts to an account without allowing an account to be denial of serviced?
Captcha - hurts young, old, and disabled users. It can also make it hard for normal users if poorly designed (as many are).
IP Limit - Very easy to bypass with a proxy list.
Hard Account Limits - Denial of service
Thus is the problem. How do you limit logins without hurting legitimate users?
Why should we care about this? Its not like someones SSN or Credit Card info was stolen. Stuff like this happens all the time.
If you want to defame someone, its a lot easier to just make some wild and unprovable claim on the right webs sites and let the internet do its thing.
It wasn't Obama's account that got attacked. They attacked the account of a Twitter administrator, and then got access to the web-based control panel to reset Obama's password. Pretty lame that a) the admin had such a bad password and b) you can access the control panel from the public internet with the same login as your twitter account.
Comment removed based on user account deletion
Comment removed based on user account deletion
Looks like you didn't actually read the article. The account of a twitter admin was hacked with a dictionary attack. That account was then used to reset the passwords for various other accounts (Fox News, Obama, Britney Spears, etc) to gain access to those accounts. The original passwords for those additional accounts were not obtained. Only one account (the twitter admin) was hacked, the rest just had their passwords reset.
Things you think are in the Constitution, but are not.
Comment removed based on user account deletion
No passwords were compromised except for the admin account he used the dictionary attack on. So really, the GP's analysis of harm done is pretty accurate.
Comment removed based on user account deletion
Somehow it is disturbing that the President-Elect is lumped in with Britney as a celebrity.
What is the level of discourse on Mr. Obama's twitter thing, anyway? I could look, I suppose, but it is more fun to imagine.
---
im in ur white house
secret service bitches following me everywhere. about 3 minutes ago from web
these pancakes are righteous! about 2 hours ago from airforce1r
are ufoz real? I am going to find out! about 4 hours ago from web
I think Hillary just cut the cheese LOLz about 8 hours ago from twitterrific
Comment removed based on user account deletion
Many credit card companies offer a one-time-use credit card number you can use for online purchases. I find it invaluable for online shopping.
That sounds more dangerous; because now my buddy is going to have a blank phone when we go out drinking tonight.
Sometimes, life itself is sarcasm...
You don't (probably) use the same key for your house and your care and your safety deposit box
No, but I wish I could. They're all on the same key ring, after all. If I lost my keys and whoever found them knew whose keys they were, I'd have to change all the locks anyway.
Another "bad security practice" I do is to keep my passwords written down. That's a no-no in the security field, but it's a stupid no-no. I keep them in my wallet, along with my security code for the building I work in, my money, debit card, and other valuables. Unlike money and cards, the passwords are easily disguised as building addresses (1234 Spring Street) or phone numbers (525-1234). Yeah, posting it on a post-it on the monitor is stupid, but keeping it written down with other valuables allows you a tougher to crack password, one a dictionary attack like the one used at Twitter is impossible. E.g., d5#6*;mtTMbp can't be remembered by anyone but a savant, but if it's written down it can't be forgotten.
You could also use the title of a book, write that down, and use every n character in the password. For example, Shrew 9 would be SBlatsle which is every ninth character (exclusing spaces) from the introduction to Wm Shakespeare's Taming Of The Shrew.
Free Martian Whores!
Please RTFA before you post. Thank you. The accounts in question had their password reset to a random 12 character string that was then used to post fake tweets. Your comment is irrelevant.
Sig withheld to protect the innocent.
That's not why they want him to give it up. Federal alw says that all Presidential emails must be kept and can be used as evidence of wrongdoing. If he keeps his blackberry he's a fool.
Free Martian Whores!
Paypal has secure cards too now for free, just install the paypal plugin. I use single use mastercard numbers for all my online purchasing. Especially nice for porn sites, so you don't have to worry about random charges.
Belief? Hope? Preference?The Existential Vortex
Don't forget lame people! Your seething hatred of lame people comes out in treating "pretty lame" as an insult. How many more frightened people still at home in a wheelchair will be afraid to come out when it's demonstrated so clearly that being "lame" is uncool.
Is it any different than finding an unlocked car in the parking lot and opening the door, pushing the door lock, closing the door, and continuing on your merry way?
That's a great analogy. How do you know the owner hasn't left his keys under the seat? Security through obscurity is the best strategy for low-value assets.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Yes, in general, if you compromise one password, you might be compromising them all. In this specific case however, the "hacker" in question never got the passwords himself. He got the password-reset tool to help out a user who has forgotten their password. So that's one happy out of the whole thing--there was a good security practice there that actual passwords are a little harder to get at than that.
Furry cows moo and decompress.
Locks are for honest people.
If I wanted your motorcycle, I'd bring a couple friends, and throw it in the back of a pickup truck, to be rekeyed later.
If I wanted into your house, I'd kick in the door, or go through a window.
If I wanted into your shed, I'd put a pry bar through the padlock and twist.
It's a good thing I don't want these things. :)
Really, I've helped people get around things they've locked accidentally.
One was a door with a "security" lock (one extra pin). They closed it, and couldn't reopen it, because no one had the key. That took me 5 minutes with a lockpick set.
Once the CEO of a company I worked for needed a document on his desk. He was very insistent he needed it immediately. We told him the door was locked, and he had the only key. We then asked for permission to get in by alternative means. His only response was "don't break anything" I had one of the guys stand on a chair and lift a drop ceiling panel out, so he could climb over the wall. It took about 45 seconds.
We had a a life or death emergency at my house, and someone was in the locked room. The fastest method was required to open the door. A swift kick just beside the doorknob, and the door opened, without me missing a step running into the room.
I don't know how many times when I was a kid, someone would get home before their parents, and couldn't get into their own house because they forgot their keys. I'd usually be in, in less than 5 minutes. There's always a window or door that isn't locked, or doesn't latch well.
The same applies here. You have 100 employees with access to do something (like in this case play with twitter accounts). If every one of them isn't secured well (good passwords, good password protection policies, good security measures) it doesn't matter how great one is, someone will walk in through the easier method.
I was moving some servers, and no one knew the password to one of them. I couldn't log in to set the new IP. I asked politely, and then rebooted into single user to change it. I didn't need the password, I had physical access.
Serious? Seriousness is well above my pay grade.
wait wait wait... you're on slashdot... news for nerds... and you pay for porn?!
Please hand over your geek card on the way out.
There has to be someway for a server to archive it all while allowing him access via a blackberry. Even if he has to lean on RIM for a custom server.
A corporate email service archiving mail? Whodathunkit?
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"