The Anatomy Of The Twitter Attack

30 Dec 09

madzientist

security

20 Dec 09

Frank Carey

security twitter

21 Sep 09

Mike Austin

17 Aug 09

Alberto Bartoli

hacking

eyal matsliah

information-security security cloud-computing gmail

The list of services affected either directly, or indirectly, are some of the most popular web applications and services in use today - Gmail, Google Apps, GoDaddy, MobileMe, AT&T, Amazon, Hotmail, Paypal and iTunes . Taken individually, most of these services have reasonable security precautions against intrusion. But there are huge weaknesses when they are looked at together, as an ecosystem. Like dominoes, once one fell (Gmail was the first to go), the others all tumbled as well.
In order to keep private data private, modern web applications have built out their own systems and policies that require a user to register and then manage their identities separately with each app. The identifier that most applications use is an email address, and it is this common factor that creates a de facto trust relationship between a user’s applications. The second factor is a password: a random string that only the user knows, is unique to each application, and in theory should take even a computer months or years to figure out if it started guessing. These two elements would work well enough for most cases, were it not for what is often the single weakest factor: human habit.
2 more annotations...
- Companies that are heavily web based rely largely on users being able to manage themselves - the odds are not only stacked against Twitter, they are stacked against most companies adopting this model.
- this attacker, and certainly others just like him, have been able to demonstrate that some of the biggest and most popular applications on the web contain fundamental weaknesses that alone might seem harmless, but in combination with other factors can cause an attacker to completely tear through the accounts of users, even those who maintain good password policy.

29 Jul 09

Seçkin Anıl Ünlü

twitter security fault email password

Bad human habit #1: Using the same passwords everywhere.

28 Jul 09

Graham Perrin

hack security Twitter PayPal Amazon AT&T MobileMe Gmail Google default password leak unread Apple Inc. 2009

23 Jul 09

Liudvikas Bukys

" A single Gmail account falls, and soon the security integrity of an entire startup crumbles. So for a start, reset those passwords and don’t use the same passwords for different services. Don’t use password recovery questions that can easily be answered with a simple web search (an easy solution is to answer those questions falsely). "

security-examples

22 Jul 09

Kim McCully Mobley

Technology and Twitter

twitter security hacker cloud passwords socialmedia techcrunch

Adriana Lukas

twitter security hacker cloud passwords socialmedia techcrunch

21 Jul 09

David Foltz

"Each new service that a user signs up for creates a management overhead that collapses quickly into a common dirty habit of using simple passwords, everywhere. At that point, the security of that user’s entire online identity is only as strong as the weakest application they use - which often is to say, very weak."

twitter security hack password passwords cloud hacker

Bad human habit #1: Using the same passwords everywhere. We are all guilty of it. Search your own inbox for a password of your own.

Olivier ETIENNE

twitter security hack

20 Jul 09

re: how to select passwords

twitter security privacy

Tien Nguyen

Well designed web applications will never just give a user their password if they forget it, they will force the user to pick a new one. Hacker Croll had access to the account, but with a password he had specified. To not alert the account owner that their account had been compromised, he had to somehow find out what the old Gmail password was and to set it back. He now had a bevy of information at his fingertips, a complete mailbox and control of an email account. It wasn’t long before he found an email that would have looked something like this:
Bad human habit #1: Using the same passwords everywhere. We are all guilty of it. Search your own inbox for a password of your own. Hacker Croll reset the password of the Gmail account to the password he found associated with some random web service the user had subscribed to and that sent a confirmation with the password in clear text (and he found the same password more than once). He then waited, to check that the user was still able to access their account. Not too long later there was obvious activity in the email account from the account owner - incoming email read, replies sent and new messages drafted. The account owner never would have noticed that a complete stranger was lurking in the background. The second domino falls.

Trent Adams

twitter hack identity security

Pete Austin

For Hacker Croll, his first port of call in setting out to gain access to a target network is to make use of public search engines and public information to build a profile of a company or individual. In the case of the Twitter attacks, this public information allowed him to create a rich catalog of data that included a list of employee names, their associated email addresses and their roles within the company. Information like birth dates, names of pets and other seemingly innocent pieces of data were also found and logged. This dragnet across the millions of pages on the web picked up both work and personal information on each of the names that were discovered. Public information on the web has no concept of, or ability to, distinguish between the work and personal details of a person’s identity - so from the perspective of a cracker on a research mission, having both the business and personal aspects of a target’s digital life intertwined only serves to provide additional potential entry points.

With his target mapped out, Hacker Croll knew that he likely only needed a single entry point in any one of the business or personal accounts in his list in order to penetrate the network and then spread into other accounts and other parts of the business.

twitter security hacking smartlogon

Krishnan Subramanian

twitter hack security techcrunch

Daryl Milne

security twitter internet future tech web hack privacy gmail

19 Jul 09

quintoelefante

Andrew Long

A great and thorough explanation of how the hacker "Croll" accessed key Twitter business documents and accounts in the cloud. Comes down to human practices, chance and security holes.

twitter cloud google documents hacked news techcrunch

Sonia Blanco

tesis twitter

It’s clear that Twitter was completely unaware of how deeply they were affected as a company - when Williams said that most of the information wasn’t company related he believed it.
Various bloggers speculated about the cause of the attack - with some placing the blame on Google while others blaming the rising trend of hosting documents in the cloud.
11 more annotations...
- The list of services affected either directly, or indirectly, are some of the most popular web applications and services in use today - Gmail, Google Apps, GoDaddy, MobileMe, AT&T, Amazon, Hotmail, Paypal and iTunes . Taken individually, most of these services have reasonable security precautions against intrusion. But there are huge weaknesses when they are looked at together, as an ecosystem
- Like dominoes, once one fell (Gmail was the first to go), the others all tumbled as well. The end result was chaos, and raises important questions about how private corporate and personal information is managed and secured in a time when the trend is towards more data, applications and entire user identities being hosted on the web and ‘in the cloud’.
- These two elements would work well enough for most cases, were it not for what is often the single weakest factor: human habit.
- Unfortunately for Twitter, Hacker Croll found such a weak point. An employee who has online habits that are probably no different than those of 98% of other web users. It began with the personal Gmail account of this employee. As with most other web applications, the personal edition of Gmail has a password recovery feature that presents a user with a number of challenges to prove their identity so that their password can be reset
- This is the point where the chain of trust broke down, as the attacker discovered that the account specified as a secondary for Gmail, and hosted at Hotmail was no longer active. This is due to a policy at Hotmail where old and dormant accounts are removed and recycled. He registered the account, re-requested the password recovery feature at Gmail and within a few moments had access to the personal Gmail account of a Twitter employee. The first domino had fallen.
- Bad human habit #1: Using the same passwords everywhere. We are all guilty of i
- “secret question”.
- Once Hacker Croll had access to the employee’s Twitter email account hosted by Google, he was able to download attachments to email that included lots of sensitive information, including more passwords and usernames. He quickly took over the accounts of at least three senior execs, including Evan Williams and Biz Stone. Perusing their email attachments led to lots more sensitive data being downloaded.
- He didn’t do that, and says he never intended to. All he wanted to do, he says, was to highlight the weaknesses in Twitter’s data security policies and get them and other startups to consider more robust security measures.
- Cloud services are convenient and cheap, and can help a company grow more quickly. But security infrastructure is still nascent.
- A single Gmail account falls, and soon the security integrity of an entire startup crumbles. So for a start, reset those passwords and don’t use the same passwords for different services. Don’t use password recovery questions that can easily be answered with a simple web search (an easy solution is to answer those questions falsely). And just in general be paranoid about data security. You may be happy you were.

Tom Sepp

kevin whited

tech publiustx society

Tammy Kim

web trends web2.0 twitter socialmedia

The Anatomy Of The Twitter Attack - The Diigo Meta page

Would you like to comment?

Top Tags

Check out another URL