When Websites Trade Security for ‘happiness’

If the popular social networking site Twitter was looking to ring in a happy new year, they didn’t have much luck. Instead, 2009 began with an attack on, and misuse of, 33 accounts by an 18-year-old hacker. Among those compromised were President-elect Barack Obama’s, the Fox News Channel’s and CNN’s Rick Sanchez’s, along with a smattering of other celebrities and notables.

If you’re reading this and thinking ‘Well, it’s just Twitter’ or ‘Well, it’s just another social networking site, it’s nothing really important’, then think again. I will explain later why even a seemingly innocuous web site of the social networking ilk, something thought of as just-for-funsies, can have real repercussions for users. There are definitely some valuable lessons here that we can all apply, technical and non-tech people alike. If you’re a systems administrator or software developer, it’s of utmost importance that you protect yourself, your organization and clients, and those who ultimately use your software.

A dictionary attack? Really?

The story as it appears in the Wired.com Threat Level blog states…

…Using a tool he authored himself, he launched a dictionary attack against the account, automatically trying English words. He let the program run overnight, and when he checked the results Monday morning at around 11:00 a.m. Eastern Time, he found he was in Crystal's account.

Note: Crystal happens to be a Twitter employee so elevated privileges apply here.

A dictionary attack is a very popular and simple way to hack an application. I emphasize simple because it’s the first chapter in the ScriptKiddie Hacking 101(tm) training manual[1]. There are ways to help prevent dictionary attacks; below are just two of the most basic:

  1. Enforce a strong password policy
  2. Limit rapid fire logon attempts

Both options are fairly easy for developers to implement, and rapid-fire logon attempts can be caught both during the application health monitoring done by developers and during the log auditing done by system administrators.

Make the Effort in Reducing Attack Risk

Passwords composed entirely of lower case letters that are also plain words found in the dictionary are considered weak passwords, meaning that it’s far easier to guess them using password cracking software. This is where the name dictionary attack comes from: the cracking software spins through a dictionary file and tests each plain word against a logon. Strong passwords, on the other hand, are one step of prevention, and when combined with other techniques they can push the time required well beyond what hackers are willing or able to put in.

In addition to a good password policy, had Twitter put in place a mechanism to lock and flag accounts that receive many login attempts in a short time span, they would have noticed (I hope) the many failed logons, which should raise a red flag. Twitter could also have progressively increased the waiting time between login attempts to the same account and eventually locked it if the attempts remained unsuccessful. This technique drastically increases the amount of time an attacker needs to run dictionary attack scripts, and gives the sysadmin team time to investigate.
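The two measures listed earlier (a strong password policy, limiting rapid-fire logon attempts) and the progressive back-off and lockout described in the paragraph above, put together as an added example. This is illustration code written for this post, not Twitter’s code or anything from the incident; the thresholds (12 characters, five failures, delays doubling from one second), the tiny word list, the account name and the `verify` callback are all assumptions made up for the example, and the fake clock exists only so the example runs instantly.

```python
"""Added example: per-account login throttle with progressive back-off, lockout
and an audit trail, plus a simple password policy check. All thresholds, names
and the word list below are assumptions for illustration, not a real policy."""
import time
from dataclasses import dataclass

# Constructed stand-in for the dictionary file a cracking tool would spin through.
COMMON_WORDS = {"happiness", "password", "twitter", "welcome", "sunshine"}


def password_policy_violations(password: str) -> list:
    """Return the policy rules a candidate password breaks (empty list = accepted)."""
    problems = []
    if len(password) < 12:                       # assumed minimum length
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON_WORDS:         # the exact weakness a dictionary attack exploits
        problems.append("is a plain dictionary word")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    return problems


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0   # clock time before which further attempts are refused
    locked: bool = False


class LoginThrottle:
    """Tracks failed logons per account: each failure doubles the wait before the
    next attempt is accepted, and the account locks after max_failures."""

    def __init__(self, max_failures=5, base_delay=1.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.clock = clock
        self.state = {}
        self.audit = []          # (time, account, event) for sysadmin log review

    def _log(self, now, account, event):
        self.audit.append((now, account, event))

    def attempt(self, account, password, verify):
        """verify(account, password) -> bool is the application's own credential check."""
        now = self.clock()
        st = self.state.setdefault(account, AccountState())
        if st.locked:
            self._log(now, account, "refused: account locked")
            return "locked"
        if now < st.next_allowed:
            self._log(now, account, f"refused: back-off active for {st.next_allowed - now:.1f}s")
            return "throttled"
        if verify(account, password):
            st.failures, st.next_allowed = 0, 0.0
            self._log(now, account, "success")
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked = True
            self._log(now, account, f"LOCKED after {st.failures} failures; flag for investigation")
            return "locked"
        delay = self.base_delay * 2 ** (st.failures - 1)   # 1s, 2s, 4s, 8s ...
        st.next_allowed = now + delay
        self._log(now, account, f"failure {st.failures}; next attempt allowed in {delay:.0f}s")
        return "denied"

    def flagged_accounts(self):
        """Accounts the sysadmin team should look at: everything that got locked."""
        return sorted(a for a, st in self.state.items() if st.locked)


class FakeClock:
    """Controllable clock so the demo runs instantly and deterministically."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Run a guessing script that waits out each back-off against a hypothetical
    account; returns (per-attempt results, simulated seconds spent, audit log)."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    # Hypothetical credential store: the real password is not in COMMON_WORDS.
    verify = lambda acct, pw: (acct, pw) == ("demo_user", "Correct-Horse-Battery-7")
    results = []
    for word in ["happiness", "password", "twitter", "welcome", "sunshine", "monkey"]:
        results.append(throttle.attempt("demo_user", word, verify))
        st = throttle.state["demo_user"]
        clock.advance(max(0.0, st.next_allowed - clock()))   # wait out the back-off
    return results, clock.t, throttle.audit


if __name__ == "__main__":
    print(password_policy_violations("happiness"))
    for line in demo()[2]:
        print(line)
```

Five guesses cost the script fifteen simulated seconds instead of fifteen milliseconds, the fifth one locks the account, and every step lands in `audit` with a “flag for investigation” marker, which is exactly the red flag the text says log auditing should catch. Note that `flagged_accounts()` and the audit list are the detection side of this; the lock itself is the prevention side.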

The Repercussions

A lot of people use Twitter (and other social networking sites) just for chatting, friendly banter and exchanging pearls of wisdom, so many tend to look lightly on these types of web sites. But when we look at the businesses, people and organizations that use Twitter for real-time support or as a business aid, we can see that it’s not fun and games for everyone; it can actually be important to some. Tech companies like Dell and HP, local places like the Lehigh Valley Pa tourism agency, as well as many individuals, small businesses, newspapers and of course the famous names above, all use social networking for lots of important reasons. The damage isn’t so much that the hacker allowed others to post ridiculous messages on those accounts[2]; the damage is here:

          Users reuse passwords on multiple sites, including financial, social, vendors, partners and customers’ sites. This is the epitome of bad practices.

So now that passwords have been compromised, has Crystal changed her passwords elsewhere? Has Barack Obama? CNN or Fox News or their employees? What would happen if someone were to get hold of a CNN employee’s password via Twitter and use it to access CNN networks? What if a small business owner reused the password on a banking site (could they be ruined)? If you have a Twitter account, what about you? How do you know whether your password was obtained during this attack and simply hasn’t been used against you yet? Stop and think for a moment: do you use the same password on multiple sites? Are any the same as your Twitter password?

Conclusion

Twitter could have completely prevented the hack in the first place if they had done just a few of these simple things.

"I feel it's another case of administrators not putting forth effort toward one of the most obvious and overused security flaws, I'm sure they find it difficult to admit it."

As developers/administrators it’s our job to create and configure the infrastructure needed to help reduce attack surfaces. I often find that developers tend to view security as a necessary evil, and that might well be true, but if more of us added in even simple measures it could make a big difference to our users.

I always suggest to non-technical friends and family that they create strong passwords and use each password on only one web site, but I know they don’t listen. They’re users after all, and they don’t want to be concerned with security; they want to be concerned with productivity, fun or the other things that computers and websites can do for them (and rightly so). But it’s up to us as developers to enforce policies that guide them to do the necessary things to protect themselves, as we can’t and shouldn’t expect them to be security experts – we need to be that for them.


[1] Lest ye think it’s a real training manual, ScriptKiddie Hacking 101(tm) training is not. So please don’t ask me for it.
[2] Despite the seriousness of this topic overall, it was totally hilarious that someone posted ‘Breaking News: Bill O’Reilly is gay’ to the Fox News account. Just sayin.

#1 Andy on 1.14.2009 at 7:57 AM

Yikes, I hadn't heard about that. Many people, even us developers, think "Oh that's a pretty established site, I'm sure they have good security practices in place". And time and time again we find out that we are wrong.