Schneier on Security
A blog covering security and security technology.
« Mapping Drug Use by Testing Sewer Water |
| Social Security Numbers are Not Random »
July 23, 2009
The Twitter Attack
Excellent article detailing the Twitter attack.
Posted on July 23, 2009 at 12:07 PM
• 12 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I noted this sentence:
"A security hole in iTunes gave HC access to full credit card information in clear text."
None of the other failures of security were described as holes, but when credit card information is exposed...
They also make a few notes to cloud security, but this has more to do with automation of password reset services than cloud anything.
In small environments the password reset is manual and trust is checked by an administrator, but in high-volume environments automation is introduced with varying degrees of trust checks.
The security holes of hotmail and google are clearly in their automation of resets, which is not a cloud-specific issue.
Not to be a Devil's advocate or anything, but... Gmail *is* a cloud application.
Had they been using their own internal servers for mail, there would not likely have been an 'automated reset' feature, or web-based security q&a form, albeit they almost certainly would have had other vulnerabilities to deal with.
Just saying, the cloud nods aren't entirely irrelevant here.
"Excellent article detailing the Twitter attack."
...from the people who profited from it.
And this is why people need to actually use gpg or some such end-point encryption. Such an attack would be massively limited if at some crucial points you had to go beyond passwords into the realm of arbitrary numbers.
Gmail can do password resets by sending you an SMS. If you have a mobile that can receive SMS, delete your secondary email and security question*, then it's the only option.
* Don't remember if you can actually delete the question, but you can always change the answer to something like md5(your_password).
Again a disadvantage of webmail (and IMAP). When we downloaded our e-mails to our own computers, it ensured that no one could search through them without physical access to our computer.
But now that we want to access our mail accounts and archives from everywhere with any mobile or other device, the bad guy only needs to social engineer access to the account and gets our whole mail history and archive presented with it.
@noah, im stealing that and making all my secret question answers an MD5 of my last name (with a salt).
@ noah, Petey
noah's accounts can be accessed by obtaining password hashes. These are stored hashed in the first place so that if the hash is made public the account is still not compromised.
Petey at least sees a little protection from the salt but a last name adds nothing secret.
Any protection provided by a password evaporates if there is a simpler method to access an account. Any answers to secret questions should be regarded as your other passwords for that account so the same care should be taken when they are created, stored and destroyed.
So I would suggest just using the account's password as the answer to any secret questions. After all, if the site doesn't hash your answers then when a thief gets that data your account is already compromised.
The weakest link is the extent to which normal computer users maintain many accounts and the human need to rationalise on passwords and things to remember between them.
If Twitter was using all internal email servers and such, they would still have fallen in exactly the same way - a Twitter employee used a public, free email server with a secret question.
Go on, propose an alternative to secret questions that'll work for a free email service and'll work with the 99.9% of the population who don't think they're a target...
The attacker actually got away with it because he could change the password (and re-change it) while the user stayed clueless.
How about system sending a semi-permanent, non-deletable, non-junkmailable, mail message saying something like:
"your password was recently changed. if you did it then ignore this message. if you didn't you've been hacked and should ACT NOW"
This message would stay on for about a week. It should be a mail because of remote access from POP or IMAP.
Would this be useful or only a new nuisance?
@nEJC: A semi-permanent, highly visible marking as you suggest would be a step in the right direction. However, a week long timeout is probably too short. With the amount of information that Hacker Croll had access too it would be easy enough to figure out when the targeted employee was next going on vacation, or otherwise going to be away from email access for a week+.
In fact, is it not common in business, when going on vacation or otherwise going to be away from email, to put an auto-response on email saying just that: I'll be out of the office and unable to access email for the next two weeks... etc.
Good idea though, bravo.
1. Out of offfice messages disclose valuable information to hackers and other criminals and I suggest avoiding them.
2. Use PasswordSafe to manage your passwords. I don't even know most of them.
3. I guess the time zone difference helped - the hacker did not log on while the account owner was active.
4. When forced to use secret questions, I specify incorrect random answers.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.