The Twitter Attack
Excellent article detailing the Twitter attack.
Shane • July 23, 2009 12:40 PM
Not to be a Devil’s advocate or anything, but… Gmail is a cloud application.
Had they been using their own internal servers for mail, there would not likely have been an ‘automated reset’ feature, or web-based security q&a form, albeit they almost certainly would have had other vulnerabilities to deal with.
Just saying, the cloud nods aren’t entirely irrelevant here.
Jemaleddin • July 23, 2009 1:09 PM
“Excellent article detailing the Twitter attack.”
…from the people who profited from it.
kangaroo • July 23, 2009 1:23 PM
And this is why people need to actually use gpg or some such end-point encryption. Such an attack would be massively limited if at some crucial points you had to go beyond passwords into the realm of arbitrary numbers.
noah • July 23, 2009 1:40 PM
Gmail can do password resets by sending you an SMS. If you have a mobile that can receive SMS, delete your secondary email and security question*, then it’s the only option.
Marc B. • July 23, 2009 1:43 PM
Again a disadvantage of webmail (and IMAP). When we downloaded our e-mails to our own computers, it ensured that no one could search through them without physical access to our computer.
But now that we want to access our mail accounts and archives from everywhere with any mobile or other device, the bad guy only needs to social engineer access to the account and gets our whole mail history and archive presented with it.
Petey B • July 23, 2009 2:33 PM
@noah, I'm stealing that and making all my secret question answers an MD5 of my last name (with a salt).
peri • July 23, 2009 5:27 PM
@ noah, Petey
noah’s accounts can be accessed by obtaining password hashes. These are stored hashed in the first place so that if the hash is made public the account is still not compromised.
Petey at least sees a little protection from the salt but a last name adds nothing secret.
Any protection provided by a password evaporates if there is a simpler method to access an account. Any answers to secret questions should be regarded as your other passwords for that account so the same care should be taken when they are created, stored and destroyed.
So I would suggest just using the account’s password as the answer to any secret questions. After all, if the site doesn’t hash your answers then when a thief gets that data your account is already compromised.
will • July 24, 2009 1:39 AM
regarding cloud
The weakest link is the extent to which normal computer users maintain many accounts and the human need to rationalise on passwords and things to remember between them.
If Twitter was using all internal email servers and such, they would still have fallen in exactly the same way – a Twitter employee used a public, free email server with a secret question.
Go on, propose an alternative to secret questions that’ll work for a free email service and’ll work with the 99.9% of the population who don’t think they’re a target…
nEJC • July 24, 2009 2:55 AM
Just wondering…
The attacker actually got away with it because he could change the password (and re-change it) while the user stayed clueless.
How about system sending a semi-permanent, non-deletable, non-junkmailable, mail message saying something like:
“your password was recently changed. if you did it then ignore this message. if you didn’t you’ve been hacked and should ACT NOW”
This message would stay on for about a week. It should be a mail because of remote access from POP or IMAP.
Would this be useful or only a new nuisance?
Anonymous • July 24, 2009 6:33 AM
@nEJC: A semi-permanent, highly visible marking as you suggest would be a step in the right direction. However, a week-long timeout is probably too short. With the amount of information that Hacker Croll had access to, it would be easy enough to figure out when the targeted employee was next going on vacation, or otherwise going to be away from email access for a week+.
In fact, is it not common in business, when going on vacation or otherwise going to be away from email, to put an auto-response on email saying just that: I’ll be out of the office and unable to access email for the next two weeks… etc.
Good idea though, bravo.
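The notice nEJC proposes, with the longer hold that Anonymous argues for, sketched as an added example (not code from the thread or from any mail provider). It builds the notice as an ordinary RFC 5322 message so POP and IMAP clients see it too, and puts the "cannot be deleted for a while" rule in the mail store rather than in the webmail UI, so the attacker cannot clear it after a reset. The header name, the 14-day dwell, the addresses and the timestamps are all assumptions made for illustration.

```python
"""Added example, not part of the original thread.

A password-change notice delivered as a normal mail message (visible over
POP/IMAP) that the mail store refuses to expunge during a dwell window.
The custom header, dwell period, addresses and sample times are assumptions.
"""
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime
from typing import List

NOTICE_HEADER = "X-Account-Notice"  # assumed custom header marking a notice
DWELL = timedelta(days=14)           # Anonymous argues one week is too short


def build_notice(user: str, changed_at: datetime, client_ip: str) -> EmailMessage:
    """Compose the notice as plain mail so any client shows it."""
    msg = EmailMessage()
    msg["From"] = "security-noreply@example.net"  # assumed sender
    msg["To"] = user
    msg["Date"] = format_datetime(changed_at)
    msg["Subject"] = "Your password was recently changed"
    msg[NOTICE_HEADER] = "password-changed"
    msg.set_content(
        f"Your password was changed on {changed_at:%Y-%m-%d %H:%M %Z} "
        f"from {client_ip}.\n"
        "If you did this, ignore this message. If you did not, you have been\n"
        "hacked and should act now.\n"
    )
    return msg


def is_notice(msg: EmailMessage) -> bool:
    return msg.get(NOTICE_HEADER) is not None


def can_expunge(msg: EmailMessage, now: datetime) -> bool:
    """Store-side rule: a notice is held for DWELL after its Date header,
    regardless of which client (webmail, IMAP, or the attacker) asks."""
    if not is_notice(msg):
        return True
    return now - parsedate_to_datetime(msg["Date"]) >= DWELL


class Mailbox:
    """Minimal mailbox enforcing the dwell rule on expunge."""

    def __init__(self) -> None:
        self.messages: List[EmailMessage] = []

    def password_changed(self, user: str, when: datetime, client_ip: str) -> None:
        # Every change adds its own notice. An attacker re-changing the
        # password (L33 in the thread) creates a second notice rather than
        # replacing the first.
        self.messages.append(build_notice(user, when, client_ip))

    def expunge(self, now: datetime) -> int:
        """Remove everything the dwell rule allows; return the count removed."""
        kept, removed = [], 0
        for m in self.messages:
            if can_expunge(m, now):
                removed += 1
            else:
                kept.append(m)
        self.messages = kept
        return removed

    def active_notices(self, now: datetime) -> List[EmailMessage]:
        return [m for m in self.messages if is_notice(m) and not can_expunge(m, now)]


if __name__ == "__main__":
    # Constructed timeline: the account is reset twice within an hour.
    t0 = datetime(2009, 7, 20, 3, 0, tzinfo=timezone.utc)
    box = Mailbox()
    box.password_changed("victim@example.net", t0, "203.0.113.7")
    box.password_changed("victim@example.net", t0 + timedelta(hours=1), "203.0.113.7")
    print("expunged next day:", box.expunge(t0 + timedelta(days=1)))
    print("notices still shown:", len(box.active_notices(t0 + timedelta(days=1))))
```

Because the check lives in `can_expunge` rather than in a delete button, a client that ignores the UI (or the attacker using the reset password over IMAP) gets the same answer; the only way to make the notice go away early is to wait out the dwell.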
Jony • July 24, 2009 9:58 AM
Out of office messages disclose valuable information to hackers and other criminals and I suggest avoiding them.
Use PasswordSafe to manage your passwords. I don’t even know most of them.
I guess the time zone difference helped – the hacker did not log on while the account owner was active.
When forced to use secret questions, I specify incorrect random answers.
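The points raised by Petey B, peri and Jony, as an added example that is not code from the thread: secret-question answers handled exactly like passwords on the server side (normalised, salted, slow-hashed, compared in constant time), random answers generated for the password manager, and a small dictionary run showing why "MD5 of my last name with a salt" only buys what the salt buys. The iteration count, the surname list and the sample salt are constructed assumptions; the cracking helper assumes the attacker knows the salt, which is the case whenever it is stored beside the hash or is itself guessable.

```python
"""Added example, not part of the original thread.

Secret-question answers treated as passwords (peri), random answers (Jony),
and a check on Petey B's MD5(last name + salt) idea. Work factor, surname
list and the sample salt are assumptions for illustration.
"""
import hashlib
import hmac
import os
import secrets
import unicodedata
from typing import List, Optional, Tuple

ITERATIONS = 200_000  # PBKDF2 work factor; assumption, tune for your hardware


def normalize(answer: str) -> str:
    """Fold case, whitespace and Unicode so 'Smith ' and 'smith' match.
    Applied before hashing; the cleaned text itself is never stored."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-answer random salt plus a slow KDF, exactly as for a password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, ITERATIONS
    )
    return salt, digest


def verify_answer(answer: str, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_answer(answer, salt)
    return hmac.compare_digest(digest, stored)


def random_answer(nbytes: int = 16) -> str:
    """Jony's practice: a random answer kept in the password manager, so the
    'question' carries no guessable information at all."""
    return secrets.token_urlsafe(nbytes)


def petey_answer(last_name: str, salt: str) -> str:
    """Petey B's scheme: the answer typed into the form is MD5(last name || salt)."""
    return hashlib.md5((last_name + salt).encode("utf-8")).hexdigest()


def crack_petey(target_hex: str, salt: str, surnames: List[str]) -> Optional[str]:
    """With the salt known, the secrecy left is the surname, and a surname
    list is tiny: this is a dictionary attack, not a brute force."""
    for name in surnames:
        if petey_answer(name, salt) == target_hex:
            return name
    return None


COMMON_SURNAMES = ["smith", "johnson", "williams", "brown", "jones"]  # constructed


if __name__ == "__main__":
    salt, digest = hash_answer("Smith ")
    print("stored form:", salt.hex(), digest.hex())
    print("verify 'smith':", verify_answer("smith", salt, digest))
    print("random answer for the manager:", random_answer())
    leaked = petey_answer("jones", "s3")  # value an attacker reads from a plaintext store
    print("recovered surname:", crack_petey(leaked, "s3", COMMON_SURNAMES))
```

The contrast is the point: `hash_answer` protects a weak answer only as far as a slow, salted hash can, while `random_answer` makes the answer itself strong, which is what peri's "treat them as passwords" advice amounts to in practice.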
Davi Ottenheimer • July 23, 2009 12:24 PM
I noted this sentence:
“A security hole in iTunes gave HC access to full credit card information in clear text.”
None of the other failures of security were described as holes, but when credit card information is exposed…
They also make a few notes to cloud security, but this has more to do with automation of password reset services than cloud anything.
In small environments the password reset is manual and trust is checked by an administrator, but in high-volume environments automation is introduced with varying degrees of trust checks.
The security holes of hotmail and google are clearly in their automation of resets, which is not a cloud-specific issue.