科技回声
© 2025 科技回声. All rights reserved.

The Anatomy Of The Twitter Attack

50 points, by malte, almost 16 years ago

15 comments

wallflower, almost 16 years ago

> Taken individually, most of these services have reasonable security precautions against intrusion. But there are huge weaknesses when they are looked at together, as an ecosystem. Like dominoes, once one fell (Gmail was the first to go), the others all tumbled as well.

Like many others, I gradually gave up my internal resistance to Google knowing most everything about me and have adopted Gmail as my primary mailbox.

1) Enable SSL by default on Gmail

https://mail.google.com/mail/#settings

Scroll down to the bottom and choose 'Always use HTTPS' for 'Browser Connection'. Click 'Save settings'.

2) Change your Gmail security question (you may want to do this now because you may have forgotten the answer to your own question that you set way back when you registered)

http://mail.google.com/support/bin/answer.py?hl=en&answer=29414

3) If you can't answer your Gmail security question, it will send a password reset email to your secondary email address. Consider the risks of having the secondary email address compromised (and decide whether to remove it or change it to one with a secure 'secret question' process - e.g. if you work for a company, your work email)

http://mail.google.com/support/bin/answer.py?hl=en&answer=6566

Comment #712868 not loaded
Comment #712877 not loaded
Comment #712875 not loaded
byrneseyeview, almost 16 years ago

They were really cranking up the word count:

> Now going back to Hacker Croll and his list of Twitter employees and other information. Twitter just happens to be one of a number of a new breed of companies where almost the entire business exists online. Each of these employees, as part of their work, share data with other employees - be it through a feature of a particular application or simply through email. As these users become interwoven, it adds a whole new attack vector whereby the weak point in the chain is no longer just the weakest application - it is the weakest application used by the weakest user. For an attacker such as Hacker Croll looking to exploit the combination of bad user habit, poorly implemented features and users mixing their personal and business data - his chances of success just got exponentially greater. Companies that are heavily web based rely largely on users being able to manage themselves - the odds are not only stacked against Twitter, they are stacked against most companies adopting this model.

Could be summarized as "Twitter used Google Docs." Everything else in this paragraph repeats things from earlier. (And things from earlier repeat things from *earlier*.)
brown9-2, almost 16 years ago

So if a Hotmail account expires, they allow just anyone to re-register it as their own email address?

That sounds completely irresponsible.

Comment #713275 not loaded
Comment #713255 not loaded
forgottenpasswd, almost 16 years ago

Disregarding the human "holes", I think the biggest hole here is Hotmail allowing expired accounts' usernames to be registered again. That should be a no-no considering the importance of the use of email as an identity. They can purge the account as it expires, but they should not let others use the username again.

Most others are just "best practices" that try to keep a balance between security and usability. Except for the practice of emailing a password in clear text, which compromises a lot of security for little usability gain.
gojomo, almost 16 years ago

Wow, a 3,900-word magnum opus. The nutshell:

(1) Hacker deduced from a Google password reset that a Twitter employee had a Hotmail account as their secondary email for a personal Google login.

(2) Was able to re-register that dormant Hotmail address (!) -- and thus get the Gmail password reset.

(3) Saw a cleartext password confirmation from another web service among the Gmail archives; reverted the Google account password to that, in the hopes it would allow the compromise to evade the user's detection. That worked; the user continued to use their personal Gmail as normal.

(4) From there, extended the compromise to other accounts of that user elsewhere, including a separate Google Apps for Twitter account, which used the same password. Used information now visible -- internal Twitter docs, private coworker profiles, etc. -- to crack other employee accounts, likely by also deducing password-reset security questions. Accounts compromised included Evan Williams and Biz Stone.

There's some hand-waving at this last step, but if the early-compromised employees were admin assistants, HR, or sysadmins, and/or if Twitter as a matter of course trusted Gmail-to-Gmail internal email as being a safe place to share setup passwords and other private information, it's plausible.

This branching-out to multiple accounts included "AT&T for phone logs, Amazon for purchasing history, MobileMe for more personal emails and iTunes for full credit card information" -- as there's said to be a flaw in iTunes that sometimes echoes back full credit card numbers.
hymanroth, almost 16 years ago

The million-dollar question: would we have been so interested in how the attack was made if we hadn't had at least a glimpse of the compromised information? In other words, could TC argue that publishing the confidential information was a valid way of raising awareness of the security issue? I'm not convinced, but it's a tough one.

Comment #713012 not loaded
Comment #712952 not loaded
guicifuentes, almost 16 years ago

After reading the TSID (Twitter's Secret Internal Documents), which basically tell of Twitter's plans to "dominate the world" with their service, I think TC does not deserve any credibility for publishing an advertorial and making it look like a revelation from the "underground" hackers; that's cheating.
edw519, almost 16 years ago

"iTunes has a security hole that shows credit card information in clear text..."

Where are their auditors, their bankers, and their trading partners?

SOX won't let us fart on Tuesdays, but a public company can store credit card information in clear text? Unbelievable.

Comment #713101 not loaded
mixmax, almost 16 years ago

Very interesting, but I still think TechCrunch is way beyond the ethical line in this whole farce.

Comment #713033 not loaded
TravisLS, almost 16 years ago

Everyone here is probably fairly well aware of how easy it is to compromise accounts on these online services. I hope most HN users recognize that the appropriate course of action after hacking a service like this is to notify the account holder to help them improve their security before revealing the details.

If you really aren't doing this for profit, and you really don't want to hurt the victim of the attack (as Hacker Croll claims), then don't disclose the information you stole to major press outlets. This attack is really in poor taste, and I think all of us here at HN should recognize the difference between pointing out the dangers of the internet and being one of the dangers ourselves.

Comment #712926 not loaded
bcl, almost 16 years ago

This story illustrates something that I enforce with users that I deal with. I don't allow them to choose their own passwords. This is especially important when they have access to a shared resource like Google Docs, a company wiki, a Subversion repository, etc., where a compromised account could expose sensitive company documents. It is also a good argument not to use those kinds of services and to keep them 'in house', where you have better control and auditing of access to them.

If you are running a company 'in the cloud', you need to make sure you or your system administrators have control over the users' accounts and passwords. They can't be trusted to choose decent passwords.

Comment #713190 not loaded
vaksel, almost 16 years ago

I think part of the problem is that we have so many places to keep track of (email/password-wise).

I can pretty much guarantee that there is a way for some of my accounts to get compromised with an email address I haven't used in 4 years.

Why? Because at this point I probably have a few thousand accounts, and there is just no way to keep track of all of them when updating your password/email.
tdm911, almost 16 years ago

The most important lesson here is that no amount of security on a website/server/physical piece of hardware will stand up to the test if the user is lax in their usage.

Social engineering is the new wave of security breaches, and it would seem that strict password policies etc. are just as important as an intrusion-proof system/network.
unohoo, almost 16 years ago

The post would have been a more interesting read if it didn't have so much rambling.
ajaya, almost 16 years ago

TechCrunch = TwitterCrunch