The Twitter document leak fiasco started with a simple story: the personal accounts of some Twitter employees had been hacked. Twitter CEO Evan Williams commented on that story, saying that Twitter itself was mostly unaffected. No personal accounts had been compromised, and most of the sensitive information was staff related rather than company related, he said. The individual behind the attacks, known as Hacker Croll, was not happy with that response. Plenty of Twitter corporate information had been compromised, and he wanted the world to know about it. So he sent us all of the documents he had obtained, some 310 of them, and the story developed from there.
It is clear that Twitter was completely unaware of how deeply it had been affected as a company: when Williams said that most of the information was not company related, he believed it. It was not until later that he realized just how much, and what kind of, information had been taken. It included things like financial projections and executive meeting notes containing highly confidential information.
We have already said a lot about this whole story and the related password=password server that was discovered by another individual last week. But we have two more stories to tell. The first, this post, is exactly how the hacks took place, based on information gathered over hours of conversations with Hacker Croll. The second is what happened behind the scenes at Twitter as the story unfolded. That post will come later this week.
When the story first broke, the true extent of what had happened and how it occurred was not understood. Several bloggers speculated on the cause of the attack, one putting the blame on Google while others blamed the growing trend of hosting documents in the cloud.
We immediately reported the information we had in our possession to Twitter (and forwarded it to them), while also reaching out to the attacker. With some convincing, the attacker responsible for the Twitter intrusion opened a dialogue with us. We spent days communicating with him in an effort to gain insight into how the attack occurred, what its true extent was, and what we might learn from it.
We have waited to publish exactly what happened until Twitter had time to close these security holes.
Some background
In the security industry there is a generally accepted philosophy that no system or network is completely secure: a competent attacker with enough time, patience and resources will eventually find a way into a target. Some of the most famous information security breaches have relied on nothing more than basic issues, exploited by an attacker with enough time and patience to see the goal through. A classic example is the case of Gary McKinnon, a self-confessed, bumbling computer nerd who, usually drunk and high on cannabis, sat at home randomly trying to log into government servers using default passwords. His efforts resulted in the compromise of almost 100 servers across a number of government departments. After McKinnon had spent a number of years trawling through those servers looking for evidence of extraterrestrial life (long story), somebody in government finally wised up to his activities, leading not only to his arrest and the attempt to extradite him from the United Kingdom, but to a massive re-evaluation of the security methods used to protect government information.
A more recent example is the case of Kendall Myers who, after being recruited to work for the Cuban government by an anonymous foreigner while on holiday in that country, set about obtaining a senior position within the State Department specifically to gain access to U.S. Government secrets. Myers devoted his entire life to obtaining state secrets and, until the FBI recently caught him, had successfully passed secret information and internal documents to the Cuban government for 30 years. He relied on nothing more than his memory, his academic credentials and sheer dedication.
The Twitter attack: how the ecosystem failed
Like other successful attacks, Hacker Croll used the same combination of patience, determination and a few basic, rugged methods to gain access to a frightening number of accounts and services related to Twitter and Twitter employees. The list of services affected, directly or indirectly, reads like a who's who of the most popular web applications: Gmail, Google Apps, MobileMe, AT&T, Amazon, Hotmail, PayPal and iTunes. Taken individually, most of these services have reasonable security precautions against intrusion. But there are enormous weaknesses when they are looked at together, as an ecosystem. Like dominoes, once one fell (Gmail was the first to go), the others all fell as well. The end result was chaos, and it raises important questions about how private corporate and personal information is secured and handled at a time when the trend is toward more data, and more of a user's identity, being hosted on the web and in "the cloud".
Hacker Croll is French and in his twenties. He currently lives in a European country and first discovered his interest in web security over two years ago. Currently between jobs, he has used the extra time he now has, along with the skill set he has acquired, to break into corporate and personal accounts via the web. His knowledge of web security comes from a combination of publicly available material and a closely knit group of peers who share details of new, and sometimes unknown, techniques and vulnerabilities. Despite the significance and effects of a successful attack, the cracker's primary motivation is a combination of curiosity, exploration and an interest in web security. There is an almost voyeuristic tendency among these individuals, revealed in the thrill of having privileged access to information about the inner lives of individuals and corporations. The access gained and the knowledge acquired must be motivation enough to carry a cracker through the long hours, days and months of effort it can take to hit the pot of gold.
For Hacker Croll, the first port of call in attempting to gain access to a target network is to use public search engines and public information to build a profile of a company or an individual. In the case of the Twitter attacks, this enabled him to create a rich catalog of data that included a list of employee names, their email addresses and their roles within the company. Information like birth dates, names of pets and other seemingly innocuous pieces of data was also found and recorded. This trawl through millions of web pages took in both work and personal information on each of the names discovered. Public information on the web has no notion of, or capacity to distinguish between, the work and personal parts of a person's identity, so for a cracker on a research mission, the intertwined business and personal aspects of a target's digital life only provide additional potential points of entry.
With his target profiled, Hacker Croll likely knew that he needed only a single point of entry into any of the business or personal accounts on his list to get into the network and then spread to other accounts and other parts of the business. This is because the web was designed at a time when there was implicit trust between its participants; it required no central mechanism and no formal identification. To keep confidential information private, modern web applications have each built their own systems and policies that require a user to establish and manage an identity separately with each application. The identifier most applications use is an email address, and it is this common factor that creates a de facto relationship of trust between all of a user's applications. The second factor is a password: a random string that only the user knows, is unique to each application, and in theory should take a computer months or even years to find by brute force. These two elements work well enough in most cases, if it were not for what is often the weakest single factor: human behaviour.
Look at the front page of almost any web application and you will see hints at just how desperate and helpless we are in managing our digital lives: forgot my password, forgot my username, keep me logged in, forgot my name, who am I? These are features designed and built as a compromise, because we often cannot remember a single four-digit PIN, let alone a unique password for each application we have ever signed up for. Each new service a user signs up for adds an indirect management cost, which quickly collapses into the dirty habit of using simple, common passwords everywhere. At that point, the security of that user's entire online identity is only as strong as the weakest application they use, which is often, as we have said, very weak.
Now back to Hacker Croll and his list of Twitter employees and other information. Twitter just happens to be one of a new breed of companies whose business is almost entirely online. Each of these employees, as part of their work, shares information with other employees, whether through a purpose-built feature or simply via email. Once these users are intertwined, a whole new attack vector is added in which the weak point in the chain is no longer just the weakest application: it is the weakest application used by the weakest user. For an attacker like Hacker Croll looking to exploit the combination of bad user habits and poorly implemented application features, with users mixing their personal and business lives, the chances of success just got exponentially bigger. The odds are stacked heavily against companies that rely this much on the web, and not only against Twitter: they are stacked against most companies that adopt this model.
Unfortunately for Twitter, Hacker Croll found a very weak point: an employee whose online habits were probably no different from those of the other 98% of web users. It began with this employee's personal Gmail account. As with most other web applications, the personal edition of Gmail has a password recovery feature that presents a user with a number of challenges to prove their identity in order to reset their password. This was probably not the first Twitter employee account that Hacker Croll tried to gain access to, but on this particular account he discovered a twist in the framework that gave him his first big break. When asked to recover the password, Gmail reported that an email had been sent to the user's secondary email account. In an effort to balance utility with security, Gmail offered a hint as to which email account the password reset had been sent to, in case the user needed a gentle reminder. In this case the hint obscured the secondary email address as ******@h******.com. The natural best guess was that the secondary email account was hosted at hotmail.com.
At Hotmail, Hacker Croll tried the password recovery procedure again, making an educated guess at the username based on what he already knew. This is the point where the chain of trust broke down, because the attacker discovered that the account Gmail had recorded as the secondary address, hosted at Hotmail, was no longer active. This is due to a Hotmail policy of deleting and recycling old, inactive accounts. He registered the account, re-requested the Gmail password recovery, and within moments had access to the Twitter employee's personal Gmail account. The first domino had fallen.
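The recovery chain just described, as an added simulation that is not part of the original post and is not code from Google, Microsoft or Twitter: a primary mail provider whose reset flow mails a token to the secondary address on file and shows a masked hint of that address, and a secondary provider that recycles inactive addresses. The provider names, the 270-day recycling policy and the 90-day re-verification window are assumptions. `run_attack(hardened=False)` reproduces the takeover; `run_attack(hardened=True)` shows two changes that break it: the hint reveals nothing about the recovery address, and a recovery address that has not been re-confirmed recently is not trusted with a reset link at all.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added simulation for this page, not code from Google, Microsoft or Twitter.
# Provider names, the 270-day recycling policy and the 90-day re-verification
# window are assumptions chosen to mirror the narrative above.


def mask_recovery_address(address: str) -> str:
    """The kind of hint the post describes: hides the local part but leaks
    the first letter of the domain, e.g. ******@h******.com."""
    local, domain = address.split("@", 1)
    name, tld = domain.rsplit(".", 1)
    return "*" * len(local) + "@" + name[0] + "*" * (len(name) - 1) + "." + tld


@dataclass
class Mailbox:
    owner: str                                   # who controls the address now
    inbox: List[str] = field(default_factory=list)


class SecondaryProvider:
    """Webmail provider that lets anyone re-register an address once it has
    been inactive for `inactive_days` (the recycling policy in the story)."""

    def __init__(self, inactive_days: int = 270):
        self.inactive_days = inactive_days
        self.boxes: Dict[str, Mailbox] = {}
        self.last_login: Dict[str, int] = {}

    def register(self, address: str, owner: str, today: int) -> bool:
        if address in self.boxes and today - self.last_login[address] < self.inactive_days:
            return False                         # still active, not recyclable
        self.boxes[address] = Mailbox(owner=owner)   # fresh, empty mailbox
        self.last_login[address] = today
        return True

    def deliver(self, address: str, message: str) -> bool:
        box = self.boxes.get(address)
        if box is None:
            return False                         # no such address: bounce
        box.inbox.append(message)
        return True


class PrimaryProvider:
    """Primary account with a recovery address. hardened=False reproduces the
    behaviour described above; hardened=True applies two fixes."""

    def __init__(self, secondary: SecondaryProvider, hardened: bool, verify_window: int = 90):
        self.secondary, self.hardened, self.verify_window = secondary, hardened, verify_window
        self.accounts: Dict[str, dict] = {}
        self.tokens: Dict[str, str] = {}

    def create(self, user: str, password: str, recovery: str, today: int) -> None:
        self.accounts[user] = {"password": password, "recovery": recovery, "verified_on": today}

    def request_reset(self, user: str, today: int) -> Tuple[str, bool]:
        """Returns (hint shown to whoever asked, whether a reset mail was sent)."""
        acct = self.accounts[user]
        if self.hardened:
            if today - acct["verified_on"] > self.verify_window:
                # Fix 2: an address that has not been re-confirmed recently is
                # not trusted to receive a reset link; demand another factor.
                return "recovery address not re-verified recently; use another factor", False
            hint = "the recovery address on file"    # Fix 1: leak nothing about it
        else:
            hint = mask_recovery_address(acct["recovery"])
        token = secrets.token_urlsafe(16)
        self.tokens[token] = user
        return hint, self.secondary.deliver(acct["recovery"], "reset:" + token)

    def complete_reset(self, token: str, new_password: str) -> None:
        self.accounts[self.tokens.pop(token)]["password"] = new_password

    def login(self, user: str, password: str) -> bool:
        return self.accounts[user]["password"] == password


def run_attack(hardened: bool) -> Tuple[bool, str]:
    """Plays the chain end to end; returns (attacker owns the account?, why)."""
    hotmail = SecondaryProvider(inactive_days=270)
    gmail = PrimaryProvider(hotmail, hardened=hardened)
    # Day 0: the employee sets up both accounts, then abandons the secondary.
    hotmail.register("employee@hotmail.example", owner="employee", today=0)
    gmail.create("employee", "original-secret", "employee@hotmail.example", today=0)
    day = 400
    hint, _ = gmail.request_reset("employee", today=day)    # attacker's first request
    if not hint.startswith("*"):
        return False, "hint leaks nothing: " + hint
    # The masked hint yields the domain; the local part is an educated guess
    # from the employee's name, as in the story.
    guess = "employee@hotmail.example"
    if not hotmail.register(guess, owner="attacker", today=day):
        return False, "secondary address is still active"
    gmail.request_reset("employee", today=day)              # second request
    inbox = hotmail.boxes[guess].inbox
    if not inbox:
        return False, "no reset mail reached the recycled address"
    token = inbox[-1].split(":", 1)[1]
    gmail.complete_reset(token, "attacker-chosen")
    return gmail.login("employee", "attacker-chosen"), "reset link landed in the recycled mailbox"


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "as described", "->", run_attack(mode))
```

In the hardened run the staleness check fires first, so the attacker never even sees a hint; had the address been re-confirmed recently, the hint alone would still give him no domain to go and register. Neither fix blocks a reset when the recovery address genuinely still belongs to the employee, which is the behaviour you want.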
Well-designed web applications never hand a user their password back if they forget it; they force the user to choose a new one. Hacker Croll now had access to the account, but with a password he had entered. In order not to alert the account owner that the account had been compromised, he had to somehow find out what the old password was and set it back in Gmail. He now had a bevy of information at his fingertips and complete, quiet control of an email account. It was not long before he found an email that might have looked something like this:
To: Lazy User
From: Super Duper Web Service
Subject: Thank you for signing up to Super Duper Web Service
Dear Lazy User,
Thank you for signing up to the Super Duper Web Service. For the benefit of our support department (and anyone else who happens to be reading this), please find your account information below:
username: LazyUser
password: funsticks
To reset your password please follow the link at... ahh, forget it, nobody does this anyway.
Regards,
Super Duper Web Service
Bad human habit #1: using the same password everywhere. We are all guilty of it. Search your own inbox for one of your own passwords. Hacker Croll reset the Gmail account's password to a password he found associated with some random web service the user had subscribed to and which had mailed a confirmation containing the password in clear text (and he found the same password more than once). He then waited to check that the user could still access the account. It was not long before there was noticeable activity in the email account from its owner: incoming email being read, replies and new messages being written. The account owner would never have noticed that a stranger was stalking away in the background with full access. The second domino falls.
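A way to act on "search your own inbox", as an added example that is not code from the original article or from any service it names: the script below parses mail messages with Python's standard `email` module, reports every password a service mailed in clear text, and then flags passwords that arrived from more than one sender, which is the reuse signal Hacker Croll exploited. The messages in `SAMPLE_MESSAGES` are constructed for the demonstration, and the regular expression, which covers the common "password: ..." and "Your password is: ..." forms, is an assumption about how services phrase these mails.

```python
import email
import re
from email.message import Message
from typing import Dict, Iterator, List

# Added example for this page, not TechCrunch's or Twitter's code. The
# messages in SAMPLE_MESSAGES are constructed for the demonstration.

# Lines like "password: funsticks" or "Your password is: hunter2", anchored
# at the start of a line so prose that merely mentions passwords is ignored.
CRED_RE = re.compile(
    r"^[ \t]*(?:your\s+|new\s+|temporary\s+)*pass(?:word|wd)?(?:\s+is)?\s*[:=][ \t]*(?P<value>\S+)",
    re.IGNORECASE | re.MULTILINE,
)

SAMPLE_MESSAGES = [
    # the sign-up mail from the post, with the credential in the clear
    "From: signup@superduper.example\nSubject: Thank you for signing up\n\n"
    "Dear Lazy User,\nusername: LazyUser\npassword: funsticks\n",
    # a second service that mailed the same password: the reuse signal
    "From: noreply@otherforum.example\nSubject: Welcome\n\n"
    "Your password is: funsticks\nKeep this mail for your records.\n",
    # a multipart message; only the text/plain part is scanned
    "From: app@photos.example\nSubject: Your account\nMIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="xyz"\n\n'
    "--xyz\nContent-Type: text/plain\n\npassword: Tr0ub4dor&3\n"
    "--xyz\nContent-Type: text/html\n\n<p>password: Tr0ub4dor&amp;3</p>\n--xyz--\n",
    # noise: a masked value and prose about passwords, neither is a finding
    "From: alerts@bank.example\nSubject: Security notice\n\n"
    "Password: ********\nWe will never ask for your password: do not reply.\n"
    "To reset your password please follow the link below.\n",
]


def text_parts(msg: Message) -> Iterator[str]:
    """Yield decoded text/plain bodies, descending into multipart messages."""
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def find_cleartext_passwords(raw_messages: List[str]) -> Dict[str, List[str]]:
    """Map each credential found to the senders that mailed it in the clear."""
    found: Dict[str, List[str]] = {}
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        sender = msg.get("From", "?")
        for body in text_parts(msg):
            for m in CRED_RE.finditer(body):
                value = m.group("value")
                if value[0] in "*(<[":             # masked or placeholder values
                    continue
                found.setdefault(value, []).append(sender)
    return found


def reused_passwords(found: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Credentials that arrived from more than one service: each is a password
    that, as in the story, probably also opens accounts that never mailed it."""
    return {pw: senders for pw, senders in found.items() if len(set(senders)) > 1}


if __name__ == "__main__":
    hits = find_cleartext_passwords(SAMPLE_MESSAGES)
    for pw, senders in hits.items():
        print(f"{pw!r} mailed in clear by: {', '.join(senders)}")
    print("reused across services:", list(reused_passwords(hits)))
```

Against a real mailbox you would feed `find_cleartext_passwords` the raw messages from an mbox or IMAP export. Anything it reports is a credential to rotate everywhere it was reused, not only at the service that mailed it, since the mail itself is the thing an intruder reads first.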
From here it was easy.
Hacker Croll now sifted through the new information he had access to, using the user's personal Gmail account to fill out his map of the target. He extended his access out to the rest of the applications this user had signed up for. Sometimes the password was the same again; that took care of this user's work email, hosted on Google Apps for Domains. It turns out that this employee (and in fact most, if not all, Twitter employees) used the same password for their Google Apps email (the Twitter email account) as for their personal Gmail account. For other sites, where the original password did not work, he took advantage of a feature that many sites have implemented to help users recover passwords: the notorious secret question.
The story splits here for a moment, because there is a real issue with the secret question (from here on more appropriately abbreviated as just "secret?"). For some strange reason, some sites refer to the secret? as an additional layer of security, when it is often the complete opposite. In the story of Hacker Croll and Twitter, the internal documents we all now know about were only a few steps away from the first account he got into. On top of that, the attacker, and others just like him, have been able to demonstrate that some of the biggest and most popular applications on the web contain basic weaknesses that might seem harmless on their own, but which, combined with other factors, let an attacker completely rip apart a user's accounts, even for users who keep to a good password policy.
This is not the first time that the secret? systems used for password recovery have been abused. Last September, Republican vice-presidential candidate and Alaska Governor Sarah Palin had screenshots of her personal Yahoo Mail account published on Wikileaks. A hacker or group known only as "anonymous" claimed credit for the break-in, which was carried out by the attacker making an educated guess at the answer to the security question used to recover the password. In early 2005, celebrity Paris Hilton suffered a similar incident when her T-Mobile Sidekick account was broken into and the details of her call log, messages (some with private pictures of Hilton) and contact list were released to the media. The culprit, again, was the secret?.
Giving the user the option of guessing the name of a pet rather than actually knowing a password just dramatically shortens the odds for the attacker. The service is essentially telling the attacker: we understand that passwords are hard to guess, so we will help you narrow potentially millions of combinations down to a dozen or, better still, if you know how to use Google, down to one. The problem is not the concept of an additional token of identity, such as a mother's maiden name, that can be used alongside a password; the problem arises when that token is relied on alone, when the answer is stored in clear text in the account settings, and when users end up using the same question and answer combination across all of their accounts.
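The two stated problems, the answer stored in clear text and a question trusted on its own with unlimited guesses, side by side with a hardened store, as an added example that is not part of the original article or any named service's code. The candidate pet names and the lockout threshold are assumptions. Hashing the answer protects it if the account database leaks; the attempt limit is what actually blunts the "narrow millions down to a dozen" guessing described above, because a dozen candidates can no longer all be tried against the live service.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Dict, List, Tuple

# Added example for this page, not code from any of the services named above.
# The candidate list and the lockout threshold are assumptions.

CANDIDATES = ["Rex", "Fluffy", "Max", "Bella", "Buddy", "Charlie"]   # "harvested" from public profiles


def normalize(answer: str) -> str:
    """Fold case, Unicode form and punctuation so the legitimate user is not
    locked out by 'Mr. Whiskers' vs 'mr whiskers'. This is usability, not
    security: it slightly widens what counts as a correct guess."""
    return re.sub(r"[\W_]+", "", unicodedata.normalize("NFKC", answer).casefold())


def derive(answer: str, salt: bytes) -> bytes:
    """Slow, salted hash of the normalized answer (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


class SecretAnswerStore:
    """hardened=False: answer kept in clear, exact match, unlimited tries (the
    weakness described above). hardened=True: salted hash, constant-time
    comparison, lockout after max_attempts consecutive failures."""

    def __init__(self, hardened: bool, max_attempts: int = 5):
        self.hardened, self.max_attempts = hardened, max_attempts
        self.records: Dict[str, dict] = {}

    def set_answer(self, user: str, answer: str) -> None:
        if not self.hardened:
            self.records[user] = {"answer": answer}        # readable by anyone with DB access
            return
        salt = os.urandom(16)
        self.records[user] = {"salt": salt, "hash": derive(answer, salt), "failures": 0}

    def is_locked(self, user: str) -> bool:
        return self.hardened and self.records[user]["failures"] >= self.max_attempts

    def verify(self, user: str, guess: str) -> bool:
        rec = self.records[user]
        if not self.hardened:
            return rec["answer"] == guess
        if self.is_locked(user):
            return False                                   # the oracle stops answering
        ok = hmac.compare_digest(derive(guess, rec["salt"]), rec["hash"])
        rec["failures"] = 0 if ok else rec["failures"] + 1
        return ok


def guess_from_profile(store: SecretAnswerStore, user: str, candidates: List[str]) -> Tuple[bool, int]:
    """Attacker loop: try harvested answers in order. Returns (success, guesses used)."""
    for n, cand in enumerate(candidates, 1):
        if store.verify(user, cand):
            return True, n
        if store.is_locked(user):
            return False, n
    return False, len(candidates)


if __name__ == "__main__":
    for hardened in (False, True):
        store = SecretAnswerStore(hardened=hardened, max_attempts=3)
        store.set_answer("employee", "Buddy")
        print("hardened" if hardened else "weak", guess_from_profile(store, "employee", CANDIDATES))
```

Even hardened, a secret answer stays a low-entropy secret: hashing does not stop an offline attacker who has the database from trying the same dozen names, so the answer should remain one additional factor and never a substitute for the password, which is the point of the paragraph above.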
From this point, with a single personal account as the starting point, the intrusion spread like a virus, infecting a number of accounts on a number of different services both inside and outside Twitter. Once Hacker Croll had access to the employee's Twitter email account hosted on Google Apps, he was able to download email attachments that contained bits of sensitive data, including more usernames and passwords. He quickly took over the accounts of at least three senior executives, including Evan Williams and Biz Stone. Reading their email and attachments carefully led him to the most sensitive pieces of information, which were then transferred.
He then spidered out and gained access to AT&T for phone logs, to Amazon for purchase history, and to MobileMe and iTunes for more personal information, including full credit card details (iTunes has a security hole that exposes credit card information in clear text; we have reported it to Apple and have not heard back, so we will not post the still-open exploit now).
Basically, by the time he was done, Hacker Croll had enough personal and work information on Twitter's leading executives to make their lives a living hell.
To sum up the attack:
1. HC gained access to a Twitter employee's Gmail using the recovery feature that sends a password reset link to a secondary email address. In this case the secondary address was an expired Hotmail account; he simply registered it, clicked the link and reset the password. Gmail was then owned.
2. HC then read the employee's email to work out what the original Gmail password had been, and reset the password back to it so that the Twitter employee would not notice that the account had changed.
3. HC then used the same password to access the employee's Twitter email on Google Apps for your Domain, gaining access to a gold mine of sensitive company information in emails and, particularly, email attachments.
4. HC then used this information, along with additional password resets and guesses, to take control of other Twitter employees' personal and work email.
5. HC then used the same username/password combinations and password reset features to access AT&T, MobileMe, iTunes and Amazon, among other services. A security hole in iTunes gave HC access to full credit card information in clear text.
6. Even at this point, Twitter had absolutely no idea it had been compromised.
What could have happened next is that Hacker Croll used or sold this information for profit. He did not do that, and says he never planned to. All he wanted to do, he says, was to highlight the weaknesses in Twitter's data security policies and get Twitter and other startups to consider more robust security measures.
He also said that he feels bad for causing Twitter so much trouble. I asked Hacker Croll whether he had any message he wanted to deliver to Twitter, and he sent me the following (written in French; translated here):
First of all, I want to offer my apologies to the staff of Twitter. I think this company has a great future ahead of it.
I did not do this for profit. Security is a field that has fascinated me for many years and I would like to make it my job. In my daily life I sometimes help people protect themselves against the dangers of the internet. I teach them the basic rules. For example: pay attention to where you click, to the files you download and to what you type on the keyboard. Make sure the computer is equipped with effective protection against viruses, outside attacks, spam and phishing. Keep the operating system and frequently used software up to date. Think about using passwords with no similarity between them. Remember to change them regularly. Never store confidential information on the computer.
I hope my repeated interventions will have shown how easy it can be for a malicious person to access sensitive information without much knowledge.
Hacker Croll.
So what is the takeaway from all this? The cloud is convenient and inexpensive, and it can help a company grow faster. But its security infrastructure is still nascent. And while any single service may be pretty secure, the important point is that the ecosystem most certainly is not. Combine the fact that personal information about individuals is so easily found on the web with the reality that most people have merged their work and personal identities, and you have the seed of a problem. One Gmail account goes down, and soon the security of an entire startup crumbles. So for a start, reset your passwords, and do not use the same password for different services. Do not use password recovery questions that can be answered with a simple web search (an easy fix is to give a false answer to these questions). And in general, be paranoid about data security. You may be glad you were.
Original article: http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/