Twitter Hack Details Revealed

Posted by CmdrTaco on Thu Jan 08, 2009 12:10 PM
from the my-password-is-p4ssw0rd dept.
Jack Spine writes "Twitter co-founder Biz Stone has confirmed both to ZDNet UK and Wired's Threat Level blog that a dictionary attack was used to hack Twitter. After the hacker distributed details on the Digital Gangster forum, celebrities such as Britney Spears and Barack Obama had their accounts defaced. Wired spoke to the alleged hacker, while ZDNet UK got in contact with someone who had been on the Digital Gangster forum at the time."
  • by alain94040 (785132) * on Thursday January 08 2009, @12:10PM (#26373731) Homepage

    Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.

    Twitter is doubly at fault here. First, it's not that hard to detect rapid-fire password attacks. Even Unix (way before Linux) knew to kick you out after 3 failed attempts. Second, they should enforce better passwords for their employees (not necessarily for regular users, that's another discussion).

    He decided not to use other hacked accounts personally. Instead he posted a message to Digital Gangster offering access to any Twitter account by request.

    That's where the 18-year-old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm.

    When I hacked my university's computer network (Vax machines on Bitnet back in 1990), I did it with the knowledge of the sysadmin staff. And once you have made your point, you stand back.

    --
    FairSoftware.net [fairsoftware.net] -- geeks starting fair and open software businesses together

    • by Anonymous Coward on Thursday January 08 2009, @12:20PM (#26373871)

      That's where the 18-year-old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm.

      Maybe so, but really nice hackers patch the exploit with fairy dust and unicorn farts.

      • by dwarg (1352059) on Thursday January 08 2009, @04:53PM (#26377849)

        Yeah, Hacker Ethics, that's it.

        That reminds me of the time I thought I heard a noise at night and I walked into my kids room and there was this guy standing there looking at my 8 month old daughter sleeping. Scared the shit out of me. I was about to either kick his ass, or shit myself when he told me to calm down. He was an Ethical Burglar(TM).

        He had used some pretty basic lock picking methods to break in and just wanted me to know my family was at risk and that we should cage ourselves in our own home so that the marauding Visigoths couldn't break in and kill us all.

        I thanked him for his generous service and he said it was no problem. On his way out he looked at my house one more time and mentioned that he might come back another time and set the place on fire, so we should probably get a coating of asbestos or something to be ready for that.

        I only wish we had more of these ethical hackers and burglars to keep us safe.

          • First of all, it was the (grand)parent comment that coined the term "Hacker Ethics."

            Secondly, the problem with your argument is in actual usage. People that engage in cracking call themselves hackers because calling yourself a cracker implies you married your sister and spend most of your time playing banjo on the porch.

          • by dwarg (1352059) on Thursday January 08 2009, @11:21PM (#26382195)

            That was terribly funny, but also terribly stupid.

            I must say you're awfully good looking, but you smell horrible.

            The analogy simply doesn't hold. You know quite well how secure your home is.

            I can see you've put a lot of thought into this... I'll type slowly for you.

            People who like to defend the romantic image of the hacker usually make two mistakes.

            One; they assume the crux of the argument is security when it's actually law.

            Two; they assume intent should be accounted for after the fact.

            The legality of the activity is determined by the possible intent of the actor. When an unauthorized person attempts to bypass a security measure the law is forced to assume they are doing so with malicious intent because they are subverting the means put in place to prevent just that action.

            Breaking into a house is identical to breaking into a computer system in that respect.

            If a crime could only be charged AFTER a person has circumvented security, so they could be sure of intent, what kind of outcomes would that invite before a charge could be filed?

            Seriously, read that last sentence again and think about it.

            On the other hand, if there are security issues with IT infrastructure, you probably don't know about them.

            Considering this is Slashdot, I would certainly hope most of us would have a better idea of the security of our computer systems/networks than the security of our parent's basement.

            It's not very useful for you if somebody tells you that your door locks suck; having crappy locks may even be a conscious decision on your part.

            Really? This is what you're going with? Tell me, why exactly would I want crappy locks on my doors? If you're referring to the fact that I don't choose to wrap the house in razor wire and dig a moat, then yes I have taken a laissez-faire approach to domestic security. The reason none of us need to go that far is because breaking into a house is unconditionally illegal and there are LEGAL mechanisms in place to protect me and provide recourse if that should happen. That is the primary deterrent that keeps people from walking around and "checking" their neighbor's locks to make sure they're secure.

            It is, however, very useful for you if somebody points out security issues with your computer systems. Having security holes in your system is never (well, rarely) a conscious decision.

            Yes it is useful, and there are means to do that which don't involve breaking into someone else's systems and compromising potentially sensitive information--even if only to one person. The difference is that between a hacker and a security consultant.

            If a bank's systems are hacked by anyone outside the organization, regardless of what they do with the information, they are required to inform their customers that their data has been compromised. People close accounts, money is lost and there are repercussions that go beyond the romantic image of the lone hacker who's sticking it to the man, but will never know the soft touch of a woman.

            If a "nice" hacker had alerted twitter to this issue, the current situation would never have occurred.

            Fine, let's assume we live in a world that values the noble efforts of hackers and someone hacked Twitter and alerted them to this problem before an evil cracker used this exploit for his nefarious designs. So we've created an atmosphere where everyone feels secure walking around "checking the locks" as I said earlier.

            Are you going to feel more secure knowing there are a lot of people trying to find ways into your system and that some of them aren't the good kind of hackers and you have no way of knowing what kind of hacker they are until AFTER they've gotten into your system?

            As an admin, if you see suspicious activity on your server logs do you want that activity stopped or should yo

    • by Jonah Bomber (535788) on Thursday January 08 2009, @12:20PM (#26373873)
      Aw, what's the use of going through all that trouble if you can't have Bill O'Reilly announce he's gay?
    • by TheCycoONE (913189) on Thursday January 08 2009, @12:25PM (#26373951)

      That's where the 18-year-old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm.

      Perhaps, but it's likely because this kid did a little harm that he's captured the attention of so many people. It adds a healthy dose of sensationalism to the story which convinces people to treat security seriously better than some hypothetical 'it could have been really bad if..' would.

      • by bughunter (10093) <bughunter AT earthlink DOT net> on Thursday January 08 2009, @12:46PM (#26374253) Journal

        Um... what kind of harm can you cause by hacking Twitter? It's the internet equivalent of writing on a bathroom wall.

        (Yes, I'm aware of the recursive metaphor I'm creating here.)

        • by Alaren (682568) on Thursday January 08 2009, @01:01PM (#26374429) Homepage

          Do you know anyone who uses the same password for everything?

          Do you think Britney Spears might be one of those people? What about the President-Elect?

          Bad security practices glom together and eventually snowball. In this particular case, the harm was likely de minimis but do you think the individuals whose accounts have been compromised thought to go change their password at their bank, or their email, or whatever?

          You don't (probably) use the same key for your house and your car and your safety deposit box, but on the internet that's what a lot, maybe most, people do. It's a bad security practice. And if you can discover someone's password on one site due to that site's bad security practices, the security of other, responsible sites is moot.

          I recognize that this is similar to the problem presented by writing your passwords on a post-it, but at least in that case physical access is necessary. And there are worse security threats out there. But in answer to your question specifically, "what kind of harm can you cause by hacking Twitter," I think the answer is "a lot more than you'd think."

          • by SighKoPath (956085) on Thursday January 08 2009, @01:27PM (#26374791)
            FTA:

            GMZ doesn't know what the reset passwords were, because Twitter resets them randomly with a 12-character string of numbers and letters.

            No passwords were compromised except for the admin account he used the dictionary attack on. So really, the GP's analysis of harm done is pretty accurate.

            • Different Questions (Score:5, Interesting)

              by Alaren (682568) on Thursday January 08 2009, @01:31PM (#26374843) Homepage

              So really, the GP's analysis of harm done is pretty accurate.

              Yes, in this particular case, as I noted. But the GP question wasn't "how much harm was caused," but how much harm can you cause. And the security hole of allowing rapid-fire password attacks does create the potential for significant harm in an environment where most users aren't security-savvy enough to know that you don't use the same password for every site, even though the weak security is "just" on a site like Twitter.

          • Re: (Score:3, Interesting)

            You don't (probably) use the same key for your house and your car and your safety deposit box

            No, but I wish I could. They're all on the same key ring, after all. If I lost my keys and whoever found them knew whose keys they were, I'd have to change all the locks anyway.

            Another "bad security practice" I do is to keep my passwords written down. That's a no-no in the security field, but it's a stupid no-no. I keep them in my wallet, along with my security code for the building I work in, my money, debit card,

              • Re: (Score:3, Insightful)

                Locks are for honest people.

                If I wanted your motorcycle, I'd bring a couple friends, and throw it in the back of a pickup truck, to be rekeyed later.

                If I wanted into your house, I'd kick in the door, or go through a window.

                If I wanted into your shed, I'd put a pry bar through the padlock and twist.

                It's a good thing I don't want these things. :)

                Really, I've helped people get around things they've locked accidentally.

              • Paypal has secure cards too now for free, just install the paypal plugin. I use single use mastercard numbers for all my online purchasing. Especially nice for porn sites, so you don't have to worry about random charges.
                • Re: (Score:3, Insightful)

                  wait wait wait... you're on slashdot... news for nerds... and you pay for porn?!

                  Please hand over your geek card on the way out.

        • I'm sure news agencies and bloggers watch twitter accounts of famous people. Putting in messages (that aren't obviously defacements or spam) could cause incorrect information to spread to "reputable" sources. We've seen bloggers post incorrect information that gets spread around until newspapers pick it up. The same could happen here.

          • Re: (Score:3, Interesting)

            Anyone trusting blogs, twitter, etc. for news is a moron. Any newspaper, news network, etc. doing the same is run by morons, and should go back to journalism school.

    • by silentquasar (1144257) on Thursday January 08 2009, @12:28PM (#26373981)

      That's where the 18-year-old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm.

      When I hacked my university's computer network (Vax machines on Bitnet back in 1990), I did it with the knowledge of the sysadmin staff. And once you have made your point, you stand back.

      Indeed. At my college a while back, some seniors found a way to hack into the school's network. They posted every user's password on a local network site. Only a handful of weeks away from graduation, they were expelled. Sure, they meant no harm, just to expose the weaknesses in the system, but they broke the rules and seriously compromised the system by posting the passwords, so they had to pay the price. Yikes!

      • Re: (Score:3, Insightful)

        I think if you run a system that a good number of people depend upon, and a breach in security could cause important problems, then you have a serious obligation to institute a good security policy. If you don't, it's negligence and should be treated as such.

        Are unethical hackers responsible for their actions? Sure, just as responsible as a business that takes on the trust of its users willingly.

    • If pushing out some ironic/satirical messages is already harm, then i don't know ...

    • by girlintraining (1395911) on Thursday January 08 2009, @12:52PM (#26374327)

      As much as I don't want to say it, ethics don't mean crap these days. If you hack into a system and leave a note saying "Hey, hacked your box, here's how I did it, here's how to fix it, Thanks. Signed, Good Samaritan"... It only means they will send an army of lawyers and g-men after you because you embarrassed them, and because while techies like us might understand what the hacker wanted to accomplish, management will not. Frankly, given that there is no protection for people who adhere to the hacker ethos as opposed to those who don't, there is no incentive to be nice. If you get the chance, gut the bastards and don't leave anything behind except a zero'd drive and a message on the screen saying "Next time, don't use a 'password' as the root login." Is it damaging? Yes. But if you don't crap the server, all you're doing is beating the hornet's nest with a stick.

      It's sad that nobody has thought to pass a law to protect digital good samaritans -- that is, people who discover and report (in good faith) security issues either to the people running the servers directly, or the vendor(s) of the software/hardware that is vulnerable -- provided they do nothing else but confirm the exploit is present and notify the appropriate parties. And, of course, do not retain copies of any sensitive information once the report is made.

      Is it any different than finding an unlocked car in the parking lot and opening the door, pushing the door lock, closing the door, and continuing on your merry way? A pity the legal system does not see it this way... Which leaves only the recourse of scorched earth to make the point.

      • by RemoWilliams84 (1348761) on Thursday January 08 2009, @01:02PM (#26374451)

        Is it any different than finding an unlocked car in the parking lot and opening the door, pushing the door lock, closing the door, and continuing on your merry way?

        I like to do this when I find a car sitting outside a gas station still running.

      • by liquidpele (663430) on Thursday January 08 2009, @01:08PM (#26374519) Homepage Journal

        It's sad that nobody has thought to pass a law to protect digital good samaritans -- that is, people who discover and report (in good faith) security issues either to the people running the servers directly, or the vendor(s) of the software/hardware that is vulnerable

        It will never happen, because "harm" is arguable, so they can accuse you of harm no matter what you do. You should always *always* report these things anonymously. Not doing so is... a learning experience.

        • It's sad that nobody has thought to pass a law to protect digital good samaritans -- that is, people who discover and report (in good faith) security issues either to the people running the servers directly, or the vendor(s) of the software/hardware that is vulnerable

          It will never happen, because "harm" is arguable, so they can accuse you of harm no matter what you do. You should always *always* report these things anonymously. Not doing so is... a learning experience.

          If they're (the vulnerable site) going to be that way about it, maybe the solution is to stop reporting anything to them at all. I mean really, if you intend to do something good, why go where you're not wanted? Let them wonder why they've seen a sudden spike of $ACTIVITY and let them find and fix the flaws on their own. Let them explain to their users that they couldn't perform damage control/threat mitigation early on because they have soiled any kind of trust relationship between companies and the wou

          • Re: (Score:3, Interesting)

            If they're (the vulnerable site) going to be that way about it, maybe the solution is to stop reporting anything to them at all. I mean really, if you intend to do something good, why go where you're not wanted

            I guess it depends on what you think is ethical. In my opinion you should always be ethical, but that doesn't mean you should be stupid. Report it to them anonymously with a date when you will make it a public thing (so they can't just ignore you). The hard part is making sure they actually got your message though.

            Personally, I like 1 month before going public for a website, and 3-6 months for a product they'll have to distribute the fix for.

      • Is it any different than finding an unlocked car in the parking lot and opening the door, pushing the door lock, closing the door, and continuing on your merry way?

        That's a great analogy. How do you know the owner hasn't left his keys under the seat? Security through obscurity is the best strategy for low-value assets.

    • by NewbieV (568310) <victorabrahamsen@gmail. c o m> on Thursday January 08 2009, @12:45PM (#26374233)

      Blackberries are safer than Twitter accounts. If you enter the wrong password into a Blackberry a set number of times (usually 10), it erases its contents.

      • That sounds more dangerous; because now my buddy is going to have a blank phone when we go out drinking tonight.

      • Re: (Score:3, Informative)

        That's not why they want him to give it up. Federal law says that all Presidential emails must be kept and can be used as evidence of wrongdoing. If he keeps his blackberry he's a fool.

          • There has to be some way for a server to archive it all while allowing him access via a blackberry. Even if he has to lean on RIM for a custom server.

            A corporate email service archiving mail? Whodathunkit?

  • by Manip (656104) on Thursday January 08 2009, @12:47PM (#26374271)

    This is one of my favourite security conundrums.

    How do you limit someone's login attempts to an account without allowing an account to be denial of serviced?

    Captcha - hurts young, old, and disabled users. It can also make it hard for normal users if poorly designed (as many are).

    IP Limit - Very easy to bypass with a proxy list.

    Hard Account Limits - Denial of service

    Thus is the problem. How do you limit logins without hurting legitimate users?

    • by larry bagina (561269) on Thursday January 08 2009, @12:56PM (#26374371) Journal
      Slow down cowboy! It's been 1 minute since your last failed attempt to login.
    • by jeffmeden (135043) on Thursday January 08 2009, @12:59PM (#26374411) Homepage Journal

      Easy, increase the amount of time between the password being supplied and the pass/fail response being sent. If the script has to wait for 5 seconds to see if the password is bad, it increases the dictionary run time by a LOT. The only way around this is to run multiple iterations of the script, each with a section of the list to run. This makes them much easier to spot by other filters.

      However, a legit user waiting 5 seconds for the login to complete probably won't generate a lot of complaints.

      • by Phrogman (80473) on Thursday January 08 2009, @01:19PM (#26374663) Homepage

        Perhaps even add +x seconds after every attempt, so your first attempt goes through and fails, the next one has a delay of 5s and thereafter it's incremented. Most users will get their password correct on the second try or perhaps the third; the script will die a slow death.

    • Encryption with a unique keyfob just for you. I'd want that for banks, but not necessarily for Twitter because who cares if I'm now "taking a huge crap in the toilet that's now overflowing."?

    • Re: (Score:3, Interesting)

      One way would be to get progressively slower at *processing* a login for a particular user based on the number of failed attempts. I.e. user enters a password, the timer ticks away, and then at the end it really does the test and checks if the password was right.

      You would typically double the time delay with a reasonable limit of say 1 minute so that each failed attempt sticks at 1 minute delay.

      You put up a banner after the delay reaches 10 secs or so saying "Your login will be slower as you have had X fail

    • by liquidpele (663430) on Thursday January 08 2009, @01:02PM (#26374463) Homepage Journal
      1) Allow a certain number of tries per IP address. Ban the IP, not the user. If they're behind a NAT, sorry. You may want to have the threshold to block kinda high to alleviate NAT networks.

      2) Block anonymous proxies. If you ever look at your logs, slashdot will sometimes request a file when you're not logged in and post (http://slashdot.org/ok.txt) from you to see if your IP is an anonymous proxy. If they get their own file from your IP, they block you.

      3) Ban times should not be hard coded, but should be a function. Ban for 5 minutes, then if they get banned again make it 30, then 2 hours, etc etc. This takes care of serious cases but makes the wait short if it's a false positive.

      4) Captchas and other things can be used in conjunction (like gmail adds a captcha with the login after 2 failed attempts).
    • A global limit with an exception that grants a per-ip limit to ips that have previously had a successful login (within the last $time_period) does better than those options.
    • by causality (777677) on Thursday January 08 2009, @01:03PM (#26374473)

      This is one of my favourite security conundrums.

      How do you limit someone's login attempts to an account without allowing an account to be denial of serviced?

      Captcha - hurts young, old, and disabled users. It can also make it hard for normal users if poorly designed (as many are).

      IP Limit - Very easy to bypass with a proxy list.

      Hard Account Limits - Denial of service

      Thus is the problem. How do you limit logins without hurting legitimate users?

      One approach is to still allow the login but to insert artificial delays. Maybe your password cracker can guess several thousand passwords in one second; too bad, because the site will only allow you to try one every three seconds. Even a fairly weak password can be extremely difficult to guess this way, though it is no substitute for strong passwords that are never sent as cleartext.

    • Hard Account Limits - Denial of service

      Thus is the problem. How do you limit logins without hurting legitimate users?

      Give locked out users the option to send a one-time login link to their e-mail address of record.
      It isn't much different than sending out a password reset e-mail.

      But it's fairly stupid not to include a hard cap on the # of login attempts per [unit of time]
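As an added example (not Twitter's code and not any poster's), here is a small Python login throttle that combines the two mechanisms proposed in this thread: a per-account wait that doubles on each failure and caps at one minute, and a per-IP ban whose length escalates on repeat offences. Instead of sleeping in the server, which ties up a worker per guess, it refuses any attempt made before the wait has elapsed, the way Slashdot's own "slow down cowboy" message does; the thresholds, the ban schedule and the fake clock are assumed values.

```python
"""Login throttle (constructed example): per-account doubling delay capped at
60 s plus per-IP bans that escalate 5 min -> 30 min -> 2 h -> 24 h."""
from dataclasses import dataclass
import time

BAN_SCHEDULE = (5 * 60, 30 * 60, 2 * 3600, 24 * 3600)  # seconds; assumed values
IP_FAIL_THRESHOLD = 20      # failures per IP before a ban; kept high for NATs
MAX_ACCOUNT_DELAY = 60.0    # cap so an attacker cannot lock a user out for long


@dataclass
class AccountState:
    failures: int = 0        # consecutive failures since the last success
    next_allowed: float = 0.0


@dataclass
class IpState:
    failures: int = 0        # failures since the last ban of this IP
    bans: int = 0            # how many times this IP has been banned
    banned_until: float = 0.0


class FakeClock:
    """Controllable clock so the demo runs instantly and offline."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def account_delay(failures):
    """0 failures -> 0 s, then 1, 2, 4, 8 ... seconds, capped at 60 s."""
    if failures <= 0:
        return 0.0
    return min(MAX_ACCOUNT_DELAY, 2.0 ** (failures - 1))


class LoginThrottle:
    def __init__(self, check_password, clock=time.monotonic):
        self._check = check_password   # callable(user, password) -> bool
        self._clock = clock
        self._accounts = {}            # user -> AccountState
        self._ips = {}                 # ip -> IpState

    def attempt(self, user, password, ip):
        """Returns "ok", "bad_password", "too_early" or "ip_banned"."""
        now = self._clock()
        acct = self._accounts.setdefault(user, AccountState())
        ipst = self._ips.setdefault(ip, IpState())
        if ipst.banned_until > now:
            return "ip_banned"
        if acct.next_allowed > now:
            # Refused without checking the password, so the guess is wasted
            return "too_early"
        if self._check(user, password):
            acct.failures = 0
            acct.next_allowed = 0.0
            return "ok"
        acct.failures += 1
        acct.next_allowed = now + account_delay(acct.failures)
        ipst.failures += 1
        if ipst.failures >= IP_FAIL_THRESHOLD:
            length = BAN_SCHEDULE[min(ipst.bans, len(BAN_SCHEDULE) - 1)]
            ipst.failures = 0
            ipst.bans += 1
            ipst.banned_until = now + length
            return "ip_banned"
        return "bad_password"


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    throttle = LoginThrottle(lambda u, p: p == "correct horse", clock)
    for guess in ("password", "p4ssw0rd", "happiness", "correct horse"):
        print(guess, "->", throttle.attempt("admin", guess, "203.0.113.7"))
        clock.advance(0.5)   # a scripted attacker retrying every half second
```

A legitimate user who mistypes twice waits at most a few seconds, while a script is held to roughly one guess per minute per account once the cap is reached, and its source address is banned for progressively longer after every 20 failures.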

  • Because of the message from the hacked britney spears account, I found out about a cool indie horror flick - Teeth [imdb.com] - found it online and enjoyed it for the quirky little story that it was.

  • by IronChef (164482) on Thursday January 08 2009, @01:39PM (#26374935) Homepage

    Somehow it is disturbing that the President-Elect is lumped in with Britney as a celebrity.

    What is the level of discourse on Mr. Obama's twitter thing, anyway? I could look, I suppose, but it is more fun to imagine.

    ---

    im in ur white house

    secret service bitches following me everywhere. about 3 minutes ago from web

    these pancakes are righteous! about 2 hours ago from airforce1r

    are ufoz real? I am going to find out! about 4 hours ago from web

    I think Hillary just cut the cheese LOLz about 8 hours ago from twitterrific

    • Why should we care about this? It's not like someone's SSN or Credit Card info was stolen. Stuff like this happens all the time.

      If you want to defame someone, it's a lot easier to just make some wild and unprovable claim on the right web sites and let the internet do its thing.

      • We should care about this because this directly shows end users that many /. readers such as myself support exactly why a weak password such as "happiness" is an inherently bad thing.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      It wasn't Obama's account that got attacked. They attacked the account of a Twitter administrator, and then got access to the web-based control panel to reset Obama's password. Pretty lame that a) the admin had such a bad password and b) you can access the control panel from the public internet with the same login as your twitter account.

    • Re:iam3prez (Score:4, Informative)

      by Mr. Sketch (111112) <mister,sketch&gmail,com> on Thursday January 08 2009, @01:05PM (#26374489)

      Looks like you didn't actually read the article. The account of a twitter admin was hacked with a dictionary attack. That account was then used to reset the passwords for various other accounts (Fox News, Obama, Britney Spears, etc) to gain access to those accounts. The original passwords for those additional accounts were not obtained. Only one account (the twitter admin) was hacked, the rest just had their passwords reset.