Twitter Hack Details Revealed

Jack Spine writes "Twitter co-founder Biz Stone has confirmed both to ZDNet UK and Wired's Threat Level blog that a dictionary attack was used to hack Twitter. After the hacker distributed details on the Digital Gangster forum, celebrities such as Britney Spears and Barack Obama had their accounts defaced. Wired spoke to the alleged hacker, while ZDNet UK got in contact with someone who had been on the Digital Gangster forum at the time."
  • by alain94040 ( 785132 ) * on Thursday January 08, 2009 @12:10PM (#26373731) Homepage

    Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.

    Twitter is doubly at fault here. First, it's not that hard to detect rapid-fire password attacks. Even Unix (way before Linux) knew to kick you out after 3 failed attempts. Second, they should enforce better passwords for their employees (not necessarily for regular users, that's another discussion).

    He decided not to use other hacked accounts personally. Instead he posted a message to Digital Gangster offering access to any Twitter account by request.

    That's where the 18-year old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm.

    When I hacked my university's computer network (Vax machines on Bitnet back in 1990), I did it with the knowledge of the sysadmin staff. And once you have made your point, you stand back.

    --
    FairSoftware.net [fairsoftware.net] -- geeks starting fair and open software businesses together

    • by Anonymous Coward on Thursday January 08, 2009 @12:20PM (#26373871)

      That's where the 18-year old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm.

      Maybe so, but really nice hackers patch the exploit with fairy dust and unicorn farts.

      • by dwarg ( 1352059 ) on Thursday January 08, 2009 @04:53PM (#26377849)

        Yeah, Hacker Ethics, that's it.

        That reminds me of the time I thought I heard a noise at night and I walked into my kids' room and there was this guy standing there looking at my 8 month old daughter sleeping. Scared the shit out of me. I was about to either kick his ass, or shit myself when he told me to calm down. He was an Ethical Burglar(TM).

        He had used some pretty basic lock picking methods to break in and just wanted me to know my family was at risk and that we should cage ourselves in our own home so that the marauding Visigoths couldn't break in and kill us all.

        I thanked him for his generous service and he said it was no problem. On his way out he looked at my house one more time and mentioned that he might come back another time and set the place on fire, so we should probably get a coating of asbestos or something to be ready for that.

        I only wish we had more of these ethical hackers and burglars to keep us safe.

    • by Jonah Bomber ( 535788 ) on Thursday January 08, 2009 @12:20PM (#26373873)
      Aw, what's the use of going through all that trouble if you can't have Bill O'Reilly announce he's gay?
      • by Sleepy ( 4551 )

        Aw, what's the use of going through all that trouble if you can't have Bill O'Reilly announce he's gay? ... and is even such an admission NECESSARY, I would ask?

    • by TheCycoONE ( 913189 ) on Thursday January 08, 2009 @12:25PM (#26373951)

      That's where the 18-year old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm.

      Perhaps, but it's likely because this kid did a little harm that he's captured the attention of so many people. It adds a healthy dose of sensationalism to the story which convinces people to treat security seriously better than some hypothetical 'it could have been really bad if..' would.

      • by bughunter ( 10093 ) <bughunterNO@SPAMearthlink.net> on Thursday January 08, 2009 @12:46PM (#26374253) Journal

        Um... what kind of harm can you cause by hacking Twitter? It's the internet equivalent of writing on a bathroom wall.

        (Yes, I'm aware of the recursive metaphor I'm creating here.)

        • Comment removed (Score:5, Insightful)

          by account_deleted ( 4530225 ) on Thursday January 08, 2009 @01:01PM (#26374429)
          Comment removed based on user account deletion
          • by SighKoPath ( 956085 ) on Thursday January 08, 2009 @01:27PM (#26374791)
            FTA:

            GMZ doesn't know what the reset passwords were, because Twitter resets them randomly with a 12-character string of numbers and letters.

            No passwords were compromised except for the admin account he used the dictionary attack on. So really, the GP's analysis of harm done is pretty accurate.

          • I do, and it's perfectly fine!

            I mean who'd guess a password like "1FeelDumbEnteringThisPassword" anyway? I'm perfectly safe!

          • by mcgrew ( 92797 ) *

            Using the same password for slashdot as your bank account would be stupid, yes, since nobody wants Cowboy Niel in his bank account, but I do reuse certain passwords.

            My various email accounts have the same passwords as each other. My password for the dozens of newspapers I log on to is 111111, easy to remember, and what possible reason would I have for keeping it secret? That password is not for my benefit, it's for the newspaper's benefit, and is only an annoyance to me.

            My slashdot password is unique, as is

            • Re: (Score:2, Informative)

              by Anonymous Coward

              Many credit card companies offer a one-time-use credit card number you can use for online purchases. I find it invaluable for online shopping.

              • Re: (Score:3, Informative)

                Paypal has secure cards too now for free, just install the paypal plugin. I use single use mastercard numbers for all my online purchasing. Especially nice for porn sites, so you don't have to worry about random charges.
                • Re: (Score:3, Insightful)

                  by Chrono11901 ( 901948 )

                  wait wait wait... you're on slashdot... news for nerds... and you pay for porn?!

                  Please hand over your geek card on the way out.

          • Re: (Score:3, Interesting)

            by mcgrew ( 92797 ) *

            You don't (probably) use the same key for your house and your car and your safety deposit box

            No, but I wish I could. They're all on the same key ring, after all. If I lost my keys and whoever found them knew whose keys they were, I'd have to change all the locks anyway.

            Another "bad security practice" I do is to keep my passwords written down. That's a no-no in the security field, but it's a stupid no-no. I keep them in my wallet, along with my security code for the building I work in, my money, debit card,

            • by Lumpy ( 12016 )

              I do have the same key on all my doors at the house and the mailbox, back gate, garage, shed. That same key also works for my mother's home so I only need 1 key to cover two homes and all areas in those homes. I also had my bike locks all changed to use the same key, and my motorcycle was re-keyed so one key unlocks everything.

              Having a different key does nothing. A determined thief will get past everything.

              Locks are there to keep crackheads and punk kids out of your stuff.

              • Re: (Score:3, Insightful)

                by JWSmythe ( 446288 )

                Locks are for honest people.

                If I wanted your motorcycle, I'd bring a couple friends, and throw it in the back of a pickup truck, to be rekeyed later.

                If I wanted into your house, I'd kick in the door, or go through a window.

                If I wanted into your shed, I'd put a pry bar through the padlock and twist.

                It's a good thing I don't want these things. :)

                Really, I've helped people get around things they've locked accidentally.

          • Re: (Score:2, Informative)

            by everett ( 154868 )

            Please RTFA before you post. Thank you. The accounts in question had their password reset to a random 12 character string that was then used to post fake tweets. Your comment is irrelevant.

          • Re: (Score:2, Insightful)

            by MegaFur ( 79453 )

            Yes, in general, if you compromise one password, you might be compromising them all. In this specific case however, the "hacker" in question never got the passwords himself. He got the password-reset tool to help out a user who has forgotten their password. So that's one happy out of the whole thing--there was a good security practice there that actual passwords are a little harder to get at than that.

        • I'm sure news agencies and bloggers watch twitter accounts of famous people. Putting in messages (that aren't obviously defacements or spam) could cause incorrect information to spread to "reputable" sources. We've seen bloggers post incorrect information that gets spread around until newspapers pick it up. The same could happen here.

          • Re: (Score:3, Interesting)

            by sexconker ( 1179573 )

            Anyone trusting blogs, twitter, etc. for news is a moron. Any newspaper, news network, etc. doing the same is run by morons, and should go back to journalism school.

            • I don't disagree at all. But the fact remains that most people blindly trust mainstream media, and there are some mainstream organizations that report what's found on blogs with no corroborating evidence.

              • So what? Let the retards wallow. If you rely on them believing your iCEO is healthy to keep your stock prices up, then you better educate them, or be more open with them. (Then again, iCEO has that awesome backdate stock options feature, so who really cares?)

              • [Citation needed]
                • Are you joking? Turn on any 24 hour news channel and eventually you'll see it. CNN even lets anyone post their own news to their site. Average visitors don't consider if it's validated by CNN. Remember incorrect reports of Steve Jobs' health causing the stock price to drop?

                  • How will I see that "most people blindly trust mainstream media" by watching a 24 hour news channel? Maybe you thought I was asking for source of your other claim? (I wasn't.)
          • We've seen bloggers post incorrect information that gets spread around until newspapers pick it up.

            Indeed. Steve Jobs just personally announced on Twitter that he has died.

    • by silentquasar ( 1144257 ) on Thursday January 08, 2009 @12:28PM (#26373981)

      That's where the 18-year old kid is at fault. He showed a lack of hacker ethics. Good hackers may discover an exploit, but they don't do harm.

      When I hacked my university's computer network (Vax machines on Bitnet back in 1990), I did it with the knowledge of the sysadmin staff. And once you have made your point, you stand back.

      Indeed. At my college a while back, some seniors found a way to hack into the school's network. They posted every user's password on a local network site. Only a handful of weeks away from graduation, they were expelled. Sure, they meant no harm, just to expose the weaknesses in the system, but they broke the rules and seriously compromised the system by posting the passwords, so they had to pay the price. Yikes!

      • Re: (Score:3, Insightful)

        by severoon ( 536737 )

        I think if you run a system that a good number of people depend upon, and a breach in security could cause important problems, then you have a serious obligation to institute a good security policy. If you don't, it's negligence and should be treated as such.

        Are unethical hackers responsible for their actions? Sure, just as responsible as a business that takes on the trust of its users willingly.

    • by drx ( 123393 )

      If pushing out some ironic/satirical messages is already harm, then I don't know ...

    • by girlintraining ( 1395911 ) on Thursday January 08, 2009 @12:52PM (#26374327)

      As much as I don't want to say it, ethics don't mean crap these days. If you hack into a system and leave a note saying "Hey, hacked your box, here's how I did it, here's how to fix it, Thanks. Signed, Good Samaritan"... It only means they will send an army of lawyers and g-men after you because you embarrassed them, and because while techies like us might understand what the hacker wanted to accomplish, management will not. Frankly, given that there is no protection for people who adhere to the hacker ethos as opposed to those who don't, there is no incentive to be nice. If you get the chance, gut the bastards and don't leave anything behind except a zero'd drive and a message on the screen saying "Next time, don't use a 'password' as the root login." Is it damaging? Yes. But if you don't crap the server, all you're doing is beating the hornet's nest with a stick.

      It's sad that nobody has thought to pass a law to protect digital good samaritans -- that is, people who discover and report (in good faith) security issues either to the people running the servers directly, or the vendor(s) of the software/hardware that is vulnerable -- provided they do nothing else but confirm the exploit is present and notify the appropriate parties. And, of course, do not retain copies of any sensitive information once the report is made.

      Is it any different than finding an unlocked car in the parking lot and opening the door, pushing the door lock, closing the door, and continuing on your merry way? A pity the legal system does not see it this way... Which leaves only the recourse of scorched earth to make the point.

      • by RemoWilliams84 ( 1348761 ) on Thursday January 08, 2009 @01:02PM (#26374451)

        Is it any different than finding an unlocked car in the parking lot and opening the door, pushing the door lock, closing the door, and continuing on your merry way?

        I like to do this when I find a car sitting outside a gas station still running.

      • Comment removed (Score:5, Insightful)

        by account_deleted ( 4530225 ) on Thursday January 08, 2009 @01:08PM (#26374519)
        Comment removed based on user account deletion
        • It's sad that nobody has thought to pass a law to protect digital good samaritans -- that is, people who discover and report (in good faith) security issues either to the people running the servers directly, or the vendor(s) of the software/hardware that is vulnerable

          It will never happen, because "harm" is arguable, so they can accuse you of harm no matter what you do. You should always *always* report these things anonymously. Not doing so is... a learning experience.

          If they're (the vulnerable site) going to be that way about it, maybe the solution is to stop reporting anything to them at all. I mean really, if you intend to do something good, why go where you're not wanted? Let them wonder why they've seen a sudden spike of $ACTIVITY and let them find and fix the flaws on their own. Let them explain to their users that they couldn't perform damage control/threat mitigation early on because they have soiled any kind of trust relationship between companies and the wou

          • Re: (Score:3, Interesting)

            Comment removed based on user account deletion
            • I guess it depends on what you think is ethical.

              My ethics don't include taking undeserved abuse from someone for whom you are trying to do a significant favor when the favor is on a "take it or leave it" basis so no one is being coerced into anything. This is a situation where trying to do something good can easily get a person prosecuted. There are probably a lot of "white hats" who would help with these things, for free, if only their efforts were appreciated. Laws like this have a significant chillin

              • I like CC gun laws just fine, but... they don't really affect crime rates either way. That's more a function of economic opportunity and culture than anything else.

                On topic, while I see the good side of pointing out security holes, any time it goes to actively pentesting a site, the perpetrators need to be prosecuted; sure, they don't mean to break things, but a well intentioned idiot can cause a lot of damage, and what would it solve anyway? People who don't care about security won't change just because th

        • by smoker2 ( 750216 )
          Yeah, my favourite is sticking a script in cron.daily that emails them saying "still here !".
      • by mcgrew ( 92797 ) *

        Is it any different than finding an unlocked car in the parking lot and opening the door, pushing the door lock, closing the door, and continuing on your merry way?

        If I come upon an unlocked car with the lights on, I won't even shit the guy's lights off for him. The harm he's possibly caused by my lack of being a good samaritan (a dead battery) is far less than the harm that could be caused by me if he or a policeman happened by as I was opening the door and mistook me for a thief.

        Help people when you can,

        • Re: (Score:2, Funny)

          I won't even shit the guy's lights off

          The guy's already drained his car battery. He doesn't need your vulgarities.

        • The harm he's possibly caused by my lack of being a good samaritan (a dead battery) is far less than the harm that could be caused by me if he or a policeman happened by as I was opening the door and mistook me for a thief.

          Somebody please start a non-profit legal defense fund to help fight these abuses. It'll better society when a prosecutor doesn't stand a good chance of getting news coverage for prosecuting somebody who pulls a person from a burning car.

      • Assumptions (Score:3, Insightful)

        Is it any different than finding an unlocked car in the parking lot and opening the door, pushing the door lock, closing the door, and continuing on your merry way?

        That's a great analogy. How do you know the owner hasn't left his keys under the seat? Security through obscurity is the best strategy for low-value assets.

      • Well, I could go hack, get the details I wanted, sell the credit card data or change the grades, etc. Then I leave a cute widdle note there saying "Hey be careful, looks like your passwords are compromised" and look like a hero? There's not an easy answer to this dilemma, as you stated yourself.
      • It's sad that nobody has thought to pass a law to protect digital good samaritans

        That's retarded. What would you do if you came home, caught someone picking your lock and they said "O hai! Was just gonna point out your security vulnerabilities!"?

        A. Kick their ass.
        B. Call the cops.
        C. Both.

        B, maybe C for me.

    • by sam0737 ( 648914 )

      Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.

      ...Even Unix (way before Linux) knew to kick you out after 3 failed attempts...

      Let me fix that for you...Even Windows does!

    • by NewbieV ( 568310 ) <victor DOT abrah ... AT gmail DOT com> on Thursday January 08, 2009 @12:45PM (#26374233)

      Blackberries are safer than Twitter accounts. If you enter the wrong password into a Blackberry a set number of times (usually 10), it erases its contents.

      • Re: (Score:3, Funny)

        by Joe Snipe ( 224958 )

        That sounds more dangerous; because now my buddy is going to have a blank phone when we go out drinking tonight.

      • Re: (Score:3, Informative)

        by mcgrew ( 92797 ) *

        That's not why they want him to give it up. Federal law says that all Presidential emails must be kept and can be used as evidence of wrongdoing. If he keeps his blackberry he's a fool.

        • Federal law says that all Presidential emails must be kept and can be used as evidence of wrongdoing.

          Or preserved for prosperity. It would be amazing to examine the thinking of FDR or Churchill, and many people use their letters to do so. Imagine if all their business correspondence was in one place.

          If he keeps his blackberry he's a fool.

          There has to be some way for a server to archive it all while allowing him access via a blackberry. Even if he has to lean on RIM for a custom server.

          • Re: (Score:3, Funny)

            There has to be some way for a server to archive it all while allowing him access via a blackberry. Even if he has to lean on RIM for a custom server.

            A corporate email service archiving mail? Whodathunkit?

        • Huh? Why couldn't Presidential emails sent via Blackberry be stored in the archive? After all, the emails still go through a mail server. The linked article mentions nothing about data retention laws - it says that they are worried somebody will steal/hack into it.
          • by bberens ( 965711 )
            The issue is probably more of an IT security nightmare than anything else. How much street cred could someone get for hacking the POTUS's e-mail account. Of course, that's a good way to get bagged and tagged too... but kids are dumb these days.
      • I'll have to remember that when out drinking and having a hard time with my password.
  • by Manip ( 656104 ) on Thursday January 08, 2009 @12:47PM (#26374271)

    This is one of my favourite security conundrums.

    How do you limit someone's login attempts to an account without allowing an account to be denial of serviced?

    Captcha - hurts young, old, and disabled users. It can also make it hard for normal users if poorly designed (as many are).

    IP Limit - Very easy to bypass with a proxy list.

    Hard Account Limits - Denial of service

    Thus is the problem. How do you limit logins without hurting legitimate users?

    • by larry bagina ( 561269 ) on Thursday January 08, 2009 @12:56PM (#26374371) Journal
      Slow down cowboy! It's been 1 minute since your last failed attempt to login.
    • by jeffmeden ( 135043 ) on Thursday January 08, 2009 @12:59PM (#26374411) Homepage Journal

      Easy, increase the amount of time between the password being supplied and the pass/fail response being sent. If the script has to wait for 5 seconds to see if the password is bad, it increases the dictionary run time by a LOT. The only way around this is to run multiple iterations of the script, each with a section of the list to run. This makes them much easier to spot by other filters.

      However, a legit user waiting 5 seconds for the login to complete probably won't generate a lot of complaints.

      • by Phrogman ( 80473 ) on Thursday January 08, 2009 @01:19PM (#26374663)

        Perhaps even add +x seconds after every attempt, so your first attempt goes through and fails, the next one has a delay of 5s, and thereafter it's incremented. Most users will get their password correct on the second try or perhaps the third; the script will die a slow death.

        • Perhaps even add +x seconds after every attempt, so your first attempt goes through and fails, the next one has a delay of 5s, and thereafter it's incremented. Most users will get their password correct on the second try or perhaps the third; the script will die a slow death.

          The problem with this is that it doesn't prevent the denial of service scenario that the institution of the delay was trying to prevent! If the script is running on the account, the legitimate user now has to wait an incredibly long time to log in.

          • by smoker2 ( 750216 )
            Why? Surely whatever we are talking about here allows multiple logins? I can have gmail open on 2 PCs at once, I can login over SSH more than once.
        • by ghjm ( 8918 )

          This utterly misses the denial of service side of the issue. If you and your BFF are of the age where Twitter is important to you, but then you stop being BFFs, each of you can remove the other's Twitter access by running a script that constantly tries and fails to log in.

          It also misses the point that the moving part in the attack is the username, not the password. If I only get three attempts before it locks me out or becomes too slow to bother with, I'll try password, Password1 and letmein on every userid

    • Encryption with a unique keyfob just for you. I'd want that for banks, but not necessarily for Twitter because who cares if I'm now "taking a huge crap in the toilet that's now overflowing."?

    • Re: (Score:3, Interesting)

      by paulhar ( 652995 )

      One way would be to get progressively slower at *processing* a login for a particular user based on the number of failed attempts. I.e. user enters a password, the timer ticks away, and then at the end it really does the test and checks if the password was right.

      You would typically double the time delay with a reasonable limit of say 1 minute so that each failed attempt sticks at 1 minute delay.

      You put up a banner after the delay reaches 10 secs or so saying "Your login will be slower as you have had X fail

    • Comment removed (Score:5, Informative)

      by account_deleted ( 4530225 ) on Thursday January 08, 2009 @01:02PM (#26374463)
      Comment removed based on user account deletion
    • by evanbd ( 210358 )
      A global limit with an exception that grants a per-ip limit to ips that have previously had a successful login (within the last $time_period) does better than those options.
    • by causality ( 777677 ) on Thursday January 08, 2009 @01:03PM (#26374473)

      This is one of my favourite security conundrums.

      How do you limit someone's login attempts to an account without allowing an account to be denial of serviced?

      Captcha - hurts young, old, and disabled users. It can also make it hard for normal users if poorly designed (as many are).

      IP Limit - Very easy to bypass with a proxy list.

      Hard Account Limits - Denial of service

      Thus is the problem. How do you limit logins without hurting legitimate users?

      One approach is to still allow the login but to insert artificial delays. Maybe your password cracker can guess several thousand passwords in one second; too bad, because the site will only allow you to try one every three seconds. Even a fairly weak password can be extremely difficult to guess this way, though it is no substitute for strong passwords that are never sent as cleartext.

    • Hard Account Limits - Denial of service

      Thus is the problem. How do you limit logins without hurting legitimate users?

      Give locked out users the option to send a one-time login link to their e-mail address of record.
      It isn't much different than sending out a password reset e-mail.

      But it's fairly stupid not to include a hard cap on the # of login attempts per [unit of time]

    • Security question after a few attempts. And let people make their own security question.

    • by Thaelon ( 250687 )

      One way to do it is to have the person with the locked account call or stop by the helpdesk to get their account password reset.

      In the case of twitter it would likely be calling only. Real users have no problem confronting a real human being to get access to their account. Hackers are less likely to. Also, it's a lot more difficult to brute force something involving a phone call to a person every 4 attempts.

      DOS, can still be used, but if the user can let you know there's a problem via a phone call you ca

      • by Kozz ( 7764 )
        Congratulations, you've DOSed the help desk.
      • That is basically what we do for internal user logins, since we have to have a helpdesk anyway; but there is just no way that some barely-ad-supported-trendy-new-media-web2.0-mashup-widget-api-hipster outfit is going to be able to afford a bunch of real people sitting at phones and waiting for users with free accounts to have trouble. Also, while it definitely stops high-speed scripted attacks, humans are, on average, pretty easy to social engineer. In an environment where I can walk down and talk to you in
    • You don't. Instead you throttle login speed and monitor X multiple fails. You can also break up the way the application responds to multiple failed attempts; you can redirect X failed logins to a help page or password reset page. You're only limited by your imagination; there is a lot you can do that won't really impact a human but will impact a script, and quite differently.
    • Easy, user keys. During account creation, generate a unique user key and send it to the client creating the account and make the login associate to the user key only. This way, the user can carry their key on a USB drive when they move around; the client will simply be directed to encrypt the authentication attempt using the user key.

      the following may increase security:
      1) associated user name does not affect key generation. (this way the attacker has to guess the user name linked to the key)
      2) key morphing sc

    • by GWLlosa ( 800011 )

      Easy. You throttle the logins. After the first failed login, you add a 1 sec delay. Every subsequent failed login, you double the delay. Reset delay after successful login. Good luck with your million-year dictionary attack.
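An added example (not Twitter's code, and not code posted by anyone in this thread): a login throttle that combines the doubling delay proposed by paulhar and GWLlosa with a per-source failure budget (ghjm's point that the moving part in a spray is the username, not the password) and a trusted-source exception in the spirit of evanbd's, so the backoff does not lock the real user out of their usual device. All names, parameters and addresses are constructed, and the clock is faked so the replay runs instantly.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
import hashlib
import hmac

@dataclass
class Decision:
    allowed: bool
    wait: float = 0.0      # seconds before the next attempt will be evaluated
    reason: str = "ok"

class LoginThrottle:
    """Refuses an attempt, before any password hashing, when a limit applies:
    per-account delay of base_delay * 2**(n-1) s after n failures (capped at max_delay);
    per-source budget of ip_budget failures per ip_window s whatever usernames are tried,
    so spraying a few passwords over many accounts is limited too; and a trust exception
    letting a source with a past success on an account skip that account's delay, so a
    stranger hammering the account cannot lock the real user out of their usual device.
    """

    def __init__(self, clock, base_delay=1.0, max_delay=60.0, ip_budget=5, ip_window=60.0):
        self.clock = clock                        # callable returning seconds
        self.base_delay, self.max_delay = base_delay, max_delay
        self.ip_budget, self.ip_window = ip_budget, ip_window
        self.fails = defaultdict(int)             # username -> consecutive failures
        self.last_fail = {}                       # username -> time of last failure
        self.ip_fails = defaultdict(deque)        # ip -> times of recent failures
        self.trusted = set()                      # (ip, username) with a past success

    def account_delay(self, username):
        n = self.fails[username]
        return 0.0 if n == 0 else min(self.max_delay, self.base_delay * 2 ** (n - 1))

    def check(self, username, ip):
        now = self.clock()
        recent = self.ip_fails[ip]
        while recent and now - recent[0] > self.ip_window:   # expire old failures
            recent.popleft()
        if len(recent) >= self.ip_budget:
            return Decision(False, self.ip_window - (now - recent[0]), "ip budget")
        if (ip, username) not in self.trusted and username in self.last_fail:
            remaining = self.account_delay(username) - (now - self.last_fail[username])
            if remaining > 0:
                return Decision(False, remaining, "account delay")
        return Decision(True)

    def record(self, username, ip, success):
        now = self.clock()
        if success:
            self.fails[username] = 0
            self.last_fail.pop(username, None)
            self.trusted.add((ip, username))
        else:
            self.fails[username] += 1
            self.last_fail[username] = now
            self.ip_fails[ip].append(now)

def pbkdf2(password, salt):
    # Low iteration count keeps the demo fast; use a far higher one in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

def login(throttle, users, username, password, ip):
    """users maps username -> (salt, pbkdf2 hash). Throttle first, then verify."""
    decision = throttle.check(username, ip)
    if not decision.allowed:
        return decision
    # Hash even for unknown usernames and compare in constant time, so timing does not
    # reveal which usernames exist or where a guess diverged from the stored hash.
    salt, stored = users.get(username, (bytes(16), bytes(32)))
    ok = username in users and hmac.compare_digest(pbkdf2(password, salt), stored)
    throttle.record(username, ip, ok)
    return Decision(ok, reason="ok" if ok else "bad credentials")

def demo():
    """Replays the thread's scenario; addresses are constructed from RFC 5737 ranges."""
    clock = [0.0]                                 # fake clock, advanced by hand
    throttle = LoginThrottle(lambda: clock[0], ip_budget=3)
    salt = b"constructed-salt"                    # constructed demo account below
    users = {"admin": (salt, pbkdf2("correct horse", salt))}
    home, attacker, cafe = "198.51.100.7", "203.0.113.9", "192.0.2.44"
    r = {}
    r["home_first"] = login(throttle, users, "admin", "correct horse", home).allowed  # True
    login(throttle, users, "admin", "password", attacker)                              # fail 1
    r["guess2_wait"] = login(throttle, users, "admin", "Password1", attacker).wait     # 1.0
    clock[0] += 1.0
    login(throttle, users, "admin", "Password1", attacker)                             # fail 2
    r["guess3_wait"] = login(throttle, users, "admin", "letmein", attacker).wait       # 2.0
    clock[0] += 2.0
    login(throttle, users, "admin", "letmein", attacker)                               # fail 3
    # Budget of 3 failures per minute is spent: spraying another account is refused too.
    spray = login(throttle, users, "alice", "password", attacker)
    r["spray"] = (spray.reason, spray.wait)                                            # ("ip budget", 57.0)
    # admin is in a 4 s backoff: a never-seen device feels it (the DoS cost raised in
    # the thread), while the user's usual, trusted address gets straight in.
    r["cafe_wait"] = login(throttle, users, "admin", "correct horse", cafe).wait       # 4.0
    r["home_again"] = login(throttle, users, "admin", "correct horse", home).allowed   # True
    return r
```

The per-account delay still costs an untrusted legitimate device a wait while an attacker is active, which is exactly the denial-of-service trade-off the replies argue about; the trust exception and the one-time e-mail link suggested further down are the two ways out of it.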

  • Because of the message from the hacked britney spears account, I found out about a cool indie horror flick - Teeth [imdb.com] - found it online and enjoyed it for the quirky little story that it was.

  • by IronChef ( 164482 ) on Thursday January 08, 2009 @01:39PM (#26374935)

    Somehow it is disturbing that the President-Elect is lumped in with Britney as a celebrity.

    What is the level of discourse on Mr. Obama's twitter thing, anyway? I could look, I suppose, but it is more fun to imagine.

    ---

    im in ur white house

    secret service bitches following me everywhere. about 3 minutes ago from web

    these pancakes are righteous! about 2 hours ago from airforce1r

    are ufoz real? I am going to find out! about 4 hours ago from web

    I think Hillary just cut the cheese LOLz about 8 hours ago from twitterrific
