Security prognostications are too easy

It is never satisfying being the Nostradamus of security. No matter how many warnings you give through your writing, presentations, and conversations, you will always be in a position to say “I told you so,” because security is not enabled until after the fact.

Of course, if you want to continue to ignore your security people and the myriad pundits, you could always read the news and react after someone else gets hacked. If only the folks at TJX had been reading the paper, or my blog, and noticed that Lowe's had been attacked by a couple of kids here in Southfield, Michigan. They used a Pringles can antenna to break in via wifi, the exact method used against TJX stores two years later. TJX would be $200 million richer today if they had invested a tiny amount in reacting to the Lowe's incident.

I am truly glad that the 18 year old kid in California who hacked into Twitter using a dictionary attack this past Sunday did not credit my warning published November 12, 2008 (Twitter is Doomed).

I ran a few checks on Twitter. I set up an account, squatter1, and tried some password tests. Can I use “squatter1” as my password? Yup. Can I use “password” as my password? Yup. As I posted before (Twitter squatting?) you can use a fake email address to sign up for a Twitter account. There is no email verification. Once you are in your account you can change your password without entering your old password. This could be a problem if you Twitter from a public kiosk or if one of your co-workers happens to be on your computer and decides to mess with you.

The biggest issue with Twitter that they should address quickly is that there is no lockout for multiple tries. This makes password guessing easy for an attacker.

I went on to describe how a password cracking tool like Brutus could be used to run a dictionary attack against a Twitter account. My warning to users published the day before (Twitter Apps: fun or dangerous?) pointed out that once your password had been guessed you could face the additional risk of your other accounts being attacked.

This scenario played out this week as a hacker ran his own tool against the Twitter account of Crystal, who it turns out is a Twitter employee. The hacker then used her password “happiness” to break into the password reset utility that Twitter made available to its support team. The Wired story that broke this news yesterday fails to point out how this kid found that utility. Let me guess: it was at admin.twitter.com? Just like the recent discovery by Dan Goodin, San Francisco based reporter for the UK Register (Politics and web security), that the Obama team’s transition web site Change.gov exposed its administrative interface at www.change.gov/admin, which is still there. (Hello??? Is anyone listening???)

So, hacker cracks password, gets admin access, posts passwords to a forum, and Twitter is in the news for an embarrassing series of posts to CNN, FOX News, Obama, and Britney Spears Twitter accounts.

Twitter is scrambling to fix the issue. Great. Kudos in advance for locking out accounts after six or more failed password attempts.
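The controls this post finds missing (a password may equal the username or be a dictionary word, the password can be changed without the old one, and there is no lockout after repeated failures) are straightforward to build in. The following is an added example written for this page, not code from Twitter or from the original post: a minimal in-memory account store that rejects the trivially guessable passwords tried above, requires the current password before a change, and locks an account after six failed sign-ins, the threshold the post mentions. The denylist, the 15-minute lockout window, the minimum length and all names are assumptions chosen for the illustration.

```python
"""Added example (not part of the original post): password policy,
current-password check on change, and failed-attempt lockout."""
import hashlib
import hmac
import os
import time

# Constructed denylist for the illustration; a real deployment would
# check a large breached-password corpus instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

MAX_FAILED_ATTEMPTS = 6      # the "six or more" threshold the post mentions
LOCKOUT_SECONDS = 15 * 60    # assumed lockout window
MIN_LENGTH = 8               # assumed minimum length


def validate_password(username, password):
    """Return the list of policy violations; an empty list means OK.

    The checks are exactly the ones the post's squatter1 test found
    missing: a password equal to the account name and a dictionary word
    such as "password" are both rejected.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password.lower() == username.lower():
        problems.append("same as username")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    return problems


def _derive(password, salt):
    # Slow, salted derivation; the password itself is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """In-memory account store with per-account lockout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so tests can move time
        self._accounts = {}          # username -> record dict
        self._dummy_salt = os.urandom(16)

    def register(self, username, password):
        problems = validate_password(username, password)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        salt = os.urandom(16)
        self._accounts[username] = {
            "salt": salt,
            "hash": _derive(password, salt),
            "failed": 0,
            "locked_until": 0.0,
        }

    def login(self, username, password):
        """Return "ok", "denied" or "locked"."""
        now = self._clock()
        record = self._accounts.get(username)
        if record is None:
            # Unknown user: do the same work so response time does not
            # reveal whether the account exists.
            _derive(password, self._dummy_salt)
            return "denied"
        if now < record["locked_until"]:
            # While locked the password is not evaluated at all, so a
            # locked account cannot be used as an oracle for guesses.
            return "locked"
        if hmac.compare_digest(_derive(password, record["salt"]), record["hash"]):
            record["failed"] = 0
            return "ok"
        record["failed"] += 1
        if record["failed"] >= MAX_FAILED_ATTEMPTS:
            record["locked_until"] = now + LOCKOUT_SECONDS
            record["failed"] = 0
            return "locked"
        return "denied"

    def change_password(self, username, old_password, new_password):
        """Require the current password, so someone at an unattended
        session (the kiosk or co-worker case in the post) cannot take
        the account over silently. Failed old-password attempts count
        toward the same lockout as sign-ins."""
        if self.login(username, old_password) != "ok":
            return False
        if validate_password(username, new_password):
            return False
        salt = os.urandom(16)
        record = self._accounts[username]
        record["salt"] = salt
        record["hash"] = _derive(new_password, salt)
        return True
```

The lockout check runs before the password is evaluated, and an unknown username costs the same hashing work as a known one; both choices keep the sign-in endpoint from leaking which accounts exist or whether a particular guess was close.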

A lesson learned for all social media and Web 2.0 sites, heck, all web applications: do this stuff early. Don’t wait for a hacker to drive the lesson home with a well executed attack.


Copyright © 2009 IDG Communications, Inc.
