The internet is all atwitter about the breach at Twitter. A hacker broke into the account of Jason Goldman, currently Twitter’s director of product management and others (including Twitter co-founder Evan Williams). Information obtained from these accounts was then used to break into Google Apps and possibly sensitive documents downloaded. The hacker is planning to make public all the documents that were obtained. How did this happen?
The hacker targeted Twitter employees and guessed their passwords to log in to their accounts. Now, you would wonder how could this hacker have guessed so many employees’ passwords? Well, there are many ways to do it. The easiest way is to find some background information about the target and try out things like birthdays or anniversaries. A lot of people use very simple passwords.
If you want to automate it a bit, you can write a script that will generate all combinations of a set of characters. If you know what the character set is and what the minimum and maximum lengths are, this is easy. This is called a brute force attack. Another variation of this is to use a dictionary of commonly used words and try all the words in the list. This is called a dictionary attack. If the application was designed properly, it would have safeguards to prevent against these attacks. The easiest defense is to disallow more than a few invalid login attempts in a short span of time.
In this particular case, it looks like there were a few problems:
- Going by on quote that the hacker used a brute force attack, the application(s) did not block too many invalid login attempts.
- The fact that breaking into the twitter accounts revealed information that were used in other attacks such as on Google Docs and also against the personal accounts of Mr. Goldman’s wife, shows that people were storing information that they should not have in their twitter accounts. Or they were not stored securely.
- Whether it was a brute force attack or the passwords were just guessed, strong passwords would have gone a long way towards protecting against these attacks. The employees apparently had easy to guess passwords and had not turned on the strong password requirements in their accounts.
This also illustrates the dangers of trusting your data to a 3rd party. Apparently in this case, the hacker got hold of sensitive Twitter documents that were stored on Google Docs. There are some things you can do to protect yourself:
- Use strong passwords. These are ones that are at least 8 characters long, have at least one upper case character, one number and a special character such as the one you find over the number on a keyboard. These are very hard to guess or brute force.
- Change your passwords frequently. This can be a pain sometimes, but you can use password managers such as KeePass to manage your passwords.
- Always be aware of what information you store on public services such as gmail, yahoo mail, etc. If they make a mistake with your data, you will be hurt and they usually disclaim liability.
While these are not the only things you can do, they are a good starting point.