Twitter Attack Analyzed

July 24, 2009

Many of you may have seen news stories recently describing an attack on the popular micro-blogging service, Twitter.   When the story was first reported, it was originally thought that the extent of the break-in was the compromise of some Twitter employees’ accounts.  The attacker, who went by the pseudonym ‘Hacker Croll’, was apparently dissatisfied by the way the story was being reported, and sent copies of 300+ sensitive internal Twitter documents to the TechCrunch blog.

It [the documents] included things like financial projections and executive meeting notes that contained highly confidential information.

TechCrunch, having had some extended conversations with both Twitter and the attacker, has a post describing the attack in some detail.  It makes for interesting reading, in part because the attacker gained access, bot by discovering some previously unknown security flaw, but by exploiting a combination of well-known areas of weakness.  As the TechCrunch writer, Nik Cubrilovic, put it:

In the security industry there is a generally accepted philosophy that no system or network is completely secure – a competent attacker with enough time, patience and resources will eventually find a way into a target. Some of the more famous information security breaches have relied on nothing more than elementary issues exploited by an attacker with enough time and patience at hand to see their goal through.

In the case of the Twitter attack, it was not a vulnerability in a single application or system that led to the success of the attack; rather, it was the attacker working on the collective weak points of an “ecosystem” of applications that led to his success.

The first step in the attack was to use standard search engines and public sources to compile a collection of data on people associated with Twitter:

In the case of the Twitter attacks, this public information allowed him to create a rich catalog of data that included a list of employee names, their associated email addresses and their roles within the company. Information like birth dates, names of pets and other seemingly innocent pieces of data were also found and logged

Once this was done, the attacker was in a position to try to gain access to one or more individual’s accounts, from which he could work on further compromising security.  In this case, the initial target was a personal GMail account.  As with other Web services, GMail has an “I forgot my password” link, which, also typically, will E-mail you a link to reset your password.  Although there are some secret security questions involved, the answers were possible to guess based on the dossiers of personal information that the attacker had compiled.  (I’ve written before about the inherent weakness of these “secret” questions.)

Giving the user an option to guess the name of a pet in lieu of actually knowing a password is just dramatically shortening the odds for the attacker. The service is essentially telling the attacker: “we understand that guessing passwords is hard, so let us help you narrow it down from potentially millions of combinations to around a dozen, or even better, if you know how to Google, just one”.

Because the E-mail address is used as the identifier at so many Web sites, it creates an implicit “web of trust”, which allows an attacker to steadily expand his penetration of related systems.  The attacker’s job is also made easier by people’s unfortunate but understandable tendency to use the same password for multiple sites. And once a number of E-mail accounts have been compromised, the messages they contain will usually yield a wealth of other information.

I’ve just skimmed the surface of how the attack worked here; if you are interested in security, I think the whole TechCrunch article is worth reading.  There are a couple of key things I think one can take away from this incident.   The first is that Web (or “cloud”) services are still relatively new, and their security arrangements are often untried, or poorly understood by the people that use them.  (How many people really understand all of Facebook‘s priivacy controls ?)   The second is that your security can be compromised by low-tech snooping or user ineptitude at least as well as by the latest vulnerability of the day.  Finally, and perhaps most important, security is not a product; it is a process and a system, and the old adage about chains and weakest links still very much applies.

%d bloggers like this: