27 Comments
- IvanB, on 07/19/2009, -0/+28That's what GMail's
'Last account activity: 1 minute ago at this IP (x). Details'
is good for.
- petomni, on 07/19/2009, -0/+14As soon as so-called 'security questions' came out I hated them. I no longer type in just answers to the questions but rather a secondary complex password I came up with that contains expletives to express my opinion on them. I can't wait for the opportunity to answer what the name of my first pet was (oh wait, I don't forget my passwords in the first place).
oh crap I just posted a security vulnerability for my accounts on digg
- xpose, on 07/20/2009, -0/+11Guessing his secondary "forgot password" email addy, then finding out it's expired was nicely done.
- doshindude, on 07/20/2009, -7/+18Buried as a Twitter story.
- ophello, on 07/20/2009, -3/+13***** Twitter.
- MikeSobe, on 07/19/2009, -0/+9I just searched my Gmail for a substring that is common in most of my passwords and I found an email with it. Stupid forum confirmation. Pretty good article btw.
- dtkirby, on 07/19/2009, -0/+8Sobering. I'm guilty of many of the poor habits described.
- inactive, on 07/20/2009, -0/+6are their diamond chains and leather straps strong enough to choke you with?
- FUR10N, on 07/20/2009, -0/+5and since that is rarely clicked on, google needs to add a function that notifies you when your account has been accessed from an IP not on a specified list.
- pw378, on 07/20/2009, -1/+5So in the end we find out that once again, it's Microsoft's fault (hotmail).
- undervalued, on 07/20/2009, -0/+2Yes, have used this once to kill access. True, was my fault for not signing out properly but the bastard shouldn't have kept my account open like that.
- FutureGuy, on 07/20/2009, -0/+2Why because you would rather not know that someone could hack into your Gmail account?
- trevorjez, on 07/20/2009, -0/+2The cloud is so safe...
- shinkou, on 07/20/2009, -1/+3Call me an old fart if you like, but what all these translated to me is, "cloud computing can NEVER replace desktop computing." What RMS said is right.
- zakatov, on 07/20/2009, -0/+1DMZ = demilitarized zone (i.e. no security). I think you meant something else.
- HonoredMule, on 07/20/2009, -0/+1Nothing is worse than the website that forces you to choose one of a half-dozen predefined security questions. Invariably they are all at least one of the following:
A) Impossible to use properly because you have no correct answer you can assign.
B) Terribly insecure because they are matters of public knowledge, offline if not online as well (like mother's maiden name, first pet's name, where I went to high school, etc.)
C) Useless to myself anyway, because I won't be able to remember the answer. (WTF, [important service], childhood hero? There's no ***** way I chose that as my question because I didn't HAVE one, and the "nobody" type answers didn't work either!)
And C of course brings me to the worst of the worst...when one of those ***** questions is picked for you, and you have to just deal with it.
I like your idea, as it allows me to standardize on something that might actually be obscure. I already have a great set of question-answer pairs that's both long and convoluted, and definitely known by no one, but that requires me to be able to set the question. I've long considered using passwords with a standard base but seeded by something relevant to the account (like the service name) like a hash, and while websites generally screw that up*, something like that may work a bit more consistently for security hints.
*Invariably any attempt to use a standardized yet secure system fails because of the retarded restrictions that /reduce/ security while rejecting what you want to specify as a password (character limits/minimums, arbitrary rules for inclusion or placement of standard characters, etc.) Ultimately, the greatest potential feat of OpenID would be crippling developers' means of ***** up users' own (good) security standards.
- HonoredMule, on 07/20/2009, -0/+1(or at least in a list of specified ranges...a lot of people are still on dynamic IPs)
- pw378, on 07/20/2009, -0/+1no.
Cloud computing security can be better than desktop security. You heard me right, it can be better if done right. It's easier to protect data in one place that is intended to keep it secure, than in 1 billion where users are continually doing stupid things like downloading hacked apps, viruses, rootkits and video codecs.
If you had to protect 1,000,000 machines, would you rather have them all exposed to the Internet directly and have home users doing security individually, or would you install a firewall, IDS and IPS to protect them all and remove all users from the machines? Think about it. Same goes for a company, should each company try to do security individually with varying levels of competence, or gain economy of scale and have only the best engineers doing security?
- HonoredMule, on 07/20/2009, -0/+1The way he referenced DMZ suggests misuse, but I think what he meant was to refer to how corporate networks have a DMZ which is typically firewalled from the private network. Having a DMZ then implies that the corporate services employees will access are actually /outside/ the DMZ and safe(r) from hackers. The internet has no demilitarized zone because it is in its entirety "demilitarized."
Whether it's what he meant to say or not, working in the cloud essentially means you and your servers ARE the DMZ and thus have to arm/protect yourself, because the "military support" is no longer there (as zakatov stated).
- shinkou, on 07/22/2009, -0/+1"it can be better if done right"
This is taken as granted, but the problem is that cloud computing can never be done right, at least not in the foreseeable future, because of its nature.
Besides, you were talking about 1 million machines. Who possesses that many machines in the world? Google? I only have a few machines to take care of, my company has hundreds, if not a few dozens. For companies who didn't have the skills to protect themselves from wild wild web, their most economic option would be to outsource the security job to the experts. Nonetheless, it doesn't necessarily mean they have to (or 'd better to) hand over their data to those cloud computing services, but of course, there are people who blindly believe in all kinds of buzz.
Cloud computing surely has its place, but forgoing what we can do without its presence believing it can replace desktop computing is an oxymoron.
- byakkun, on 07/20/2009, -1/+1Also buried this. Not because I hate a company, but rather because this kind of story makes heroes out of hackers, and gives some kids reasons and basic knowledge to start hacking. This article won't change users' habits (it can't reach to 98% of the average stupid internet users) but it is a hell of a "how to hack your mom's mail". Also I have to wonder why a journalist would do this to a company? I hope they don't say that they want to change the security model companies use because that is just hilarious not to say hypocritical.
- FutureGuy, on 07/20/2009, -1/+1Yes, good for the 0.2% of web users who know that IP does not only mean "Intellectual Property".
This was an accident waiting to happen; cloud stuff is great for personal use but far too immature to conduct business. One has to have many layers of security; there is no DMZ in the cloud.
- doom777, on 07/20/2009, -2/+2SSH Key authentication FTW.
-No need to remember passwords.
-Secure as a brick
-Optional encryption makes easy switch to secure protocols
-If one account gets compromised, others don't at all.
- HonoredMule, on 07/20/2009, -1/+1Apparently byakkun would like to bury his head in the sand, and thinks telling everyone else to do the same is good security practice.
"Security by obscurity," we call that. And if we could execute every brain-dead fool who thinks there is any merit or value to that whatsoever (even as a layer over /real/ security), the world would be a better place. Crimes of opportunity are incredibly rare, while crimes of (user/victim) ignorance take the lion's share in IT.
- resry, on 07/20/2009, -4/+3Buried as a TechCrunch story.
- catvllvs, on 07/20/2009, -2/+0Cool!
I just bought your mother on http://www.isellmywhoremother.com
- pixelgeek, on 07/20/2009, -6/+2So the same scumbags that made profits from posting these hacked documents are now trying to get more traffic by explaining how they were stolen
Just when you think there was a bottom to the barrel that Techcrunch would go to


