Heroes Banquet
The web's second wake-up call. For free. But will anyone listen?
Hacker Croll is a hero today. And if that's not universally recognised it should be soon. He pulled off the Hack of the Century (easy - it's a new century) and he did no damage whatsoever, his sole purpose being to scare the powers that be into adopting better security procedures before it's too late. And it's nearly too late already.
Hacker Croll is of course a made-up name. He says he's originally from France, in his early twenties, and currently unemployed.
Hacker Croll's the one who started 'Twittergate' - he's the one who broke into Twitter and hung out their underwear to dry.
But what's particularly interesting about this story - and there are naturally several things - is that the technological weakness per se was not at Twitter as many presume, nor was it at Google as others who think they know better presume, but actually at - are you ready?
Leave it to Microsoft to institute a policy whereby people signing up for new accounts can use account names that have previously been in use but gone dormant. Not even Yahoo do something that stupid - at least when last checked.
'The Anatomy of the Twitter Attack' by Nik Cubrilovic fairly spells out what happened and how easy it was to make the whole cloud - terrible metaphor here - crumble like a house of cards.
The list of services affected is some of the most popular web applications and services in use today - Gmail, Google Apps, GoDaddy, MobileMe, AT&T, Amazon, Hotmail, Paypal, and iTunes.
[Note the mention of iTunes - there's a gaping hole there too, almost as big as the one at Hotmail. Ed.]
Taken individually, most of these services have reasonable security precautions against intrusion. But there are huge weaknesses when they are looked at together as an ecosystem. Like dominoes, once one fell (Gmail was the first to go) the others all tumbled as well. The end result was chaos and raises important questions about how private corporate and personal information is managed and secured in a time when the trend is towards more data, applications, and entire user identities being hosted on the web and 'in the cloud'.
[Again: Gmail was the first to go but it was actually a colossal blooper only Microsoft would be capable of that started it, a blooper worthy of mention in The Technological, it's so colossally stupid. Ed.]
Hacker Croll followed the well-trodden path in 'Hacking Exposed': if you want to hack into a network then pick a new company or a company fresh out of a merger or acquisition. That's when the weaknesses show.
Then you do something called footprinting.
For Hacker Croll, his first port of call in setting out to gain access to a target network is to make use of public search engines and public information to build a profile of a company or individual. In the case of the Twitter attacks, this public information allowed him to create a rich catalog of data that included a list of employee names, their associated email addresses, and their roles within the company. Information like birth dates, names of pets, and other seemingly innocent pieces of data were also found and logged.
Hacker Croll next chose his 'weakest link'.
Hacker Croll knew he likely only needed a single entry point in any one of the business or personal accounts in his list in order to penetrate the network and then spread into other accounts and other parts of the business. This is because the web was designed at a time where there was implicit trust between its participants - requiring no central or formal identification mechanism.
But is it really that easy? Oh yeah!
Look at the front page of almost any web application and you'll see hints at just how hopeless and helpless we are in managing our digital lives: 'forgot my password', 'forgot my username', 'keep me logged in', 'do not keep me logged in', 'forgot my name', 'who am i'.
Twitter just happens to be one of a number of a new breed of companies where almost the entire business exists online. Each of these employees, as part of their work, shares data with other employees - be it through a feature of a particular application or simply through email. As these users become interwoven, it adds a whole new attack vector whereby the weak point in the chain is no longer just the weakest application - it is the weakest application used by the weakest user.
Unfortunately for Twitter, Hacker Croll found such a weak point.
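The two mechanisms the article leans on - a provider handing a dormant account name to a new registrant, and the domino effect through accounts whose password reset goes to another account's mailbox - can be modelled in a few lines. The following Python is an added illustration, not code from this article or from TechCrunch. The account names, the dormant flag and the per-provider recycling policy are constructed for the example; the only thing taken from the text is the idea that a released address at a recycling provider can end up receiving reset mail for everything chained behind it.

```python
"""Toy model of an account-recovery 'ecosystem' (constructed example).

Accounts are written "provider:name". RECOVERY maps an account to the mailbox
account that receives its password-reset mail. Controlling a mailbox therefore
means controlling every account that resets to it, which may be a mailbox too.
"""
from collections import deque

# Constructed recovery graph: account -> mailbox that receives its reset mail.
RECOVERY = {
    "gmail:alice":     "hotmail:alice_old",   # secondary address from years ago
    "twitter:alice":   "gmail:alice",
    "gapps:twitter":   "gmail:alice",
    "godaddy:twitter": "gapps:twitter",
    "gmail:bob":       "gmail:bob_backup",
    "twitter:bob":     "gmail:bob",
}

# Constructed facts: which mailboxes are dormant, and which providers hand a
# released name to a new registrant (the policy the article criticises).
DORMANT = {"hotmail:alice_old"}
RECYCLES_DORMANT_NAMES = {"hotmail": True, "gmail": False, "gapps": False}


def provider(account):
    return account.split(":", 1)[0]


def reclaimable(account, dormant=DORMANT, policy=RECYCLES_DORMANT_NAMES):
    """A dormant mailbox at a provider that recycles names can be registered
    by a stranger, who then receives every reset mail sent to it."""
    return account in dormant and policy.get(provider(account), False)


def blast_radius(seed, recovery=RECOVERY):
    """Every account whose reset mail is ultimately delivered to `seed`.
    The graph is walked in reverse, breadth first: each account that resets
    to a controlled mailbox becomes controlled, and so on down the dominoes."""
    reverse = {}
    for acct, mailbox in recovery.items():
        reverse.setdefault(mailbox, []).append(acct)
    seen, queue = {seed}, deque([seed])
    while queue:
        cur = queue.popleft()
        for dependent in reverse.get(cur, []):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen - {seed}


def root_mailbox(account, recovery=RECOVERY):
    """Follow the recovery chain to its end: the mailbox nothing else protects.
    A visited set guards against a chain that loops back on itself."""
    visited = set()
    while account in recovery and account not in visited:
        visited.add(account)
        account = recovery[account]
    return account


def weak_links(recovery=RECOVERY, dormant=DORMANT, policy=RECYCLES_DORMANT_NAMES):
    """Defender's check: accounts whose recovery chain bottoms out in a
    reclaimable mailbox, grouped by that mailbox. This is the 'weakest
    application used by the weakest user' made explicit."""
    findings = {}
    for acct in recovery:
        root = root_mailbox(acct, recovery)
        if reclaimable(root, dormant, policy):
            findings.setdefault(root, set()).add(acct)
    return findings


if __name__ == "__main__":
    for root, accounts in weak_links().items():
        print(f"{root} is reclaimable and protects: {sorted(accounts)}")
    # The fix on the provider side: tombstone released names instead of
    # recycling them. With that policy the findings list is empty.
    fixed = dict(RECYCLES_DORMANT_NAMES, hotmail=False)
    print("after tombstoning released names:", weak_links(policy=fixed))
```

`weak_links` is the part a defender would actually run over an inventory of recovery addresses: it reports which business accounts hang off a mailbox that a stranger could re-register. `blast_radius` answers the reverse question, how far a single reclaimed mailbox reaches. Flipping the provider's policy to "never reassign a released name" (or, equivalently, removing the dormant address from every recovery chain) empties the findings, which is the whole point of the article's complaint.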
At this point you get the general gist of the story and you'd best continue with the TechCrunch article itself - it's definitely worth your time reading.
Hacker Croll gave the web a wake-up call not unlike the call Anaconda gave it back in May 2000. No one listened back then - 90% of surfers still use Microsoft Windows - and again the question today is 'how stupid are people really?'
Can we hope people are more intelligent today when 90% of them are still using Microsoft Windows? Anyone want to take bets that this won't happen again?
Hacker Croll, wherever you are: merci bien.
And now to iTunes: Nik Cubrilovic claims he and the crew at TechCrunch are sitting on a really embarrassing iTunes exploit - that it's namely possible to see full credit card information in plain text if you know how to hack it. They've naturally contacted Apple and naturally won't reveal how it's done until it's fixed but Apple naturally have up to now refused to respond.
I would like to offer my full apologies to the Twitter staff. I think this company has a great future ahead of it.
I did this with no intent of profit. Security is a field that has fascinated me for many years and I would like to make it my career. In my daily life I sometimes help people protect themselves against the dangers of the internet. I teach them the basic rules... For example: be careful where you click, which files you download and what you type on the keyboard. Make sure the computer is equipped with effective protection against viruses, outside attacks, spam, phishing... Keep the operating system and frequently used software up to date... Think about using passwords that have nothing in common with each other. Think about changing them regularly... Never store confidential information on the computer...
I hope my repeated interventions will have shown how easy it can be for a malicious person to access sensitive information without much knowledge.
- Hacker Croll
TechCrunch: The Anatomy of the Twitter Attack