Rixstep

Hacker Croll

The web's second wake-up call. For free. But will anyone listen?



Hacker Croll is a hero today. And if that's not universally recognised it should be soon. He pulled off the Hack of the Century (easy - it's a new century) and he did no damage whatsoever, his sole purpose being to scare the powers that be into adopting better security procedures before it's too late. And it's nearly too late already.

Hacker Croll is of course a made-up name. He says he's originally from France, in his early twenties, and currently unemployed.

Hacker Croll's the one who started 'Twittergate' - he's the one who broke into Twitter and hung out their underwear to dry.

But what's particularly interesting about this story - and there are naturally several things - is that the technological weakness per se was not at Twitter as many presume, nor was it at Google as others who think they know better presume, but actually at - are you ready?

Microsoft's Hotmail.

Leave it to Microsoft to institute a policy whereby people signing up for new accounts can use account names that have previously been in use but gone dormant. Not even Yahoo do something that stupid - at least when last checked.

'The Anatomy of the Twitter Attack' by Nik Cubrilovic fairly spells out what happened and how easy it was to make the whole cloud - terrible metaphor here - crumble like a house of cards.

The list of services affected are some of the most popular web applications and services in use today - Gmail, Google Apps, GoDaddy, MobileMe, AT&T, Amazon, Hotmail, Paypal, and iTunes.

[Note the mention of iTunes - there's a gaping hole there too, almost as big as the one at Hotmail. Ed.]

Taken individually, most of these services have reasonable security precautions against intrusion. But there are huge weaknesses when they are looked at together as an ecosystem. Like dominoes, once one fell (Gmail was the first to go) the others all tumbled as well. The end result was chaos and raises important questions about how private corporate and personal information is managed and secured in a time when the trend is towards more data, applications, and entire user identities being hosted on the web and 'in the cloud'.

[Again: Gmail was the first to go, but it was actually a colossal blooper only Microsoft would be capable of that started it, a blooper worthy of mention in The Technological, it's so colossally stupid. Ed.]
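The account-name recycling blamed in both editor's notes above, modelled as an added Python illustration (not code from Rixstep, Microsoft or the TechCrunch write-up): a toy mail provider with the weak policy beside the tombstoning fix, and a relying app's reset flow that mails a token to whoever currently answers to the recovery address. The mailbox names, the dormancy rule and the token format are constructed for the example.

```python
import secrets


class MailProvider:
    """Owns mailbox names; the policy flag decides whether dormant names are reusable."""

    def __init__(self, recycle_dormant: bool):
        self.recycle_dormant = recycle_dormant
        self.owner = {}       # mailbox -> current owner
        self.dormant = set()  # mailboxes the provider expired for inactivity
        self.inbox = {}       # mailbox -> delivered messages

    def register(self, mailbox: str, person: str) -> bool:
        if mailbox in self.owner and mailbox not in self.dormant:
            return False      # live name: never reusable under either policy
        if mailbox in self.dormant and not self.recycle_dormant:
            return False      # hardened policy: expired names are tombstoned
        self.owner[mailbox] = person  # weak policy: a stranger now owns the name
        self.dormant.discard(mailbox)
        self.inbox[mailbox] = []
        return True

    def expire(self, mailbox: str) -> None:
        self.dormant.add(mailbox)  # long inactivity; the name is no longer live

    def deliver(self, mailbox: str, message: str) -> None:
        self.inbox.setdefault(mailbox, []).append(message)


def request_reset(mail: MailProvider, recovery: dict, username: str) -> str:
    """The relying web app's reset flow: mail a token to the recovery address
    enrolled long ago and report who currently owns that mailbox."""
    box = recovery[username]
    mail.deliver(box, f"reset token for {username}: {secrets.token_hex(8)}")
    return mail.owner.get(box, "nobody")


def who_gets_reset(recycle_dormant: bool) -> str:
    """Replay the chain under one provider policy; return the token's recipient."""
    box = "oldbox@example.invalid"                 # constructed sample mailbox
    mail = MailProvider(recycle_dormant)
    mail.register(box, "employee")
    recovery = {"employee": box}                   # set when the app account was made
    mail.expire(box)                               # years of disuse at the provider
    mail.register(box, "stranger")                 # refused when tombstoned
    return request_reset(mail, recovery, "employee")
```

Under the recycling policy the reset token lands with the stranger; with the name tombstoned it can only ever reach the original owner, which is the whole of the fix the page is asking for.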

Hacker Croll followed the well-trodden path in 'Hacking Exposed': if you want to hack into a network then pick a new company or a company fresh out of a merger or acquisition. That's when the weaknesses show.

Then you do something called footprinting.

For Hacker Croll, his first port of call in setting out to gain access to a target network is to make use of public search engines and public information to build a profile of a company or individual. In the case of the Twitter attacks, this public information allowed him to create a rich catalog of data that included a list of employee names, their associated email addresses, and their roles within the company. Information like birth dates, names of pets, and other seemingly innocent pieces of data were also found and logged.

Hacker Croll next chose his 'weakest link'.

Hacker Croll knew he likely only needed a single entry point in any one of the business or personal accounts in his list in order to penetrate the network and then spread into other accounts and other parts of the business. This is because the web was designed at a time when there was implicit trust between its participants - requiring no central or formal identification mechanism.

But is it really that easy? Oh yeah!

Look at the front page of almost any web application and you'll see hints at just how hopeless and helpless we are in managing our digital lives: 'forgot my password', 'forgot my username', 'keep me logged in', 'do not keep me logged in', 'forgot my name', 'who am i'.

Twitter just happens to be one of a number of a new breed of companies where almost the entire business exists online. Each of these employees, as part of their work, share data with other employees - be it through a feature of a particular application or simply through email. As these users become interwoven, it adds a whole new attack vector whereby the weak point in the chain is no longer just the weakest application - it is the weakest application used by the weakest user.

Unfortunately for Twitter, Hacker Croll found such a weak point.

At this point you get the general gist of the story and you'd best continue here - it's definitely worth your time reading.

http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/

Hacker Croll gave the web a wake-up call not unlike the call Anaconda gave it back in May 2000. No one listened back then - 90% of surfers still use Microsoft Windows - and again the question today is 'how stupid are people really?'

Can we hope people are more intelligent today when 90% of them are still using Microsoft Windows? Anyone want to take bets that this won't happen again?

Hacker Croll, wherever you are: merci bien.

Postscript: iTunes

And now to iTunes: Nik Cubrilovic claims he and the crew at TechCrunch are sitting on a really embarrassing iTunes exploit - namely that it's possible to see full credit card information in plain text if you know how to hack it. They've naturally contacted Apple and naturally won't reveal how it's done until it's fixed, but Apple have up to now refused to respond.

Shop carefully.

I would like to offer all my apologies to the staff at Twitter. I think this company has a great future ahead of it.

I did this for no profit. Security is a field that has fascinated me for many years and I would like to make it my profession. In my daily life I sometimes help people protect themselves against the dangers of the internet. I teach them the basic rules... For example: being careful where you click, which files you download and what you type on the keyboard. Making sure the computer is equipped with effective protection against viruses, external attacks, spam, phishing... Keeping the operating system and frequently used software up to date... Remembering to use passwords with no similarity between them. Remembering to change them regularly... Never storing confidential information on the computer...

I hope that my repeated interventions will have shown how easy it can be for an ill-intentioned person to access sensitive information without much knowledge.
- Hacker Croll

See Also
TechCrunch: The Anatomy of the Twitter Attack

All Content and Software Copyright © Rixstep. All Rights Reserved.
