Twitters Cloud computing hacked.

Keyboard_Commando · Jul 18, 2009

http://www.scmagazineuk.com/Twitter-hacking-shows-lack-of-security-in-cloud-computing-according-to-commentators/article/140245/

http://www.scmagazineuk.com/TechCrunch-claims-it-contacted-Twitter-ahead-of-publication-of-hacked-documents/article/140246/

Not so sure that this means Cloud is of greater vulnerability. Twitter is just going through the same microscopic secuirty examination Myspace, Facebook, etc, have all gone through. You'd think security specialist vendors will have better protection policies server side.

Cudni · Jul 18, 2009

i don't think the cloud got hacked rather it was the case of predictable passwords
http://www.channelinsider.com/c/a/S...Password-Weaknesses/?kc=CITCIEMNL07172009STR2
"...
It’s believed that a hacker named Croll used the automated password reset system of Google Apps to gain access to a wiki used by Twitter employees. Once into the wiki and Gmail account, the hacker got all the information he needed to access other Twitter accounts, including the e-mail of the wife of CEO Evan Williams.
.."

Keyboard_Commando · Jul 18, 2009

Cudni said:

i don't think the cloud got hacked rather it was the case of predictable passwords

.."
Click to expand...

Yeah you're right. And surprise surprise, YAHOO! MAIL is the origin of the problem.

For instance, gaining access to someone's Yahoo account (which is how this all started) can be simple if you have access to one of their other e-mail accounts. Yahoo's process for password retrieval has several steps, with the primary one being the option to send a password reset to another e-mail account it has on file. There's also the option to say you can't access that e-mail account, which is likely the route the hacker went. Doing this takes you to a page where you have to answer a secret question (usually a pet name), the answer of which is penned during the account sign-up process.
Click to expand...

http://news.cnet.com/8301-17939_109-10287558-2.html

Yahoo has only recently added multi secret questions to their password retrieval. It was 3 or 4 questions for such a long time. Madness!

As for the log-ins though, it's a wake-up call to the importance of a good password, and having systems in place that make it hard for the wrong people to get in. And not all systems are created equal.
Click to expand...

One weak link in the chain.

Cudni · Jul 18, 2009

and when answering those questions there is no need to be truthful

xxJackxx · Jul 20, 2009

Cudni said:

and when answering those questions there is no need to be truthful
Click to expand...

Exactly! Never answer these correctly.

Keyboard_Commando · Jul 22, 2009

http://www.scmagazineuk.com/Hacker-Croll-details-how-he-hit-Gmail-account-of-Twitter-employee-that-led-to-last-weeks-incident/article/140334/

Cubrilovic said: “Various bloggers speculated about the cause of the attack - with some placing the blame on Google while others blaming the rising trend of hosting documents in the cloud.”

The article claimed that "Hacker Croll was successful by using the same combination of patience, sheer determination and somewhat elementary methods to gain access to a frightening number of accounts and services related to Twitter and Twitter employees."
Click to expand...

In the case of the Twitter attacks, public information allowed him to create a catalogue of data that included a list of employee names, their associated email addresses and their roles within the company. He was also able to find and log information such as birth dates, names of pets and other seemingly innocent pieces of data.
Click to expand...

On requesting to recover the password, Gmail informed him that an email had been sent to the user's secondary email account. In an effort to balance usability with security, Gmail offered a hint as to which account the email to reset the password was being sent to, in case the user required a gentle reminder.

At Hotmail, Hacker Croll again attempted the password recovery procedure - making an educated guess of what the username would be based on what he already knew. Finding that the hotmail account was dormant, he registered the account, re-requested the password recovery feature at Gmail and within a few moments had access to the personal Gmail account of a Twitter employee.
Click to expand...

Once he had the login and static password, Hacker Croll then used the same combination and reset features to access AT&T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave him access to full credit card information in clear text.

When asked by TechCrunch for a comment, Hacker Croll said: “I would like to offer my personal apology to Twitter. I think this company has a great future ahead of it.

"I did not do this to profit from the information. Security is an area that fascinated me for many years and I want to do my job. In my everyday life, I help people to guard against the dangers of the internet.

“I learned the basic rules. For example: be careful where you click the files that you download and what you type on the keyboard. Ensure that the computer is equipped with effective protection against viruses, external attacks, spam, phishing. Upgrading the operating system, software commonly used. Remember to use passwords without any similarity between them. Remember to change them regularly. Never store confidential information on the computer".
Click to expand...

Stephen Howes, CEO/CTO of GrIDsure, said: “The Twitter hacking case is yet another demonstration of the inherent weakness of fixed passwords. Not only are they easy to break, but the same password is often used across a number of consumer and business accounts because they are not easy to remember – clearly shown by the ‘forgot my password' feature present on the password login screen.

“With cloud computing-based services becoming the norm in today's online world, it is time that providers start looking seriously at alternatives that are easier to remember and much more secure than traditional passwords to ensure that confidence in their services are not dashed by further breaches such as this.”
Click to expand...

Log in or Sign up

Twitters Cloud computing hacked.

Keyboard_Commando Registered Member

Cudni Global Moderator

Keyboard_Commando Registered Member

Cudni Global Moderator

xxJackxx Registered Member

Keyboard_Commando Registered Member

Log in or Sign up

Twitters Cloud computing hacked.

Keyboard_Commando Registered Member

Cudni Global Moderator

Keyboard_Commando Registered Member

Cudni Global Moderator

xxJackxx Registered Member

Keyboard_Commando Registered Member

Useful Searches