The issue with these 33 accounts is different from the Phishing scam aimed at Twitter users this weekend. These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can't remember or get stuck. We considered this a very serious breach of security and immediately took the support tools offline. We'll put them back only when they're safe and secure.
Blah, that's a pretty gloomy thing to come in to work on a Monday morning. I don't feel for the coders at Twitter...
But this highlights a bunch of points that normal people (non-IT people!) don't yet appreciate:
- Any computer connected to the Internet can be subject to a break-in (especially the one you're reading this post from).
- Big-brand IT shops with big budgets aren't immune, even if they have been as diligent as they can with security.
- Security is a cat-and-mouse game. As smart as security people are, the crooks are just as capable.
tl;dr: We're back at That Password Thing... Change your Twitter password as soon as you can. I doubt the public outside of Twitter will know how deep these guys got into the system before the compromise was noticed.
This blog isn't immune by any stretch of the imagination, so I'm not posting this from some mountaintop of smugness. It's only a matter of time before someone finds a hole in WordPress, or a plugin I'm using, or in the base operating system of my server, and bam, I'm pwnd.
Finally, we, being humans, need to move past our current methods of authentication. Not to some weird draconian Big Brother type system where one central command corporation has full rights to this data, but to an open system based on tried and true methods of cryptography and digital signatures.
Making it easy and portable to prove who you are is the next leap in online communications: literally establishing trust relationships with real people, using digital keys so that others can trust what is being posted.
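To make the "digital keys" idea concrete, here is an added example (my own illustration, not Twitter's code and not part of the original post) of what signed posts and a reader-side trust store look like with Ed25519 from Go's standard library. The handles ("alice"), the post bodies and the SignedPost/TrustStore types are all constructed for the example. A genuine post from a trusted key verifies; a post whose body was altered after signing fails; and a post signed by an unknown key claiming to be "alice" fails, because trust is anchored in the key the reader chose to accept, not in the name in the message.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// SignedPost is a post plus the author's public key and a signature over
// (author, body). Constructed example type, not a real Twitter structure.
type SignedPost struct {
	Author    string // handle, assumed for the example
	PublicKey ed25519.PublicKey
	Body      string
	Signature []byte
}

// signingInput binds the handle to the body so a valid signature cannot be
// replayed under a different author name.
func signingInput(author, body string) []byte {
	return []byte(author + "\n" + body)
}

// NewSignedPost signs body with the author's private key.
func NewSignedPost(author string, priv ed25519.PrivateKey, body string) SignedPost {
	return SignedPost{
		Author:    author,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Body:      body,
		Signature: ed25519.Sign(priv, signingInput(author, body)),
	}
}

// TrustStore maps a handle to the public key the reader has decided to trust
// (the "trust relationship with a real person" from the text).
type TrustStore map[string]ed25519.PublicKey

// Verify accepts a post only when the author is in the trust store, the post
// carries exactly that key, and the signature is valid over author and body.
func (ts TrustStore) Verify(p SignedPost) bool {
	trusted, ok := ts[p.Author]
	if !ok {
		return false // never heard of this person: no trust relationship
	}
	if !trusted.Equal(p.PublicKey) {
		return false // same handle, different key: impostor or key change
	}
	return ed25519.Verify(trusted, signingInput(p.Author, p.Body), p.Signature)
}

// Demo runs the three scenarios and returns their verification results:
// a genuine post, a tampered body, and an impostor using an untrusted key.
func Demo() (genuine, tampered, impostor bool, err error) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, malloryPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}

	// The reader trusts alice's key (exchanged out of band, assumed here).
	store := TrustStore{"alice": alicePub}

	post := NewSignedPost("alice", alicePriv, "Changed my password, as advised.")
	genuine = store.Verify(post)

	forged := post // copy the signed post, then alter the body in transit
	forged.Body = "Send me your password."
	tampered = store.Verify(forged)

	// Mallory signs with her own key but claims alice's handle.
	imp := NewSignedPost("alice", malloryPriv, "Totally alice here.")
	impostor = store.Verify(imp)
	return
}

func main() {
	g, t, i, err := Demo()
	if err != nil {
		panic(err)
	}
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("example public key:", hex.EncodeToString(priv.Public().(ed25519.PublicKey)))
	fmt.Printf("genuine=%v tampered=%v impostor=%v\n", g, t, i)
}
```

The store is deliberately keyed by handle and compared against the key inside the post: a display name alone proves nothing, which is exactly the gap a password-only system leaves open once a support tool that can reset credentials is compromised.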