Twitter has lifted the lid on its recent advice to many users to reset their passwords for the micro-blogging site. Originally, it was thought that the guidance had come in response to a common or garden phishing attack. In a post on Tuesday, Twitter explained that the attack was actually far more devious and elaborate. Hackers …
I worked on a project a few years back that could solve all of these password problems, the thing got built never got put into business unfortunately, and now the company has folded.
Basically it was an outsourced RSA solution with HSMs etc. Anyone could take out a service and rent the authentication cards, then you just plug in to the network via VPN and run your access software locally (web site or whatever) and it would send off the password to the server farm, which then said yay or nay.
Worked pretty well and removed all of those tedious support issues that you get with hosting your own RSA solution.
Ok, own up who downvoted me :) At least you could say why.
I worked on a project that counters this quite effectively too. Basically it was a rod composed of blended aluminium phyllosilicates and graphite used to encode passwords on a cellulose substrate. This allowed a user to easily retain multiple login credentials for future reference, thereby enabling the use of unique passwords for each site.
Forgive my naïvety but as I'm not on Twitter I'm a little curious as to the purpose of this attack. Gaining more followers is hardly a way to siphon funds to a Swiss bank account, or is it as much about a proof of concept as anything?
As another Reg article discussed yesterday, is the next step to use the passwords on some financially sensitive web sites...?
you said it yourself in your last paragraph.
MOST users use the same password for multiple sites; if you can get a Twitter user's name, email, password and maybe more details then you can, to use leet speak, "Pwn" them. Bank, email, credit card, shopping services all become yours to do with as you please (well, that's the theory anyway).
It's called single sign-on
I have an old PDA, which will probably soon decease. When it does, I will have to find a new home for my 30+ encrypted passwords that I need for work, home network devices, my TV, various internet accounts with various stores or support sites, etc, etc... One password gets me access to these and that is a strong password, so nearly single sign-on.
The alternative is to pick one or two secure passwords and use these for all access, then run the risk of when one is compromised, all accounts with that password are at risk, if not already plundered.
It is the age-old trade-off: multiple passwords, which are weak so that they can be remembered, which may work for up to 10 passwords, or use a strong password for everything. (I know, some people use weak for everything, but these are the same people that write their PIN on the back of their debit card.)
Anyone that comes up with a user friendly, secure solution to this problem will make a fortune. And UK ID cards won't cut it, it may be something you have, (and others can also have when a truck load of blanks go missing), but the something you know will be at risk the same as a common password.
I'm somewhat confused.
I can understand how this was done... Just not why.
It seems an awful lot of effort to go to just to take control of something as fatuous and pointless as a twitter account.
I suppose it could have been a trial run to test the concept, before moving on to trying to hijack something important. Although... while people may be daft enough to use the same password for a dodgy warez site as their inane-celebrity-witter account, surely far fewer people would have the necessary single-digit IQ to do the same with a password they use for something that is actually important?
Oh wait - we're talking about twitter users. I seem to have answered my own question.
meanwhile in the real world...
'We strongly suggest that you use different passwords for each service you sign up for'
Oh yes, good practical advice. If I did this then I'd quickly have to start writing them down to remember them all. I mean, I'm probably using up to about 10 different variants of user credentials across everything at the moment and that still means a hell of a lot of duplication.
So which is the more cardinal security sin? Duplicating or documenting?
And the point is?
I use the same login on a number of sites, none of which matter. twitter would be one of them, so would facebook, so would this site. If they are compromised there is no great loss.
Sure, Del . . .
"The takeaway from this is that people are continuing to use the same email address and password (or a variant) on multiple sites," writes Del Harvey, director of Trust and Safety at Twitter. "We strongly suggest that you use different passwords for each service you sign up for," he adds.
Yes, people will use the same email address for multiple signups, especially with Gmail now requiring your mobe number so they can text you your confirmation code (pathetic). Still shopping around for a new freemail provider.
People ask "why bother pwning Twitter?".
The answer is simple. Alice (our imaginary character) uses the password xyzzy on a warez forum. The unidentified slackers who have access to this information will then attempt to make matches with other well-known services. In this instance, Twitter reported an issue. But for all we know, Alice was looked up on MySpace and Facebook (both of which use email address for ID), maybe GMail and Yahoo! Mail.
The crunch, the entire point, is simple. They don't care about pretending to be Alice on Twitter. They aren't really interested in Alice's experiments with crochet discussed at tedious length on MySpace (with pictures that are all slightly out of focus, taken under fluo lights so everything looks vomit-yellow). No, they are interested only in that initial access. For if it succeeds, then it indicates that Alice recycles her passwords. It's a short hop from there to attempting something with value, something that will be financially rewarding for all this effort.
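The reset-on-match procedure behind the Twitter story, as an added illustration written for this page (not Twitter's code, and not from any commenter): given a leaked email/password list from an unrelated site, each pair is verified against the service's own salted hashes, and only accounts where the leaked password actually matches are flagged for a forced reset. The sample dump, the user table and the PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor; constructed value for the example

# Constructed sample leak: (email, plaintext password) pairs from some other site.
LEAKED_CREDS = [
    ("Alice@Example.com", "xyzzy"),        # Alice reuses this password here
    ("bob@example.com", "hunter2"),        # Bob uses a different password here
    ("carol@example.com", "correcthorse"), # Carol has no account on this service
]


def hash_password(password, salt=None):
    """Return (salt, digest) for a password using salted PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Constant-time check of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def build_user_table():
    """Constructed user table for this service, keyed by normalised email."""
    users = {}
    for email, pw in [("alice@example.com", "xyzzy"),
                      ("bob@example.com", "bob-unique-pw"),
                      ("dave@example.com", "dave-pw")]:
        users[email.lower()] = hash_password(pw)
    return users


def accounts_to_reset(users, leaked):
    """Emails whose leaked password verifies against this service's stored hash.

    Only the leaked plaintext is hashed, under the service's own salt, so the
    dump is never stored and the cost is bounded by the number of matching emails.
    """
    flagged = []
    for email, leaked_pw in leaked:
        record = users.get(email.strip().lower())
        if record is not None and verify(leaked_pw, *record):
            flagged.append(email.strip().lower())
    return sorted(set(flagged))
```

Running `accounts_to_reset(build_user_table(), LEAKED_CREDS)` flags only Alice: Bob's leaked password does not match his hash on this service, and Carol has no account to reset.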