Password guessing attack exposed in Twitter pwn Miscreants broke into Twitter's admin system on Sunday night using a simple password guessing hack, it has emerged. A teenage hacker, known in the digital underground as GMZ, claims he obtained access to the micro-blogging site’s admin controls using a brute force dictionary attack. After guessing the login identity of an …
Digital's VAX/VMS operating system had a strong solution to this 25 years ago, so there's no excuse for such easily crackable login code.
After the third sequential failed login attempt VMS disconnected the login program from the account and replaced it with another program that looked and acted the same, but whose only actions were to log that it had been started and then accept and discard all following login attempts. Once the switch-over had occurred the account could not be used again until the local BOFH had reset it. The technique was reinforced by requiring users to select long passwords that were not in a dictionary of common words, etc.
This was in the days of dial-up access: the idea of the fake login program was to see how high you could run the perp's phone bill before he twigged that his automated dictionary attack was never going to work.
Adapting this approach to the Internet Age is easy: implementation is left as an exercise for the reader.
Interesting idea. But what if you're just a clueless user who can't remember your password? This is very user-unfriendly. Do you want to handle the support calls from the users who have spent all evening trying to log in and have been given no indication that they're wasting their time?
You going to have to tell your users to stop trying after three fails. And if you do that no-one is going to bother trying a dictionary attack. So you'd be as well just doing a simple account lockdown and forget about the whole fake login idea.
Script kiddies != hackers. He's got a brute force password tool and didn't hide behind at least a proxy? C'mon now - if Twitter has any idea, they would have already reported it in to authorities with the connection details used for that admin account (Unless they have no logging at all...I guess that's possible seeing as they have nothing in place to stop someone from attempting this to begin with).
Hell, if this GMZ is in the US, they could tag this as "terrorist" going after Obama's feed.
Even our Windows domain at work has three (mis)strikes and you're out ie the account is blocked. Though that's actually a problem in itself, because it opens up a whole world of DoS attacks. But it does prevent dumb brute force attacks like this one.
As already noted, VMS had a lot of this kind of thing sorted, back in the 80s. But the sysadmins of today (and their IT Manager/Director bosses) largely don't listen to those that have been there done that and read the manual (remember manuals?), 'cos if it can't be done in Ruby on Rails using RESTful Service Oriented Abominations, or whatever else is trendy till someone Twitters that it's dead, it's not interesting.
Considering compromising this account put him in a place to forge communications from president elect of the Unites States among many other people, yeah I'd say that's pretty sensitive.
Also, no proxy? Looks like the cracker was as dumb as the twitter admins. It shouldn't be too hard to track him down assuming twitter even bothers to keep logs.
This ‘hacker’ (the word actually is cracker when someone breaks into something and vandalises it by the way) needs to have a word with Paris methinks. This is totally unacceptable behaviour for some total n00b.
What is even worse than this mess happening in the first place is that people trust websites like Twitter... I mean this website is used mostly by teenagers... and they usually like to be sadistic meanies :-( which means destroying things they don’t own and are jealous of so erm yep so can someone, please tell me?! Why you would open a ‘Twitter’ account and put yourself at risk of Hayley the cheerleader hacker and all her too cool for schools friends. Hacker hmm...? More like a script kiddie, but every cloud... yet again it’s proven that social networking sites like Twitter are a total waste of time. I just hope this hacker doesn’t hack into our El Reg and start posting bad articles’ although it seems like that has already happened at times. :P
Same way world + dog on the 'net does it. Once your Account's been blocked, your next attempt is greeted with something like: You have made three incorrect login attempts. Shove this button to get a new password mailed to the email account you registered with us. Said new pwd turns up and the first thing you get to do on using it is change it.
I recall some bright managerial tit extolling the virtues of this for our systems not so long back. It had to be the right thing 'cos "that's the way everyone does it on teh Intertoobs". My innocent question as to, given it was the desktop / LDAP password he was talking about, how the f*** the user was supposed to get at their company email account to find the new password, let alone gain access to the Intranet to use said automated reset system in the first place, went down like a cup of warm sick.....
@Gav
>But what if you're just a clueless user who can't remember your password? This is very user-unfriendly. Do you want to handle the support calls from the users who have spent all evening trying to log in and have been given no indication that they're wasting their time?
To be frank, if someone doesn't understand the concept of "you've tried it X times, give up and call support", they probably shouldn't be allowed to use a computer. Letting them try a 1000 times is a complete waste of their time, which is a good thing, as they could be using it to do witless damage in other areas.
Mine's the one dated November 17, 1858
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
