Triune Designs Blog: Web Design, Development, & Marketing

Protect Yourself

August 25th, 2009 by Leo Wurschmidt

A few weeks ago I read The Anatomy Of The Twitter Attack on TechCrunch. All I can say is wow!

In case you have not been following along on TechCrunch (TC) lately, let me fill you in. The online tech publication recently received over 300 documents from a hacker who had pulled sensitive business information out of the mailboxes of Twitter executives. These documents included Twitter’s financial details, executive-level meeting notes, and various documents outlining Twitter’s strategies, goals, and processes. Using this information, TC wrote a series of behind-the-scenes articles about Twitter and its plans for the present and future.

Security Holes
The Anatomy article reveals exactly how the hacker gained access to Twitter’s sensitive information. Hacker Croll (HC), as he wanted to be called, gained access through a Twitter employee’s Gmail account.

  1. HC got into a Twitter employee’s Gmail account through the password recovery feature, which sends a reset link to a secondary email address. In this case the secondary address was an expired Hotmail account. Hotmail had released the address, so HC simply registered it himself, requested a reset, clicked the link that arrived, and set a new password. Gmail was then owned.
  2. HC then read through the mailbox to work out what the original Gmail password had been, and set the password back to it so the Twitter employee would not notice that anything had changed.
  3. HC then tried that same password against the employee’s work email on Google Apps for Your Domain. It worked, giving him a gold mine of sensitive company information from emails and, particularly, email attachments.
  4. HC then used what he found there, along with more password guesses and password resets, to take control of other Twitter employees’ personal and work email accounts.
  5. HC then used the same username/password combinations and password reset features to get into AT&T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave HC access to full credit card information in clear text. By now HC also had control of Twitter’s domain names at GoDaddy.
  6. Even at this point, Twitter had absolutely no idea they had been compromised.

Your Security
In terms of online security and privacy, this is a horror story at its finest. Jason, Freddy, and all the others would be jealous.

Web developers are always a little paranoid about security and (hopefully) try to minimize the number of security holes on a given website. This mindset should apply to everyone, though. As more of our (and our companies’) information moves on-line, we need to stay mindful of keeping our data secure. Notice that nothing in the attack above required breaking into a server: every step was a password reset sent to an address nobody was watching, or a password that had been used in more than one place.

Quick Security Tips
Here are a few quick tips for increasing your security.

  • Have a different password for every on-line account.
  • Change your passwords regularly
  • Keep your password retrieval options up to date.
  • Consider changing your security questions to things that are not true, but that you will remember.
  • Keep all of your on-line apps and computer software up-to-date (e.g. make sure you are running the latest WordPress version available, and the latest version of Internet Explorer, Safari, or Firefox).
  • Always be careful with email and any attachments. This is especially true if the email comes from an unknown sender, or claims to come from your bank, credit card company, etc.
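To make the attack chain and the first and third tips a little more concrete, here is a small added example (my own, not anything from the TechCrunch article or Twitter). It treats a list of accounts as a graph: an attacker who can re-register an expired address gets every account whose reset link goes there, and every password they learn opens any other account that reuses it. The account names and passwords in it are made up for illustration; the `harden()` function applies the two tips (a unique password everywhere, and no recovery address pointing at an expired account) and shows how far the same attacker gets afterwards.

```python
"""Account-takeover blast radius for a small account inventory.

Added example, not code from the original post or from Twitter/TechCrunch.
It models the two pivots HC used: password-reset links delivered to an
address the attacker controls, and the same password reused across services.
All account names and passwords below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass, replace
from typing import Optional
import secrets


@dataclass(frozen=True)
class Account:
    name: str                       # hypothetical label, e.g. "employee-gmail"
    password: str                   # toy inventory only; never keep real ones like this
    recovery: Optional[str] = None  # account that receives this account's reset links
    expired: bool = False           # provider released the address; anyone can re-register it


# Constructed inventory loosely following the chain described in the post.
INVENTORY = [
    Account("old-hotmail", "forgotten", expired=True),
    Account("employee-gmail", "pass1", recovery="old-hotmail"),
    Account("employee-googleapps", "pass1"),
    Account("employee-amazon", "pass1"),
    Account("employee-bank", "unique-bank-pw", recovery="employee-gmail"),
    Account("coworker-gmail", "pass2", recovery="coworker-work"),
    Account("coworker-work", "pass2"),
]


def blast_radius(accounts):
    """Return {account name: how the attacker reached it}.

    The attacker starts by re-registering every expired address, then pivots
    breadth-first: a reset link sent to an owned mailbox hands over the
    account it protects, and a password already learned opens every other
    account that reuses it.
    """
    by_name = {a.name: a for a in accounts}
    owned = {}
    queue = deque()
    for a in accounts:
        if a.expired:
            owned[a.name] = "re-registered expired address"
            queue.append(a.name)
    while queue:
        cur = by_name[queue.popleft()]
        for a in accounts:
            if a.name in owned:
                continue
            how = None
            if a.recovery == cur.name:
                how = f"reset link sent to {cur.name}"
            # Re-registering an expired address does not reveal its old password,
            # so password-reuse pivots only start from accounts whose password was learned.
            elif not cur.expired and a.password == cur.password:
                how = f"reuses the password of {cur.name}"
            if how:
                owned[a.name] = how
                queue.append(a.name)
    return owned


def harden(accounts):
    """Apply the first and third tips: a unique random password per account,
    and no recovery address that points at an expired (re-registrable) one."""
    expired = {a.name for a in accounts if a.expired}
    return [
        replace(a,
                password=secrets.token_urlsafe(16),
                recovery=None if a.recovery in expired else a.recovery)
        for a in accounts
    ]


if __name__ == "__main__":
    for label, inv in (("before", INVENTORY), ("after hardening", harden(INVENTORY))):
        radius = blast_radius(inv)
        print(f"{label}: {len(radius)} of {len(inv)} accounts compromised")
        for name, how in radius.items():
            print(f"  {name}: {how}")
```

Run it and the "before" inventory loses five of seven accounts starting from nothing more than a dead Hotmail address, while the coworker’s accounts survive only because they share nothing with the first victim. After `harden()` the attacker still owns the expired address, but has nowhere to go from it. Pointing your own account list at this (with the passwords replaced by a simple "same as account X" marker rather than the real thing) is a quick way to see which single account you cannot afford to lose.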

If you have any other online security suggestions please throw them down in the comments.

Many Thanks
Thanks to TechCrunch, Twitter (reluctantly, I am sure) and H. Croll for providing us with this great example of our fragile online security.

The bank vault image is courtesy of Anonymous Account and can be found on Flickr.



11 Responses to “Protect Yourself”

  1. Jim Says:

    Scary… I learned to change my passwords on a schedule… I still do.

  2. Leo Wurschmidt Says:

    Yeah, crazy for sure. I am probably not as good about changing my passwords as I am about making sure I have different ones for every website. That just means more room for security-conscious changes! :)

  3. Jim Says:

    add that to the to-do list/pop-up reminders…

  4. Marketing Integrity Says:

    I appreciate these tips. I know the value of security and the high-cost of complacency. It just seems our world is so "password protected" that it is becoming increasingly difficult to be as diligent as I know I should be. I'll try harder!

  5. Leo Wurschmidt Says:

    Thanks, I hope they help. David, you are so right. With a vast password-based online world due diligence is overwhelmingly difficult! I had to buy a password "vault" just to keep track of all of my passwords.

  6. Leo Wurschmidt Says:

    Yeah, added to the already-full calendar. Haha.

  7. Marketing Integrity Says:

    Which password vault do you use?

  8. Leo Wurschmidt Says:

    The password manager I use is SplashID. It works pretty well and is available for the Mac and Windows PCs. The iPhone app that syncs with the desktop app is nice. One problem is using the "autofill" function. SplashID's autofill only works with Safari (I use Firefox for development and Opera for my walk-around browser). Other than that I do not have many complaints and it seems quite stable.

    Another option I have heard people recommend for the Mac is 1Password. Another for Windows is KeePass.

    I hope this helps.

  9. Marketing Integrity Says:

    Merci!

  10. Leo Wurschmidt Says:

    Glad to help! I hope one of those programs might help you out. Take care my friend.

  11. Triune Designs Blog » Writing the Right Things For the Wrong People Says:

    [...] blog kind of got hacked yesterday. I believe it has to do with some of the recent blog post about web security. So far, I cannot tell that anything actually happened, but two “people” registered on [...]
