To update yesterday’s story, the attack on Twitter pushing diet pills appears to be the result of weak passwords combined with brute force. Thank you to the users who contacted me, as the data you provided was helpful in researching this attack.
After cleaning up his account, John C. Dvorak admitted to having a weak password on his Twitter stream. Other affected users have also reported using less-than-complex passwords.
On his No Agenda podcast and on This Week in Tech with Leo Laporte, Dvorak admitted it was in fact a “skeleton key” password. A skeleton key password is one that is used to log in to multiple sites.
Many users have tried to cope with the password complexity challenge by having a throwaway or skeleton key for sites they don’t consider a security risk, and different passwords for online banking, etc. This practice is fraught with risk, as many of the techniques people use to compose their passwords have patterns, and this strategy also allows a whole mass of sites to be compromised by one security incident.
I recommend users employ techniques like the ones demonstrated by Sophos’s Graham Cluley in this video, or use a secure password vault that offers automatic password generation that is unique for each site.
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
It is especially important to never to use the password from your work environment on social media, forums, or any other services. The passwords acquired through phishing attacks on Facebook, Twitter, and MSN are frequently used to attempt to access corporate environments and allow the initial penetration required for the much-publicized attacks against companies like Google, Intel, and Adobe.
If you are using a password vault like 1Password or LastPass be sure to secure it using a strong password as outlined in the above video. If the service offers two-factor authentication with a one-time password, or Yubikey, take advantage of these techniques to further enhance your password security.