I’ve been speaking to the media today about the Twitter hack that saw the credentials of around 250,000 users scooped up by cybercriminals.
During the day, the same questions have been cropping up – and I thought it would be useful to briefly cover them here.
What did the hackers steal?
According to a blog post by Twitter, the hackers stole usernames, email addresses, session tokens and salted-and-hashed passwords (which is certainly better news than if they had stolen plaintext passwords).
What could the hackers do with that information?
A few things:
- The hackers could spam the email addresses, pretending to be Twitter and maybe trick you into clicking on a link or opening an attachment. In this way they might steal further information from you.
- They could target specific Twitter users (they now know the email address associated with each of the affected accounts) and craft an email designed to dupe the user in some way – potentially into clicking on a dangerous link or attachment – perhaps pretending to be someone else.
- Using the stolen session token they could, in theory, hijack your account, at least until you or the hacker next logs off.
- They could attempt to crack the passwords, by setting computers and large dictionaries of commonly used passwords against the problem. If some of the passwords are cracked, the hackers could then attempt to see if the same passwords will also unlock victims’ *other* accounts (such as their email).
Who is behind the hack attack on Twitter?
We don’t know. Twitter has had its internal systems hacked in the past (infamously, for instance, celebrity accounts were hijacked after a Twitter employee was found by hackers to be using an extremely weak password – “happiness”). Normally attacks are against individual accounts with the intention of spreading diet spam or malicious links, rather than against Twitter’s systems themselves.
I’ve heard media reports linking the Twitter hack with the attack on the New York Times and other newspapers that’s been blamed on China. Was it the Chinese who hacked Twitter?
Although Twitter referenced the recent high-profile attacks on newspapers, they haven’t explicitly said that they believe China hacked Twitter or presented any evidence to suggest that.
If Twitter has any information that does point a finger of suspicion towards China (such as if dissident or human rights Twitter accounts were targeted) they haven’t shared that with the media.
How will I know if I am one of the Twitter users who has been affected?
Twitter has emailed affected users, resetting passwords and revoking session tokens. Your old password will no longer allow you into Twitter, and you’ll have to choose another one.
What kind of password should I use?
Never use passwords that are easy to guess or that are dictionary words. Make yours as long as possible, and use a mixture of upper and lower case letters, numbers and special characters.
How am I supposed to remember a password like that?
Here’s a video which explains how to choose a strong password, which is easy to remember but still hard to crack:
But you say I should have a different password for every website I use… how can I realistically remember all of them?
You can’t. Use password management software like KeePass, 1Password or LastPass. They can hold your passwords securely, and all you have to remember is your master password (make it a good one). Password management software can even generate random, complex passwords for you when you create new accounts.
Couldn’t I just let my browser remember my passwords?
Most modern browsers do offer to save your usernames and passwords for the websites you visit, but I do not recommend it.
Why does Twitter say that I should disable Java in my browser?
Whether your browser is Java-enabled or not has no bearing on whether Twitter (on completely different computers from your own) is capable of being hacked or not. However, we do see frequent web-based attacks exploiting security holes in Java – so, unless you really need it, it might be wise to learn how to turn off Java in your browser.
Think of it as Twitter just trying to be helpful and neighbourly, rather than giving advice specific to this latest attack.
(Of course, it’s always possible that the computers of Twitter employees were infected via a Java vulnerability. But they haven’t owned up to that. Other possible vectors by which Twitter staff might have been hit by malware include booby-trapped Word documents or PDF files.)
How else might someone take advantage of the Twitter hack?
It’s possible we could see bogus emails spammed out pretending to come from Twitter. Users might be tricked into believing that they are really messages from Twitter telling them that their account was compromised in the hack, and click on links without thinking of the possible consequences. All users need to be on their guard against social engineering tricks like this.
What else should I do?
Read this article by my colleague Paul Ducklin.
Stay secure.
Has someone hacked into the English captions on the password creation video? They are truly bizarre!
I don’t see how having a master-password protected, browser-integrated, password management system is worse than a 3rd party, Javascript-activated or two-step manager.
I use Opera’s, and it’s seamless and safe. What would be your objection to this?
Can you give more details why? I know the likes of Firefox tries to rapidly plug security holes, but I have little knowledge of the likes of KeePass, 1Password or LastPass and how quickly they plug holes. I am not sure that I would let any system save banking passwords.
Because browsers require very little in the way of authentication to replay those passwords.
Once you've stored the password in the browser, someone can just start the browser and log in as you wherever they want. This isn't possible with 1password or last pass, both of which require authentication.
Additionally many browsers do not encrypt the password database.
Not if you set up a master password, which you should.
That’s technically false, and not relevant if you use a master password.
I would also recommend Password Gorilla. When I was looking for a manager this looked like the only one that offered good security, desired features, and Winx & Linux compatibility. I need the same PWDB available on many different systems.
Can you recommend password management software for the iPhone? I don't know who I can trust, but I think I really need something on the device I have with me at all times.
KeePass and 1Password both have iOS apps; not sure about LastPass.
You failed to point out that Twitter said in their official blog post that the attackers were "extremely sophisticated."
This hack was not cybercrime as you suggest. It is APT related.
APT means:
A = Advanced = It got past our defences, whatever they might have been.
P = Persistent = It survives a logout and a reboot.
T = Threat = It is a threat.
If it's an unauthorised intrusion, which I don't think anyone would deny, how does that make it "not cybercrime"?
Not sure how the sophistication of the attack affects its criminality, at least in this case.
Cybercrime is truly defined as financially motivated malware or hacking attacks.
The APT was not financially motivated. They were after something, or someone. I'm not the only one saying this, Paul. See: www.f-secure.com/weblog/archives/00002496.html
If you define cybercrime as "financially motivated" (I'm not sure that's a useful definition, nor one that is widely accepted), *and* you assume that there was no financial motivation here (and I'm not sure how you say this on the available evidence), then I guess this wasn't cybercrime.
And, to be fair to our friends over at F-Secure, the post to which you refer does not make the claim you suggest. (The post is about whether you should use Java or not.)
Sean at F-Secure actually wrote this: "Twitter was hacked last week. And for some reason (which wasn't all that clearly explained), Twitter's Director of Information Security recommended disabling Java's browser plug-in. If we were to speculate, we'd guess a developer at Twitter fell victim to a targeted attack which used a Java exploit."
There is no mention of motivation. And I'm not sure how that affects the criminality of the intrusion anyway, since my opinion is that the person or persons who did this broke the law, and that it was a criminal act.
Your link leads to a brief entry on the topic of "What is Java technology and why do I need it?"; no mention there of cybercrime, regardless of how you define it.
Not that it matters to me… I don't care who might have said it, it's a lousy definition. By that logic, murder is not a crime unless the motive is money.
Violations of law in the cyberworld constitute cybercrime. It's that simple.
“They could attempt to crack the passwords, by setting computers and large dictionaries of commonly used passwords against the problem.”
The passwords were hashed and salted, so were not stored as dictionary words as you suggest.
Problem is that although storing hashes instead of the raw passwords helps a lot, you're still not supposed to lose the hashes. As Graham points out, someone who steals the hashes gets to try out passwords from a dictionary against the list of hashes.
And they get to do that *as fast and for as long as they want*.
So Graham wasn't saying (indeed, didn't say) that the passwords were stored as dictionary words. Just that after the hashes were stolen, the crooks could mount a dictionary attack at their end…
(If the stolen passwords had been stored in raw form, they wouldn’t need a dictionary or an attack, would they? They’d have the passwords straight off the bat. 🙂)
Thanks for your reply.
He is saying, as you appear to be, that they were stored as hashed dictionary words (should the user have chosen such a password).
I'm saying that they were salted… i.e. the original password has been altered by a given value before being hashed – so they should not be able to mount a dictionary attack.
That's not quite correct.
A salt makes it harder or impossible to use a *precomputed* dictionary attack.
If you use a straight hash, every time someone chooses, say, "happiness" as a password, the hash is, say, "1badc0de". So you can pre-compute a list of hashes, keyed by dictionary words, and use it to mount your dictionary attack as a simple list lookup.
If you add a random character to the password (the salt) then each dictionary word can end up hashed in 26 different ways:
ahappiness
bhappiness
chappiness
….
and so your pre-computed list just got 26 times bigger. Make the salt longer, say four characters or more, and the pre-computed list quickly becomes impracticable. Instead of a list of one million words and their hashes, you might end up with a list of one million variants of one million words.
You can still do a dictionary attack – but you actually have to calculate HASH(salt,password) every time for every word in the dictionary. You can't just check to see if HASH(password) is in the list.
That's typically a lot slower, but it doesn't *prevent* a dictionary attack.
(Don't forget that the password database has to store both the salt and the hash. So if you steal it, you get the salts too. The salts aren't used once and then discarded because you need them to check the hashes later.)
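The two points made above, in the article (stolen salted hashes can still be run against a dictionary) and in the comment thread (a salt defeats a precomputed list but not a per-salt recomputation), shown as a small added example that is not code from the original post. It assumes SHA-256 as a stand-in for whatever hash Twitter used, a 4-byte random salt stored beside the digest, and a constructed five-word dictionary; it exists to show why a reset was still warranted even though the passwords were salted and hashed.

```python
import hashlib
import os

# Constructed toy dictionary of common passwords (not real breach data).
DICTIONARY = ["password", "123456", "letmein", "happiness", "qwerty"]


def plain_hash(password: str) -> str:
    """Unsalted hash: every user choosing the same word gets the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(salt: bytes, password: str) -> str:
    """HASH(salt, password): the salt sits in the database next to the digest."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def precomputed_table(words) -> dict:
    """Hash each dictionary word once, keyed by digest, for a pure table lookup."""
    return {plain_hash(w): w for w in words}


def lookup_attack(stored_hash: str, table: dict):
    """Only works for unsalted hashes: no hashing at all, just a lookup."""
    return table.get(stored_hash)


def per_salt_attack(salt: bytes, stored_hash: str, words):
    """With a salt the table is useless; every candidate must be re-hashed with
    that user's own salt. Returns (word, number of hash computations needed)."""
    for attempts, w in enumerate(words, start=1):
        if salted_hash(salt, w) == stored_hash:
            return w, attempts
    return None, len(words)


def demo():
    table = precomputed_table(DICTIONARY)
    # Unsalted store: the digest is found by lookup with zero hashing at attack time.
    hit_unsalted = lookup_attack(plain_hash("happiness"), table)

    # Salted store: same password, but the digest is not in the precomputed table...
    salt = os.urandom(4)  # assumption: 4-byte random salt, stored with the hash
    salted_store = salted_hash(salt, "happiness")
    hit_lookup = lookup_attack(salted_store, table)
    # ...yet recomputing HASH(salt, word) for each dictionary entry still finds it,
    # just at the cost of one hash per candidate rather than one lookup.
    hit_per_salt = per_salt_attack(salt, salted_store, DICTIONARY)
    return hit_unsalted, hit_lookup, hit_per_salt
```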