The Anatomy Of The Twitter Attack
by Nik Cubrilovic on July 19, 2009

The Twitter document leak fiasco started with a simple story that personal accounts of Twitter employees were hacked. Twitter CEO Evan Williams commented on that story, saying that Twitter itself was mostly unaffected. No personal accounts were compromised, and “most of the sensitive information was personal rather than company-related,” he said. The individual behind the attacks, known as Hacker Croll, wasn’t happy with that response. Lots of Twitter corporate information was compromised, and he wanted the world to know about it. So he sent us all of the documents that he obtained, some 310 of them, and the story developed from there.

This post isn’t about the confidential information taken from Twitter. It’s about exactly how Hacker Croll was able to get such deep access to Twitter in the first place.

It’s clear that Twitter was completely unaware of how deeply they were affected as a company – when Williams said that most of the information wasn’t company related he believed it. It wasn’t until later that he realized just how much and what kind of information was taken. It included things like financial projections and executive meeting notes that contained highly confidential information.

We’ve already said a lot about all of this and the related “server password = password” story that was discovered by another individual last week. But we’ve got two more stories to tell. The first, this post, is exactly how the hacks took place, based on information gathered from hours of conversations with Hacker Croll. The second is what was happening behind the scenes at Twitter as the story unfolded. We’ll post that later this week.

When the story first broke, the true scope of what had taken place and how it occurred was not understood. Various bloggers speculated about the cause of the attack – some placed the blame on Google, while others blamed the rising trend of hosting documents in the cloud.

We immediately informed Twitter of the information we had in our possession (and forwarded it to them), and at the same time reached out to the attacker. With some convincing, the attacker responsible for the intrusion at Twitter began a dialog with us. I spent days communicating with the attacker in an effort to gain insight into how the attack took place, what the true scope of it was and how we could learn from it.

We’ve waited to post exactly what happened until Twitter had time to close all of these security holes.

Some Background

In the security industry there is a generally accepted philosophy that no system or network is completely secure – a competent attacker with enough time, patience and resources will eventually find a way into a target. Some of the more famous information security breaches have relied on nothing more than elementary issues exploited by an attacker with enough time and patience at hand to see their goal through. A classic example is the case of Gary McKinnon, a self-confessed “bumbling computer nerd” who, while usually drunk and high on cannabis, would spend days randomly dialing or attempting to log in to government servers using default passwords. His efforts led to the compromise of almost 100 servers within a number of government departments. After McKinnon spent a number of years trawling through servers looking for evidence of alien life (long story), somebody within the government finally wised up to his activities, which led not only to the arrest and attempted extradition of McKinnon from the United Kingdom, but to a massive re-evaluation of the security methods employed to protect government information.

A more recent example is the case of Kendall Myers, who, after being recruited to work for the Cuban government by an anonymous stranger he met while on holiday in that country, set out to obtain a high-ranking position within the State Department specifically to obtain access to US government secrets. Kendall dedicated his entire life to obtaining state secrets, and up until he was recently caught by the FBI had successfully passed on secret information and internal documents to the Cuban government for 30 years. He relied only on his memory, his education credentials and sheer dedication.

The Twitter Attack: How The Ecosystem Failed

Like the attackers behind other successful intrusions, Hacker Croll used the same combination of patience, sheer determination and somewhat elementary methods to gain access to a frightening number of accounts and services related to Twitter and Twitter employees. The services affected, either directly or indirectly, include some of the most popular web applications and services in use today – Gmail, Google Apps, GoDaddy, MobileMe, AT&T, Amazon, Hotmail, Paypal and iTunes. Taken individually, most of these services have reasonable security precautions against intrusion. But there are huge weaknesses when they are looked at together, as an ecosystem. Like dominoes, once one fell (Gmail was the first to go), the others all tumbled as well. The end result was chaos, and it raises important questions about how private corporate and personal information is managed and secured in a time when the trend is towards more data, applications and entire user identities being hosted on the web and ‘in the cloud’.

“Hacker Croll” is a Frenchman in his early 20s. He currently resides in a European country and first discovered his interest in web security over two years ago. Currently in between jobs, he has made use of the additional time he now has, along with his acquired skillset, to break into both corporate and personal accounts across the web. His knowledge of web security has been attained through a combination of materials available to the public and from within a tight-knit group of fellow crackers who exchange details of new, and sometimes unknown, techniques and vulnerabilities. Despite the significance and impact a successful attack has, the cracker claims that his primary motivation is a combination of curiosity, exploration and an interest in web security. There is almost a voyeuristic tendency amongst these individuals, as they revel in the thought of gaining privileged access to information about the inner lives of individuals and corporations. The “high” of access and gaining unauthorized knowledge must be big enough to carry a cracker’s motivation through the long hours, days and months of effort it may take to hit the next pot of gold.

For Hacker Croll, his first port of call in setting out to gain access to a target network is to make use of public search engines and public information to build a profile of a company or individual. In the case of the Twitter attacks, this public information allowed him to create a rich catalog of data that included a list of employee names, their associated email addresses and their roles within the company. Information like birth dates, names of pets and other seemingly innocent pieces of data were also found and logged. This dragnet across the millions of pages on the web picked up both work and personal information on each of the names that were discovered. Public information on the web has no concept of, or ability to, distinguish between the work and personal details of a person’s identity – so from the perspective of a cracker on a research mission, having both the business and personal aspects of a target’s digital life intertwined only serves to provide additional potential entry points.

With his target mapped out, Hacker Croll knew that he likely only needed a single entry point in any one of the business or personal accounts in his list in order to penetrate the network and then spread into other accounts and other parts of the business. This is because the web was designed at a time where there was implicit trust between its participants – requiring no central or formal identification mechanism. In order to keep private data private, modern web applications have built out their own systems and policies that require a user to register and then manage their identities separately with each app. The identifier that most applications use is an email address, and it is this common factor that creates a de facto trust relationship between a user’s applications. The second factor is a password: a random string that only the user knows, is unique to each application, and in theory should take even a computer months or years to figure out if it started guessing. These two elements would work well enough for most cases, were it not for what is often the single weakest factor: human habit.

Look at the front page of almost any web application and you will see hints at just how hopeless and helpless we are in managing our digital lives: “forgot my password”, “forgot my username”, “keep me logged in”, “do not keep me logged in”, “forgot my name”, “who am i?”. These are features that were designed and built as a compromise, since we are often unable to remember and recall a single four-digit PIN, let alone a unique password for every application we ever sign up for. Each new service that a user signs up for creates a management overhead that collapses quickly into a common dirty habit of using simple passwords, everywhere. At that point, the security of that user’s entire online identity is only as strong as the weakest application they use – which often is to say, very weak.

Now back to Hacker Croll and his list of Twitter employees and other information. Twitter just happens to be one of a new breed of companies where almost the entire business exists online. Each of these employees, as part of their work, shares data with other employees – be it through a feature of a particular application or simply through email. As these users become interwoven, it adds a whole new attack vector whereby the weak point in the chain is no longer just the weakest application – it is the weakest application used by the weakest user. For an attacker such as Hacker Croll, looking to exploit the combination of bad user habits, poorly implemented features and users mixing their personal and business data, the chances of success just got exponentially greater. Companies that are heavily web based rely largely on users being able to manage themselves – the odds are not only stacked against Twitter, they are stacked against most companies adopting this model.

Unfortunately for Twitter, Hacker Croll found such a weak point: an employee whose online habits are probably no different from those of 98% of other web users. It began with the personal Gmail account of this employee. As with most other web applications, the personal edition of Gmail has a password recovery feature that presents a user with a number of challenges to prove their identity so that their password can be reset. It likely wasn’t the first account of a Twitter employee that Hacker Croll had attempted to access – but in the case of this particular account he discovered a chink in the armor that gave him the big first step. On requesting to recover the password, Gmail informed him that an email had been sent to the user’s secondary email account. In an effort to balance usability with security, Gmail offered a hint as to which account the email to reset the password was being sent to, in case the user required a gentle reminder. In this case the obfuscated pointer to the location of the secondary email account was ******@h******.com. The natural best guess was that the secondary email account was hosted at hotmail.com.

At Hotmail, Hacker Croll again attempted the password recovery procedure – making an educated guess of what the username would be based on what he already knew. This is the point where the chain of trust broke down, as the attacker discovered that the account specified as a secondary for Gmail, and hosted at Hotmail was no longer active. This is due to a policy at Hotmail where old and dormant accounts are removed and recycled. He registered the account, re-requested the password recovery feature at Gmail and within a few moments had access to the personal Gmail account of a Twitter employee. The first domino had fallen.

Well-designed web applications will never just give a user their password if they forget it; they will force the user to pick a new one. Hacker Croll had access to the account, but with a password he had specified. To not alert the account owner that their account had been compromised, he had to somehow find out what the old Gmail password was and set it back. He now had a bevy of information at his fingertips, a complete mailbox and control of an email account. It wasn’t long before he found an email that would have looked something like this:

To: Lazy User
From: Super Duper Web Service
Subject: Thank you for signing up to Super Duper Web Service

Dear Lazy User,

Thank you for signing up to Super Duper Web Service. For the benefit of our support department (and anybody else who is reading this), please find your account information below:

username: LazyUser
password: funsticks

To reset your password please follow the link to.. ahh forget it, nobody does this anyway.

Regards,

Super Duper Web Service

Bad human habit #1: Using the same passwords everywhere. We are all guilty of it. Search your own inbox for a password of your own. Hacker Croll reset the password of the Gmail account to the password he found associated with some random web service the user had subscribed to and that sent a confirmation with the password in clear text (and he found the same password more than once). He then waited, to check that the user was still able to access their account. Not too long later there was obvious activity in the email account from the account owner – incoming email read, replies sent and new messages drafted. The account owner never would have noticed that a complete stranger was lurking in the background. The second domino falls.
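The audit this paragraph asks readers to do by hand (search your own inbox for a password of your own) can be scripted. The following is an added example written for this post; it is not code from the original article or from anyone involved in the story. It parses a constructed set of signup-confirmation messages with Python’s `email` module, flags every message that echoes a password back in clear text, and then groups the disclosing senders by password, so the same password turning up at two different services (the reuse that was found here) is reported as a reuse hit. The sender addresses, the label patterns and the message bodies are all assumptions made up for the example.

```python
import email
import re
from collections import defaultdict

# Constructed sample mailbox (RFC 822 text). None of these senders or
# credentials are real; they exist only so the audit has something to scan.
SAMPLE_MAILBOX = [
    """From: noreply@super-duper-web-service.example
Subject: Thank you for signing up to Super Duper Web Service

Dear Lazy User,

username: LazyUser
password: funsticks

Regards
""",
    """From: welcome@photo-sharing.example
Subject: Your new account

Your login details:
Username: lazyuser
Password: funsticks
Keep this safe!
""",
    """From: support@forum.example
Subject: Password reset

Click the link below to choose a new password. We never email passwords.
""",
    """From: billing@shop.example
Subject: Account created

Login: lazy.user@example.com
Mot de passe: Tr0ub4dor&3
""",
]

# A credential echoed in clear text: a label, a separator and a single token
# on one line. Kept deliberately narrow so prose mentioning "password" does
# not trigger it (the label list is an assumption; extend it for your mail).
CREDENTIAL_LINE = re.compile(
    r"^\s*(?:password|passwd|pass|pwd|mot de passe)\s*[:=]\s*(\S+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def find_cleartext_passwords(mailbox):
    """Return (sender, password) for every message that echoes a password."""
    hits = []
    for raw in mailbox:
        msg = email.message_from_string(raw)
        body = msg.get_payload() if not msg.is_multipart() else ""
        for match in CREDENTIAL_LINE.finditer(body):
            hits.append((msg["From"], match.group(1)))
    return hits


def reuse_report(mailbox):
    """Map each password to the senders that disclosed it, keeping only
    passwords seen from more than one service (bad human habit #1)."""
    by_password = defaultdict(set)
    for sender, password in find_cleartext_passwords(mailbox):
        by_password[password].add(sender)
    return {pw: sorted(senders) for pw, senders in by_password.items()
            if len(senders) > 1}


if __name__ == "__main__":
    # Never print the passwords themselves; the services are what need fixing.
    for sender, password in find_cleartext_passwords(SAMPLE_MAILBOX):
        print(f"{sender} emailed a password in clear text ({len(password)} chars)")
    for password, senders in reuse_report(SAMPLE_MAILBOX).items():
        print("same password disclosed by: " + ", ".join(senders))
```

On a real mailbox export, every sender this reports is a service that should be moved to a unique password first, and the reuse groups are the order to do it in.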

From here it was easy.

Hacker Croll now sifts through the new set of information he has access to – using the emails from this user’s personal Gmail account to further fill in his information map of his target. He extends his access out to all the other services he finds that this user has signed up for. In some instances, the password is again the same – that led Croll into this user’s work email account, hosted on Google Apps for Domains. It turns out that this employee (and in fact most/all Twitter employees and everyone else) used the same password for their Google Apps email (the Twitter email account) as he did with his personal Gmail account. With other sites, where the original password may not work – he takes advantage of a feature many sites have implemented to help users recover passwords: the notorious “secret question”.

Fork the story here for a moment because there is a real issue here with the “secret question” (from here on abbreviated more appropriately as just “secret ?”). For some strange reason, some sites refer to the “secret ?” as an additional layer of security – when it is often the complete opposite. In the story of Hacker Croll and Twitter, the internal documents that we now all know about were only a few steps away from the first account he gained access to. In addition to that, this attacker, and certainly others just like him, have been able to demonstrate that some of the biggest and most popular applications on the web contain fundamental weaknesses that alone might seem harmless, but in combination with other factors can cause an attacker to completely tear through the accounts of users, even those who maintain good password policy.

This is not the first time that the issue of “secret ?” being used in password recovery systems has been raised. Last September, US Republican Vice Presidential candidate and former governor of Alaska, Sarah Palin, had screenshots of her personal Yahoo mail account published to Wikileaks. A hacker or group known only as ‘Anonymous’ claimed credit for the hack, which was carried out by the attacker making an educated guess in response to the security question used to recover passwords. In early 2005, celebrity Paris Hilton suffered a similar incident when her T-Mobile sidekick account was broken into, and the details of her call log, messages (some with private pictures of Hilton) and contact list were leaked to the media. The culprit, again, was “secret ?”.

Giving the user an option to guess the name of a pet in lieu of actually knowing a password just dramatically shortens the odds for the attacker. The service is essentially telling the attacker: “we understand that guessing passwords is hard, so let us help you narrow it down from potentially millions of combinations to around a dozen, or even better, if you know how to Google, just one”. The problem is not the concept of having an additional authorization token, such as a mother’s maiden name, that can be used to authenticate in addition to a password; the problem arises when it is relied on alone, when the answer is stored in the clear in account settings, and when users end up using the same question and answer combination on all of their accounts.
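The recovery-flow design points from the last few paragraphs (a hint that all but names the provider, an old password handed back instead of replaced, a secret answer stored in the clear and accepted on its own) fit into one small model. The block below is an added example written for this post; it is not part of the original article and not any service’s real implementation. It contrasts the leaky hint with a prompt that displays nothing and instead asks the requester to type the full recovery address; stores only a salted, slow hash of the normalized secret answer; accepts that answer only together with the token sent to the recovery address; limits failed answers; refuses recovery through an address nobody has re-verified within a cutoff (the dormant-account case); and never returns the old password, only replaces it. The `Account` fields, the 180-day cutoff, the five-attempt limit and all sample values are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import unicodedata
from dataclasses import dataclass
from typing import Optional

MAX_RECOVERY_AGE_DAYS = 180  # assumption: recovery address re-verified twice a year
MAX_FAILED_ANSWERS = 5       # assumption: stop checking answers after five misses


@dataclass
class Account:
    email: str
    recovery_email: str
    recovery_verified_days_ago: int
    answer_salt: bytes
    answer_hash: bytes
    password: str
    pending_token: Optional[str] = None
    failed_answers: int = 0


def normalize_answer(answer: str) -> str:
    """Case, accent and spacing variants of one answer should all verify."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Keep a slow salted hash of the normalized answer, never the answer."""
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, 100_000)


def new_account(email, recovery_email, answer, password, verified_days_ago=0):
    salt = secrets.token_bytes(16)
    return Account(email, recovery_email, verified_days_ago, salt,
                   hash_answer(answer, salt), password)


def leaky_hint(address: str) -> str:
    """The hint style described above: the first letter of the provider
    survives, so '******@h******.com' is hardly a secret."""
    local, domain = address.split("@")
    provider, _, tld = domain.partition(".")
    return "*" * len(local) + "@" + provider[0] + "*" * (len(provider) - 1) + "." + tld


def start_recovery(account: Account, typed_recovery_address: str) -> Optional[str]:
    """Begin recovery only if the requester already knows the full recovery
    address (nothing is displayed) and that address was verified recently."""
    if account.recovery_verified_days_ago > MAX_RECOVERY_AGE_DAYS:
        return None  # stale: the owner must re-verify it while logged in
    if not hmac.compare_digest(account.recovery_email.casefold().encode(),
                               typed_recovery_address.casefold().encode()):
        return None
    account.pending_token = secrets.token_urlsafe(32)  # sent to the recovery address
    return account.pending_token


def complete_recovery(account: Account, token: str, answer: str, new_password: str) -> bool:
    """A reset needs the emailed token AND the secret answer; neither alone
    suffices, and the old password is never disclosed, only replaced."""
    if account.pending_token is None:
        return False
    if not hmac.compare_digest(account.pending_token.encode(), token.encode()):
        return False
    if account.failed_answers >= MAX_FAILED_ANSWERS:
        return False
    if not hmac.compare_digest(hash_answer(answer, account.answer_salt), account.answer_hash):
        account.failed_answers += 1
        return False
    account.pending_token = None
    account.failed_answers = 0
    account.password = new_password
    return True


if __name__ == "__main__":
    acct = new_account("employee@example.com", "backup@example.net", "Rex", "old-password")
    print("leaky hint:", leaky_hint("backup@hotmail.com"))
    token = start_recovery(acct, "backup@example.net")
    print("reset with token only:", complete_recovery(acct, token, "wrong", "x"))
    print("reset with token and answer:", complete_recovery(acct, token, " REX ", "new-password"))
```

The re-verification cutoff is the only part of this that speaks to the recycled-Hotmail problem: a service cannot tell that a recovery mailbox has been abandoned and re-registered, so the best it can do is stop trusting an address it has not recently seen the owner use.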

From this point, with a single personal account as a starting point, the intrusion spread like a virus – infecting a number of accounts on a number of different services both inside and outside of Twitter. Once Hacker Croll had access to the employee’s Twitter email account hosted by Google, he was able to download attachments to email that included lots of sensitive information, including more passwords and usernames. He quickly took over the accounts of at least three senior execs, including Evan Williams and Biz Stone. Perusing their email attachments led to lots more sensitive data being downloaded.

He then spidered out and accessed AT&T for phone logs, Amazon for purchasing history, MobileMe for more personal emails and iTunes for full credit card information (iTunes has a security hole that shows credit card information in clear text – we’ve notified Apple but have not heard back, so we won’t publish the still-open exploit now).

Basically, when he was done, Hacker Croll had enough personal and work information on key Twitter executives to make their lives a living hell.

Just to summarize the attack:

  1. HC accessed Gmail for a Twitter employee by using the password recovery feature that sends a reset link to a secondary email. In this case the secondary email was an expired Hotmail account, he simply registered it, clicked the link and reset the password. Gmail was then owned.
  2. HC then read emails to successfully guess what the original Gmail password was, and reset the password so the Twitter employee would not notice the account had changed.
  3. HC then used the same password to access the employee’s Twitter email on Google Apps for your domain, getting access to a gold mine of sensitive company information from emails and, particularly, email attachments.
  4. HC then used this information along with additional password guesses and resets to take control of other Twitter employee personal and work emails.
  5. HC then used the same username/password combinations and password reset features to access AT&T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave HC access to full credit card information in clear text. HC now also had control of Twitter’s domain names at GoDaddy.
  6. Even at this point, Twitter had absolutely no idea they had been compromised.

What could have happened next is that Hacker Croll could have used or sold this information for profit. He didn’t do that, and says he never intended to. All he wanted to do, he says, was to highlight the weaknesses in Twitter’s data security policies and get them and other startups to consider more robust security measures.

He also says he’s sorry for causing Twitter so much trouble. We asked Hacker Croll if he had any message he wants to deliver to Twitter, and he sent me the following:

I would like to offer my sincere apologies to the staff of Twitter. I think this company has a great future ahead of it.

I did this for no financial gain. Security is a field I have been passionate about for many years, and I would like to make it my profession. In my daily life I sometimes help people protect themselves against the dangers of the Internet. I teach them the basic rules. For example: be careful where you click, which files you download and what you type on the keyboard. Make sure the computer is equipped with effective protection against viruses, external attacks, spam, phishing… Keep the operating system and frequently used software up to date… Use passwords with no similarity to one another. Change them regularly… Never store confidential information on the computer…

I hope that my repeated interventions have shown how easy it can be for a malicious person to gain access to sensitive information without much knowledge.

Hacker Croll.

The post’s own rough translation of the message:

I would like to offer my personal apology to Twitter. I think this company has a great future ahead of it.

I did not do this to profit from the information. Security is an area that fascinated me for many years and I want to do my job. In my everyday life, I help people to guard against the dangers of the Internet. I learned the basic rules .. For example: Be careful where you click the files that you download and what you type on the keyboard. Ensure that the computer is equipped with effective protection against viruses, external attacks, spam, phishing … Upgrading the operating system, software commonly used … Remember to use passwords without any similarity between them. Remember to change them regularly … Never store confidential information on the computer …

I hope that my intervention will be repeated to show how easy it can be for a malicious person to gain access to sensitive information without too much knowledge.

Croll hacker.

What’s the takeaway from all this? Cloud services are convenient and cheap, and can help a company grow more quickly. But security infrastructure is still nascent. And while any single service can be fairly secure, the important thing is that the ecosystem most certainly is not. Combine the fact that so much personal information about individuals is so easily findable on the web with the reality that most people have merged their work and personal identities and you’ve got the seed of a problem. A single Gmail account falls, and soon the security integrity of an entire startup crumbles. So for a start, reset those passwords and don’t use the same passwords for different services. Don’t use password recovery questions that can easily be answered with a simple web search (an easy solution is to answer those questions falsely). And just in general be paranoid about data security. You may be happy you were.


Responses


  • A global poll about Internet security is being conducted.

    Question: Are you concerned about your the security of your Internet identity and information?

    See poll at http://qulse.com/q.jsp?id=20

  • He’s likely scared shitless. Rightfully so, as I am sure everyone is looking for the guy.

    • You bet I am. And so should you.

    • So techcrunch made a few thousand $$$ from posts about this story right and the buzz it created (anyone can estimate how much?) – The guy who did all the work gets nothing in return?

      I hope Twitter sues TechCrunch (which they don’t seem to be willing to do, which is in itself very suspicious) and gives the compensation money to this guy, because he deserves it for his hard work.

      • Under what legal theory would they sue TechCrunch?

        Breaking into a computer system is illegal, but TC did not do that, nor did they aid or encourage it.

        There’s no law against sharing a document someone hands to you.

        • Now that’s an excellent point, which makes TechCrunch post everything right here :)

        • Actually, it is illegal if the document in question is stolen, and they knew it was stolen. And since it probably crossed state lines, it is a violation of federal law. The FBI needs to step in here and arrest those responsible.

        • There are laws against benefiting from illegal activities. The documents that Tech Crunch posted were stolen from a private business. Tech Crunch knew the documents were obtained illegally and posted the documents anyway. Tech Crunch did so knowing it would benefit from the advertising revenue generated from the additional page views.

        • Of course they can. The documents they received were stolen goods. That’s a crime on its own, but they also published it knowing they were stolen.

        • Dan Grossman:

          “There’s no law against sharing a document someone hands to you.”

          Yes there is, according to the California Uniform Trade Secrets Act. It is not only illegal to steal trade secrets, it’s illegal to publicly disseminate them no matter how you got them, without expressed consent of the owner of the secrets.

          http://www.legi...le=3426-3426.11

          Relevant section:

          “At the time of disclosure or use, knew or had reason to know that his or her knowledge of the trade secret was:
          (i) Derived from or through a person who had utilized improper means to acquire it;”

          Why could twitter sue TechCrunch? From two ways, loss in revenue from strategic relationships that are inevitably destroyed as a result of this public display of secrets. And from “unjust enrichment” from TechCrunch profiting by displaying the data on this site with ads.

          Relevant section:

          “3426.3. (a) A complainant may recover damages for the actual loss caused by misappropriation. A complainant also may recover for the unjust enrichment caused by misappropriation that is not taken into account in computing damages for actual loss.”

          IANAL, just someone disappointed in how this entire thing played out. I really hope TechCrunch spent a lot of time with their lawyers before deciding to throw all this data out there.

        • Screw you. “Proper” journalists have been doing this for years. It’s a way to keep businesses and public entities on their toes; reminds them that someone is always watching.

      • Even if they did sue TechCrunch, do you REALIZE how big that would be??

        If techcrunch won under the Shield Law, that would validate a blog as a “real” news source. It’d be a landmark decision, and would elevate TechCrunch to a level way out of the tech industry they’re solidly in right now.

        Michael Arrington is a lawyer. I’m quite sure he didn’t do this without thinking through all the possibilities, including techcrunch getting sued. The opportunity to raise a constitutional issue that could end up in the Supreme Court has got to be really exciting to anyone, and much more so to an attorney.

        I’m very curious to see how this plays out.

        • Of course they could sue TC and MA knows that. My feeling is that Twitter actually arranged with Arrington that he prints the documents first before anyone else, so they can benefit from the (negative) buzz in the most harmless way. Twitter would never sue TechCrunch because they helped make Twitter what it is today (I would not be on Twitter if it weren’t for TC’s shameless promotion of Twitter). Nobody’s harmed in this win-win situation.

          • By the way, I don’t know the situation in the US, but you need to be a proper journalist to have journalistic rights. MA is not a journalist (plus he didn’t really do the ‘research’).

        • I agree. How do you decide when a website transcends from an extracurricular activity to a must-read newsworthy source?

    • He had full control of the twitter.com domain?! OMG.

    • seriously.

      down with longass paragraphs.

      cut to the chase bro!

    • Nik Cubrilovic, the author of this post, is the CEO of Omni-drive.

      About 2 years ago, I used Omni-drive to back up all my files. One day Nik decided to take down the website and has kept my files forever. Why have you done this, Nik?

      I still need my files Nik. It’s incredible that you could just shut off access to an online backup company without us even being able to withdraw our files. Then you profit from people like me trying to access our old files by placing adverts on the domain name.

      You are shameless aren’t you Nik.

      I still need my files Nik.

      Don’t you care?

      Please email me if you care. I have lost those files for ever.

      Brendan.

  • Just keep posting things on Twitter… wait till someone hacks TechCrunch and posts things on competitive blogs like Gizmodo, GigaOM, Engadget et al., and then you’ll feel how Twitter is feeling.

    The idea is to protect the company who gives you most of your earnings (indirectly) through ads by posting Twitter-related posts. So please be careful of what you post.

    No, I’m not threatening, just a friendly reminder.

    I love to read Twitter-related things, but there is somewhere you need to draw a line… are you getting my point?

    • Great Story… The author clearly differentiates between hacking and cracking! Awesome…

      2 years ago I had to do the same because some guy was pissing me off by stalking my friend via email (she told me so and I took down his email id). To know who he was I just tried the forgot-my-pass at gmail and it led first to a security question of frequent flyer number, which I couldn’t answer, and a reset pass mail to mail.com, and there the security question was related to his first bike and I figured out that it was YAMAHA, and from there I got to know that he has a yahoo.com account. I noticed a birthday reminder service where I used the forgot-my-pass, which led to a clear text pass mail. This I used to get into the yahoo.com mail account, and also read personal docs… And guess what, frequent flyer number in plain text in a mail… So I reset his gmail, read the mail… And again guess… He was not stalking my friend, they were having an affair and the guy was innocent, she was just trying to break up with him… Bad!

      so compromised mail.com -> birthday reminder -> yahoo mail -> gmail…

      Lesson: Know who your friends are!

      BTW the techcrunch.com DNS is hosted at EASYDNS.COM and the security question is Father’s middle name or Mother’s maiden name or something…
      Hope you guys at TC make it a strong question to crack as well as renew your domain at once for 10 years, because it was
      last updated 11-jun-2009 and will expire on 10-jun-2010. What happens if you forget to renew and someone snatches TechCrunch.com… You will lose a week or so of business… BTW if the above security questions do not have a very secure answer, it may lead a cracker to divert traffic to a random IP and this may cause you to lose business for a few hours up to 70 hours or so depending on DNS propagation… So Dear TechCrunch and Michael Arrington, I love you, your Blog and all your writers there… Hope to see TechCrunch last for many more decades!

      Hacker Troll

    • This is an excellent story, getting at the real news behind the attack without resorting to divulging any of the actually sensitive details. The last one… not so much.

  • Wow! What a story!!
    Everyone thinks that a hacker speaks an alien language and thinks in multi-dimensional coordinates.
    The pure truth is that 99% of them speculate on human mistakes and poor habits.
    I’ll go and change my passwords :) ))

  • There’s a little mistake:
    - “J’espère que mes interventions répétées auront permis de montrer”
    Means
    - “I hope that my repeated interventions [[his ones, multiple times]] will help people to see how easy it is to access personal information without too much knowledge”.

    Ok, that’s a stupid thing. But he talks about his own interventions, so it’s not his first time (and he probably will ‘repeat’).

  • No matter what you think of the whole story, and the posting of the details etc.. THIS is an outstanding post – So many lessons for everyone..

    Learn them.. now

    • No. It’s a pseudo informational piece that tries to make everybody (except the hacker) look good, as if they were all accidental parties in this event. Put simply, Google’s security sucked. So did the anonymous web service company that was noted.

      The moral of the story is do not store sensitive information online. That means your company should not use Google Docs. It worries me that the LA Police Dept is considering migrating to Google Docs. Imagine the hacking opportunity if a police dept posted their records online.

  • Wrong translation of the last part, which completely changes the signification of the message!
    Better translation (I’m Swiss French) below.

    Change AT LEAST this:
    “I hope that my intervention will be repeated to show how easy it can be a malicious person [...]”
    into:
    “I hope that my repeated interventions have shown how easy it can be for a malicious person [...]”

    Full translation to come

    • Full translation by myself:

      “I would like to offer apologies to the staff of Twitter. I think that this company has a great future coming for it.

      I did this for a non profit goal. Security is an area which has enthralled me for several years and I would like to make it my job. In my everyday tasks, I sometimes help people to protect themselves against the dangers of the Internet. I teach them the basic rules, e.g.: Be careful where you’re clicking, what files you’re downloading and what you’re typing. Be sure that the computer has effective protection against viruses, outside attacks, spam, phishing… Update the operating system, the frequently used software… Think about using passwords without similarities between them. Think about changing them often… Never store confidential information on their computers…

      I hope that my repeated interventions have shown how easy it can be for a malicious person to access sensitive information without much prior knowledge.

      Hacker Croll.”

  • Wow Nik Cubrilovic appears ‘in public’ for the first time in nearly 12 months. So I guess the dust has settled Nik?

  • a very interesting read… this was quite a methodical attack… although HC’s first hack (of the first twitter employee gmail account) was ingenious in itself, the further accounts that fell were also “weakly” protected… i remember the time when in uni, every root login was simultaneously sent to a printer for a full hardcopy log… seems old fashioned, but multiple alerts on multiple channels on suspect behavior will at least help detect a hack sooner…

  • Great post! There is always the question of publishing how attacks are made – on one hand, I’m sure it’s a huge lesson for anyone who is running a startup (or any other) company in how important security is (and backups!!), as opposed to the inevitable outcome of such a post, which is more people trying to hack into other services as explained in this VERY detailed document.
    TC has made it clear throughout the Twitter meltdown that they’ll publish (almost) everything, and I think it’s their right.

  • Thanks for the interesting read, it should be a lesson for us all, but it seems that we need to read stories like this over and over before we start to realize.

    It is btw also the case with start-ups that they are more focused on making their dream come true than on investing a lot of effort in their security…

  • Well I guess that makes everything okay then.

  • tl;dr
    in summary Croll hacker -> twitter employee’s gmail password recovery -> send an email to the secondary account -> that hotmail account was expired -> Croll created a new one with the same username -> thus getting twitter’s corporate gmail account password

    btw, i think you owe this guy some money for his work. i hope you pay him back

  • I don’t think that expired Hotmail accounts get recycled and can be re-registered.

    • Hotmail (since being acquired by Microsoft) is the worst web service on the planet.
      You may not know, but they deleted thousands of mailboxes that hadn’t been used for a couple of months!! Yes, deleted EVERYTHING!!
      Hotmail was my first webmail and had many very personal, valuable emails. MSFT deleted all of them!!

    • They do. I used an account a couple of years back when I was new to the internet, I then abandoned it a few months later and switched to a new account with gmail, I decided I wanted to recover something a few weeks back and went to login, only to find the account no longer existed. This was 3 years difference but it shows they do remove accounts. Luckily I just re-registered and then had everything sent to the account.

      :3

  • I think it was hotmail security that broke down because they let an account expire. Why would a free account expire? By letting free email accounts expire they have endangered the whole web. Nice one hotmail :/

  • Great read.

    I think hotmail are partly to blame here – recycled email addresses are a security nightmare, particularly when accounts can expire without you knowing just because you haven’t logged in, in a while. I can’t believe they still do that…

  • When I began to read this piece I thought it was a vulnerability with Gmail, but it turns out it is a policy for Hotmail and dormant accounts. Is there such a policy for Gmail?

    I’ve been following this story to get some insight into the attack and try to minimize exposure online for myself and others. Thanks for providing the details to the story.

    For information on best practices for securing your information online you might want to read these simple tips:

    http://www.gils...-privacy-online

    • According to GMail Help group at Google Groups, accounts that are left idle for more than nine months are deleted (6 months of no activity leaves it dormant, then deleted 3 months later).

      GMail usernames are not recycled so you cannot register the same name again once it has been deleted.

      Wonder if Yahoo Mail has a similar policy, hope they do.

    • No! No! No! You can’t move the blame to Microsoft. How typical. Google was the root of the problem. They want to manage everybody’s information, and have it be a password away from everybody on the planet? They provided the first bit of info to the hacker. Without the hotmail hint, this likely would not have happened.

      • Microsoft’s been doing that for the past 30 years…the difference is that instead of storing the information on “vulnerable” networked computers, you’ll be storing it in the cloud…hmph, I guess it boils down to which evil you prefer.

  • Hmmm… sounds like there are a lot of ways to point the finger of blame, but I think it generally just comes down to a generally insecure Internet.
    I didn’t know about Hotmail “recycling” logins. Makes me wonder if my unused hotmail account from 10 years ago has been recycled for nefarious purposes (or some poor sod is just getting all of my old spam.)
    You would think that, instead of all these stupid “Hackersafe” paid-for accreditations, there would be an agreed-to policy for this stuff among providers (i.e. no recycling of accounts, better triple-factor authentication for forgotten passwords, etc.)

  • Is it just me, or is it insane for Twitter to use Google Apps to store their business’s confidential information? I bet Google could use that information to gain the upper hand were they ever to enter acquisition talks.

    • Jean-Michel Decombe (@jmdecombe) - July 19th, 2009 at 7:51 am PDT

      Google would never take such a risk, even if they were evil. And why would they, anyway, when they could simply ask for that information?

      • Maybe. However, there’s nothing precluding a competitor of a company using Google Apps from trying to get one of theirs hired by Google (or bribing someone working there) to get access to docs. It’s not like this hasn’t happened before.

        If your server is in the cloud there’s unfortunately just no way to go down to the server room and unplug the damn thing from the network until you fix a security issue. Plus, if you’re tired of your “provider” you can always terminate your contract, but then who’s got your data? Is it really erased? Especially knowing that the only real way to ensure data stored on a disk is destroyed is to physically destroy said disk?

        • Absolutely true. Great points. This is one of the reasons that many big companies are not willing to put their data in somebody else’s cloud. Especially big players like Google. There’s a big market to enable these big corporations with software which will allow them to deploy their own “internal clouds” where they don’t have to keep their data in somebody else’s hands.

    • Los Angeles Police Department is actively considering it as their information management strategy. How insane is that?

    • No. It’s not just you. It is stupid of them to do so. Not because of Google, but just in general.

  • I can smell the hum of password changing activity at innumerable startups tomorrow.

  • Looks like someone is trying to bring google down as google gives its users an easy way to sign in to multiple sites which they own e.g orkut, reader, gmail etc
    if one of the passwords is gone then all are gone …
    Beware GOOGLE!

  • Great one….

    everyone after reading this will make their password more secure..

    • “everyone after reading this will make their password more secure..”

      No they won’t, they will agree that it is a thoroughly good thing to do, will plan to do it soon.. and then forget all about it. Or they will just change it from their pet’s name to their wife’s name.

      Human nature..

    • This whole story makes me think, a) make sure everything financial has unique passwords, b) don’t put anything else online just for casual convenience’s sake, and c) get an authenticator when possible (my WoW account is now looking like the most secure online service I have :-) ).

  • Interesting post. Thanks for sharing. A valid point about passwords and perhaps the usefulness of decentralized identity systems. Now this is done (for now) hopefully soon I can get the EV files game out of my head. http://www.ev-files.com/

  • a better translation for hc’s final note:

    “I wish to express how sorry I am to all of Twitter’s employees. I believe this company has a very bright future ahead of it.

    I did not do this for money. Security is a subject that has interested me for many years, and it’s my wish to pursue it as a career. In my daily life, I help people understand and prepare against internet-borne dangers. I teach them the basic rules… For example: Pay attention to what you click, the files you download and what you type on your keyboard. Ensure your computer is properly protected against viruses, internet-based attacks, spam, phishing… completely updated operating system, most frequently used applications… Remember to use passwords that are not at all similar. Remember to change them regularly… Never save personal information on your computer…

    I hope my repeated intrusions have demonstrated where it’s very easy for a malicious person to gain access to sensitive information without much effort or knowledge.”

  • I think what HC did is pretty smart. As much as it retrospectively sounds straightforward when reading the above article, it takes significant skill to execute this.

    What I find interesting about this story is that he sent the confidential documents to Techcrunch, so that they can profit from the story (no offense meant)?

    If his aim was to prove to the world that he did this, why not send a few docs to TC and the rest back to Twitter? That way Twitter would have to confirm the attack when asked to comment by TC.

  • There is an obvious and simple solution to this problem:

    All systems should log failed attempts to login, usage of password recovery and others.
    Then, they should display them prominently for many days (so that the real user has the time to see it) & sessions (so that the real user sees it many times).

    This alone would make it impossible to hack a system without being detected. After that, it is simply a matter of how fast you are at closing the holes.

    Also, there should be a “panic” button that, when pressed, shuts down everything and requires contacting Google/Microsoft/… to have the account re-opened (the same principle exists for credit cards).

    • Of course, a mortal can’t ever contact Google via normal means. Well documented.

      • True. Had a google account hacked once, by similar methods used above (the leak for this occurrence was an old Yahoo account and their lack of a secret question which could be reset by a hacker, which gave access to gmail acct). To get the account back, I had to know somebody inside Google to help recover.
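The design the comment above sketches (log failed logins and recovery requests, keep showing them to the owner across many sessions, and offer a "panic" lock that needs out-of-band re-verification) as an added example in Python. This is not code from the post or any commenter; the event names, the 30-day display window, the account and timestamps are all constructed assumptions for illustration.

```python
"""Surfacing account-security events until the owner has seen them, plus a
'panic' lock. Added example: not code from the post or any commenter; the
event names, the 30-day display window and the lock semantics are assumptions."""
from dataclasses import dataclass, field

# Events the comment says should be logged and shown (constructed set).
SECURITY_EVENTS = {"login_failed", "password_recovery_requested",
                   "password_changed", "recovery_email_changed"}
RETENTION_SECONDS = 30 * 86400   # keep showing an event this long (assumption)


@dataclass
class SecurityEvent:
    kind: str
    when: int          # unix time
    source_ip: str
    acknowledged: bool = False


@dataclass
class Account:
    username: str
    locked: bool = False
    events: list = field(default_factory=list)

    def record(self, kind, when, source_ip):
        if kind not in SECURITY_EVENTS:
            raise ValueError(f"unknown security event {kind!r}")
        self.events.append(SecurityEvent(kind, when, source_ip))

    def banner(self, now):
        """Events to show at the start of every session. An event stays in the
        banner for RETENTION_SECONDS or until explicitly acknowledged, so it is
        seen across many sessions rather than once in a dismissable pop-up."""
        cutoff = now - RETENTION_SECONDS
        return [e for e in self.events if not e.acknowledged and e.when >= cutoff]

    def acknowledge(self, now):
        """The owner confirms having seen everything currently in the banner;
        returns how many events were cleared."""
        shown = self.banner(now)
        for e in shown:
            e.acknowledged = True
        return len(shown)

    def panic(self):
        """Owner-triggered lock: logins and recovery are refused until the
        provider re-verifies the owner out of band (the credit-card analogy)."""
        self.locked = True

    def login(self, password_ok, when, source_ip):
        if self.locked:
            return "locked"
        if not password_ok:
            self.record("login_failed", when, source_ip)
            return "denied"
        return "ok"

    def request_recovery(self, when, source_ip):
        if self.locked:
            return "locked"
        self.record("password_recovery_requested", when, source_ip)
        return "recovery_mail_sent"


def demo():
    """Constructed scenario: an unknown address fails twice, then triggers
    recovery; the owner signs in a week later, still sees all three events,
    and hits the panic button."""
    acct = Account("alice")                    # constructed account
    t0 = 1248000000                            # constructed timestamp
    acct.login(False, t0, "203.0.113.7")
    acct.login(False, t0 + 60, "203.0.113.7")
    acct.request_recovery(t0 + 120, "203.0.113.7")
    kinds = [e.kind for e in acct.banner(t0 + 7 * 86400)]
    acct.panic()
    after_panic = acct.login(True, t0 + 7 * 86400 + 60, "198.51.100.4")
    return kinds, after_panic
```

The point of `banner()` keeping events until acknowledged is the one the comment makes: a notice that disappears after one session is easy to miss, while one that persists across sessions gives the real owner many chances to notice a recovery request they did not make. Password checking is deliberately reduced to a boolean here so the event-visibility logic stays in focus.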

  • Just a few corrections on your French translation:

    1. HC says he teaches people those tips, not that he learned them.

    2. HC says he hopes his repeated attempts have shown how easy it is to compromise a system, not that he hopes someone else repeats this.

    • There are many other small errors that change the meaning of the message. Did you use Google Translate?

      Here is a more accurate translation:

      I would like to offer my apologies to the Twitter team. I think this company has a great future ahead of it.

      I did this for non-lucrative reasons. Security is an area that has fascinated me for many years and I would like to make it my job. In my everyday life, I sometimes help people to guard against the dangers of the Internet. I teach them the basic rules.. For example: Be careful where you click, the files that you download and what you type on the keyboard. Ensure that the computer is equipped with effective protection against viruses, external attacks, spam, phishing… Updating the operating system, software commonly used… Remember to use passwords without any similarity between them. Remember to change them regularly… Never store confidential information on the computer…

      I hope that my repeated interventions will have helped showing how easy it can be for a malicious person to access sensitive information without too much knowledge.

      Hacker Croll.

  • A more accurate translation (minor changes, but they affect the meaning):

    I would like to present my apologies to Twitter. I think this company has a great future ahead of it.

    My goal was not for money. Security is a topic that has fascinated me for many years and I would like to make it my profession. In my everyday life, I help people guard against the dangers of the Internet. I teach them the basic rules… For example: Pay attention to what you click on, the files that you download, and what you type on the keyboard. Ensure that your computer is equipped with effective protection against viruses, external attacks, spam, phishing… Update the Operating System and frequently used programs… Use passwords without any similarity between them. Change your passwords regularly… Never store confidential information on your computer.

    I hope my repeated interventions (intrusions?) have allowed me to show just how easy it can be for a malicious person to access sensitive information without too much knowledge.

  • This is a very well done piece. I’m still critical of the fact that TechCrunch would publish stolen documents, there is no excuse for being party to the crime yourself, but you have done a great service in discussing the anatomy of the attack. Clearly the mistakes made at Twitter were mistakes of user training and awareness. Your article should help raise awareness elsewhere and I am recommending to all I know that they read this.

    Bob

    • @bobgourley — I agree, Nik did a wonderfully deep piece of online journalism here. Should be next sunday’s NY Times Magazine cover story, IMHO.

    • I would not assume it was “mistakes of user training and awareness.” After an employee of my company saved a file on their hard drive with 100,000 people’s personal info and had their laptop stolen, we were bombarded with training and awareness. Like, excessive amounts of training. Almost one year later to the day, another employee’s laptop is stolen with a file on the hard drive containing over 300,000 people’s information. Training and awareness are only as good as employees who will follow the rules.

  • The infrastructure of identity in this country (world) is so out of whack, we need a paradigm shift to start dealing with it effectively. For instance, the mere fact that credit bureaus manage the data associated with our identities as if they owned rights to it is a mistranslation of the inherent structure of identity. The fact that credit companies are allowed to sell the service of securing identities, rather than being required to do so, is a mistranslation of accountability. But this all stems from the fact that our identities are originated at birth in such a way as to mistranslate ownership…. Internet account services hold too much centralized control over user identity because no one expects any other structure to the relationship. Mechanisms exist to fix this, but more important is the operating model of society that must change to put ownership and accountability of this important data under secured individual control. Obscuring identity across an open network is very possible once we originate identity in an appropriate way. Until that point, it is a choice to participate or not to participate. These hackers are the leaders of us all. We can imprison them, but it is at our own demise. We need to heed their lessons better at some point, not just find ways to work around them.

  • When terrorists communicate to the world through Television and TV channels broadcast their interviews and statements do we blame the TV channels and newspapers of profiting through supporting the terrorists?

    What happened with twitter is nothing but a new form of terrorism we need to be prepared for.

    The interview shows how vulnerable the digital ecosystem is..

    hope the codes to the nukes are safe in the presidents blackberry :-)

    as far as Techcrunch is concerned this event to me is what the ‘Gulf War’ was to CNN..

    Team Techcrunch great job in reporting and analyzing the same

  • Let’s rename the site TwitterCrunch.

  • tl;dr that was the longest article ever.

    Do you get paid by words or something? Aren’t journalists supposed to be succinct?

  • Twitter, or any other web business that is serious about their web security should hire Croll hacker.

    • No way. He’s a destructive criminal and all this cajoling of hackers is pathetic.

    • Sadly, few businesses which are serious about their web security would hire someone who has a demonstrated lack of ethics and give them access to their security-sensitive systems.

      By going public with this hack, Croll may be limiting the number of potential employers who would touch him with a 10-foot pole.

      • How so? Is he going to put “hacker croll” on his resume?

      • Lack of ethics? If he lacked ethics he would have used/sold the info for profit but didn’t. I would think companies would be lining up to hire someone with such hacking abilities. Who better to set up your security system – someone who’s been there and done that??

        • I have to completely agree here. What really is a lack of ethics? Having the ability to dig into a system and show how it could be protected better? Or simply leaving it alone and letting someone with more sinister intentions do it silently?

          Having all the information at his disposal, and doing nothing more than proving how much he had gotten by using an intermediary (TechCrunch in this case) to illustrate just how vulnerable the (eco) system is, is LAUDABLE… Illegal? yeah well maybe, but I’d rather get hacked by a guy who turns around and tells me how he did it than a guy who’s going to take my itunes account information and start buying songs and well… whatever else.

          The take away here is:
          1.) Security is important, and you must practice it every day.
          2.) It could have been a LOT worse…

  • thanks! interesting article

  • Lol, I agree with DaveZatz. This blog is extremely Twitter-oriented. And that’s ever since pre-security scandal.

    This blog entry was interesting and gave me pause to change my passwords. The internet is becoming an increasingly dangerous place and users should be ensured (through governmental action) some protections.

    I’m closing my Facebook account. There is simply way too much personal info floating about out there.

  • One word: Gtoken, a paid upgrade to Gmail and Google apps. You can already use 2-factor auth with Gmail and Apps. No, it’s not a magic bullet, but it actually might have still blocked Croll from gaining access to Gmail, depending on how TFA is set up at Gmail / Google Apps (for example, is it used on password resets). More thoughts, comments, and links to how to set up TFA on Google here: http://chrisco....authentication/

  • This whole Twitter thing has been a great expose and a really useful insight for those concerned with web security…

    However, I don’t think it was necessary for TechCrunch to post as much information as they did. A fraction of what was published would have still gotten the point across.

  • John Slockovick - July 19th, 2009 at 6:58 am PDT

    I don’t give a rat’s ass about Twitter.

  • John Slockovick - July 19th, 2009 at 7:00 am PDT

    Look at the Feedburner.. TC just lost 400K+ readers.

  • “had access to the employee’s Twitter email account hosted by Google, he was able to download attachments to email that included lots of sensitive information, including more passwords and usernames. He quickly took over the accounts for at least three senior execs”

    ?????

    This is the reason for the scope of this attack. who in their right mind sends/receives an email attachment with the list of senior execs’ (or admin) passwords?!? wtf…

    • I was wondering about that as well. It seems to me to be the great unaddressed piece of this story. How did the scope grow to include more Google Apps passwords and user names, like those of execs???

      Was the account hacked that of the person or persons in the org who manages the GApps accounts/relationship for the company? Could be.

  • Over the years there have been so many stories about high profile company and government break-ins where credit card and other personal information has been stolen and sold. In fact, we know that this is a very profitable business for fraudsters. So far, these stories have done little to change human behavior.
    Hopefully all this press about Twitter’s attack will get companies and consumers to pay serious attention to doing something about security.

  • So you basically just printed a hackers handbook as a public service?

  • I wonder how many ppl here voiced their concern when Palin’s email was compromised. i think if you defended that dude (not a hacker really but still he stole private information to make it public) you should defend the twitter hack the same. There are no differences between those 2 cases…

  • What is particularly stupid is to use google online services when you know that your company is also a target of google… what would have prevented google from having access to that info?

  • What I admire most about TC is that they clearly demonstrate that blogging can be as journalistic as the mainstream media if it has the resources and distribution. This post, along with a slew of others, show where the future of journalism can go.

    I would place this series (I think you can classify this a Twitter-gate) up for a Pulitzer even if it doesn’t win to show the world the future.

    Keep it up Mike!!!

  • I didn’t read the other comments but in case it wasn’t addressed…am I the only one who logs into my gmail account and scrolls to the bottom and checks out the account activity where it shows you where you’ve logged in from and the ip address that was used? If you pay attention to that and see an unfamiliar ip or log in time that should throw up a big red flag!

    • Good point, I never noticed that earlier

    • Nope. And who is this Sanjay imposter anyway? Such is the word of the real sanjay.

      • This is one of the takeaways from the story, does Gmail (or similar services) need to bring more visibility to this information? What is the right balance between auditing/security and usability/advertising display in web services interfaces?

    • It can be hard to track. I have my iphone connecting and my checkGmail too. So I can have up to 2 IPs with 3 different connections at the same time. And because the guy is in Europe he can log in at a time when it is almost sure the real user is not connected, to minimize the risk of being caught.
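The "recent activity" check proposed a few comments up, together with the objection just above that a phone and a desktop client make the list noisy, can be turned into a small automatic check. The following is an added example in Python, not code from the post or from any commenter or provider: it compares new sign-ins against the owner's own history by network (so a phone hopping addresses inside its carrier's range is not flagged), by client name, and by hour of day (the point about an intruder choosing an hour when the owner is normally offline). All IP addresses, client names and timestamps are constructed, and the /24 grouping is an assumption.

```python
"""Flag sign-ins that do not match the account owner's own history. Added
example (not from the post, any commenter, or any provider); the activity
records below are constructed and the /24 grouping is an assumption."""
import ipaddress

# Constructed activity records: (unix_time, source_ip, client)
HISTORY = [
    (1247990400, "198.51.100.20", "web"),         # home connection
    (1248001200, "198.51.100.20", "web"),
    (1248004800, "203.0.113.45", "iphone"),       # phone on its carrier network
    (1248030000, "198.51.100.20", "checkgmail"),  # desktop notifier client
]
NEW_EVENTS = [
    (1248093000, "198.51.100.20", "web"),         # owner, as usual
    (1248094200, "203.0.113.46", "iphone"),       # phone, new address, same /24
    (1248100000, "192.0.2.77", "web"),            # network never seen before
]


def known_networks(history, prefix=24):
    """Collapse past addresses to /prefix networks so a client that changes
    address inside one provider range does not raise an alert (assumption)."""
    return {ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            for _, ip, _ in history}


def known_clients(history):
    return {client for _, _, client in history}


def hour_utc(unix_time):
    return (unix_time // 3600) % 24


def usual_hours(history):
    """Hours of day at which the owner has signed in before (coarse heuristic)."""
    return {hour_utc(ts) for ts, _, _ in history}


def flag_signins(history, events):
    """Return [(ip, [reasons])] for each new event that looks unlike the owner.
    Any single reason is enough to surface the event to the owner; the list
    of reasons tells them why it was shown."""
    nets = known_networks(history)
    clients = known_clients(history)
    hours = usual_hours(history)
    flagged = []
    for ts, ip, client in events:
        reasons = []
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            reasons.append("new network")
        if client not in clients:
            reasons.append("new client")
        if hour_utc(ts) not in hours:
            reasons.append("unusual hour")
        if reasons:
            flagged.append((ip, reasons))
    return flagged
```

Run over the constructed lists, only the third new event is reported, as `("192.0.2.77", ["new network", "unusual hour"])`; the phone's changed address inside its existing /24 passes. The hour heuristic is deliberately crude with only four history entries and exists to show the mechanism, not as a tuned detector.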

  • Does twitter have two CEOs? :) their linkedin profile shows Jack Dorsey as the CEO too. what a goof up!!
