Twitter-Savvy Hackers Tweak the Twitterati


Life’s not so tweet over at Twitter these days. The microblogging company, which allows users to broadcast short messages to groups of followers, recently found itself the target of a wave of hacking and phishing attacks.

The San Francisco-based company said Monday that 33 member accounts were hijacked, including those of President-elect Barack Obama, singer Britney Spears and CNN correspondent Rick Sanchez.

On Monday, fake updates were made to several accounts, including obscene references to body parts and mentions of illicit drug use. Shortly after the fraudulent updates were posted, either account owners or Twitter intervened and deleted them.

The company said the accounts were compromised by a malicious hacker who infiltrated the set of tools used by Twitter’s support team to recover passwords and edit e-mail addresses associated with user accounts.

“We detected it right away, shut down the accounts, and took away the tool,” said Biz Stone, co-founder of Twitter, in a phone interview.

Mr. Stone said the accounts have since been restored but the tools were still being examined and would remain unavailable until the company resolved the situation. He said he was unsure why the popular social networking site had been targeted but noted, “Twitter has gotten a lot of attention recently, which could be reason enough for an attack.”

In addition to the hacked accounts, over the weekend, a series of e-mails and direct messages claiming offers of free iPhones or photographs were sent out to some Twitter members. The links redirected them to a fake Web site masquerading as Twitter’s own log-in site and asked them to enter their user names and passwords. On Saturday, Twitter warned its users about the phishing scheme and advised them to change their passwords.
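The lure described above works because the link's text looks like a Twitter log-in page while its host is something else. The following is an added Go example, not code from the article or from Twitter, showing the check a mail or message filter can apply before a link is followed: judge the link by the host component only, over HTTPS, with a dot-separated suffix match. The sample links, the function names and the `free-iphone.example` lookalike are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample links, modelled on the lure the article describes: a
// message promising a free iPhone that leads to a fake Twitter log-in page.
var sampleLinks = []string{
	"https://twitter.com/login",
	"https://www.twitter.com/login",
	"http://twitter.com/login",                      // downgraded to plain HTTP
	"https://twitter.com.free-iphone.example/login", // real name used as a subdomain of a lookalike
	"https://twitter.com@free-iphone.example/login", // real name hidden in the userinfo part
	"https://twiter.com/login",                      // typo-squat
	"https://192.0.2.10/login",                      // bare IP address
}

// IsLegitLoginLink reports whether rawURL points at legitDomain's own site over
// HTTPS, and why. Only the host component counts: anything before '@' is
// userinfo rather than a host, and the dot-separated suffix match stops
// "twitter.com.evil.example" from passing as a subdomain of twitter.com.
func IsLegitLoginLink(rawURL, legitDomain string) (bool, string) {
	u, err := url.Parse(strings.TrimSpace(rawURL))
	if err != nil {
		return false, "unparseable URL: " + err.Error()
	}
	if !strings.EqualFold(u.Scheme, "https") {
		return false, fmt.Sprintf("scheme is %q, not https", u.Scheme)
	}
	if u.User != nil {
		return false, "URL carries userinfo before the host"
	}
	host := strings.TrimSuffix(strings.ToLower(u.Hostname()), ".")
	if host == "" {
		return false, "no host in URL"
	}
	legit := strings.ToLower(legitDomain)
	if host == legit || strings.HasSuffix(host, "."+legit) {
		return true, fmt.Sprintf("host %s belongs to %s", host, legit)
	}
	return false, fmt.Sprintf("host %s is not %s or a subdomain of it", host, legit)
}

// CountLegit returns how many of the given links pass the check.
func CountLegit(links []string, legitDomain string) int {
	n := 0
	for _, l := range links {
		if ok, _ := IsLegitLoginLink(l, legitDomain); ok {
			n++
		}
	}
	return n
}

func main() {
	for _, l := range sampleLinks {
		ok, why := IsLegitLoginLink(l, "twitter.com")
		verdict := "SUSPECT"
		if ok {
			verdict = "OK     "
		}
		fmt.Printf("%s %-48s %s\n", verdict, l, why)
	}
}
```

Of the seven constructed links only the first two pass. The check deliberately says nothing about the page content or the link text, which an attacker controls; it rests on the parsed host, which the browser will actually connect to.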

The phishing scheme is worrying for many Twitter users, since many people use the same passwords across various online accounts that contain personal and account information, like Amazon.com, PayPal and Web e-mail accounts.

Mr. Stone said that in January, the company is planning to introduce a private beta version of OAuth, an authentication tool that will allow members to use third-party applications that require private member information to operate.


I love gadgets and things, and so I rarely say things like this: Twitter is one technology that I hope goes away. We weren’t stupid enough before?

I’m back to typing now. Oops. I’m going to sneeze. Sorry. I’m going to get a glass of water. Twitter you again in a second …
Dave

Got some ice for the water while I dashed through the kitchen. The cat wants something. I’ll Twitter back in a minute …
Dave

The government is gonna be getting strong authentication:
//www.nytimes.com/2008/12/09/technology/09security.html?ref=technology

It’s time the Internet got it too. Next thing you know everyone’s Facebook accounts will be getting hacked. Oh wait, that’s already happening:
//www.examiner.com/x-264-Celebrity-News-Examiner~y2008m12d2-Oh-no-they-didnt-Facebook-disabled-Lindsay-Lohan-because-they-thought-she-was-a-fake

The Internet is not very valuable if anyone, from anywhere, can get into your account. Only needing a password, it’s simple to do this…

I think Nigel Tufnel’s problem is that Twitter tweets don’t just go up to 11. They go up to 140 (characters) and offer infinite pithy possibilities. I grade his non-instructive comment a D-minor, which is the saddest of all grades, really.

Nigel Tufnel… I love it!! But I have to agree, it’s such a fine line between stupid and clever.

Twitter = Banal

Dave – What happened – I’m worried – Are u ok?

Reading the New York Times. Someone just knocked on the door. I’ll Twitter back in a sec….BRB

I have never figured out what Twitter is for or why people use it. Does that make me old? After all I only own 5 computers, 1 IPaq and a Blackberry.

The guy who did this should be offered a job and a prize by twitter so he can help them keep it safe from future attacks.

Twitter Twitter Little Hacking Star,
How I wonder what you are,

Phishing our password in the online sky,
You think you are smart, but you won’t get far.

//www.decisionstats.com

Twittering isn’t all about the one-way blogging of one’s latest activity; people have found other ways to use this service. One such way is the formation of instant-support communities around particular issues. Take weight loss, for example. A circle of friends provides members with immediate support “on-call,” such as helping a member to stay away from the dessert at a restaurant, or providing empathy to someone who notifies the group that s/he has fallen off the wagon. Twitter users are a creative bunch.

It’s always the same problem. People are stupid enough to use only one password for everything and when any of their (online) identities gets hacked they have reason enough to panic.

Why is it so hard for most people to recognize the risk and choose different passwords? Even if they write them down and store them in a safe place, that’s still much safer than using just one password. And besides, there are enough handy software tools to solve part of the problem: remembering all those passwords and keeping them safe. For example, Bruce Schneier’s Password Safe, KeePass and similar programs allow you to store passwords in an encrypted database that is unlocked with one master password. Users just have to remember one password to unlock the rest of their passwords, which should be as random and long as possible.

Let’s hope enough people suffer consequences from yet another security problem so awareness increases and finally people learn.

Does Password Safe work on multiple platforms? How do I sync my password db’s across multiple machines?

See the whole problem with identity management, for me at least, is that I use multiple machines throughout the day. Right now I’m on the macbook pro, later I’ll be on a windows XP box and maybe after that I’ll be working on code on the linux box. The problem is that I access secure sites from all of these machines.

Password management is a nightmare. I don’t see much solution except some kind of central identity authority, but I don’t trust anyone to operate that, so we are left with what is obviously a broken system.

The comments here are hysterical. Funnier than the Onion.

Thank you, Dave Armstrong and Matt !

p.s. Problem is some twitter users probably read your posts and didn’t realize they were meant to be sarcastic.

Regarding the password management problem, there are software systems that encrypt a database of pwds, but then store them on a flash key that these days are less obtrusive than a real physical key. If the key is lost, no problem (ideally) since the pwds are strongly encrypted + it is easy to make a backup from time to time of the encrypted database. I keep my pwds on a key that is part of my normal key chain and keep them encrypted with 256-bit encryption.

As an IT professional, I can assure you that, when you pronounce “user”, the “L” is silent. Mostly…

Twitter: the name says it all.

Get a life.