Small Fish, Big Pond

We know you better than you know yourself.

by Kerensky97 on Jul.23, 2009, under Internet

TechCrunch has revealed the specifics of the Twitter leak/crack, and there isn't really anything new (see previous posts here and here). It's basically simple searching of social networks and the rest of the net to gather data on people so you can crack their accounts. The timeline of the crack is pretty cool though:

  1. HC accessed Gmail for a Twitter employee by using the password recovery feature that sends a reset link to a secondary email. In this case the secondary email was an expired Hotmail account, he simply registered it, clicked the link and reset the password. Gmail was then owned.
  2. HC then read emails to successfully guess what the original Gmail password was, and reset the password back so the Twitter employee would not notice the account had changed.
  3. HC then used the same password to access the employee’s Twitter email on Google Apps for your domain, getting access to a gold mine of sensitive company information from emails and, particularly, email attachments.
  4. HC then used this information along with additional password guesses and resets to take control of other Twitter employee personal and work emails.
  5. HC then used the same username/password combinations and password reset features to access AT&T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave HC access to full credit card information in clear text. HC now also had control of Twitter’s domain names at GoDaddy.
  6. Even at this point, Twitter had absolutely no idea they had been compromised.

Pretty interesting. A lot of people point out that the hack was done entirely by first hacking email and that the Google Cloud was never compromised directly (thus cloud computing is secure). The fact that the data was this easy to get even when the Cloud is secure only proves how vulnerable cloud computing is. If the servers with proprietary information were kept on an internal LAN, more security measures could have been brought to bear, and MUCH more would be needed besides a simple login name and password.

What this attack really proves is that this new web 2.0 social networking world allows strangers to build nearly complete profiles of us simply by aggregating information we post about ourselves. It's an identity thief's paradise, and we're all happy to divulge our entire personal lives onto the internet.

The future is going to be a lot more open, and for many people that may not be a good thing. If you do a lot of online social networking always assume you have a bunch of stalkers and post accordingly.
