
Is Twitter Safe?

July 24th, 2009 by Kiwi Expert - Len Rosen

If your understanding of the word “tweet” extends as far as bird chirping, then you probably haven’t heard about the social phenomenon Twitter. Twitter is a short-message social network that allows members to post 140-character musings online. As of the end of May 2009, Twitter had more than 11.5 million registered users. So when Twitter was hacked this month by someone using the alias “Hacker Croll,” it raised alarms right across the web community. Hacker Croll was able to grab 300 private company documents and then proceeded to reveal how he obtained them.

The method Hacker Croll used, known as “cracking,” doesn’t rely on mastermind strategy as much as it does on a system vulnerability or a meathead move from the victim’s end. In this case, it involved several slip-ups. Many of us are guilty of one of them: using one password across several online accounts. Though it may make life easier for us, it makes the profession of a hacker that much easier.

How Hacker Croll accomplished the breach serves as a lesson for all Internet users. One gateway was public information made available through public search engines and social network sites. He built profiles on Twitter employees, accumulating basic information such as email addresses, birth dates, names of pets, and children’s names. He then began testing access to accounts by using the information as answers to common security questions.

Another backdoor avenue was the secondary e-mail addresses connected with the victims’ email accounts. Though secondary email accounts are used as a security measure to reset passwords of other email accounts, they can also be a major security snag if the secondary account is deactivated but left registered as the alternate email address. Anyone could reregister the inactive email address and, from there, reset the password of the connected email account and gain full access to all your emails.

This is exactly what Hacker Croll managed to do with one Twitter employee. Worse yet, he was able to search the employee’s Gmail account and find passwords from the employee’s other active services. The passwords he found were the same passwords used across several of the employee’s business and personal accounts, allowing for a mass hack attack if desired.

For the staff of Twitter, the incident created acute embarrassment. “If you’ve ever used the same password on more than one service, you’ve made the same mistake that led to this theft,” states the Twitter blog site.  The blog goes on to point out “it’s a web-wide issue.”

Twitter is absolutely right. Most of us can be hacked. We use repeat passwords. We post phone numbers, birth dates, even family histories with mother’s maiden name sometimes clearly spelled out as we share information with friends and friends of friends on social networks. Sometimes, however, you don’t know who your “friends” are.

So lesson learned, here’s an action plan:

1.    Be selective and protective of the information you share for online registrations and social networks.

2.    Do not use any publicly available information as answers to your account’s security questions.

3.    Check your security settings on all of these sites and on your online email services such as Gmail, Yahoo, Windows Live Messenger, Skype, etc.

4.    Do not register or keep deactivated email accounts as your secondary email addresses for email accounts.

5.    Get into the habit of using multiple passwords. If you cannot remember the passwords you create then consider using password managers like Clipperz, KeePass or Yubico.

6.    Get into the habit of creating strong passwords.  If you’re having trouble, you can use password generators like GRC or Strong Password Generator.

7.    Change your passwords on a regular basis.
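
The three slip-ups described above (a reused password, a lapsed secondary address, and a security answer anyone can look up) can be checked against your own list of accounts. The Python below is an added example, not part of the original article; the account list, its field names and the `audit` function are made up for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample inventory (illustrative only, not real accounts).
ACCOUNTS = [
    {"service": "webmail", "password": "Fluffy1979",
     "recovery": "old.me@example.net", "answer": "Fluffy"},
    {"service": "work-apps", "password": "Fluffy1979",
     "recovery": "me@example.com", "answer": "x7#Lq9-unrelated"},
    {"service": "bank", "password": "t4!Vw-9zQe-long-unique",
     "recovery": "me@example.com", "answer": "12 March 1979"},
]
# Mailboxes you still control and log in to (lowercase).
ACTIVE_MAILBOXES = {"me@example.com"}
# Facts about you that can be found on social networks or search engines.
PUBLIC_FACTS = {"fluffy", "12 march 1979", "smith"}


def _digest(password):
    # Group by digest so the report never echoes a password back.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit(accounts, active_mailboxes, public_facts):
    """Return (finding, services) tuples for the three weaknesses."""
    findings = []

    # 1. The same password used on more than one service.
    by_password = defaultdict(list)
    for acct in accounts:
        by_password[_digest(acct["password"])].append(acct["service"])
    for services in by_password.values():
        if len(services) > 1:
            findings.append(("reused-password", tuple(sorted(services))))

    for acct in accounts:
        # 2. Recovery address points at a mailbox you no longer hold,
        #    which someone else could re-register.
        if acct["recovery"].lower() not in active_mailboxes:
            findings.append(("dead-recovery-address", (acct["service"],)))
        # 3. Security answer matches publicly known information.
        if acct["answer"].strip().lower() in public_facts:
            findings.append(("guessable-answer", (acct["service"],)))
    return findings


if __name__ == "__main__":
    for kind, services in audit(ACCOUNTS, ACTIVE_MAILBOXES, PUBLIC_FACTS):
        print(kind, ", ".join(services))
```
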


Sources:
Paul, Ian, “Could you be hacked like Twitter?” July 21, 2009, PCWorld, http://www.msnbc.msn.com/id/32043926/ns/technology_and_science-tech_and_gadgets/
“Someone Call Security,” July 16, 2009, http://blog.twitter.com/

  • Jeff Taylor
    I think that Twitter is completely safe.
  • Mark Van
    Twitter is only dangerous because people post the wrong information (like personal information). Twitter is the equivalent of posting a sign in front of your house that states everything you do. If that's how you roll, why not, but expect people to try and steal your personal information, dislike you for being so honest and feel they have a say in how you conduct your life. Consider yourself a d-list celebrity in your own right.
  • Blake 418
    A close friend of mine had their account hacked as well. The same thing happened and EVERYONE on their contact list was bothered by mass ad emails from 'them.'

    Good advice. Don't let this happen to you. Not only do you lose everything but people will hate you for it (even though it wasn't your fault).
  • L.S.
    My hotmail account got hacked into last month, and people started forwarding my private emails to people in my contact list. Thanks for posting this article. Very helpful. I think I provided a lot of easy backdoors. In fact, I think I provided all that was mentioned above.