Saturday, January 10, 2009

your password's in the dictionary? anybody can look it up

I know you're not unsavvy enough to write your password on the back of your ATM card as one fellow I met did. (Admittedly, he was new to New York.) But chances are, to make it easier to remember, you've chosen a password that appears in the pages of Webster's. So?

Turns out that a "dictionary attack" is the most common, easiest-to-pull-off kind of hacking. It's why power Twitter-user Obama sent out thousands of tweets Monday urging supporters to try for $500 of free gas. And why Fox News announced that host Bill O'Reilly "is gay." And Rick Sanchez from CNN tweeted "I am high on crack right now might not be coming into work today."

Last weekend, an 18-year old hacker who's been perpetrating cyber-hoaxes since he was 15, turned his attention to Twitter, the micro-blogging service he hadn't heard of until seeing someone mention it on YouTube. (Further confirming rampant suspicion that Twitter is not yet embraced by Millenials, sorry Biz.) YouTube, on the other hand, was a service with which GMZ (his code name) was intimately familiar. Last year he hacked the YouTube account of teen idol Miley Cyrus (Hannah Montana) and posted that she'd been killed in a car accident.

Using a self-authored dictionary attacker, GMZ tried to guess the passwords of several of Twitter's most popular users. He let the program run overnight and when he checked results Monday around 11 AM, he discovered he'd gotten into an account for someone named Crystal. He didn't know that she was a member of Twitter's support staff (who must have known better than to trust the security of her account to "happiness".) "I thought she was just a really popular member" he later told Wired. But after delving into her account, he realized that by using the tools Crystal had access to, he could change any Twitter user's password.

Excitedly, he posted a message to Digital Gangster, a forum for hackers (who knew there was one?) offering free access to any Twitter account. To prove he had access, he posted a video of his hack to YouTube. Twenty hackers immediately asked for access to Obama's account; he "awarded" it to five. He also filled requests for access to Britney Spears' account, as well as the official feeds for Facebook, CBS News, Fox News , the accounts of CNN correspondent Rick Sanchez and Digg founder Kevin Rose, and other celebrities. He compromised 33 high-profile accounts in the two hours before Twitter figured out what was happening and shut him down.

According to Twitter, the violated accounts were almost immediately closed and restored within hours. Still. A few minutes of stolen Twitter Time can do a lifetime of damage. Consider the ramifications of updating followers as Britney Spears inadvertantly did: posting the dimensions of your, ahem, Vagina Monolgue.

Do what IT technicians needle you to do: use passwords that contain both lower-case and upper-case letters, as well as numbers or special characters. In researching this, I can't tell you how many times a popup invited me to Get any password for just $9.99!

No comments: