Twitter got hacked, so can you.

Thursday, January 7, 2010
By Richard Orelup

Recently many people saw a funny picture when they went to Twitter. Places like TechCrunch and others thought something really bad had happened (a full system breach), but in the end no real data was compromised. What had actually happened was an attack on something most people don’t even know is part of the equation – DNS.

Message left during Iranian Twitter attack

If you want a better understanding of DNS I’d point you to the Wikipedia article on it, but here is the quick layman’s version. All computers on the internet are found by their IP address, which is fine for computers but would be nasty for people to remember. So instead domain names were created, which let you attach a more meaningful name to the address. DNS servers act as the middleman in the process by giving your computer the proper IP address when you request a certain domain. This all happens behind the scenes, and most people don’t even know it is going on.

What happened in Twitter’s case is that their account with their DNS provider got compromised through an account reset. Once the attackers had control of the account, they pointed all of Twitter’s domains at another site altogether. So to everyone going to the site it looked like it had been hacked.

Attacks like this happen all the time, and not only with DNS; in this case it got a lot of press because of whose site was taken down. But the same type of attack is done to people’s email and other accounts, where anyone can easily reset the password if they know a few key details or have access to the email account the password reset is sent to.

So in the end what can we do about this? Well, not really much. Whoever you have your DNS controlled through is where the vulnerability may be. You can always look for a provider that doesn’t allow these kinds of resets or has other means of contacting you about password resets. If you are tech savvy and run your own servers you may want to host your own DNS, though then you have to keep up with patching it to keep yourself protected from other attacks. For most simple small sites I use the DNS provided by the domain registrar, but for a few of my high-traffic sites I’m currently looking at a few options that will give me a lot more flexibility.
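As an added example (not code from the original post), here is a small Python check for the situation described above: it pins the answers you expect for your own zone and flags a lookup whose answers have been replaced wholesale, which is what an account takeover at your DNS provider or registrar produces. It checks the NS delegation as well as the A records, because someone who controls the registrar account can change the delegation while someone who controls the DNS-provider account can change the records; checking both catches either. All names and addresses below are constructed placeholders, and `snapshot_a_records` is an assumed helper that needs network access and is not called by the offline demo.

```python
"""Compare a domain's current DNS answers with a pinned baseline and flag
the wholesale replacement a hijack produces. Added example, not code from
the original post; every name and address below is a constructed sample."""
import socket
from dataclasses import dataclass

# Baseline recorded while the zone is known to be correct. Both the apex
# A records and the NS delegation are pinned. Values are constructed.
BASELINE = {
    "example.com": {
        "A": {"192.0.2.10", "192.0.2.11"},
        "NS": {"ns1.example-dns.test.", "ns2.example-dns.test."},
    },
    "www.example.com": {
        "A": {"192.0.2.10", "192.0.2.11"},
    },
}


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    unexpected: frozenset   # values answered but not in the baseline
    missing: frozenset      # baseline values not answered
    replaced: bool          # nothing expected survived, something else answered

    def describe(self) -> str:
        if self.replaced:
            kind = "REPLACED (hijack-like)"
        elif self.missing and not self.unexpected:
            kind = "NO ANSWER (outage?)"
        else:
            kind = "DRIFT"
        return (f"{kind} {self.name} {self.rtype}: "
                f"unexpected={sorted(self.unexpected)} missing={sorted(self.missing)}")


def compare_snapshot(observed, baseline=BASELINE):
    """observed: {name: {rtype: iterable of values}} from a live or captured
    lookup. Returns one Finding per (name, rtype) whose answer set differs
    from the baseline; an empty list means everything matches."""
    findings = []
    for name, types in baseline.items():
        for rtype, expected in types.items():
            got = set(observed.get(name, {}).get(rtype, ()))
            if got == expected:
                continue
            findings.append(Finding(
                name=name,
                rtype=rtype,
                unexpected=frozenset(got - expected),
                missing=frozenset(expected - got),
                # An empty answer is an outage, not a hijack; a hijack answers
                # with values that share nothing with the baseline.
                replaced=bool(got) and not (got & expected),
            ))
    return findings


def snapshot_a_records(names):
    """Assumed helper: live A-record snapshot through the system resolver
    (needs network; the offline demo below does not call it). getaddrinfo
    cannot return NS records, so for those feed compare_snapshot() the
    output of a DNS library or of `dig +short NS <name>` instead."""
    snap = {}
    for name in names:
        try:
            infos = socket.getaddrinfo(name, None, socket.AF_INET)
        except socket.gaierror:
            infos = []
        snap[name] = {"A": {info[4][0] for info in infos}}
    return snap


# Constructed snapshots standing in for two live lookups.
HEALTHY = {
    "example.com": {"A": ["192.0.2.11", "192.0.2.10"],
                    "NS": ["ns2.example-dns.test.", "ns1.example-dns.test."]},
    "www.example.com": {"A": ["192.0.2.10", "192.0.2.11"]},
}
HIJACKED = {
    "example.com": {"A": ["198.51.100.7"], "NS": ["ns1.unknown-dns.test."]},
    "www.example.com": {"A": ["198.51.100.7"]},
}

if __name__ == "__main__":
    for label, snap in (("healthy", HEALTHY), ("hijacked", HIJACKED), ("no answers", {})):
        findings = compare_snapshot(snap)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  " + f.describe())
```

Run it from cron against a snapshot taken through a resolver you trust and alert on any `replaced` finding; a resolver failure shows up as "NO ANSWER" rather than a false hijack alarm, and a legitimate IP change you made yourself shows up as "DRIFT" until you update the baseline.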

If you would like more info on the specifics of the Twitter attack you can read about them here and here.

There are a lot more issues that can happen with DNS, and I will save them for another day. Hopefully this helps clear up what happened for some of you; if you have any questions about anything I said, feel free to ask.

Author Info: Richard Orelup

I have been a PHP/MySQL developer for 7 years. I work mainly with YUI on the JS side when developing applications, and I have been using jQuery on standard websites. I have also been doing a lot with Adobe AIR and Titanium for developing apps on the desktop side. I currently work at Valparaiso University and my personal web development is done under Mu Studios.

10 Responses to “Twitter got hacked, so can you.”

  1. Surely, If you’re going to hack twitter – you can come up with a much better creative solution than that! :)

    AG

    • Yeah, but sadly creativity doesn’t change its effectiveness. And sadly most of us aren’t Twitter, so dealing with these issues can be a real pain and mean the site is down for days till it gets fixed.

      Non-hacking related, I recently helped someone move their domain from one registrar to another and that was a giant nightmare. Whenever I put in a ticket about the issue I would get the auto response that they would get back to me in 24 hours. 2 support tickets and 32 hours later they resolved the issue on their end (with the second ticket as well saying 24 hours when really they didn’t fix it the first time instead of giving me direct access to someone to get it resolved with the first.) Luckily I had my own DNS server to move them to but they were still without email for 12 hours because of the issue. Namesecure is who the issue was with for those wondering.

      I bring this up only because for most of us, if something similar to Twitter happened to us, there is a chance our site could be down for days while it gets addressed, which sucks because it is 100% out of our control.

  2. Bryan Redeagle

    I’d be amazed, but Twitter is the same place that had an administrative password that was “password”.

  3. You can tell that hacker was not a graphic designer by any stretch of the imagination!

    Humor aside, really? Twitter’s admin password was “password?” That just blows my mind.

    • Bryan Redeagle

      It’s no worse than Facebook formerly having a master password (one that would work with any account) that was “Chuck Norris.”

      I swear, developers these days….

      • Actually Facebook’s wasn’t that bad.

        http://therumpus.net/2010/01/conversations-about-the-internet-5-anonymous-facebook-employee/2/

        The password wasn’t what you just wrote but was actually written in a form like 1337. This wouldn’t have been a simple brute force attack away from being broken. The real thing you have to realize is that this was an internal-only password. You had to be on Facebook’s network to use it.

        This is a pretty common occurrence and needs to be there when you are working with tons of accounts, especially of people that you can’t just go look off the screen of to see what’s wrong. You need to see what they are looking at exactly. By having this locked down to internal use only (by network not personnel) there was extremely minimal chance that this would have been found out or somehow compromised.

        • Bryan Redeagle

          Oh I know all this, but to me it’s a privacy concern. Every Facebook employee had this password, and you just don’t know what they could/would do with it. I’ve done enough developing to know that if one person is having problems, others are having them too.

          Plus as objective as people try to be, there are some that just can’t be that way. And if they have a password that can be used for vengeance or otherwise, they will.

          It’s not the system, it’s the people. The faceless Facebook people.

          • Did you read the above mentioned article?

          • Bryan Redeagle

            I did indeed, days ago.

          • Okay, then you should know your comment

            Bryan : Every Facebook employee had this password, and you just don’t know what they could/would do with it.

            But the article clearly lays this out.

            Rumpus: This was accessible by any Facebook employee?

            Employee: Technically, yes. But it was pretty much limited to the original engineers, who were basically the only people who knew about it. It wasn’t as if random people in Human Resources were using this password to log into profiles.

            As well it is discussed how people were fired because of this. And later on they discuss how they reworked the system to add more tracking to it.

            Employee: Right. But it’s no longer in use. Like I alluded to, we’ve cracked down on this lately, but it has been replaced by a pretty cool tool. If I visited your profile, for example, on our closed network, there’s a ‘switch login’ button. I literally just click it, explain why I’m logging in as you, click ‘OK,’ and I’m you. You can do it as long as you have an explanation, because you’d better be able to back it up. For example, if you’re investigating a compromised account, you have to actually be able to log into that account.

            Rumpus: Are your managers really on your ass about it every time you log in as someone else?

            Employee: No, but if it comes up, you’d better be able to justify it. Or you will be fired.

            This stuff was discussed and addresses the privacy concerns you cited.

            There is a whole other privacy portion to this that I’ve tried to start writing about here but this is already pretty long. May become a post another day – though not here as it’s not really creativity related :)
