Tuesday, January 6, 2009

Hacking Obama

What were these guys thinking? Someone somewhere broke into Obama's Twitter account. And for good measure they also broke into Britney Spears' account (the last time I saw Obama and Spears in the same headline was in those bizarre political ads by the McCain campaign).

It takes some serious chutzpah to hack any account belonging to the future Commander in Chief. Why would someone pull off this kind of stunt? According to the Washington Post, Obama's compromised account was used to send some spam involving a survey. Other accounts were used to send out some pretty stupid messages about sex and drugs (which I will not reprint in an attempt to keep this post PG). It seems like Obama's account was spared that fate for some reason, but there are probably some folks in the Secret Service who will nonetheless not be amused by this entire incident.

The prankish nature of the attack makes me think that it did not require much sophistication. According to the official Twitter blog these individuals "hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can't remember or get stuck." This is the soft underbelly of most web services - you can turn your production environment into a fortress with WAFs and IDSs and what not, but you are only as secure as your help desk.

Password resets are the Achilles' heel of today's authentication infrastructure. Banks have known this for years and have relatively strict password reset procedures (and in many countries locked Internet accounts can only be reset by walking into a branch). But banks are in a fairly unique position - they usually have a close relationship with the customer, know a lot about them, and perhaps most importantly operate in an industry where strict security is expected. Services like Twitter are meant to be fun and can't impose that kind of requirement on their customer base. Heck, anyone can set up a Twitter account in someone else's name.

It's hard to tell in this case if a back-end help desk server or portal was hacked, or if the logic of the password reset process was exploited. The latter could be done with zero technical skill (a la Sarah "I-met-my-husband-at-Wasilla-High" Palin's Yahoo email hack). Breaking into a server would involve either a lot more technical skill or a poorly configured server. Twitter hasn't revealed much about the breach so it's hard to tell which one it is. They are also still reeling from an apparently unrelated phishing attack over the weekend.

President-elect Obama is the first President 2.0 (who could have even dreamt of something like Twitter when Clinton was in office and Al Gore was just beginning to invent the Internet?). It will be very interesting to see how seriously the authorities take this incident. A failure to track down the criminals would be pretty scary - if the next President's account isn't safe, whose is?

2 comments:

  1. al3x twitter answer -
    http://al3x.net/2009/01/12/the-thing-about-security.html

  2. ten security tips for social networking sites http://threatchaos.com/2009/01/ten-security-measures-for-social-networking-sites/