Frankly Speaking: Twitter hack was so 1983

IDG News Service — Mon, 12 Jan 2009 12:14:18 -0800

Please tell me this isn't happening in 2009: Last week, an 18-year-old student reportedly used a password-guessing program to get into the account of a Twitter employee (see story). From there, the teen cracker hijacked the accounts of President-elect Barack Obama, Britney Spears, Fox News and 30 other Twitter users.

A password-guessing program? That is so 1983.

According to Wired blogger Kim Zetter, who tracked down the cracker calling himself "GMZ" and interviewed him via e-mail, the crack was a marvel of old-school simplicity. GMZ noticed that one Twitter user named "Crystal" was following a lot of Twitter feeds. GMZ went to the Twitter log-in page, typed in Crystal's name, pointed his homebrew guessing program at the password field, and went to bed.

When he checked the next morning, he discovered the correct password was happiness -- and he was in.

He also discovered that Crystal wasn't just a Twitter user. She was a support employee, and her account had access to an administrative tool that could reset the password for any Twitter user. GMZ says he didn't access any other accounts himself -- but he did give access to fellow hackers.

Twitter regained control only after several hours.

Scary, isn't it? Not that Obama and Fox News had phony messages sent out on their Twitter feeds -- that turned out to be prankster-level stuff. What's scary is that systems administrators ignored so much basic password security on a system with millions of users.

You don't let your employees pick easily guessable passwords like happiness. You don't allow anyone to keep trying to log in for hours after repeated password failures. And you don't use the same log-in interface for powerful employee accounts that you use for ordinary customers. You just don't.

The idea that sysadmins could be so sloppy that they'd get hit by this kind of '80s-era hack is mind-boggling -- right?

Hold that thought.

Now consider this: We're entering the second full year of a recession. When it comes to staffing, we've cut the fat, we've cut the muscle, and we're starting to saw away at bone. That means in even the best of corporate IT shops, we're starting to cut corners.

There's always too much to do in IT. It's all about choosing priorities. Operations -- keeping everything running -- is always at the top of the list. Support -- helping out individual users with problems -- is usually next. These two things have big constituencies on the business side because, if they fail, things will happen and business people will notice. And then they'll howl.

But security doesn't have a big constituency. If we cut corners on security, no one may notice, because nothing bad may happen right away.

No one on the business side will howl until something does happen. And it's likely to be something very, very bad.

We don't know how Twitter, a start-up with 31 employees, got sloppy with password security. But it's not hard to imagine how it could happen in a big corporate IT shop. A little too much corner-cutting in the face of way too much work is all it would take.

That means we need to be vigilant even on simple security -- and even when there's no demand for it from the business side. We have to keep passwords hard to guess, lock out repeated log-in attempts and keep powerful IT accounts especially secure.

Because it is 2009, brutal economy and all. But if we slip up on something as simple as password security, it could feel like 1983 all over again.

Frank Hayes is Computerworld's senior news columnist. Contact him at frank_hayes@computerworld.com.

This version of the story originally appeared in Computerworld's print edition.

Got something to add? Let us know in the article comments.