Archive for posts tagged with ‘Hack’

Happy Twitter Dictionary Attacks

I guess most of you who follow technical or security-related sites have heard about the Twitter hack that happened at the very beginning of this week, but how could this happen? The answer is kinda simple and you can get it from the subject: it was a dictionary attack, of course. Here’s a short summary taken from the Wired Blog:

An 18-year-old hacker with a history of celebrity pranks has admitted to Monday’s hijacking of multiple high-profile Twitter accounts, including President-Elect Barack Obama’s, and the official feed for Fox News.

The hacker, who goes by the handle GMZ, told Threat Level on Tuesday he gained entry to Twitter’s administrative control panel by pointing an automated password-guesser at a popular user’s account. The user turned out to be a member of Twitter’s support staff, who’d chosen the weak password “happiness.”

Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.

“I feel it’s another case of administrators not putting forth effort toward one of the most obvious and overused security flaws,” he wrote in an IM interview. “I’m sure they find it difficult to admit it.”

For sure it’s always a bad idea to have such an easily guessable password — especially as an administrator or support staff member — but the main problem here was that Twitter allowed unlimited, rapidly fired login attempts, which is definitely never a good idea.

As Bruce Schneier figured out in his analysis of 34,000 MySpace passwords captured from a phishing attack in late 2006, the average MySpace user has an 8 character alphanumeric password. At least they are alphanumeric, you may think; that’s correct, until you find out that 28 percent of those alphanumeric passwords were all lowercase with a single final digit, and two-thirds of the time that digit was 1. That’s pretty scary.

Brute force attacks aren’t really rocket science; actually, they are for dummies. So even those scary MySpace passwords (eight characters, all lowercase and ending in 1) would require 8 billion login attempts.

26^7 = 8,031,810,176 (seven unknown lowercase letters; the final digit is fixed at 1)

At one attempt per second, it would take ~250 years per user to crack one of those passwords by pure brute force.

But for a dictionary attack like the one that was used in the Twitter case? That’s a completely different story. The Oxford English Dictionary, for example, contains around 171,000 words. As you might imagine, the average person only uses a tiny fraction of those words, by some estimates somewhere between 10 and 40 thousand. Let’s assume our one login attempt per second again; then we can try every single word in the Oxford English Dictionary in less than two days.

So the last thing you want is to offer unlimited login attempts to an attacker. All you need is one user with a weak password to give attackers a toehold on your boxes. The ironic thing about the Twitter case is that the attacker hit the jackpot: the user with the weakest password happened to be a member of Twitter’s administrative staff, who chose “happiness”.
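The arithmetic behind the two estimates above, plus the kind of per-account login throttle the post argues Twitter lacked, as an added Python example (not code from the original post or from Twitter). The 5-attempts-per-15-minutes policy is an assumed illustrative setting, not anything Twitter used.

```python
# Added example: brute-force vs. dictionary timing from the post, and a
# per-account failed-login throttle with an injected clock for testing.
from collections import defaultdict

SECONDS_PER_YEAR = 365.25 * 24 * 3600
OXFORD_WORDS = 171_000            # dictionary size quoted in the post


def brute_force_years(alphabet_size=26, free_positions=7, rate=1.0):
    """Years to exhaust a keyspace at `rate` guesses per second.
    Defaults model the MySpace case: 7 unknown lowercase letters, final digit fixed."""
    return alphabet_size ** free_positions / rate / SECONDS_PER_YEAR


def dictionary_days(words=OXFORD_WORDS, rate=1.0):
    """Days to try every word once at `rate` guesses per second."""
    return words / rate / 86400


class LoginThrottle:
    """Allow at most `max_attempts` failed logins per account within `window`
    seconds; further attempts are rejected until the oldest failure ages out.
    `now` is passed in by the caller so the policy can be tested without sleeping.
    (Assumed policy values, chosen for illustration.)"""

    def __init__(self, max_attempts=5, window=900):
        self.max_attempts = max_attempts
        self.window = window
        self.failures = defaultdict(list)   # account -> failure timestamps

    def allowed(self, account, now):
        recent = [t for t in self.failures[account] if now - t < self.window]
        self.failures[account] = recent      # drop failures older than the window
        return len(recent) < self.max_attempts

    def record_failure(self, account, now):
        self.failures[account].append(now)


def guesses_per_day(throttle):
    """Upper bound on guesses an attacker gets against one account per day."""
    return throttle.max_attempts * 86400 / throttle.window


def throttled_dictionary_years(throttle, words=OXFORD_WORDS):
    """Years to try the whole dictionary against one account under the throttle."""
    return words / guesses_per_day(throttle) / 365.25


if __name__ == "__main__":
    print(f"brute force, 1 guess/s: {brute_force_years():.0f} years")          # ~254
    print(f"dictionary, unthrottled: {dictionary_days():.1f} days")           # ~2.0
    t = LoginThrottle()
    print(f"dictionary, 5 tries per 15 min: {throttled_dictionary_years(t):.2f} years")
```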



Rounded corners for less (Safari solution)

In addition to the previous article, I’ve also got a solution for the Safari 3.x users/developers out there. Like Mozilla, Apple added some CSS enhancements to their CSS rendering engine. To get the same effect as in Firefox, you can use -webkit-border-bottom|top-left|right-radius:

<p style="-webkit-border-top-left-radius: 5px; -webkit-border-bottom-right-radius: 5px; background-color: #ebebeb; padding: 10px; color: #000;">Lorem ipsum dolor sit amet, consectetuer sadipscing elitr, sed diam nonumy...</p>

This should result in something like:

Lorem ipsum dolor sit amet, consectetuer sadipscing elitr, sed diam nonumy…

By the way: the W3C offers new options for borders in CSS3, one of which is border-radius.


Rounded corners for less?

Okay, I have to confess that this trick will only work in Firefox, but for those who don’t want to start their Gimp/Photoshop-something just to get rounded corners on page elements, this CSS hack might be a proper solution:

<p style="-moz-border-radius-topleft: 5px; -moz-border-radius-bottomright: 5px; background-color: #ebebeb; padding: 10px; color: #000;">Lorem ipsum dolor sit amet, consectetuer sadipscing elitr, sed diam nonumy...</p>

By using Mozilla’s CSS extension -moz-border-radius-direction, this will result in something like:

Lorem ipsum dolor sit amet, consectetuer sadipscing elitr, sed diam nonumy…


We’ll hit on your building next

Not sure if this one is real or just a well-made fake — but anyway, it’s a nice idea :)


Cisco.com suffers lower case t breakdown

Cisco.com suffers lower case t breakdown. Thanks to unwesen for pointing it out to me. Also thanks to my co-worker Michael for taking the source code screenshot.
