
Simple, brute-force dictionary attack was used on Twitter
Kevin Spiess - Wednesday, January 7th, 2009 | 1:52PM (PT)


I thought this was 2009


You probably heard about the huge hacker assault on Twitter earlier this week. The accounts belonging to Barack Obama, Britney Spears, Fox News and many others were broken into, and then defaced in appreciably juvenile ways. For example, Bill O'Reilly "is gay," according to his Tweeted messages sent out on Monday.

Wired magazine got in contact with the hacker behind the Twitter escapades. At first, it was one person who gained access to the administration accounts of the system. From there, the hacker offered free accounts to anyone who wanted them, on a forum called Digital Gangster.

As it turns out, hacking into Twitter was much easier than many probably suspected. In fact, the hacker -- who goes by the identity GMZ -- used one of the oldest tricks in the book: a brute-force dictionary attack. He found out that Twitter did not report or lock out IP addresses, regardless of how many failed password attempts came from them, so he wrote his own little program to feed words from a dictionary into the password field for an administration user named Crystal, one at a time, in quick succession.

The password turned out to be 'happiness.' The people who pay Crystal's salary were probably not all that happy to find out she used such a weak password.

Being the cool hacker dude that he is, GMZ posted a video showing everyone that he did indeed sneak into Twitter's innards:

GMZ has also been responsible for gaining access to Miley Cyrus's YouTube account, the SayNow account of Selena Gomez, and various other celebrity accounts across various websites. He is 18, is pursuing game development, and has so far evaded prosecution for his horrible and heinous crimes.

For further information, follow the link below to Wired's Danger Room. 

Source: Wired

Section: Internet Related
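
The control the article says was missing, a limit on failed password attempts that locks out and reports the source, sketched here as an added example (not code from the article, Wired, or Twitter). The thresholds, account names, passwords and documentation-range IP addresses are constructed assumptions.

```python
from collections import defaultdict, deque

def limit_keys(ip, account):
    return (("ip", ip), ("account", account))

class LoginThrottle:
    """Sliding-window limit on failed logins, tracked per source IP and per account."""
    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time at which the lockout ends
        self.alerts = []                    # (time, key) pairs to report to operators
    def allowed(self, ip, account, now):
        return all(self.locked_until.get(k, 0) <= now for k in limit_keys(ip, account))
    def record_failure(self, ip, account, now):
        for key in limit_keys(ip, account):
            recent = self.failures[key]
            recent.append(now)
            while recent[0] <= now - self.window:  # drop failures outside the window
                recent.popleft()
            if len(recent) >= self.max_failures:
                self.locked_until[key] = now + self.lockout
                self.alerts.append((now, key))
                recent.clear()

def replay(events, throttle, passwords):  # events are (time, ip, account, guess)
    outcomes = []
    for now, ip, account, guess in events:
        if not throttle.allowed(ip, account, now):
            outcomes.append("blocked")      # refused before the password is checked
        elif passwords.get(account) == guess:
            outcomes.append("ok")
        else:
            throttle.record_failure(ip, account, now)
            outcomes.append("fail")
    return outcomes

def demo():
    # Constructed data: accounts, passwords and addresses are placeholders.
    passwords = {"admin-example": "example-secret", "alice": "alice-secret"}
    guesses = ["password", "letmein", "dragon", "sunshine", "monkey",
               "qwerty", "example-secret", "football"]
    events = [(t, "203.0.113.7", "admin-example", g) for t, g in enumerate(guesses)]
    events.append((10, "198.51.100.9", "alice", "alice-secret"))
    throttle = LoginThrottle()
    return replay(events, throttle, passwords), throttle

if __name__ == "__main__":
    print(demo()[0])
```

In the replay, the seventh guess is the correct password but is refused because the lockout triggered on the fifth failure. Locking the account as well as the IP also blocks its legitimate owner until the lockout expires, which is why the per-account limit is usually paired with alerting rather than used alone.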


Comments:

  • 0 thumbs!
    Raynard | Jan 7, 09 | quote
    It's the 21st century! Use secure passwords for *bleep*sake!
  • 0 thumbs!
    kspiess | Jan 7, 09 | quote
    Heck ya. Throw some damn numbers in there or something. Heck even a harmless little ^ would have come in REAL handy for Crystal.
  • 0 thumbs!
    OkOkOk | Jan 7, 09 | quote
    This is a horrible crime? I swear you news people are reporting this like GMZ hacked into the IRS and gave everyone rebate checks. With all the stuff going on in this world, the media choose 3 days to talk about freaking twitter.
  • 0 thumbs!
    kspiess | Jan 7, 09 | quote
    Damn it! I hate it when my sarcasm attempts fail miserably.

    Damn news people. They are behind water fluoridation.
  • 0 thumbs!
    killerkid22 | Jan 7, 09 | quote
    yea, but it's the fact that someone was able to hack into...so easily, i think is the main idea behind the story

    i mean....he practically did this by trial and error
  • 0 thumbs!
    hollowedsol | Jan 7, 09 | quote
    I agree with killer, this was a trial error method. What a stupidly simple password... why not throw in a number and several symbols while you're at it?
  • 0 thumbs!
    oni_hero | Jan 7, 09 | quote
    Title reminded me of Randy Marsh...

    "I thought this was America"
  • 0 thumbs!
    tekmosis | Jan 7, 09 | quote
    ehh...saying "I thought this was 2009" and applying it to either brute force methodology or simple passwords is kinda lame. Unless you were being sarcastic in which case you can ignore this little rant.

    Brute force, especially dictionary attacks, are very simple to do but not the most efficient due to the time constraints it takes. But they *do* work and are still popular methods. It's not like it's outdated and is a shock that omg it's 2009 and people are still doing this?!

    As for simple passwords not *everyone* is going to be the savviest when it comes to technology, no matter what year it is. Her employers can't be upset with her as it is their own liability to ensure that all employees are knowledgeable on retaining secure passwords, not to write them down, etc, etc. Also, it is a systems admin error by not logging / tracking security issues such as this.
  • 0 thumbs!
    kspiess | Jan 7, 09 | quote
    The reason I said the 2009 thing was that I thought, these days, any major website had either a: a limit of false passwords you can put in before the system either reports you, or at least, has a limit which once broken doesn't allow you to log in for a few minutes; and to a lesser extent b: most administrators would not use such a weak password (of course this is wishful thinking.)

    Allowing your system to be open to brute force attacks, which pretty much any person with a basic programming knowledge can exploit, is not very 2009, in regards to security, in my opinion.

    I'm surprised that such a major website would be open to a brute force attack. I thought a most basic-level security precaution was to limit the amount of login tries someone could have in a short amount of time.