Following the publicized hacks of ‘big’ accounts (Britney Spears, Barack Obama, Fox News) on the social networking site Twitter, Sophos is calling on Twitter to enforce stronger password security (though, really, every company should enforce strong password standards of its users).

An 18-year-old with a history of celebrity pranks has admitted to hacking several high-profile Twitter accounts. The hacker, GMZ, says he used an automated password-guesser to run a “brute force” attack against the password of a Twitter user. Since Twitter allowed an unlimited number of login attempts (a poor security practice), the attack was easy. The password of one account was as simple as “happiness”, a dictionary word and a very insecure password.

Although he didn’t realize it at first, he had broken into a Twitter staffer’s account, which gave him the ability to reset the password on any Twitter account. For fun, he asked other hackers whether they wanted access to any Twitter account, and he posted a video he made of his hack.

GMZ then fulfilled requests for access to several high-profile accounts, including Barack Obama’s and Britney Spears’. Those accounts were hijacked and used to send fake messages, as demonstrated here. GMZ had access to Twitter for a couple of hours before Twitter blocked him.

Twitter says they are doing a full security review and are already at work to strengthen the sign-in process. This security issue came immediately on the heels of a Twitter phishing scam.

This piece of news has prompted Bruce Schneier to write a great article reminding us that technology is only part of the solution to security issues. The article talks mostly about the threats of impersonation, not web security, but it’s a great read.

BTW, if you are a Twitter user, you can follow Absolute Software news at: twitter.com/absolutecorp.
