Inside Cyber Warfare - Jeffrey Carr [65]
Croll tried to access a Twitter employee’s Gmail account. He opted for emailing the forgotten password to a secondary email address. Gmail provides users with a clue as to which email address they had picked by obscuring the first part but revealing the service (***********@hotmail.com). Once he saw it was a Hotmail account, Croll went to Hotmail and attempted to log in with the same username. Here is where luck stepped in: Hotmail’s response to Croll’s login attempt was that the account was no longer active. Croll immediately re-registered the account with a password that he picked, then went back to Gmail and requested that the forgotten password be emailed to the secondary account, which Croll now owned. Gmail reset the password and sent out a new one to the Hotmail account, thus giving Croll full access to a Twitter employee’s personal email.
His next task was to discover the original password and reset it so that the employee would never suspect that her email account had been hacked. Thanks to Gmail’s default of storing every email ever received by its members, Croll eventually found a welcome letter from another online service that, for the member’s benefit, fully disclosed her username and password. Recognizing that 99% of web users stick with the same password for everything, he reset the Gmail password to the one he just discovered, and then waited for the Twitter employee to access her Gmail account. Sure enough, the employee soon signed in, sent a few emails, and signed out, never suspecting a thing.
Now armed with a valid username and password, Croll dug further into the employee’s Gmail archives until he discovered that Twitter used Google Apps for domains as their corporate email solution. Croll logged in with his stolen employee username and password and began searching through all of that employee’s company emails, downloading attachments, and, in the process, discovered the usernames and passwords for at least three senior Twitter executives, including CEO and Founder Evan Williams and Co-founder Biz Stone, whose email accounts he promptly logged into as well.
Croll didn’t stop there either. He continued to expand his exploitation of Twitter data by logging into the AT&T website for cell phone records and iTunes for credit card information. (According to the TechCrunch article, iTunes has a security flaw that allows users to see their credit card numbers in plain text.)
The end result can be seen online, as TechCrunch published some of the stolen information, and the rest will probably find its way online eventually through other channels.
Although this real-life example of computer network exploitation (CNE) did not involve a government or military website, the essential process is the same. Had this been a successful SQL injection attack instead of a pure social engineering attack, all of the usernames and passwords would have been discovered in a matter of minutes and a full dump of the contents of the company’s database would have occurred.
Twitter may soon become the world’s largest SMS-based channel of communication. It is already being exploited by the intelligence services of numerous nations, thanks to the publicity that it has received during the Iran election protests and last year’s Mumbai terror attacks. One of the many take-aways from this unfortunate event is that the users of social software applications (Twitter, Facebook, etc.) should immediately institute strong passwords and usernames and change them frequently, and each user should be more cognizant of the amount of personal data that he reveals in cyberspace.
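The chain described above (a dormant secondary mailbox that anyone could re-register, a primary account whose resets are mailed there, and a corporate login reusing the same password) is the kind of dependency an identity team can audit before an attacker walks it. The following is an added example, not code from the book or from any of the companies named; the account inventory, addresses and `dormant` flags are constructed placeholders, and it assumes the defender already knows each account's recovery address and whether that mailbox is still registered.

```python
"""Audit account-recovery chains for a link an outsider could claim.

Constructed model: each account names the address its password resets are
mailed to (`recovery`) and, optionally, another account it shares a password
with (`same_password_as`). A mailbox the provider has deactivated (`dormant`)
or one that is referenced but never registered can be claimed by anyone, and
everything that resets to it, or reuses its password, falls with it.
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    address: str
    recovery: Optional[str] = None
    same_password_as: Optional[str] = None
    dormant: bool = False

def claimable_roots(accounts):
    """Recovery addresses anyone could claim: deactivated, or never registered."""
    referenced = {a.recovery for a in accounts.values() if a.recovery}
    return sorted(r for r in referenced if r not in accounts or accounts[r].dormant)

def reachable_from(accounts, seized):
    """Accounts an attacker holding `seized` can take over, one reset mail or
    one reused login per hop (password sharing counts in both directions)."""
    taken, queue = {seized}, deque([seized])
    while queue:
        cur = queue.popleft()
        cur_shares = accounts[cur].same_password_as if cur in accounts else None
        for a in accounts.values():
            if a.address in taken:
                continue
            if a.recovery == cur or a.same_password_as == cur or cur_shares == a.address:
                taken.add(a.address)
                queue.append(a.address)
    return taken

def audit(accounts):
    """Map each claimable root to every account it exposes, worst first."""
    report = {r: reachable_from(accounts, r) - {r} for r in claimable_roots(accounts)}
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))

# Constructed sample mirroring the chain in the text; all addresses are placeholders.
SAMPLE = {a.address: a for a in [
    Account("staff@hotmail.example", dormant=True),            # deactivated, re-registrable
    Account("staff@gmail.example", recovery="staff@hotmail.example"),
    Account("staff@corp.example", recovery="staff@gmail.example",
            same_password_as="staff@gmail.example"),           # reused personal password
    Account("ceo@corp.example", recovery="ceo@gmail.example"), # recovery mailbox never registered
    Account("it@corp.example"),
    Account("ops@corp.example", recovery="it@corp.example"),   # chain ends in a live mailbox
]}

if __name__ == "__main__":
    for root, exposed in audit(SAMPLE).items():
        print(f"{root}: exposes {sorted(exposed)}")
```

Run it against a real inventory by replacing `SAMPLE`; any root the report lists should have its dependants re-verify or replace their recovery address before a reset is ever mailed there.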
Automating the Process
The advent of social software and its rapid popularity