Twitter users have come under attack from scammers once again, and the microblogging site has asked several users to reset their passwords.
This latest attempt came through torrent file-sharing sites that contained hidden security exploits and backdoors.
Opinion is divided as to whether these security holes were the result of bad coding or, as Twitter claims, were deliberately created so the coder could later activate them.
The Attack According to Twitter
Twitter noticed a “sudden surge” in followers of a few accounts over the five-day period leading up to Tuesday, Del Harvey, the microblogging site’s director of trust and safety, wrote on its blog.
It pushed out a password reset to users following those accounts and began investigating.
According to Harvey, a coder has spent the last few years building torrent sites that require a username and password, along with forums for users of those sites, and selling them to people who want to start their own download sites.
A torrent is a small metadata file used by BitTorrent clients: it names the content, lists a hash for each of the pieces the content is split into, and points at a tracker. BitTorrent is a peer-to-peer file-sharing protocol for transferring large amounts of data over the Internet. Users first download the torrent file from a Web site, then load it into a BitTorrent client. The client contacts other BitTorrent peers, downloads the target file piece by piece, checking each piece against the hashes in the torrent, and simultaneously shares the pieces it already has with other users looking for the same data.
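The following is an added example, not code from the original article: a minimal parser for the .torrent format described above, written in Python. It encodes and decodes bencode (the serialisation .torrent files use), builds a constructed one-piece torrent for a short byte string, reads back the tracker URL, file name and piece count, computes the info-hash that identifies the swarm, and checks a downloaded piece against the SHA-1 the torrent commits to. The tracker URL, file name and payload are made up.

```python
import hashlib

# Bencode: integers i<n>e, byte strings <len>:<bytes>, lists l...e,
# dictionaries d...e with byte-string keys in sorted order.

def bencode(obj):
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = sorted((k.encode() if isinstance(k, str) else k, v) for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError("cannot bencode %r" % type(obj))


def bdecode(data):
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def _decode(data, i):
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":
        out, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = _decode(data, i)
            out.append(item)
        return out, i + 1
    if c == b"d":
        out, i = {}, i + 1
        while data[i:i + 1] != b"e":
            key, i = _decode(data, i)
            if not isinstance(key, bytes):
                raise ValueError("dictionary keys must be byte strings")
            out[key], i = _decode(data, i)
        return out, i + 1
    if c.isdigit():
        colon = data.index(b":", i)
        length = int(data[i:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("truncated byte string")
        return data[start:start + length], start + length
    raise ValueError("bad bencode at offset %d" % i)


# Constructed content for a one-file, one-piece torrent (not a real torrent).
SAMPLE_PAYLOAD = b"hello torrent world\n"


def make_sample_torrent():
    """Build a .torrent for SAMPLE_PAYLOAD with a hypothetical tracker URL."""
    info = {
        "name": "hello.txt",
        "piece length": 16384,
        "length": len(SAMPLE_PAYLOAD),
        "pieces": hashlib.sha1(SAMPLE_PAYLOAD).digest(),  # one 20-byte SHA-1 per piece
    }
    return bencode({"announce": "http://tracker.example/announce", "info": info})


def describe_torrent(raw):
    """Parse a .torrent and return the fields a client needs to join the swarm."""
    meta = bdecode(raw)
    info = meta[b"info"]
    pieces = info[b"pieces"]
    if len(pieces) % 20:
        raise ValueError("pieces field is not a whole number of SHA-1 digests")
    return {
        "announce": meta[b"announce"].decode(),
        "name": info[b"name"].decode(),
        "length": info[b"length"],
        "piece_count": len(pieces) // 20,
        # The info-hash is the SHA-1 of the canonically bencoded info dictionary.
        "infohash": hashlib.sha1(bencode(info)).hexdigest(),
    }


def piece_is_valid(raw, index, piece_data):
    """Check a downloaded piece against the hash the torrent commits to."""
    info = bdecode(raw)[b"info"]
    expected = info[b"pieces"][index * 20:(index + 1) * 20]
    return hashlib.sha1(piece_data).digest() == expected


if __name__ == "__main__":
    torrent = make_sample_torrent()
    print(describe_torrent(torrent))
    print("piece 0 valid:", piece_is_valid(torrent, 0, SAMPLE_PAYLOAD))
```

The piece hashes are what let a client reject corrupt or tampered data from untrusted peers. They only cover the content, though: they say nothing about whether the site that served the torrent, or the forum software behind its login page, is trustworthy, which is exactly the gap the attack described here exploited.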
The sites and forums created by the allegedly crooked coder are riddled with security exploits and backdoors. The coder would wait until the forums and sites sold and amassed a large number of members, then activated the security holes to get the usernames, email addresses and passwords of their members, Harvey claimed.
The forums themselves may have been hacked. “Additional exploits to gain admin root on forums that weren’t created by this person also appear to have been utilized,” Harvey wrote.
Twitter hasn’t identified all the forums involved, and Harvey said it probably won’t be able to. However, she issued a warning to users: “As a general rule, if you’ve signed up for a torrent forum or torrent site built by a third party, you should probably change your password there,” she wrote.
It’s the Password, Stupid
The root of the problem is users’ tendency to reuse one username and password across multiple sites, so that a breach of a low-value site hands an attacker working credentials for high-value ones. For example, a survey conducted by Trusteer found that 73 percent of users employ their online banking passwords with at least one non-financial Web site, and 47 percent of users share both their online banking user ID and password with at least one non-financial Web site.
“I have no reason to doubt that people do the same thing with their Twitter passwords and user IDs,” Randy Abrams, director of technical education at ESET, told TechNewsWorld.
Users should employ different passwords for each online service they sign up for, according to Twitter’s Harvey. That, however, is more easily said than done, said Wolfgang Kandek, chief technology officer at Qualys.
“People are overwhelmed with the number of passwords they have to use,” Kandek told TechNewsWorld. “At Qualys alone, I have probably 10 different systems I interact with — my email, human resources, the benefits system — all of which require different passwords and usernames.”
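As an added example (not part of the original article), here is how a service can act on a third-party breach dump the way Twitter did: match the dump against its own users and force a reset only for accounts whose leaked password also works locally. The account list and the forum dump are constructed; the service stores only salted PBKDF2 hashes, so the check runs without the service ever holding plaintext passwords. Written in Python.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption: tune to your hardware budget


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the service never stores the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def build_user_db(accounts):
    """accounts: iterable of (email, password) at sign-up -> {email: (salt, digest)}."""
    return {email.strip().lower(): hash_password(pw) for email, pw in accounts}


def find_reused_credentials(user_db, dump):
    """Return emails whose leaked third-party password also unlocks their account here."""
    hits = set()
    for email, leaked_pw in dump:
        key = email.strip().lower()
        record = user_db.get(key)
        if record is not None and verify_password(leaked_pw, *record):
            hits.add(key)
    return sorted(hits)


# Constructed data: this service's own sign-ups and a dump from a hypothetical torrent forum.
SERVICE_ACCOUNTS = [
    ("alice@example.com", "correct horse battery"),
    ("bob@example.com", "tr0ub4dor&3"),
    ("carol@example.com", "unique-to-this-site"),
]
TORRENT_FORUM_DUMP = [
    ("Alice@example.com", "correct horse battery"),   # same password here -> force reset
    ("bob@example.com", "bobs-forum-only-password"),  # different password -> no action
    ("dave@example.com", "whatever"),                 # not a user of this service
]


def accounts_needing_reset():
    return find_reused_credentials(build_user_db(SERVICE_ACCOUNTS), TORRENT_FORUM_DUMP)


if __name__ == "__main__":
    print("force password reset for:", accounts_needing_reset())
```

This only works when the dump carries plaintext or crackable passwords; a dump of well-hashed passwords cannot be matched this way. Note also that the reset is triggered by verifying the leaked secret against the local hash, never by trusting the dump's claim about which accounts exist, and that the reset notice itself should be the kind of message users can distinguish from a phishing lookalike.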
Why Twitter? Why Anyone?
Twitter is not a banking site, and users don’t normally store extremely sensitive information like Social Security numbers in their profiles. So what interest would a profit-driven hacker have in busting into other people’s Twitter accounts?
One motive may be a practice known as “spitting” — essentially the Twitter version of spam. If a hacker can access others’ Twitter accounts, they can tweet links to malicious Web pages to that person’s trusted contacts, as well as start following massive numbers of other Twitter users in hopes that they’ll follow back, thus expanding the pool of potential spam victims.
Other reasons may have nothing to do with Twitter per se. People who use the same username/password combo for a torrent site and Twitter might also use it for more sensitive matters like bank accounts, a prime target for hackers.
Who Did What How?
It’s not yet clear whether the security holes in the torrent forums were created maliciously or they were the result of poor coding.
Twitter claims they were created deliberately by a crook, a view ESET’s Abrams agrees with. “Remember, a non-malicious guy made millions of dollars selling pet rocks,” he pointed out. “How hard is it to imagine someone thinking of getting people to give him their usernames and passwords by just setting up a site to offer them stolen stuff that didn’t cost him anything?” Many torrent sites enable the illegal sharing of copyrighted material such as music and movies.
However, it’s possible the security holes in the torrent sites could have been created through poor coding. “It’s a little too early to tell whether it was really malicious or just a mistake,” Dave Marcus, vice president of threat research at McAfee Labs, told TechNewsWorld. “I find that claim a little dubious because the number of free BitTorrent sites that don’t require user registration and login way outstrips the number that do require these.”
Prefab Sites Could be Dangerous
The attack on Twitter points to another problem that might become endemic soon: the increasing use of pre-built applications and sites by people who want to make money online.
“A lot of entrepreneurs are looking to make their fortune on the Web but may not have the technical knowhow or the time and patience to build their own sites or applications,” Graham Cluley, senior technology consultant at Sophos, told TechNewsWorld. “They are likely to acquire a prefabricated Web site, whether it be for searching torrents, online dating or a message forum.”
That problem might become worse over time. “Why should people have to build their own Web sites rather than acquiring the pieces and simply giving them a paint job?” Cluley asked. “Imagine if we all had to build our own television sets or cars instead of buying them.”
Companies offering online services need to think about ways to further improve security, Qualys’ Kandek said. “Twitter could argue that this latest attack has nothing to do with it and, strictly speaking, it would be right,” he pointed out. “But in terms of the Internet ecosystem, security is a real problem we all need to work to solve.”
One solution to this problem could be for service providers to adopt two-factor authentication, which combines something the user knows, such as a password, with something the user has, such as a hardware token or a mobile phone that generates or receives one-time codes.
“The token is one of the most powerful solutions to the security problem I’ve seen to date,” Qualys’ Kandek said.