NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > InfoSec News> 2009-q1

[ISN] Weak Password Brings 'Happiness' to Twitter Hacker

From: InfoSec News (alertsinfosecnews.org)
Date: Wed Jan 07 2009 - 00:10:16 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://blog.wired.com/27bstroke6/2009/01/professed-twitt.html

By Kim Zetter
Threat Level
Wired.com
January 06, 2009

An 18-year-old hacker with a history of celebrity pranks has admitted to
Monday's hijacking of multiple high-profile Twitter accounts, including
President-Elect Barack Obama's, and the official feed for Fox News.

The hacker, who goes by the handle GMZ, told Threat Level on Tuesday he
gained entry to Twitter's administrative control panel by pointing an
automated password-guesser at a popular user's account. The user turned
out to be a member of Twitter's support staff, who'd chosen the weak
password "happiness."

Cracking the site was easy, because Twitter allowed an unlimited number
of rapid-fire log-in attempts.

"I feel it's another case of administrators not putting forth effort
toward one of the most obvious and overused security flaws," he wrote in
an IM interview. "I'm sure they find it difficult to admit it."

The hacker identified himself only as an 18-year-old student on the East
Coast. He agreed to an interview with Threat Level on Tuesday after
other hackers implicated him in the attack.

The intrusion began unfolding Sunday night, when GMZ randomly targeted
the Twitter account belonging to a woman identified as "Crystal." He
found Crystal only because her name had popped up repeatedly as a
follower on a number of Twitter feeds. "I thought she was just a really
popular member," he said.

Using a tool he authored himself, he launched a dictionary attack
against the account, automatically trying English words. He let the
program run overnight, and when he checked the results Monday morning at
around 11:00 a.m. Eastern Time, he found he was in Crystal's account.

[...]

_______________________________________________
Please help InfoSecNews.org with a donation!
http://www.infosecnews.org/donate.html

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]