Brute force attack on Twitter

Wired Threat Level has posted an interview with the hacker who recently broke into several high profile twitter accounts, such as Fox News, and Barack Obama. Since we know how much you all love twitter, we thought you might want to learn more about it. Apparently he used a brute force method to get into a member of the support team. The password was “happiness” which was cracked pretty quickly. This might be a good time to review your own strategies to prevent brute force attacks.

Comments

  1. zub says:

    that’s a dictionary attack, not quite the same as brute force

  2. happypinguin says:

    blacklisting IPs works too but watch
    out for possible denial of service!

    The best thing is to enforce a minimum
    password strength for all users.
    Problem solved.

  3. JKB says:

    s/hacker/cracker/

  4. ex-parrot says:

    imo, DenyHosts is a better solution for rate-limiting SSH on Linux and *BSD systems.

  5. TJHooker says:

    happiness as a password. Whoever allowed that on a server they administered should be banned from ever working in the IT industry. That’s blatantly dumb.

  6. TJHooker says:

    Also on another note: 4chan types use stupidity like this and social engineering to break into accounts. It’s not software vulnerabilities by no means.

    I seen one case about a year ago where there where some people from there working as unpaid staff on a anime RPG site, and they where leaking informatin about accounts that where causing frequent defacements. They’re probably still there.

  7. Anonymous says:

    4chan, hackers on steroids

  8. Drew says:

    first palin now this, this is awesome no one is safe from hackers. you know if your famous its pretty much inevitable that you will get hacked it seems.

  9. TJHooker says:

    @#7: Maybe under some other ideology. The majority of them have no software engineering skills. They exploit stupidity; under your statement that insinuates the stupid people are in the social majority. Kind of makes sense I guess.

    The most skilled person on 4chan probably runs metasploit or milworm modules. Which apparently fail because they got into myspace and a lot of other places by trivial means- such as weak passwords.

  10. Shadyman says:

    @jkb:

    It looks like you forgot the ‘g’ at the end. The comments still seem to be unchanged.

    s/hacker/cracker/g

    Fixed it for you :)

  11. the game says:

    internet hate machine

  12. Jake D. Hipster says:

    “Since we know how much you all love twitter,”

    Nice :)
    I like that.

  13. Coderer says:

    It’s *so easy* to prevent brute-forcing, yet few do — @TJ, who said “it’s not software vulnerability”… yes, yes it is. Three (/four/five) retries, then you’re locked out for an hour. Bam, I’ve solved your problem, where’s my big fat check?

  14. tecNik says:

    Twtter example:
    “Today as I was walking down I was frustrated about the number of cameras, rfid’s, etc that track my every move….”

    irony-zing.

    I keeps my knifes sharp incase I meet anyone that twitters about updating there blog. =/

  15. tecNik says:

    Tw[i/a]tter example:
    “Today as I was walking down [address] I was frustrated about the number of cameras, rfid’s, etc that track my every move….”

    irony-zing.

    I keeps my knifes sharp incase I meet anyone that twitters about updating there blog. =/

    (Excuse the double post > tags messed it up and with no edit…)

  16. steve says:

    @shadyman

    I thought for sure no one else would get that sed joke.

    sed -e ‘s/hacker/cracker/g’

  17. monster says:

    my passwords are all as brute-force proof as possible, i have all my passwords set to zzzzzzzzzzzzzzzzzzzzz

  18. bencoder says:

    Coderer: Awesome… so if I want to lock someone out of an account all I need to do is make a script to enter a fake password every hour or so.

  19. IceBrain says:

    The best method is what PHPBB uses, imho: if you fail 3 password guesses you have to enter a captcha along with the password. The process would slow down so much that a good password would take days to find.

    You could also, after 10 or 15 bad guesses, disable the login for that account and send an email with an activation link.

    Even a dictionary attack would probably fail to find ‘happiness’ with just 10 tries.

  20. c0smic says:

    ahhaha .. i think i need to update my dictionary list .. “happiness” will be top 10 in the que .. lol ..

  21. coffee says:

    did the Twitter Admin change his password to “sadness” after he was hacked? haha

  22. kfcguy says:

    More entertaining version at
    youtube.com/watch?v=AVMW3Dq2KSY

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 91,851 other followers