Video: http://www.youtube.com/watch?v=IKNbggNJMVI
Wired Threat Level has posted an interview with the hacker who recently broke into several high-profile Twitter accounts, such as those of Fox News and Barack Obama. Since we know how much you all love twitter, we thought you might want to learn more about it. Apparently he used a brute-force method to get into the account of a member of the support team. The password was “happiness”, which was cracked pretty quickly. This might be a good time to review your own strategies to prevent brute-force attacks.
that’s a dictionary attack, not quite the same as brute force
blacklisting IPs works too but watch out for possible denial of service!
The best thing is to enforce a minimum password strength for all users. Problem solved.
s/hacker/cracker/
imo, DenyHosts is a better solution for rate-limiting SSH on Linux and *BSD systems.
happiness as a password. Whoever allowed that on a server they administered should be banned from ever working in the IT industry. That’s blatantly dumb.
Also on another note: 4chan types use stupidity like this and social engineering to break into accounts. It’s not software vulnerabilities by any means.
I saw one case about a year ago where there were some people from there working as unpaid staff on an anime RPG site, and they were leaking information about accounts that were causing frequent defacements. They’re probably still there.
4chan, hackers on steroids
First Palin, now this. This is awesome, no one is safe from hackers. You know, if you’re famous it’s pretty much inevitable that you will get hacked, it seems.
@#7: Maybe under some other ideology. The majority of them have no software engineering skills. They exploit stupidity; under your statement that insinuates the stupid people are in the social majority. Kind of makes sense I guess.
The most skilled person on 4chan probably runs Metasploit or milw0rm modules. Which apparently fail, because they got into MySpace and a lot of other places by trivial means, such as weak passwords.
@jkb:
It looks like you forgot the ‘g’ at the end. The comments still seem to be unchanged.
s/hacker/cracker/g
Fixed it for you :)
internet hate machine
“Since we know how much you all love twitter,”
Nice :)
I like that.
It’s *so easy* to prevent brute-forcing, yet few do — @TJ, who said “it’s not software vulnerability”… yes, yes it is. Three (/four/five) retries, then you’re locked out for an hour. Bam, I’ve solved your problem, where’s my big fat check?
Twtter example:
“Today as I was walking down I was frustrated about the number of cameras, rfid’s, etc that track my every move….”
irony-zing.
I keeps my knives sharp in case I meet anyone that twitters about updating their blog. =/
Tw[i/a]tter example:
“Today as I was walking down [address] I was frustrated about the number of cameras, rfid’s, etc that track my every move….”
irony-zing.
I keeps my knives sharp in case I meet anyone that twitters about updating their blog. =/
(Excuse the double post > tags messed it up and with no edit…)
@shadyman
I thought for sure no one else would get that sed joke.
sed -e 's/hacker/cracker/g'
My passwords are all as brute-force proof as possible, I have all my passwords set to zzzzzzzzzzzzzzzzzzzzz
Coderer: Awesome… so if I want to lock someone out of an account all I need to do is make a script to enter a fake password every hour or so.
The best method is what phpBB uses, imho: if you fail 3 password guesses you have to enter a CAPTCHA along with the password. The process would slow down so much that a good password would take days to find.
You could also, after 10 or 15 bad guesses, disable the login for that account and send an email with an activation link.
Even a dictionary attack would probably fail to find ‘happiness’ with just 10 tries.
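The two ideas traded in the comments above (a CAPTCHA step-up after a few failed guesses rather than a flat hour-long lock, plus a notification to the account owner after many more) fit together into one throttling policy. The sketch below is an added example for this thread, not code from Hackaday, Twitter or phpBB; the thresholds, the `LoginThrottle` API, the account name and the addresses are all constructed. It keeps the hard block on the source IP with an exponential backoff and only ever adds a CAPTCHA requirement to the account, so a stranger who hammers someone else's login cannot lock the real owner out, which is the denial-of-service worry raised in reply to the "lock out for an hour" suggestion.

```python
"""Login throttling that slows a dictionary attack without handing the attacker an
account-lockout denial of service. Added example, not the site's or phpBB's code.
All thresholds, names and addresses are constructed for illustration."""
import time
from collections import defaultdict
from dataclasses import dataclass

CAPTCHA_AFTER = 3       # account failures before a CAPTCHA is demanded
NOTIFY_AFTER = 10       # account failures before the owner is e-mailed a reset link
IP_BASE_DELAY = 2.0     # seconds; doubles with every failure from the same source
IP_MAX_DELAY = 900.0    # cap so a misconfigured client is not shut out for days


@dataclass
class AccountState:
    failures: int = 0
    notified: bool = False


@dataclass
class SourceState:
    failures: int = 0
    blocked_until: float = 0.0


class LoginThrottle:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = defaultdict(AccountState)
        self.sources = defaultdict(SourceState)

    def check(self, username, source_ip):
        """What this attempt must satisfy: 'blocked' (source still in backoff),
        'captcha' (account under attack, prove you are human) or 'ok'."""
        if self.sources[source_ip].blocked_until > self.clock():
            return "blocked"
        if self.accounts[username].failures >= CAPTCHA_AFTER:
            return "captcha"
        return "ok"

    def record_failure(self, username, source_ip):
        """Count the failure against both the account and the source. Only the
        source gets a hard block (exponential backoff); the account only ever
        gains a CAPTCHA requirement. Returns True once the owner should be told."""
        acct = self.accounts[username]
        src = self.sources[source_ip]
        acct.failures += 1
        src.failures += 1
        delay = min(IP_BASE_DELAY * 2 ** (src.failures - 1), IP_MAX_DELAY)
        src.blocked_until = self.clock() + delay
        if acct.failures >= NOTIFY_AFTER and not acct.notified:
            acct.notified = True
            return True
        return False

    def record_success(self, username, source_ip):
        """A correct password clears both counters."""
        self.accounts.pop(username, None)
        self.sources.pop(source_ip, None)


class FakeClock:
    """Deterministic clock so the scenario runs instantly and offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def run_scenario():
    """Constructed scenario: an unattended script works a short word list against
    the account 'support_admin' (real password 'happiness', as in the article) from
    one address, sleeping through each backoff but unable to solve a CAPTCHA.
    Meanwhile the legitimate owner logs in from a different address."""
    clock = FakeClock()
    t = LoginThrottle(clock=clock)
    account, real_password = "support_admin", "happiness"
    attacker, owner = "203.0.113.7", "198.51.100.5"
    wordlist = ["password", "123456", "letmein", "happiness"]

    attempts_sent, cracked, waited = 0, False, 0.0
    for guess in wordlist:
        req = t.check(account, attacker)
        if req == "blocked":
            waited += t.sources[attacker].blocked_until - clock.now
            clock.now = t.sources[attacker].blocked_until   # script sleeps it out
            req = t.check(account, attacker)
        if req == "captcha":
            break                                           # script cannot continue
        attempts_sent += 1
        if guess == real_password:
            cracked = True
            break
        t.record_failure(account, attacker)

    owner_requirement = t.check(account, owner)   # owner sees a CAPTCHA, not a lock
    t.record_success(account, owner)              # owner solves it, password correct
    return {
        "attempts_sent": attempts_sent,
        "cracked": cracked,
        "seconds_waiting_on_backoff": waited,
        "owner_requirement": owner_requirement,
        "owner_after_login": t.check(account, owner),
    }
```

In the constructed run the script gets three guesses in, spends 14 seconds in backoff, and never reaches "happiness" because the fourth attempt demands a CAPTCHA; the owner, from another address, is asked for a CAPTCHA but never blocked, and a successful login clears the account's counter.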
ahhaha .. i think i need to update my dictionary list .. “happiness” will be top 10 in the queue .. lol ..
did the Twitter Admin change his password to “sadness” after he was hacked? haha
More entertaining version at
youtube.com/watch?v=AVMW3Dq2KSY