No Patch for Human Stupidity by Charlie Martin
It’s been a tough week for Internet security. There were several real problems that showed up — like the actual demonstration of an MD5 collision exploit — that then have been completely overwhelmed by the news of a two-headed attack on Twitter. The first was a good old-fashioned phishing expedition, followed by some use of compromised accounts to extend the attack; the second, a compromised password (“happiness”) that certainly resulted in significantly less happiness for at least one Twitter employee.
Of course, if you’re not keeping up with the idiosyncratic slang of Internet security, that whole paragraph might as well have been High Martian. So let’s deconstruct it a bit.
The really interesting, technically significant attack was revealed in a paper at the Chaos Communication Congress — http://events.ccc.de/congress/2008/Fahrplan/events/3023.en.html. It’s been known for a few years that it was possible, in theory, to forge an MD5 signature, and to use it to attack some “secure” Internet connections. In this paper, an actual real-life attack was demonstrated, and even shown to be financially feasible. This caused some excitement in the security world, but nothing really major; it means that some of the big vendors, like Verisign, need to make some changes. (It also means that you should be very careful about using some web services, especially ones that base their security on RapidSSL, but these are a minority.)
In the meantime, though, there was a much simpler and less interesting — and much more exciting — attack on Twitter. It started like this: you would see a Twitter message that said something like “LOL someone wrote a funny blog post about you” followed by an anonymous link to a BlogSpot blog. That anonymous link redirected you to a web site that showed you a perfectly ordinary-looking Twitter login page that demanded your user name and password. A very large number of people fell for it and gave the web page their username and password. Shortly after that, their Twitter contacts found themselves getting messages saying, you guessed it, “LOL someone wrote…”.
The shock and dismay — which makes for lots of Twitter traffic, with warnings, retweeted warnings, rumors, bad advice, and re-retweeted corrections of the retweeted rumors and warnings — had barely started to die down when the official Fox News account announced “BREAKING: Bill O Riley is gay!” This was quickly followed by equally interesting announcements about Rick Sanchez at CNN, as well as from the Barack Obama official campaign account. At some point it became obvious that those accounts had been cracked as well; it eventually turned out to be a completely separate hack, someone who had simply found the user password for one of the Twitter tech people and used it to enjoy God-like privileges.
So what can we learn from all this? Computer security is in the news, first with a complicated technical attack that requires a good bit of technical skill, effort, and some supercomputer time to apply. In the meantime, someone in China managed to hack thousands of accounts with nothing more than a Twitter message and a web page, and some other guy embarrassed Twitter with nothing more complicated than obnoxious fan-boy determination. People typically don’t use smart passwords; and they don’t pay attention to where and when they’re asked for passwords.
Obviously, they need to. Everyone needs to. Me too, even though I’ve been dealing with computer security for twenty years and know perfectly well that passwords are always risky. But when you need a password for every account, every blog, and half the websites with interesting content, it’s almost impossible to come up with good passwords, and then remember them all — so we end up using dumb passwords... over and over.
Meanwhile, after a decade or more on the Web, most of us have long since stopped noticing when we are asked for user names and passwords, for social security numbers or our mother’s maiden names. Our fingers type them in long before our brain even notices. And as long as that happens, no network – and no on-line account – will ever be truly secure.