Twitter security breach leaks emails and passwords of 250,000 users

Twitter was very busy last night resetting passwords and revoking cookies, following a serious security breach that may have leaked the account data of about 250,000 users.

“Last night, we detected some very unusual access patterns that led us to identify unauthorized access attempts to Twitter user data,” said Bob Lord, Twitter’s director of information security.

According to Lord, Twitter was able to fully shut down the breach attack within moments of discovering it, but not before the attackers were able to make off with what he calls “limited user information,” including usernames, email addresses, session tokens, and encrypted passwords.

Passwords stored in this protected form are generally difficult to crack – but not impossible, particularly if the attacker is familiar with the algorithm used to protect them, which is why some suggest it may have been an inside job.

As a precaution, Lord says Twitter has reset the passwords of all 250,000 affected accounts – which, he observes, is just “a small percentage” of the more than 140 million Twitter users worldwide.

If yours is one of the accounts involved, you’ll need to enter a new password the next time you log in. Lord reminds all Twitter users to choose strong passwords – he recommends 10 or more characters, with a mix of letters, numbers, and symbols – because simpler passwords are easier to guess using brute-force methods.

In addition, he recommends against using the same password on multiple sites. Lord says Twitter’s investigation is ongoing, and that it’s taking the matter extremely seriously, particularly in light of recent attacks experienced by The New York Times and The Wall Street Journal.

“This attack wasn’t the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the internet safer for all users,” Lord added.

Although the attack took place last night, it seems to have no relationship to the outage that took Twitter offline for several hours on Thursday.

Lord’s revelations do, however, make rather cryptic mention of the U.S. Department of Homeland Security’s recent recommendation that users disable the Java plug-in in their browsers.

He mentions Java twice, in fact. While it’s true that the Java plug-in contains multiple known vulnerabilities and that numerous security experts have warned that it should be considered unsafe, the connection between Java and the attack Twitter experienced isn’t clear, and Twitter reps didn’t respond to our request for clarification.

In other internet news

About 71.2 percent of all exploit kits that attempt to inject malware into internet surfers’ computers were developed in Russia, and about 51.8 percent exploit fairly old operating system vulnerabilities.

To be sure, Blackhole 2.0 is the most often used exploit kit, installed on thousands of websites to attack and take over visitors’ computers.

However, it targets fewer software security holes than rival cybercrime kits. That’s according to a fresh report by managed security firm Solutionary.

Contrary to the hype that exploit kits target unpatched flaws in products, Solutionary found that the majority (59 percent) of exploited security vulnerabilities were more than two years old.

The company reviewed 26 commonly used malware kits and discovered code abusing security bugs dating as far back as 2004, evidence that older vulnerabilities continue to be mined for profit by cybercrooks.

Typically, criminal hackers compromise otherwise perfectly legitimate websites to plant hacking toolkits and distribute fake antivirus software, banking Trojans and other bad code.

Researchers at the security firm concluded that antivirus products cannot detect more than about 64 percent of the malware being distributed, a finding that’s likely to be controversial in more ways than one.

The practical upshot of all this is that system admins would be wise to regularly update their servers, especially Windows Server 2003, 2008 and 2012, along with Adobe Flash, web browsers and Java, rather than rely on security scanners to block any attacks that come their way.

“Exploit root kits largely focus on targeting end-user applications,” said Rob Kraus, a director of security research at Solutionary. “As a result, it’s absolutely critical that organizations pay close attention to security patch management and endpoint security controls in order to significantly lower the likelihood of a server compromise.”

In other internet security news

A large group of activists, privacy organizations, journalists and others have called upon Microsoft to be more forthright about when, why, and to whom it discloses its data about Skype users and their communications.

In an open letter published yesterday, the activist coalition argues that Microsoft’s statements about the confidentiality of Skype conversations have been “persistently unclear and confusing,” casting several doubts on the security and privacy of the Skype platform.

“Many users of the platform rely on Skype for so-called ‘secure communications’ – whether they are activists operating in countries governed by authoritarian regimes, journalists communicating with sensitive sources, or users who wish to talk privately in confidence with business associates, family, or friends,” the letter explains.

Among the group’s numerous concerns is that although Skype was founded in Europe, its acquisition by a U.S.-based company may mean it is now subject to different eavesdropping and data-disclosure requirements than it was before.

The coalition group claims that both Microsoft and Skype have refused to answer several questions about what kinds of user data the service retains, whether it discloses such data to governments, and whether Skype conversations can be intercepted in any manner.

The letter calls upon Microsoft to publish a regular transparency report outlining what kind of data Skype collects, what third parties might be able to intercept or retain, and how Skype interprets its responsibilities under the laws that pertain to it.

Additionally, it asks for quantitative data about when, why, and how Skype shares data with third parties, including governments.

As the letter points out, several other companies already provide such reports, including Google and Twitter, and Google’s most recent report showed that government requests for user data from online companies have increased 70 percent since mid-2010.

Microsoft acquired Skype in 2011 for $8.5 billion and has since been working to make the service a key pillar of its communications strategy. Most recently, Microsoft announced that it would shut down its Windows Live Messenger service in March and urged all current Messenger users to switch to Skype.

As could be expected, Microsoft’s strong-arm tactics haven’t pleased Messenger fans, but they’ve impressed privacy advocates even less, given the ambiguity about what information Skype discloses.

“On the eve of Microsoft’s integration of Skype into many of its key software and services, the time has come for the company to publicly document Skype’s security and privacy practices,” the open letter reads.

The letter is co-signed by a total of 61 individuals and 45 organizations, including such groups as the AIDS Policy Project, Cyber Arabs, DotConnectAfrica, the Egyptian Initiative for Personal Rights, the Electronic Frontier Foundation (EFF), Reporters Without Borders, the Thai Netizen Network, and the Tibet Action Institute.

“Microsoft has an ongoing commitment to collaborate with advocates, industry partners and governments worldwide to develop solutions and promote effective public policies that help protect people’s online safety and privacy,” the company said in an emailed statement.

In other internet security news

Kaspersky Labs said today that it has discovered yet another global spying campaign that targets numerous governmental agencies, political groups, universities and research institutions.

On the same level as the memorable ‘Flame’ malware, Kaspersky and a number of Cyber Emergency Response Teams (CERTs) discovered the malware, known as ‘Rocra’ or ‘Red October’, which mostly targets institutions based in Eastern Europe, former USSR members and countries in Central Asia.

Kaspersky Labs says that Red October has been gathering a lot of data and intelligence from “mobile devices, computer systems and network equipment” and is currently still active. Data is gathered and sent to multiple command-and-control servers which the security firm says rivals the complex nature of Flame.

The malware is delivered via a spear-phishing email which, according to Kaspersky, targets carefully selected victims within an organization such as a government agency. The attached files contain at least three different exploits for Microsoft Excel and Word; once opened, they drop a trojan on the affected computer, which then scans the local network or the PC’s hard drive to determine whether any other devices are vulnerable to the same security hole.

By dropping modules that each complete a specific task, usually as .dll libraries, an infected computer carries out the commands sent by the command center and then immediately discards the evidence.

Separated into “persistent” and “one-time” tasks, the malware is able to spy and steal in a number of ways, including:

  1. Waiting for an MS Office or PDF document and executing a malicious payload embedded in that document
  2. Creating one-way covert channels of communication
  3. Recording keystrokes and taking screenshots
  4. Retrieving e-mail messages and attachments
  5. Collecting general software and hardware environment information
  6. Extracting browsing history from Chrome, Firefox, IE and Opera
  7. Last but not least, saving passwords
  8. Extracting Windows account hashes
  9. Extracting Outlook account information
  10. Performing network scans, then dumping config data from Cisco devices when available
  11. Keeping some .exe tasks on the system while waiting for the correct environment, for example for a phone to connect. Microsoft’s Windows Phone 8, Nokia smartphones and even the iPhone are all said to be vulnerable.

Engineered specifically to steal encrypted files and even those that have been deleted from a victim’s computer, the malware, named after the novel and film “The Hunt for Red October”, has several key features which suggest it may be state-sponsored, although there is no official word on this yet.

And it gets worse. A lot worse… Among the features of Red October is a resurrection module which keeps the infection hidden, disguised as a plugin for a program such as Microsoft Office, and which can reincarnate the infection after its removal.

Additionally, Red October doesn’t simply focus on standard computers, but is also able to infect and steal information from mobile devices, hijacking information from external storage drives, accessing FTP servers and stealing information from a number of email databases.

In order to control the network of infection, Kaspersky says that over sixty domain names and several different servers, hosted in various countries, are employed. In order to keep the main command center secret, the C&C infrastructure works as a huge network of proxies.

Kaspersky believes that the cyberattackers have been active for at least five years, based on domain name registration dates and various timestamps, and the firm “strongly believes” that the origins of the malware are Russian.

This high-profile network may suggest that state sponsorship could be involved. As Kaspersky Labs notes: “The data stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states.”

“Such data could be traded in the underground and sold to the highest bidder, which can be of course, anywhere. Any information harvested, including stolen credentials or confidential data, is stored for later use. For example, if an attacker needs to guess a password in another location, it is possible that harvested data could provide clues, creating an espionage network full of intelligence that hackers can refer to in need,” says Kaspersky.

After at least five years of activity, Kaspersky believes that at least 5 terabytes of confidential information could easily have been stolen.

“Since 2008, the attackers collected information from hundreds of high profile victims although it’s unknown how the data was used so far. However, it’s possible that the information was sold on the black market, or used directly,” Kaspersky warns.

The overall majority of infections are based in Russia, although Kazakhstan, Azerbaijan, the U.S. and even Italy have all reported a few cases already. The exploits also appear to have Chinese origins, whereas the malware modules may have a Russian background.

Red October was first brought to Kaspersky’s attention in October 2012 after a tip from an anonymous source. A full report on the spying campaign is due to be published this week. We will keep you posted.

In other internet security news

The political hacktivist collective Anonymous managed to hack into some of MIT’s websites earlier this morning in protest against the role computer crime laws and U.S. prosecutors may have played in the suicide of Aaron Swartz on Friday.

Twenty-six-year-old Internet activist Aaron Swartz was found hanged in his apartment in New York on Friday, having taken his own life at such a young age. He was under indictment for computer and wire fraud, facing fines and over thirty years in federal prison, and some are now blaming strict computer laws and the U.S. justice system for his untimely death.

Anonymous posted its message in red on a black background, claiming that Swartz’s prosecution was unjust and his actions were political activism, not criminal activities.

“Whether or not the government contributed to his suicide, the government’s prosecution of Swartz was a grotesque miscarriage of justice, a distorted and perverse shadow of the justice that Aaron died fighting for,” the message read.

“The situation Aaron found himself in highlights the injustice of U.S. computer crime laws, particularly their punishment regimes and the highly-questionable justice of pre-trial bargaining. Aaron’s act was undoubtedly political activism, and it had some very tragic consequences: his own death.”

Swartz was arrested in 2011 after allegedly using a laptop stashed at MIT to access J-STOR, an archive of academic journals, with a custom Python script and downloading 4.8 million articles. J-STOR charges for the documents, meaning the value of the articles amounted to a few million dollars.

Although J-STOR wasn’t interested in pressing charges, the U.S. government nevertheless proceeded with the indictment just the same. Swartz’s lawyer, Elliot Peters, was attempting to negotiate a plea bargain with prosecutors, but they remained insistent that he would have to spend time in prison.

Downloading the articles was part of Swartz’s campaign for free information online. He had pulled a similar stunt in 2008, when he snatched about 21 percent of U.S. court documents stored online and made them freely available to anyone, somewhat similar to what WikiLeaks did in 2010 and 2011.

While Swartz was suffering from severe depression, his family has attributed some of the blame for his death to his experiences of the U.S. criminal justice system. The Swartz family said in a statement that the justice system in the United States is “rife with intimidation and prosecutorial overreach”.

For its part, MIT has said that it will investigate how it handled the network breach and its role in Swartz’s prosecution. The Anonymous hackers were careful to say that they didn’t blame MIT, even apologizing for hijacking the university’s websites.

Anonymous called on the U.S. government to see the tragedy as a basis to reform computer crime and intellectual property laws and commit to a “free and unfettered internet for everybody”.


