Friday, January 9, 2009

Modern Graffiti

I've said before that attackers provide great insight into the evolving uses of technology. For the past decade or so the digital equivalent of graffiti has been the website defacement. The past week has seen thousands of primarily Israeli sites defaced as a result of the current Israeli/Palestinian conflict. Defacements are the low-hanging fruit of web security because they require minimal skill to succeed. When your target isn't specific (any Israeli website will do), given the sorry state of web security, it is trivial to find a vulnerable victim using freely available scanning tools. For this reason, defacements tend to be the domain of script kiddies and are used for the same reason that physical graffiti is used: to get a message across, be it political, religious or just mischievous. However, as communication mediums evolve, so too do the chosen targets for electronic graffiti, as was demonstrated this week by two very public attacks, on Twitter and on the popular MacRumors live blog.

Twitter saw 33 'celebrity' accounts hacked, with content added that was either meant to be mischievous, such as the breaking Fox News report on Bill O'Reilly's sexual preference, or intended to generate revenue, as with several that included links to affiliate sites. 'GMZ', a member of the Digital Gangster forum, was reportedly responsible for the attacks and used a simple dictionary attack against the Twitter administrator account of a user named 'Crystal'. The attack succeeded because Twitter did not lock out or throttle successive failed login attempts, so the attacker could keep guessing online, at the login form, until a common password matched. Twitter has now implemented a lockout.
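To make the failure mode concrete, here is an added example (my own illustration, not Twitter's code or anything described in the post) of a minimal password login service run against a constructed wordlist, once with no lockout and once with a per-account lockout after five failures. The username, password, wordlist and policy values (five failures, fifteen-minute lock) are all assumptions for the demo; PBKDF2 is used only to keep the example within the standard library.

```python
"""Added example: online dictionary attack against a login with and without lockout.

Everything here is constructed for illustration: the account, its password,
the wordlist and the lockout policy are not taken from the incident.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 5            # assumed policy: failures tolerated before locking
LOCKOUT_SECONDS = 15 * 60   # assumed policy: how long a lock lasts


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 keeps the example self-contained; a production
    # system would use a memory-hard KDF such as argon2id or scrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0       # consecutive failed attempts since the last success
    locked_until: float = 0.0


class FakeClock:
    """Injectable clock so lockout expiry can be exercised without sleeping."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class AuthService:
    """Password login with an optional per-account lockout."""

    def __init__(self, lockout_enabled: bool, clock=None) -> None:
        self.lockout_enabled = lockout_enabled
        self.clock = clock or FakeClock()
        self.accounts = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        acct = self.accounts.get(username)
        if acct is None:
            # Same answer as a wrong password so usernames cannot be enumerated.
            return "bad_password"
        now = self.clock()
        if self.lockout_enabled and now < acct.locked_until:
            return "locked"     # refused even if the password is right
        if hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.lockout_enabled and acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "bad_password"


# Constructed wordlist: a handful of perennially common passwords.
WORDLIST = ["123456", "password", "letmein", "qwerty",
            "abc123", "iloveyou", "sunshine", "monkey"]


def dictionary_attack(service: AuthService, username: str, wordlist) -> tuple:
    """Try each guess in order. Returns (password_found_or_None, attempts_made).

    The attacker stops at the first 'locked' response: further guesses would be
    refused regardless of whether they are right, which is the whole point.
    """
    for attempts, guess in enumerate(wordlist, start=1):
        result = service.login(username, guess)
        if result == "ok":
            return guess, attempts
        if result == "locked":
            return None, attempts
    return None, len(wordlist)


def demo() -> dict:
    """Run the same attack with lockout off and on; keyed by lockout_enabled."""
    results = {}
    for enabled in (False, True):
        svc = AuthService(lockout_enabled=enabled)
        svc.register("crystal", "sunshine")   # constructed credential, not the real one
        results[enabled] = dictionary_attack(svc, "crystal", WORDLIST)
    return results


if __name__ == "__main__":
    for enabled, (found, attempts) in demo().items():
        print(f"lockout={enabled}: password={found!r} after {attempts} attempts")
```

Without the lockout the seventh guess succeeds; with it, the sixth request is refused and the attacker gets nothing. The caveat a practitioner should keep in mind is that a hard per-account lockout is itself a denial-of-service lever (anyone who knows a username can lock its owner out), so in practice it is usually paired with, or replaced by, per-source rate limiting and increasing delays rather than a flat lock.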

The MacRumors hack came at a most inopportune time: during live coverage of the annual Macworld Expo keynote. At 9:24 am an unintended post, which obviously caught the bloggers by surprise, suddenly announced that Steve Jobs had died. Shortly thereafter the entire live blog had to be shut down as the attackers began flooding it with unwanted comments. Details of how the attack succeeded have not emerged, but rumors suggest that this too resulted from guessed or stolen password credentials. Comments on the 4chan forum also suggest that members of that community were involved in the attack. That is the same forum where details of the attack on Sarah Palin's email account first emerged.

What should we learn from this? From a technology perspective, eyeballs are moving toward real-time content. Our society has long sought instant gratification, and micro-blogging services such as Twitter are benefiting. What's more real-time than a quick comment from my phone letting the world know what I'm doing at every second of my exciting life, which I'm sure people simply can't live without? From a security perspective it's sad to see that after decades we're still relying on the single-factor authentication provided by passwords for sensitive accounts. To make matters worse, these passwords were obviously governed by poor policies (weak, guessable, and with no limit on failed attempts) and were perhaps even shared. These accounts deserved to be hacked, and the attackers (hopefully) taught Twitter and MacRumors a needed and embarrassing public lesson. Let's hope they learn.

- michael
