Saturday, April 27, 2013

Living Social Hack and AP Twitter Account Hacked


The website, LivingSocial, a daily deals site, was hacked late yesterday.  The original report came from AllThingsD.com, and includes the text of an e-mail the CEO sent to staff and now the public. No credit card data or merchant financial information was accessed, which must mean that they stored them on a separate server.  The cyberattack affected 50 million users (all users except those in Korea, Thailand, Indonesia and the Phillipines, which use different services with separate servers).  The attackers netted millions of user names, birthdates, e-mail and passwords.

The website now greets users with an announcement of the attack, and recommendation that users change their passwords.  The announcement notes that passwords are coded, and the CEO's e-mail says they have been "hashed and salted."  This mean they use an algorithm to code, or "hash" the passwords. Salting means that each user who uses the same password would have their password "hashed" into a different coded version.  However, those with passwords which are too easy may make it easy for the hackers to guess, since the hashing algorithm is known.  Hackers can use an online dictionary and a computer to try to guess multiple passwords in just a few seconds.  But because multiple passwords set to "password" would each have a different hashed version, the hackers will have to devote considerably more time to cracking passwords.

CNN Money Tech reports that a different cyberattack on the Twitter account of the Associated Press.  The hackers in that case planted a false report that President Obama had been injured in two explosions at the White House.   AP suspended their Twitter account, with an announcement that the report was false. However, the attack shows up security weaknesses with Twitter, which had been discussed for some time by security analysts with concern.  Apparently, unlike Facebook and Dropbox, among other sites which offer the option, Twitter does not yet require a "two-step authentication" process.

A two-step authentication, done properly, requires a combination of two out of three types of information:
1.  Who you are (physical ID for instance, or fingerprint scan or facial recognition now on many laptops)
2. What you have (a gadget that generates a code, or a one-time password provided in a list by the website for users, for instance),
3.  What you know (passwords, mother's maiden name for a security question, for example)

For instance, a good two-step authentication procedure might require not only your password, but also an individually created key, which might be stored only on a user's phone. The user sends the secret key along with their password.  A lower tech alternative to the gadget code is the list of passwords provided separately to users. A user would input one of the codes and mark it off the list.  When a user runs low on the number of provided by the website, they request a new list.  As long as the two items are received within a short time (approximately 30 seconds), the system will accept the combination log-in.  The CNN article notes that Twitter had advertised for engineers to develop a two-step security process, but apparently this has not yet been implemented.

Another hack previously compromised Fox News' Twitter account. In that case, the hacked tweet was that President Obama had been assassinated. The recent fake tweet actually caused a brief downturn in the stockmarket. According to the CNN report,  Twitter's response to these and various other hacks on corporate Twitter accounts has been to urge more care.  What they need is to implement better security.

The decoration for this post is from Wikipedia, which notes it was designed in the late 1990's by Dagmar D'Surreal, as a logo for the PhreakNIC annual conference in Nashville, Tennessee. Many thanks to my son, Joe McKenzie, for technical explanations made easy.

No comments: