Here is the main story, http://www.techcrunch.com/..
Executive summary: the attacker finds the Gmail address of a Twitter employee and goes to Gmail's lost-password function. The secondary (recovery) address it shows is a Hotmail account that has since been deactivated. He registers a new Hotmail account under that same address, so the reset message now lands in a mailbox he controls, and recovers the Gmail password. He then changes the password back for stealth, and because the employee reused that same password, it also opens Google Apps on the twitter.com domain.
Basically, here is what happened:
A young Frenchman known as "Hacker Croll" got interested in web security and social engineering a few years ago. He is unemployed. He wanted to hack into Twitter.
Now he has completely shadowed a Twitter employee's account and holds their 'main' reused password. He uses that password to get into Google Apps on the Twitter domain, and there he hits the goldmine: emails and email attachments. From the mass of mail he now controls he takes over the employee's personal email, work email, iTunes (which had a security hole that exposed complete credit card numbers), banking information, AT&T, MobileMe, Amazon, everywhere the person was a customer.
Then the CEO of Twitter downplayed the attack, so Hacker Croll, offended, sent all of the documents to TechCrunch to prove the severity of the breach. TechCrunch then published a wealth of internal Twitter memos, strategies and other documents. Here is HC's apology.
I would like to offer my personal apology to Twitter. I think this company has a great future ahead of it.
I did not do this to profit from the information. Security is an area that has fascinated me for many years and I want to do my job. In my everyday life, I help people to guard against the dangers of the Internet. I learned the basic rules .. For example: be careful where you click, which files you download and what you type on the keyboard. Ensure that the computer is equipped with effective protection against viruses, external attacks, spam, phishing … Keep the operating system and commonly used software up to date … Remember to use passwords without any similarity between them. Remember to change them regularly … Never store confidential information on the computer …
I hope that my intervention will be repeated to show how easy it can be for a malicious person to gain access to sensitive information without too much knowledge.
Croll Hacker.
Here is Twitter’s Official Response:
Twitter, Even More Open Than We Wanted
About a month ago, an administrative employee here at Twitter was targeted and her personal email account was hacked. From the personal account, we believe the hacker was able to gain information which allowed access to this employee’s Google Apps account which contained Docs, Calendars, and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company. Since then, we have performed a security audit and reminded everyone of the importance of personal security guidelines.
That makes you think about the balance between usability and security. Security as a whole is only as strong as its weakest link, and here the weakest link was not the Gmail password at all but the recovery address behind it: an abandoned Hotmail account whose name anyone could register again, plus one password shared between the personal and the corporate account. Better check those secondary email addresses and make sure they are just as safe and secure as your primary ones. Which reminds me, I need to go change some stuff… brb. :)
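To make the chain concrete, here is an added example that is not from the original post, from TechCrunch or from Twitter: a small Python model of a Hotmail-like mail provider, a Gmail-like account with a recovery address, and a Google-Apps-like account that reuses the same password. Everything in it is constructed (the names, addresses and password, the `recycles` flag on the mail provider and the `max_recovery_age` policy on the primary service are assumptions made for the model), and it replays the summary above: re-register the dead recovery address, trigger a reset, read the token, mine old mail for the original password, restore it for stealth, and try it on the corporate account. Flipping either assumption shows which change would have broken the chain.

```python
"""Toy model of the recovery chain in the Hacker Croll story. Added example;
not Gmail, Hotmail or Twitter code. All names, addresses, passwords and the two
policy knobs (recycles, max_recovery_age) are constructed assumptions."""
import secrets
from dataclasses import dataclass, field


@dataclass
class MailProvider:
    """Webmail provider. recycles=True: a closed address may be registered again."""
    name: str
    recycles: bool
    owners: dict = field(default_factory=dict)   # address -> current owner
    expired: set = field(default_factory=set)    # addresses whose mailbox was closed
    inbox: dict = field(default_factory=dict)    # address -> delivered messages

    def register(self, address, owner):
        if address in self.owners:
            raise ValueError(f"{address} is taken")
        if address in self.expired and not self.recycles:
            raise ValueError(f"{self.name} does not reissue closed addresses")
        self.owners[address] = owner
        self.inbox[address] = []

    def expire(self, address):
        """Provider closes an inactive mailbox (the fate of the Hotmail account)."""
        del self.owners[address]
        del self.inbox[address]
        self.expired.add(address)

    def deliver(self, address, message):
        if address in self.owners:          # mail to a closed address just bounces
            self.inbox[address].append(message)

    def read(self, address, reader):
        if self.owners.get(address) != reader:
            raise PermissionError("not the mailbox owner")
        return list(self.inbox[address])


@dataclass
class Account:
    """A primary account: password, recovery address, when it was last verified, old mail."""
    password: str
    recovery: str
    recovery_verified_day: int
    mail: list = field(default_factory=list)


class Service:
    """Gmail-like reset flow: the token goes to the recovery address, whoever reads it wins."""

    def __init__(self, providers, max_recovery_age=None):
        self.providers = providers                # domain -> MailProvider
        self.max_recovery_age = max_recovery_age  # None: recovery address is never re-verified
        self.accounts = {}
        self.tokens = {}

    def request_reset(self, user, today):
        acct = self.accounts[user]
        if (self.max_recovery_age is not None
                and today - acct.recovery_verified_day > self.max_recovery_age):
            return False  # stale recovery address: refuse until the owner re-verifies it
        token = secrets.token_hex(8)
        self.tokens[token] = user
        self.providers[acct.recovery.split("@")[1]].deliver(acct.recovery, f"reset-token:{token}")
        return True

    def reset_with_token(self, token, new_password):
        self.accounts[self.tokens.pop(token)].password = new_password

    def login(self, user, password):
        return user in self.accounts and self.accounts[user].password == password


def run_chain(recycles, max_recovery_age=None, today=500):
    """Replay the attack; returns which stages the attacker reached."""
    hotmail = MailProvider("hotmail.com", recycles)
    gmail = Service({"hotmail.com": hotmail}, max_recovery_age)
    corp = Service({}, None)  # Google-Apps-like account on the company domain
    # Day 0: the victim sets everything up with one reused password (constructed data).
    hotmail.register("victim@hotmail.com", "victim")
    gmail.accounts["victim"] = Account("hunter2", "victim@hotmail.com", 0,
                                       mail=["shop.example signup: your password is hunter2"])
    corp.accounts["victim"] = Account("hunter2", "victim@gmail.com", 0)
    hotmail.expire("victim@hotmail.com")  # months later the unused mailbox is closed
    stages = {"took_recovery_address": False, "reset_primary": False, "corp_access": False}
    try:
        hotmail.register("victim@hotmail.com", "attacker")  # step 1: claim the dead address
    except ValueError:
        return stages
    stages["took_recovery_address"] = True
    if not gmail.request_reset("victim", today):  # step 2: the reset token lands with the attacker
        return stages
    token = hotmail.read("victim@hotmail.com", "attacker")[0].split(":", 1)[1]
    gmail.reset_with_token(token, "attacker-temp")
    stages["reset_primary"] = gmail.login("victim", "attacker-temp")
    # Step 3: old mail reveals the original password; restore it for stealth and reuse it.
    original = next(m for m in gmail.accounts["victim"].mail if "password is" in m).rsplit(" ", 1)[1]
    gmail.accounts["victim"].password = original
    stages["corp_access"] = corp.login("victim", original)
    return stages
```

`run_chain(True)` reaches every stage. `run_chain(True, max_recovery_age=90)` stops at the reset, because the recovery address has not been re-verified by the logged-in owner since day 0 and the service refuses to send a token to it. `run_chain(False)` stops at step one, because the closed address cannot change hands. The model says nothing about what Gmail or Hotmail actually implemented; it only isolates the two properties the story turns on: a recovery address that can be taken over, and one password shared between the personal and the corporate account.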
Twitter’s Internal strategy, http://www.techcrunch.com/…
The “Peanut Butter Manifesto” internal Yahoo Memo from back in the day, http://online.wsj.com/…
Every week, sometimes a few times a week, I cruise related sites in an interesting way. I try to find an interesting story on one of the mob-media-controlled sites, reddit or digg et al., and from there I only click links, without using the keyboard. I follow the rabbit hole from story to story in a sort of uncontrolled way. It's a great way to kill an hour and also to get to sites you usually wouldn't find any other way.
The other day, while following a design pathway through sites, I started hitting nothing but "Interface Designer" websites. I'm not sure where all these people came from. Looking at their resumes, it seems that most of them just got out of high school or are coming from unrelated fields. How does someone who has been an oil painter for 5 years now claim to be an interface designer? What sort of training or user experience background do they have? If you look at the examples or recent projects on their sites, you see a few tiny sites they have designed, but without much 'interface' involved.
That leads me to believe that "Interface Designer" is now the chic term for web designer. Why not call yourself a web designer? I think that's a pretty cool job title. It has been worn out over the years, granted. Everyone and their brother was a website designer in the late 90s. On asking them what they have done or what tools they use, you find out that they are just starting out and have bestowed the title on themselves.
Will Interface Designer be an 'uncool' term in a few years? Maybe.
Come on guys (UX at MySpace), seriously. I have been gone a few years and it seems like you are throwing UX to the wind. There is absolutely no way you tested this, or if you did, you ignored the results. Now, on to the show.
I got a spam/solicitation in my inbox from a random MySpace account. I used to work there and had several accounts, most fake, and most from different countries, language settings and regions. I had all of these when we were testing administration notices, and mainly the legalities depending on the municipality: certain states don't allow ______, others do, etc. The email was the typical "Ron, see what your friends are up to." It is their way of trying to show off the latest presence features they have implemented. I scroll to the bottom to find the unsubscribe link.
So, I click the link and what do I find? This contraption.
23 clicks to unsubscribe from emails. No way to uncheck them all, or just to opt out of everything at once. No, they need to ask about every single detail. The way to think of this is user intention and user experience.
User intention: for some reason the user wants to stop getting at least one type of email, but maybe all of them. Studies show that people who click on unsubscribe links REALLY want to get out of it all.
Return Path released a study about unsubscribe experiences and the effect they have on the customer. I'll mention a few items from it, because registration is required to view the full report.
http://www.90percentofeverything.com/ has a post about the origins of the CTRL ALT DEL keystroke. I remember when I first saw this video many years ago and thinking about how so many things that are ingrained into the computer interface were developed by happenstance. Here is the video.