Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Saturday, February 02, 2013

Updating your Twitter Password Isn’t Enough

It happens so often that many of you probably ignore the newest reports of a bank or web service being hacked and personal information being stolen. Most news stations probably have a macro they can just fill in the variables that looks like “Today <X> was the victim of hackers. Information including name, passwords, credit card information, and <Y> for more than <N> customers was stolen and is now being sold online to other hacker groups.
wires

Most companies do little to notify customers and have a policy to reduce the severity perception of any attack. The common response is “No indication of customer data being abused has been reported”. In severe cases a company may offer free credit report monitoring for a year to their customers. Unfortunately, this typically requires you to sign up using a credit card and unless you remember to cancel you’ll automatically be renewed and charged for any future years.

Twitter says “attack was not the work of amateurs…”

Today, the public news report is that information from approximately 250,000 Twitter accounts was stolen. Twitter has taken action but I recommend you do more than just change your password. Even if you don’t use Twitter this attack may still affect you.

  1. Immediately try to sign on Twitter and change your password. If your account was compromised Twitter may have already changed your password and you won’t be able to sign on. Don’t keep trying to sign on or you may be blocked.  Even if you weren’t a victim, tell Twitter to send you a password reset link to your associated Email address.  Check your Email and create a new password that you’ll remember and is different than your current password.

  2. Important: If you used your Twitter password or even something similar on other services like Facebook, start going to all the other services you use and change your password. I know keeping track of passwords is hard but hackers know you share passwords.

    The bad guys have automated tools which are now trying to use your Twitter Email and password to access Facebook, Google+, Gmail, Pinterest, Microsoft Live, LinkedIn,  Instagram, WordPress, BlogSpot and even GoDaddy.

    When you reset your password be sure to verify all the email accounts and cell phone numbers which are associated with your account. A hacker will add contact information so they’ll be able to re-reset your password and no matter how many times you change your password, they’ll still have it.

  3. Just in case: Your Twitter account is associated with an Email address. Change the password on this Email account. While the attack will not expose your email password it may make the email known. Depending on your background you could become the target of future attacks and that email may be the key to many other desired accounts.

  4. Be Smart: Be wary of ALL messages you receive from your friends especially on Twitter but also on Facebook, Email and other online services. If your friend had their account stolen they’ll most likely be sending out phishing attempts or links that will infect you. If you receive anything suspicious notify your friend immediately by phone and share these tips.

  5. Twitter Apps: Even if Twitter changed your password you probably have accounts with one of the popular Twitter Apps.  You will need to update your new password on apps you may have forgotten are associated with Twitter.  Examples include,  “Twitter for Android”, “WeFollow”, “TwitPic”, “TweepsMap”, “Cert Me”, “Seesmic”, “Disqus”, “Pinterest.”

    See https://twitter.com/settings/applications to view your apps and clean up any unwanted application.

  6. Remember to change the password on other Twitter accounts you have. In my case, one of my Twitter accounts was compromised but others were not. While my BillP account was compromised, I was able to sign on to my WinPatrol Twitter account without being forced to change my password. Imagine if I had used the same password for both accounts.  Smile

I’m pleased Twitter has made this attack public and even better they are forcing a password change.  They risk losing customers but they risk a lot more if user accounts remained open.  

I received the following Email at 11:09 AM EST today letting me know of the attack even though the Twitter Blog reported the attack yesterday afternoon. It might be worth following @boblord, the Director of Information Security for Twitter or the official @Twitter company account.

twitter_header

Dear Twitter User:

As a precautionary security measure, we have reset your Twitter account password. Check your inbox for a separate email from Twitter with instructions on how to reset your password. If you don't see an email, you can go to
this page in our Help Center to request a password reset. More information is below.

We recently detected an attack on our systems in which the attackers may have had access to limited user information - specifically, your username, email address and an
encrypted/salted version of your password (not the actual letters and numbers in your password). Further information about the attack can be found in this blog post.

Since your password has been reset, your old password will not work when you try to log into Twitter. We strongly encourage you to take this opportunity to select a strong password - at least 10 (but more is better) characters and a mixture of upper and lowercase letters, numbers, and symbols - that you are not using for any other accounts or sites. Using the same password for multiple online accounts significantly increases your odds of being compromised.

For more information about making your Twitter and other Internet accounts more secure, read our
Help Center documentation or the FTC's guide on passwords.

This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to reset your password and publicize this attack while we still gather information. We are also helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.

Twitter

So, please take this report seriously and do the homework I assigned above. As I’ve pointed out, the impact of this exposure goes far beyond Twitter. I hope you all realize the danger of you or your friends using the same passwords for multiple log-ins.  Even though Twitter took drastic measures by forcing users to reset their password, many risks still exist due to this common behavior.

Share on Facebook


2 Comments:

Anonymous Anonymous said...

“Important: If you used your Twitter password or even something similar on other services like Facebook, start going to all the other services you use and change your password. I know keeping track of passwords is hard but hackers know you share passwords.”

What I am about to say is harsh…. With all the articles written about easy passwords in both the geek press and the rest of the media, anyone who still uses 12345678 as a password or anyone who still reuses passwords, deserves every hack they get.

Noone has to remember a single password.
There are many password managers that are free to download and use. You only have to remember one STRONG password. Each account you have must have STRONG, UNIQUE, LONG passwords. I use a 32-character password. If you don’t want to remember passwords, then write them down at home and only logon from home. If you want the convenience of logging in from your phone or another computer, then you must do work to keep your password safe.

A STRONG password is one with numbers, upper & lower case letters, and special characters. I realize that some websites are are lazy and won’t let you use long passwords or special character. You just have to go with the flow. The most important thing is to use UNIQUE passwords, at the very least.

11:46 AM  
Blogger Unknown said...

Here's the first problem. Even if you have a password like "hdeu&37vftkcr#SW6hk9!ghFY" it's no safer than "12345" if the service you are using gets hacked.

If you read my follow up blog post it makes a good argument for password managers although my main point is no matter what password you use, having fake security questions is now more important than complex passwords.

My problem with password managers is I try not to download any new programs for fear of 1) bad programming screwing up my system 2) Unwanted crapware like toolbars 3)downloading a different program because of download site redirection and 4) vulnerabilities in the program or other errors that give people access to all my passwords. Unless I write it myself I'm not likely to use a password manager.

I am on your side with being harsh and appreciate you taking the time to post your comment. I share your desire to smack people upside the head and make them take password management more seriously.

You're not the first I've heard say, "...anyone who still uses 12345678 as a password or anyone who still reuses passwords, deserves every hack they get."
While I understand this emotionally it really is important for all of us to continue being harsh and making an effort to teach those in need.
The fact is, we will suffer the results from people who are hacked because they fall for some trick or use a 12345 password. If their computer is taken over it will be use for Denial of Service attacks, sending out spam, sending out vulnerability attacks etc...
It's no different from encouraging friends and co-workers to stay away if they're sick.

So, I will continue to do what I can to teach people healthy password behavior because it's good for all of us.

Bill

12:04 PM  

Post a Comment

<< Home