Monday Morning Madness - bootload
http://blog.twitter.com/2009/01/monday-morning-madness.html

======
omarchowdhury
The hacking seems like it was motivated by profit.

See: <http://d.ioj.com/209937/pxkr3qeg24ds.jpg>

The perpetrator posted a link to a website where users fill out a simple
survey and enter their email address to get a prize. The perpetrator would get
$1.50 for each person that completes the survey. Seeing as how this was done
from Obama's legitimate Twitter account, it would be very easy for people to
believe it.

However, the advertising company that runs the survey has banned the hacker.
It really was a dumb thing to do: the URL itself contains his affiliate ID on
that advertising network - enough to get his name, full address, social
security number with simple cooperation from the advertising company (Copeac).

------
tptacek
You think someone might want to rename this story "Twitter's official response
to security breach"?

~~~
omarchowdhury
+1 for alliteration though.

------
bootload
_"... @coda I don't sympathise with @al3x. Twitter is basically walking around
bent over with no clothes on right now. They can fix that. ..."_ ~
<http://twitter.com/blaine/status/1096877937>

Knocked off for the night reading this timely message by Blaine Cook.
Woke up reading the headline above by Biz Stone.

------
seldo
I'm really glad they point out that implementing OAuth would have done nothing
to prevent either the phishing attack earlier or this breach. People keep
waving OAuth around like it's some kind of panacea for security.

------
axod
"We'll put them back only when they're safe and secure."

I know it's easy to say it, but wouldn't it have been worth making sure those
admin tools were 100% secure to start with? Do they even need to be accessible
to anyone outside the company LAN?

~~~
tptacek
How do you know if something is "100% secure"?

It looks like they did exactly the right thing, which was to make the support
tools out-of-band until they can resolve how to secure them long term.

~~~
axod
If the admin tools are behind a firewall, then I'd say they are 100% secure,
apart from obviously someone breaking in and using a machine in the company,
and assuming no other machine has been compromised. If external access is
required, then of course some sort of secure vpn, locked down to certain IPs
etc etc.

Of course we don't know the full facts of how they were able to access the
admin system, so it's all pure speculation. It just struck me as a funny
statement.
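The kind of gate axod is describing, network-level restriction of an admin tool to the LAN or a VPN pool, as an added example that is not part of the thread and not Twitter's code. It assumes a WSGI admin app, hypothetical CIDRs for the office LAN, the VPN pool and one trusted reverse proxy, and a proxy that appends the peer address to X-Forwarded-For. The check trusts only the TCP peer address (REMOTE_ADDR), which a remote client cannot forge, and honours X-Forwarded-For solely when the peer is that trusted proxy, since otherwise anyone on the Internet could claim an internal address in a header:

```python
"""IP allowlist gate for an internal admin tool.

Added illustration, not code from the thread or from Twitter.
Assumptions (hypothetical): office LAN 10.0.0.0/8, VPN pool 192.168.0.0/16,
one trusted reverse proxy at 10.0.1.10 that appends the client address to
X-Forwarded-For.
"""
import ipaddress
from typing import Callable, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Networks from which the admin tools may be reached (assumed ranges).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),       # office LAN (assumed)
    ipaddress.ip_network("192.168.0.0/16"),   # VPN address pool (assumed)
]

# Reverse proxies whose X-Forwarded-For header we are willing to believe.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.10/32")]  # assumed


def client_address(environ: dict) -> Optional[IPAddr]:
    """Return the effective client IP for a WSGI request.

    REMOTE_ADDR is the TCP peer as seen by the server, so the remote end
    cannot spoof it.  X-Forwarded-For is attacker-controlled unless the
    peer is a trusted proxy; even then only the last hop (the one the proxy
    itself appended) is used, because earlier entries were supplied by the
    client.
    """
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    if any(peer in net for net in TRUSTED_PROXIES):
        xff = environ.get("HTTP_X_FORWARDED_FOR", "")
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        if hops:
            try:
                return ipaddress.ip_address(hops[-1])
            except ValueError:
                return None
    return peer


def is_allowed(environ: dict) -> bool:
    """True only when the effective client sits inside an allowed network."""
    addr = client_address(environ)
    return addr is not None and any(addr in net for net in ALLOWED_NETWORKS)


def admin_gate(app: Callable) -> Callable:
    """WSGI middleware that returns 403 for any request from outside the allowlist."""
    def gated(environ, start_response):
        if not is_allowed(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"admin tools are not reachable from this network\n"]
        return app(environ, start_response)
    return gated


def demo_admin_app(environ, start_response):
    """Stand-in for the real admin console (hypothetical)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"admin console\n"]


def status_for(environ: dict) -> str:
    """Run one constructed request through the gated app; return the status line."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    list(admin_gate(demo_admin_app)(environ, start_response))
    return captured["status"]


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(status_for({"REMOTE_ADDR": "10.20.30.40"}))
    print(status_for({"REMOTE_ADDR": "203.0.113.5"}))
    # Spoofed header from an untrusted peer is ignored.
    print(status_for({"REMOTE_ADDR": "203.0.113.5",
                      "HTTP_X_FORWARDED_FOR": "10.1.1.1"}))
    # Via the trusted proxy: the proxy appended the real client last.
    print(status_for({"REMOTE_ADDR": "10.0.1.10",
                      "HTTP_X_FORWARDED_FOR": "10.1.1.1, 203.0.113.5"}))
```

The header handling is the part worth checking in any real deployment: if the admin tool is fronted by a load balancer and the gate simply reads X-Forwarded-For, the "behind a firewall" assumption collapses, because an external client can put an internal address in that header. Restricting at the firewall or VPN concentrator, as axod suggests, avoids depending on the application getting this right.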

