Web Attack on Twitter Is Third Assault This Year

Saturday, December 19, 2009

An online attack Friday morning on Twitter was the result of the simplest of security breaches: someone got the password to enter the master directory of Twitter’s Internet addresses and then redirected users to an alternate site instead.

No user information appears to have been stolen in the attack. But the security breach — the third major one at Twitter this year — underscores the continuing weakness of the company’s systems as its micro-blogging service is becoming more important to business and even global politics.

The incident also highlights a basic vulnerability in the way life is lived as it becomes increasingly digital: With so much vital information stored on the Web, people are only as safe as their passwords.

During the assault, which security analysts said began about 1 a.m. and lasted roughly an hour, hackers tinkered with Twitter’s domain name servers, which are hosted by a Manchester, N.H., company called Dyn. When Web surfers tried to reach Twitter’s pages, they were sent instead to a site for the “Iranian Cyber Army,” which claimed responsibility for the attack.

The domain names were eventually fixed and redirected back to the correct servers at about 2 a.m., but because of the time the reset took, Twitter’s Web site was not fully functional again until an hour later, according to Rod Rasmussen, president of Internet Identity, an Internet security company, who watched the attacks unfold in real time through a new technology his company is building.

Twitter, which is based in San Francisco, declined to discuss details of the attack, and it was not clear how its security was compromised.

But Dan Kaminsky, director of penetration testing with the security firm IOActive, said that “in terms of this sort” of domain name server attack, “this is easily one of the most common hacks.” He said that a recent report by Verizon Communications found that 61 percent of Internet security breaches happen through simple password failures.

Security specialists say it will be extremely difficult to determine who was behind the attack. There was some indication that the attack came from within the United States, but authorities are still investigating.

Beth Jones, a senior threat researcher at the Internet security firm Sophos, said the attack did not look very sophisticated and probably was not the effort of a Web terrorist or other professional. “It could have been any number of people doing it,” she said.

Ms. Jones said the incident may have been “hacktivism,” an attack with a social or political motivation. “The point could purely be just to prove the site is insecure,” she said.

Although the attack did not appear malicious, it easily could have been, Ms. Jones said.

“Instead of throwing up a banner to cover the site, what if it had been an exact replica of the home page?” she said. “If this attack had been a phishing page instead, who knows how many millions of credentials they could have gotten?”

The attack was another black eye for Twitter, which had two major security breaches this summer.

In July, the technology blog TechCrunch published internal Twitter documents that had been stolen by an unidentified hacker who apparently figured out an employee’s e-mail password.

In August, unidentified attackers bombarded several social networking sites, including Facebook, YouTube and Twitter, with millions of junk e-mail messages in an attempt to block the Web pages of a 34-year-old economics professor who was writing about a skirmish between Russia and the republic of Georgia. The other sites withstood the assault, one of the most common types of Internet attacks, but Twitter struggled with its service for days.

Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab, an Internet security company in Woburn, Mass., said the latest incident was an embarrassment to Twitter. “Even if it was the fault of the hosting company, Twitter has a track record this year of having weak passwords and being compromised,” he said.

In September, Twitter raised $100 million from investors, adding to the $55 million it had raised previously. Despite all that new money, “Twitter still doesn’t seem to invest all that much in security,” Mr. Schouwenberg said.

In a blog post Friday afternoon, Biz Stone, a co-founder of Twitter, confirmed that the hijacking occurred. “The motive for this attack appears to have been focused on defacing our site, not aimed at users,” he said. “We don’t believe any accounts were compromised.”

Mr. Stone and other company officials declined requests for interviews.
