Earlier this week, an Australian firm providing billing and support services to web hosting firms found that their web site had been destroyed, their Twitter account hacked, and 1.7G of data (including customer information and hashed passwords and credit card numbers had been posted to the Internets for the world to see.
You’d think that the hackers who went on this rampage must have been really clever and exploited some arcane vulnerability to gain access to all of this valuable data. Or maybe they used some uber-slick piece of malware to get the information. You’d be wrong.
What appears to have happened is that the attackers were able to figure out the answers to the “security questions” for the company’s lead developer and use this information to con the webhost running the company’s web site to provide him with the administration password. It appears that the admin password was also the corporate Twitter account password. Doh!
Lessons we can learn from this:
- Security questions suck as an authentication mechanism. Think about the last few times you had to establish security questions – how easy would it be to guess your answers by looking at your Facebook, LinkedIn, or Twitter accounts? If the information is not there, a quick browse throw people search web sites may yield the information.
- Using the same password for multiple sites is a bad idea. It appears that the same password was used for both the victim company’s server administration and corporate Twitter account.
What you can do to protect yourself and your company:
- Build yourself a legend. Come up with a set of (false) security question answers which cannot be guessed by attackers. For example, your first car could be a “1931 Bugatti Royale Kellner Coupe,” your first school could be “Harvard,” and the town you grew up in could be “Peoria” (or if you are really good, one of these places). Above all, don’t use answers that can be found on your social media profiles or by Googling yourself.
- Don’t use the same password for multiple sites. You don’t want the compromise of one password to lead to an attacker getting access to all of your stuff. Use a password manager like LastPass or Keepass to easily and securely save you (per site) passwords as well as the fake answers to your security questions.