French Hacker Played Guessing Game to Access Twitter Accounts
Many organizations rely on security questions as a way to identify the true owner of an account. However, the recent success of a young Frenchman with limited computer skills in gaining access to President Obama's Twitter account suggests it's a flawed approach. Preset security questions are not the best way to protect an account, said Parry Aftab, a privacy lawyer and executive director of WiredSafety.
03/26/10 9:35 AM PT
After months of investigation by police and the FBI, a French hacker accused of breaking into the Twitter accounts of President Barack Obama and singer Britney Spears was arrested earlier this week.
Francois Cousteix, a 25-year-old unemployed man from central France who is known online as "Hacker Croll," is also accused of breaking into Twitter administrators' accounts and copying confidential data -- an attack that was acknowledged by Twitter cofounder Biz Stone last summer.
Cousteix has confessed to the hacks and now must appear in court in Clermont-Ferrand on June 24. If convicted, he faces the possibility of two years in prison and a 30,000 euros (US$40,226) fine.
Twitter did not respond by press time to TechNewsWorld's request for comment.
Guessing the Answers
Cousteix frequently perpetrated his attacks simply by guessing the answers to the security questions on his victims' accounts and then using that information to change their Twitter passwords, AFP reported.
He also often posted electronic copies of the pages he hacked into as proof of his successful attacks, according to reports.
Though Cousteix didn't attempt to profit financially from his Twitter attacks, he was already known to police for minor scams amounting to some 15,000 euros ($20,111), AFP reported.
'The Thrill of the Hack'
In this case, Hacker Croll's motivation appears to be primarily bragging rights.
"The sheer audacity of this hacker to crack into President Obama's account shows that hackers love the thrill of the hack, the possibility to delve into something forbidden," Washington, D.C., technology attorney Raymond Van Dyke told TechNewsWorld.
"Hackers love the thrill of the chase, overcoming barriers and entering the private world of others -- even President Obama's Twitter account is not secure against these culprits," Van Dyke added.
Potential Reputation Damage
Whether or not he used his access for malicious purposes, Hacker Croll's feat raises the question of what might have happened.
"On the face of it, access to someone's Twitter account isn't much of a big deal," Keith R. Crosley, director of market development with Proofpoint, told TechNewsWorld. "In most cases, people are using Twitter as a public posting mechanism and everyone can see what you are posting and who your contacts are."
Nevertheless, a compromised Twitter account can be a problem, Crosley asserted.
"First, of course, hacked accounts could be used to send messages -- of many different kinds -- that could cause confusion about the poster or damage that person's reputation," he pointed out.
"Secondly, and more insidiously, the hacked account could be used to send a seemingly innocuous message that contains a link to malware or a malware distribution site designed to steal more information or passwords," Crosley noted. "Since followers may view the message as trustworthy, since they feel they 'know' the sender, this can be a very effective vector for dissemination of such attacks."
Finally, "having full access to the hacked account would give access to direct messages sent and received by the actual owner, and these 'private' messages might contain information that the hacker would find more valuable," he added.
Figuring out a password on a site like Twitter could also give a hacker access to the user's accounts on other platforms, Crosley noted, since many users choose the same passwords on multiple sites.
'We Need to Stop Doing That'
Preset security questions are not the best way to protect an account, Parry Aftab, a privacy lawyer and executive director of WiredSafety, told TechNewsWorld.
"Most are answers to 20 typical questions -- your pet's name, your middle name, etc.," Aftab explained. "All someone needs to do is know a little about you."
For that reason, "we need to stop doing that," she asserted. "One thing I recommend to companies is to allow users to set their own security questions and come up with their own answers."
'Easily Searchable Information'
Security questions can be useful if they are just one part of a larger authentication system, such as one that ties the account login to a known IP address, among other measures, Crosley asserted.
"However, some types of security questions don't increase security," he added.
In password reminder or password reset systems, for example, "if users make a poor choice of password reminder questions and their answers, they may be putting their accounts at increased risk of getting hacked," he explained. "For example, the answers to many common reminder questions -- such as those about relative's names, one's birthplace, etc. -- might be easily gathered by looking at a Facebook profile or other easily searchable information."
Until more companies redesign their security systems, Aftab recommends that users answer preset security questions as if they were someone else -- their sister or their best friend, for example. That way, the answers can be remembered easily, but hackers would have a much harder time guessing them.
Users should also avoid using the same password on multiple accounts, Crosley stressed; they should also change the passwords on particularly critical accounts frequently.
Password management tools like KeePass can also help solve many password problems, he noted.
Perhaps most important of all to realize, however, is that "it is *not* safe to keep usernames and passwords in a text or Word file on your desktop," Crosley warned. "Many types of malware easily find such files and exploit what they find."