Twitter Is Nuts : Considering Two-Factor Authentication

 

Okay so it looks from this post that Twitter is at least considering two-factor authentication since it had a security breach in which 250,000 user accounts were compromised. During the breach Bob Lord revealed that passwords and salts were taken but they didn’t think that they could be cracked but just as a “precaution” they were resetting them.

“The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.
For that reason we felt that it was important to publicise this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.”  – Bob Lord (Director of Information Security @ Twitter )

 

Of course, those of you attending my security sessions last year remember that I was working on cracking algorithms using GPUs…. then later on this happened (Windows Passwords Cracked in 6 Hours with GPU Cluster) .  So the improbability of them cracking encrypted passwords doesn’t seem so improbable at all. One thing true hackers normally have is patience.

 

What is Two-Factor Authentication

Two-factor authentication adds on to the traditional reliance of username/password authentication with a second phase of entering a one time only password. This is typically referred to as the “something you know, something you have” scenario. The username/password being the “something you know” and typically a device(cell phone) being sent the one-time only password being the “something you have”. So it makes it highly unlikely that a hacker would get both your username/password and also your cell phone….unless they REALLY want to mug you to get it.

Additionally, they take care of (normally) the issue of using applications to access your account(like Outlook) by generating what is known as an application specific password. This is a password you would have the system generate(usually long and complex) that you would use for that application instead of your normal password. Then you can revoke/update the password application to application.

 

So now Twitter is considering two-factor authentication….sigh…and I am here just trying to yell “STOP THE MADNESS!”. Yes, that is right….just stop it! Two-factor authentication is great…just great when used in the right situation. So I thought it would be helpful to outline some of my thoughts on the subject….

 

All of this is pretty snazzy and protect against a lot of things but should it be used for everything like Twitter?

  • No, it’s Twitter for God’s sake!
  • No, you shouldn’t be using the same password for twitter that you use for your other accounts…period!
  • No, it’s Twitter for God’s sake!
  • No, hackers don’t necessarily care about cracking your Twitter password (see below)
  • No, it’s Twitter for God’s sake!
  • No, two-factor authentication doesn’t protect your from every scenario (see below)

 

So, now let’s look at some of the scenarios that even if Twitter had two-factor authentication doesn’t help a whole lot.

 

1. Hackers really want your email:  Yes, that’s right. A lot of the time hackers just want your email so that they can perform a phishing attack. Basically, it is the lazy hacker saying…oh I could go and try and try to crack these passwords or I could use something like Backtrack to generate a fake website and send you a “ZOMG! Your Twitter account was hacked and we need you to authenticate!”. This actually takes about 5 whole minutes with a tool like BackTrack and even goes out to Twitter to grab the HTML code to make a realistic login page. What they are aiming at is that you will then type in your username/password …. which is sent off to them and then they can use on whatever other sites they may have figured out that you have that may or may not use two-factor authentication.

2. Two-factor authentication doesn’t always work:  Yes, that’s right…. two-factor authentication does raise the bar for hackers to gain access but in certain instances you actually can help them out and they can skirt around it.. Please see here –>   Real-Time Hackers Foil Two-Factor Security

3. Hackers in this attack broke into the database: Yeah, normally in an hack you go through phases. Plan – Scan – Attack – Elevate – Persist. Pretty simple. So if I was to break into Twitter’s database somehow and gain access, remember even Lord thinks these attackers were sophisticated to some extent, I don’t just try to do SELECTs everywhere and try to leave. Oh no, I try to elevate my permissions to get as much of the good stuff as possible and if I can gain write permissions then it is off to the races. So Twitter saying “We’re going to implement two-factor authentication to protect our user’s data” doesn’t really so much protect the data if the attackers gain access to the source. If the phone number used by TFA is not stored correctly in the DB, then what is stopping them from doing a little UPDATE to send them to the burn phone is Moscow?

 

There are plenty of other examples I could use like your application specific passwords …or when you check the little box to tell Google or whomever to trust your computer for 30 days so you don’t have to be annoyed with the TFA – SMS scenario every time you try to access something.  What’s even worse is the case of man-in-the-middle attacks where they could make you go through the whole process of getting the one-time token…and the whole time they are intercepting your traffic and passing it on. So you are literally helping them to break into your own account….and I could go on and on.

The main point of all of this is not that two-factor authentication is not normally secure. It is! However, I think that everyone needs to take a deep breath before we start running around and screaming “The internet is broken! Two-factor authentication EVERYWHERE!”. Let’s keep it for the stuff that we really need it for like the email accounts that we use for our uber important stuff and not our non-important stuff like Twitter.

What do you think?  Do you want two-factor authentication for Twitter?

 

Cheers!
AJ

Leave a Reply

Your email address will not be published. Required fields are marked *