Security Weekly 44: Twitter, Passwords, Suffering
On May 3, Twitter asked all its users to change their password. The reason for this was not a hacker attack, as it usually happens, but a certain glitch in the system of recording events. Outside, the passwords were not visible, but due to incorrect settings in the log, they were written in clear.
The internal investigation conducted by the company excluded the possibility of unlawful use of openly stored passwords by anyone – whether it be an employee of the company or a third party. According to Reuters, in the internal logs for several months managed to write passwords of more than 330 million users.
CTO Twitter Parag Agrawal revealed a little more details on his blog. Passwords in Twitter are hashed using the bcrypt algorithm. Because of an error, passwords were written to the log before the hashing process was completed, and stored therein in clear form. After the problem was discovered (a few weeks ago) the logs were worn out. In addition, Twitter “introduces measures to prevent such cases in the future.”
Well, with whom it does not happen! Each development team has similar skeletons in the closet, and even worse. It would be interesting to see exactly what the “Twitter” log looks like and what is stored there (aside from passwords), but no one is going to disclose such details. The proactive position of Twitter is that they recommended all users to change the password, instead of silently waiting for “and suddenly carry” – is commendable. However, there were some shoals.
Ask the user why he changed the password after he asked to do it – well, at least strange. But that is not all.
The same CTO Twitter wrote that his company kindly provided the opportunity for users to make a measured decision: whether to change the password. And that Twitter was not required to disclose information about the problem.
Then the truth had to apologize, as Agraval was immediately put on a pompous arrogance: from the Lord’s shoulder they informed, you look! It is not excluded that they were not required by law. Okay, not everything went smoothly. Another important thing here is that the risks related to information security are better disclosed right away, as soon as they appear. For this respect, it would be nice for a respected public to react to such messages in a different way.
It coincided that this week there was a lot of other news about passwords. The day before Twitter, the recommendation to change the password was sent to GitHub users:
- And the set of words in the messages of the two companies coincided almost completely. GitHub also has bcrypt, also passwords in plain text in the logs and also no one was hurt. I even had to introduce a new formulation. Instead of “we do not store passwords in clear text,” it now says “we do not store passwords intentionally in the clear.”
Oh yes, on May 3, there was a world day of passwords. Then everything is clear. The Register ironically renamed it “a day of terrible advice,” and not for nothing. Here, for example, the canonically harmful advice from the Nutella twitter and the reaction to it:
- The Twenty thousand users with Nutella password. LogMeIn conducted a survey and found that 59% of users use the same password for various services for a long time. The remaining 41% of passwords are changed, but half the time less often than once a year. Recommendations of the same Twitter about the leak are quite reasonable: use strong passwords, do not use one password many times, enable multifactor authentication, use the password manager. But you can not say that many people follow these recommendations.
Our favorite TV series “Latay Specter and Meltdown” continues. As the expert Crowdstrike Alex Ionescu, released in January by Microsoft, the patch against Meltdown can easily be circumvented. By the way, several researchers are preparing to publish eight new vulnerabilities, similar to the Specter. There are no technical details yet, we are looking forward to it.
In 2014, “Laboratory” published a study on the vulnerability in the anti-theft software and hardware system Computrace for laptops. Last week, Arbor Networks discovered live samples of the LoJack program (part of Computrace) with malicious modifications, allegedly distributed by the APT group Fancy Bear.
And for dessert. The researcher from BitDefender has found a way to bring down any system on Windows 10 by plugging a prepared flash drive into the computer. Microsoft refused to repair the vulnerability, defining it as uncritical (since physical access is required).