Michael Arrington has become fairly well acquainted with the 21-year-old French hacker known as Hacker Croll. As we know, this is the person who hacked Twitter and gave Michael 300+ pages of official documents, which he has been gradually publishing online. The two are real friends by now and chat online every day. By the way, in case anyone did not know, Michael Arrington is a lawyer by training, so he certainly knows what he is doing and is not afraid of lawsuits (perhaps he has already agreed with Twitter on what can be published and what cannot).
From recent posts on TechCrunch we can learn all about Hacker Croll (HC): where he used to work in France, what he is doing right now (he is simply looking for a new job), when he became interested in hacking, how he started, why he hacked Twitter and, most interesting of all, in detail, how the hack was carried out. More on that last point below.
- The hacker did the standard groundwork that precedes breaking into any corporate network: searching open sources and compiling a list of employees, their positions, email addresses, birth dates and personal information, including the names of wives and dogs. All of this is easy to find on social networks.
- HC gained access to the Gmail mailbox of one Twitter employee by using password recovery to the backup email address. The backup address on file was a Hotmail mailbox that had already been closed. HC simply registered it, requested the recovery email, and clicked the link that generates a new password. That is how he got into Gmail.
- HC then searched the mail archive for any indication of what the Gmail password used to be. He managed to find it, and changed the password back to the old one so that the mailbox owner would not suspect a break-in.
- HC used the same password to log in to the corporate mail on Google Apps for Your Domain, and it worked. There he found a real trove of sensitive corporate data, in the message text but especially in the attachments.
- HC used this information and password guessing to get into the personal and work mailboxes of other Twitter employees.
- HC used the same username and password combinations to access AT&T, MobileMe, Amazon, iTunes and other services. Where needed, he reset the password by email, since he already had access to the mailboxes. A security hole in iTunes gave the hacker access to the account holder's unencrypted credit card information. In addition, HC gained control of Twitter's domain names through the web interface of the host, GoDaddy.
- Even at this stage, Twitter's staff still had no idea that they had been hacked.
As for the executives' utter carelessness about security, everything that has been said is true. One of the servers really did have the password "password", and one of the company's founders used his own name, "Jack", as a login.
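
As an added example (not part of the original post): the weak points in this chain, an abandoned recovery address, one password shared between personal and corporate mail, and a server password of "password", are all things an audit of a credential inventory can flag. The vault format, field names, sample entries and the one-year re-verification threshold are assumptions made for this sketch.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: a hypothetical credential-vault export, not real accounts.
VAULT = [
    {"service": "personal-webmail", "user": "alice", "password": "Tr1cky-horse-77",
     "recovery": "alice.old@freemail.example", "recovery_verified": date(2005, 3, 1)},
    {"service": "corporate-mail", "user": "alice", "password": "Tr1cky-horse-77",
     "recovery": "alice@corp.example", "recovery_verified": date(2009, 5, 1)},
    {"service": "admin-server", "user": "jack", "password": "password",
     "recovery": "jack@corp.example", "recovery_verified": date(2009, 6, 1)},
    {"service": "registrar", "user": "ops", "password": "c0rrect-battery-staple-9",
     "recovery": "ops@corp.example", "recovery_verified": date(2009, 6, 15)},
]

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}  # tiny illustrative list
MAX_RECOVERY_AGE_DAYS = 365  # assumed policy: re-verify recovery addresses yearly


def audit(vault, today):
    """Return {service: sorted list of findings} for entries with at least one issue."""
    findings = defaultdict(set)
    services_by_password = defaultdict(list)

    for entry in vault:
        services_by_password[entry["password"]].append(entry["service"])
        if entry["password"].lower() in COMMON_PASSWORDS:
            findings[entry["service"]].add("common-password")
        # A recovery mailbox nobody has confirmed in years may no longer belong
        # to the account owner, yet it can still reset the password.
        if (today - entry["recovery_verified"]).days > MAX_RECOVERY_AGE_DAYS:
            findings[entry["service"]].add("stale-recovery-address")

    # One password on several services means one compromise unlocks them all.
    for services in services_by_password.values():
        if len(services) > 1:
            for service in services:
                findings[service].add("reused-password")

    return {service: sorted(flags) for service, flags in findings.items()}


if __name__ == "__main__":
    for service, flags in sorted(audit(VAULT, date(2009, 7, 20)).items()):
        print(f"{service}: {', '.join(flags)}")
```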