Thursday, January 28, 2010

I've Been Hacked

There comes a time in every security worker's life when they get hacked. In fact, it usually happens more than once.

Now, for the necessary disclaimer. I work on security for Intel, not securing Intel, but developing devices that may someday go into chips that Intel sells to make you more secure. This blog, however, is only my own viewpoints and experiences, and is in no way an official Intel declaration, recommendation, or pronouncement. It's just me getting up on my soapbox and talking about what interests me, and what I've learned about being secure in a very open world.

Sometimes, like around April 1st, it happens because one of your co-workers decides that they want to amuse you. I got some very clever emacs macros one year that changed the way the screen looked, putting the status bar on the other side. I actually decided I liked emacs better that way and kept them there.

Other times, one gets hacked because one hasn't tightened the security of something enough and someone actually does break in. I used to have a very nice Unix system for the software company I own, which I had to administer myself. I left that system too open and I got rootkitted. After that, I bought a nice firewall, tightened up the permissions on the system's ports, and was safe until I retired that machine.

Well, given the rash of facebook and twitter attacks going on last fall, I figured I was about due for another learning experience. It was never really clear what was behind those attacks, although the koobface virus and some suspicious IQ-test links sent via DM were the top suspects. However, we were never certain that the problem was resolved and that the threat had dissipated. In fact, it is quite likely still a threat, just not an active one.

So, when I opened my tweetdeck session and saw the note that I had tagged @barackobama using this web-based twitter service, I feared the worst. Here was a wonderful twitter service that I had been using, and now my account there had been hacked. Moreover, since that account is based upon my twitter credentials, those had probably been hacked too.

Remembering the earlier viruses, I immediately tweeted that my ID had been hacked and not to follow any links I had sent. I then went about turning things off.

  1. I closed all windows except those I needed to turn things off.
  2. I revoked the service's access to my twitter account, from a machine where I hadn't been running the service.
  3. I changed my twitter password.
  4. I closed my last twitter session, went to a machine where I hadn't been running it, logged in, and immediately changed the password again.
  5. I then felt secure enough to turn twitter back on.

By that time, the problem had been tracked down. It wasn't a virus that had hacked me. I had been reporting a problem to the folks at the service, and they had logged into my account there to check it out, but had forgotten to log out, and the practical joke had been played from there.

And there lies the real moral of this story. In the end, most of our trust has to be in people. It was a person who forgot to log out of my account. It was a person who saw that as an opportunity to play a joke. All of the characters in this story were people. That is true in most security incidents. It usually isn't some very clever program that causes a security breach. It is usually some person's action: logging into a web site that one shouldn't have, posting a vacation itinerary on a facebook wall, choosing 123456 as a password.

Fortunately, this incident was more illustrative than dangerous. Besides, to live successfully, one must trust some people. Therefore, in the end, I decided I still trust the folks at the service, although I did ask them to read this entry so that they can think about how to be more careful with other people's data.

However, when one encounters what looks like a hack attempt, one cannot be too careful. Taking immediate action to keep the problem from getting worse was the prudent thing to do. I'm happy that the incident turned out to be more in my head than in reality, but I'm still glad I didn't let it get out of hand, and would have been more so had I really been hacked by someone malicious.

Epilog

After writing this description, I had some additional exchanges with the fine folks at the service, who explained what actually happened as opposed to what I perceived. I include some of that here:

Fair enough, but you have to know that I wasn't playing any kind of "joke" on you ... I was multi-tasking and trying very hard to help a valued user. And NOBODY else had access to your account --- the @barackobama "tag" was just the next thing I did in our service and I failed to notice that I was spoofed in as you via our system.

I readily admit the mistake and the tone of your post is very fair so I have no qualm.

I have not, however, figured out the issue you're having ... and I have to "spoof" your account to do so. Just as an FYI, I don't have ANY ACCESS to your Twitter account. We use Twitter to authenticate you but the resulting cookies are written to your computer (same as Twitter) and NEVER save that information on our end.

We know some applications do keep credentials and we see this as the type of grave threat you describe. And I personally only allow two applications access to my Twitter account (Our service being one.)

Anyway, when I diagnose your RT issue I will be more cautious, I promise.

Thanks for sharing and for being as generous as possible with your written commentary. We hope to keep you as a regular user, and we hope you continue to find value in our service.