
On May 3, Twitter asked all its users to change their password (news). The reason was not a hacker attack, as is usually the case, but a bug in the event logging system. The passwords were not visible from outside, but because of an incorrect logging configuration they were recorded in clear text.
An internal investigation by the company ruled out any unauthorized use of the openly stored passwords, whether by a company employee or by a third party. According to Reuters, over several months the passwords of more than 330 million users made it into the internal logs.
Twitter CTO Parag Agrawal gave a little more detail on his blog. Twitter passwords are hashed with the bcrypt algorithm. Because of the bug, passwords were written to the log before the hashing process completed, and were stored there in plain form. After the problem was found (a few weeks ago), the logs were wiped. In addition, Twitter "is introducing measures to prevent such incidents in the future."
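As an added illustration (not Twitter's or GitHub's code), here is the logging bug described above in miniature: a registration handler that logs the raw request before hashing, beside one that redacts secret fields first, plus a check that shows which of the two leaks the password. It uses stdlib PBKDF2 in place of bcrypt so it runs without extra packages; the field names and helper functions are hypothetical.

```python
import hashlib
import hmac
import io
import logging
import os

# Hypothetical field names that must never appear in a log line.
SECRET_FIELDS = {"password", "new_password", "passwd"}

def redact(params: dict) -> dict:
    """Copy of a request dict with secret fields replaced by a marker."""
    return {k: ("[REDACTED]" if k.lower() in SECRET_FIELDS else v)
            for k, v in params.items()}

def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256; stands in for bcrypt so this runs on stdlib only."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"pbkdf2_sha256${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(dk.hex(), dk_hex)

def register_buggy(params: dict, log: logging.Logger) -> str:
    # The pattern from the digest: the raw request is logged before hashing.
    log.info("register request: %s", params)
    return hash_password(params["password"])

def register_fixed(params: dict, log: logging.Logger) -> str:
    # Same flow, but only the redacted copy reaches the log.
    log.info("register request: %s", redact(params))
    return hash_password(params["password"])

def log_leaks_plaintext(handler, params: dict) -> bool:
    """Run a handler under a capturing logger; True if the password was logged."""
    buf = io.StringIO()
    log = logging.getLogger(f"audit.{handler.__name__}")
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    log.addHandler(logging.StreamHandler(buf))
    handler(params, log)
    return params["password"] in buf.getvalue()
```

Running `log_leaks_plaintext` over both handlers with a constructed request such as `{"user": "alice", "password": "Nutella"}` reports a leak for the buggy version only.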
Well, it happens to everyone! Every development team has similar skeletons in the closet, and worse. It would be interesting to see exactly what the Twitter log looks like and what is stored there (besides passwords), but nobody is going to disclose such details. Twitter's proactive stance, recommending that all users change their password instead of quietly waiting to see whether it blows over, is commendable. Still, it was not without its blunders.
Asking the user why he changed his password, right after you asked him to do so, is, well, at least strange. But that is not all.
The same Twitter CTO wrote that his company had kindly given users the opportunity to make an informed decision about whether to change their password, and that Twitter was not obliged to disclose information about the problem at all.
Admittedly, he later had to apologize, since Agrawal had come across as pompous and condescending: we have graciously informed you, so be grateful! It is possible that they were not required to by law. Fine, not everything went smoothly. What matters here is something else: it is better to disclose information security risks as soon as they appear. And it would be nice if the respected public reacted a bit differently to such announcements. Not in the style of "everyone, all is lost, as usual", but calmly: found, fixed, well done.
Coincidentally, this week brought plenty of other password news. The day before Twitter, a recommendation to change passwords went out to GitHub users:
Moreover, the wording in the two companies' messages matched almost completely. GitHub also uses bcrypt, also had clear-text passwords in its logs, and there nobody was harmed either. A new formulation even had to be introduced: instead of "we do not store passwords in clear text" it is now "we do not store passwords in clear text intentionally."
Oh yes, May 3 was World Password Day. Then everything is clear. The Register ironically renamed it "the day of terrible advice", and with good reason. Here, for example, is a canonically harmful piece of advice from Nutella's Twitter account and the reaction to it:
20 thousand users with the password "Nutella", ugh. Nicely celebrated the holiday! LogMeIn conducted a survey and found that 59% of users keep using the same password across different services for a long time. The remaining 41% change passwords, but in half the cases less than once a year. Twitter's own recommendations in connection with the leak are quite reasonable: use strong passwords, do not reuse one password many times, turn on multi-factor authentication, use a password manager. But it cannot be said that many people follow these guidelines.
In brief
Our favorite series, "Spectre and Meltdown", continues. As CrowdStrike expert Alex Ionescu found out, Microsoft's January patch against Meltdown can be easily circumvented. By the way, several researchers are preparing to unveil eight new vulnerabilities similar to Spectre. There are no technical details yet; we are looking forward to them.
In 2014, Kaspersky Lab published a study of vulnerabilities in the Computrace anti-theft software and hardware system for laptops. Last week, Arbor Networks found live samples of LoJack (part of Computrace) with malicious modifications, allegedly distributed by the Fancy Bear APT group.
And for dessert. A Bitdefender researcher found a way to crash any Windows 10 system by plugging a specially prepared USB flash drive into the computer. Microsoft declined to fix the vulnerability, classifying it as non-critical (since physical access is required).
Disclaimer. The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The editors generally recommend treating any opinions with healthy skepticism.