There's a news item out at the moment about how a French man has been arrested for a host of Twitter account attacks, including the accounts of US President Obama and Britney Spears. It seems the hacks were carried out in April last year, and the arrest came about after collaboration between the US FBI and French authorities. The suspect didn't do anything malicious with the information he came across; he simply took some screenshots of it and posted them on the Internet.
It seems the suspect had no formal computer training, but gained access to various Twitter accounts by pretending to be a site administrator and guessing passwords through information he had gathered. He is now awaiting trial and could be fined up to US$40,000 and jailed for up to two years.
I think this is a prudent time to remind our readers NOT to choose passwords that can be easily guessed. Don't choose the name of your pet, whose photos you have posted on your Facebook page with a caption stating his or her name. The same goes for your friends' and family's names, your school names, etc. In fact, as we've said before, don't choose words that can be found in the dictionary. Make your passwords long, mix in upper and lower case letters, and use special characters. You should know the drill by now.
And just a reminder about one of Randy's favourite recommendations for the security questions you are asked to answer in order to have your password reset if you forget it. Randy's suggestion is to use intentionally incorrect information. Picking a theme for the answers may help here. For example, if your mother's maiden name is "Smith", maybe use "Cleopatra". For your first pet's name, maybe use "Death Adder". If your high school was "Franklin High", use "Cairo High". You get the idea. Make the answers completely irrelevant to your real life. That way, if an attacker has gathered information about you and your life from MySpace, Facebook, etc., the true answers they have collected will not match the answers the application actually requires to reset your password. Of course, you need to make sure you remember what answers you set up (and that's where a theme might help), but doing this would make your account far more secure.
We keep bringing up this point, but it needs to be brought up on a semi-regular basis. Change your passwords often, use difficult to guess and long passwords, and don't use real answers for your password questions.
If you do that, there's a good chance you won't end up looking like a twit with egg on your face!
Senior Cybercrime Research Analyst
Author ESET Research, ESET