Comments on: Twitter Admin + Obama + Britney Hacked http://countermeasures.trendmicro.eu/twitter-admin-obama-britney-hacked/ Trend Micro’s Rik Ferguson blogs about current security issues. Thu, 02 Feb 2012 11:11:25 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Alex http://countermeasures.trendmicro.eu/twitter-admin-obama-britney-hacked/comment-page-1/#comment-704 Alex Mon, 25 May 2009 04:24:54 +0000 http://countermeasures.trendmicro.eu/?p=529#comment-704 Please wake up dear folks. There's no real identity in the cloud yet. Only trust information found on the internet as long as you double check it. Please wake up dear folks.
There’s no real identity in the cloud yet.
Only trust information found on the internet as long as you double check it.

]]> By: Rik Ferguson http://countermeasures.trendmicro.eu/twitter-admin-obama-britney-hacked/comment-page-1/#comment-521 Rik Ferguson Thu, 07 May 2009 07:38:47 +0000 http://countermeasures.trendmicro.eu/?p=529#comment-521 Hi Floris, Thanks for commenting. The point I was making in the post was this. I realise that the site owners will have full db access but certain data itmes should not be available to read in the clear. In the same way that reputable sites will not be able to read passwords in clear text I whould like to see personal information like telephone numbers on social networking sites similarly protected. Should there be a proiblem with functionality associated witht his sensitie data, then the values can be reset and re-entered, but I can't hink of a reason why they need to be read by the site or db admins. The "become" function bothers me really because of an asusmption I am making. I am assuming that the "become" function allows the admin the full capabilities of the account holder. I would argue that in sites that rely on trust and personal interaction, that the functionality on offer to Admins through means like this should be restricted so that they are unable to, for example, post publicly as the person they have "become". Hi Floris,

Thanks for commenting. The point I was making in the post was this. I realise that the site owners will have full db access but certain data itmes should not be available to read in the clear. In the same way that reputable sites will not be able to read passwords in clear text I whould like to see personal information like telephone numbers on social networking sites similarly protected. Should there be a proiblem with functionality associated witht his sensitie data, then the values can be reset and re-entered, but I can’t hink of a reason why they need to be read by the site or db admins.

The “become” function bothers me really because of an asusmption I am making. I am assuming that the “become” function allows the admin the full capabilities of the account holder. I would argue that in sites that rely on trust and personal interaction, that the functionality on offer to Admins through means like this should be restricted so that they are unable to, for example, post publicly as the person they have “become”.

]]> By: Floris Fiedeldij Dop http://countermeasures.trendmicro.eu/twitter-admin-obama-britney-hacked/comment-page-1/#comment-493 Floris Fiedeldij Dop Tue, 05 May 2009 13:25:48 +0000 http://countermeasures.trendmicro.eu/?p=529#comment-493 Rik, Regardless, the people who run twitter have full access to the database, so the 'become' is just a simpler way to achieve complicated steps via a browser interface. Without the link, and the function to support it, it would just require an alternative method via the console and manual commands. That companies decide to give this to all their staff members, vs just their trusted senior staff, is what the concern should be about. Rik,

Regardless, the people who run twitter have full access to the database, so the ‘become’ is just a simpler way to achieve complicated steps via a browser interface. Without the link, and the function to support it, it would just require an alternative method via the console and manual commands. That companies decide to give this to all their staff members, vs just their trusted senior staff, is what the concern should be about.

]]> By: Rik Ferguson http://countermeasures.trendmicro.eu/twitter-admin-obama-britney-hacked/comment-page-1/#comment-438 Rik Ferguson Fri, 01 May 2009 18:46:40 +0000 http://countermeasures.trendmicro.eu/?p=529#comment-438 Thanks for that Zeno, it's not a function I came across in my years of tech support :) I can see its usefulness in tracking down anomalous behaviour within a single user account definitely, but would have to question the decision to leave it implemented on an internet facing system where you literally are what you post. Thanks for that Zeno, it’s not a function I came across in my years of tech support :) I can see its usefulness in tracking down anomalous behaviour within a single user account definitely, but would have to question the decision to leave it implemented on an internet facing system where you literally are what you post.

]]> By: Zeno Popovici http://countermeasures.trendmicro.eu/twitter-admin-obama-britney-hacked/comment-page-1/#comment-428 Zeno Popovici Fri, 01 May 2009 13:20:41 +0000 http://countermeasures.trendmicro.eu/?p=529#comment-428 The "Become" function is implemented in many applications and is being used to track down user problems which cannot be tracked down using other methods. As I worked 3 years on user support with a series of such systems, this function is absoluteley necesarry in some situations. Password in not known by the admin and confidentiality is kept by strict regulation of how and when this function is used. The “Become” function is implemented in many applications and is being used to track down user problems which cannot be tracked down using other methods. As I worked 3 years on user support with a series of such systems, this function is absoluteley necesarry in some situations. Password in not known by the admin and confidentiality is kept by strict regulation of how and when this function is used.

]]> By: Rik Ferguson http://countermeasures.trendmicro.eu/twitter-admin-obama-britney-hacked/comment-page-1/#comment-423 Rik Ferguson Fri, 01 May 2009 10:14:21 +0000 http://countermeasures.trendmicro.eu/?p=529#comment-423 Yes sir it is, post duly updated thank you. I had mistakenly pulled it from the thread on the board discussing the newest compromise. I try to put all things Britney out of my mind ASAP. Yes sir it is, post duly updated thank you. I had mistakenly pulled it from the thread on the board discussing the newest compromise. I try to put all things Britney out of my mind ASAP.

]]> By: Graham Cluley, Sophos http://countermeasures.trendmicro.eu/twitter-admin-obama-britney-hacked/comment-page-1/#comment-422 Graham Cluley, Sophos Fri, 01 May 2009 10:05:36 +0000 http://countermeasures.trendmicro.eu/?p=529#comment-422 Isn't that Britney tweet about the size and sharpness of her la-di-dah, from the hack that occurred in January? http://www.sophos.com/blogs/gc/g/2009/01/05/britney-spears-twitter-account-phished/ and http://www.sophos.com/blogs/gc/g/2009/01/05/twitter-britney-barack-rick-fox-news-phished-hacked/ for details. Cheers Graham Isn’t that Britney tweet about the size and sharpness of her la-di-dah, from the hack that occurred in January?

http://www.sophos.com/blogs/gc/g/2009/01/05/britney-spears-twitter-account-phished/

and

http://www.sophos.com/blogs/gc/g/2009/01/05/twitter-britney-barack-rick-fox-news-phished-hacked/

for details.

Cheers
Graham

]]>