Mitigating Pwnage

Yesterday I got pwnd.Specifically, my Twitter account was compromised.

derby jentropy 1337Jenny being 1337 - Photo courtesy of David Costa Photography

I know what you're thinking. "But you're Jentropy, and Jentropy is 1337. What could have pwnd her?" Was it a coordinated effort from a team of government sponsored hackers? Was it a an exploit of a 0 day vulnerability in a piece of experimental hardware that she was using? No, it was none of those things. It was a phising worm. Yeah, one of those scripts that pwns children and those too technologically inept to find the any key on their keyboard.

reasons one is pwndLeft: What did not happen to Jenny. Right: What tricked Jenny.

How did this happen? I let my guard down. I've never been exploited before, even in the years when I hung out in circles where we spent most of our time trying to pwn each other. All it took was one moment of carelessness. Did I mention yet that how embarrassed I am?

Anyway, it's time for a post mortem. This way, hopefully my screw up can help someone else. The root cause is obvious, but damage was minimal, so something must have worked. Here's what I do to mitigate the damage these situations cause:

  • Different passwords everywhere - Never reuse passwords anywhere. The first thing an attacker will try is logging into other services with the same credentials.
  • Strong passwords - There are many ways to create strong passwords. Pick one and use it.
  • multi-factor authentication - If a service offers to SMS you codes or mail you a code generator for login, take advantage of it. If you can authenticate using an identity provider that provides multi-factor authentication, use them.
  • Tidy things up - Regularly clean up authentication cruft including one time use passwords and authorized apps. If you're not using them, deauthorize them.
  • Limit account creation - Each account you create is a vulnerability. Avoid creating accounts when possible.
  • Have a plan - Be ready for problems. When they happen, know where to go to reset all of your important credentials. Be prepared to lock things down for awhile.

There are also things service providers can do.

  • Provide multi-factor authentication - Provide it, and promote it to your users.
  • Support other identity providers - Allow users to sign in with their preferred identity provider such as Facebook or Google.
  • Shoot first, ask questions later - Twitter suspended my account at the first signs of trouble. That was awesome. Having to reset a password is a lot less trouble than cleanup from an exploit.

And finally, if you suspect a friend has been compromised, help them!

  • Alert them right away, but don't expect a response - I'm sure they appreciate the prompt alerts, but keep in mind they're busy cleaning up the mess. It's also possible that dozens or hundreds of other people have also alerted them.
  • Don't judge - I'm sure that you would never have fallen for the same trick, but don't get smug about it. We all have moments of weakness whether they be from a bit too much wine or just a really frantic day. I'm sure your friend has fended off similar attacks numerous times. Cut them some slack, they really need it right now.