Wednesday, June 01, 2011

A Weiner Schnitzel

Congressional member and famous womanizer, Anthony Weiner was caught sexting a picture of his penis to a coed via Twitter. He claims it was a prankster who did it, by hacking his account. Indeed, the guy who broke the story, @PatriotUSA76, has also been Twitter-stalking the congressman for the last month. What’s the likely truth?

It’s impossible to say. Celebrities famous for their womanizing are frequently caught sexting pictures. At the same time, hackers frequently break into celebrity accounts and cause mischief. The back-story (the womanizing, the stalking) supports either conclusion equally.

The people who know are Twitter (and the FBI, if they can convince Twitter to divulge the data). If the sexted tweets had the same IP address and application ID, then it’s likely the congressman is guilty. If they are different, then the congressman is likely the victim of a prank.

The website that broke the story stressed the fact that congressman’s account is “verified”, implying that this verify all tweets come from him and not a hacker. This is an incorrect interpretation. What Twitter “verifies” is that it was congressman Weiner who created the account. Anybody can lie, and pretend to be a celebrity -- the verification process verifies that the account actually belongs to the celebrity in question. But it says nothing about whether a hacker has broken into the account and spoofed tweets.

If it was a hack, how would that work? Well, that depends upon exactly what was hacked. It could have been his “password”, his “account”, his “connection”, his “computer”, or Twitter’s “servers”. I describe how each might be hacked below:

Hacking the password

The most common hack is simply stealing a person’s password. The hacker does something, like send a convincing e-mail to the person, and asks for the password. Those who are unskilled with computers, or simply unwary, can easily be tricked into divulging their password.

With the password, the hacker can then log on just like the victim, at the same time, from another computer. Twitter can easily detect this in their logs, because the offending tweet will come from a different Internet address.

On the other hand, when hackers do this, they typically change the old password, locking out the owner from his own account. In order to get the account back, the owner has to call Twitter and prove to them that he owns the account, and to reset the password.

In the Weiner case, the password wasn’t reset, suggesting the hacker didn’t have the password.

If this was the problem, Weiner can fix it by simply changing his password.

Hacking the account

Twitter allows other applications to access your Twitter account. It uses a technique whereby the application gets access, but does not use your password. When this happens, the account holder is given a prompt like the one pictured below:

Hackers trick people to give access to their account using the same tricks as disclosing passwords, in order to trick the wary who would otherwise not disclose their password.

If this happened, Twitter would see that offending tweet would have a different Internet address, and that it had authenticated through this mechanism.

Weiner can fix this by going into his “profile” and list everything that he has “authorized” to have access to his account, and “deuathorize” everything.

Hacking the connection

A common WiFi hacking trick these days is hijacking somebody’s Twitter connection. A hacker can sit next to their victim at Starbucks, or the airport. When they log onto Twitter, the hacker invisibly shares that session.

The hacker doesn’t discover the password, nor can the hacker change the password. But, the hacker can post tweets.

Several celebrities have fallen victim to this technique recently.

When this happens, Twitter will see that that the offending tweet comes from the same Internet address (that of the WiFi hotspot) as the normal tweets. However, they will probably appear to come from a different application, such as a different browser version.

A truly malicious hacker could attempt to replicate entirely the connection, and make the evidence (in Twitter’s logs) identical, but that would take extra effort a hacker is unlikely to bother with.

But, if the hacker and the victim both used MacBooks, which tend to have small variation among laptops, there is a greater likelihood that the application versions are the same by accident.

Weiner can prevent this from happening again by going into his Twitter profile and turning on “SSL” encryption. He would also have to pay attention, and not proceed with a login if there were any SSL errors (most people proceed anyway, allow hackers to hijack their connections).

Hacking the computer

Hackers spend a lot of time breaking into desktops and laptops, usually by “drive by exploits”. The either trick you into running a “virus” program, or they take advantage of a bug in the software (the browser, or Adobe Flash and Acrobate) to plant a virus on your machine. They can then remotely control that virus.

The problem with “drive by exploits” is that the hacker doesn’t know who he’s broken into. What hackers usually do is just including the computer in a “botnet” that remotely controls thousands of machines to send spam. They don’t care who owns the computer, nor do they (typically) do things like send tweets.

However, hackers frequently install “keyloggers” as part of their viruses. Keyloggers can capture the password as a user types it in, which could then be used as described above.

A hacker who controls a computer can do anything that the owner can do, include move the mouse, click on web browser, and type in a tweet. To Twitter, it would appear identical to the real user, because as far as anybody can tell, it is the real user in control of his machine. However, in this case, the offending tweet happened at roughly the same time as other tweets from the congressman: it is likely he would have noticed the mouse moving and things happening at that time.

The solution to this threat is to make sure the browser and Adobe Flash and Acrobat Reader applications automatically update to the latest versions. In addition, if using Windows, I would recommend upgrading to the latest version (Windows 7) and use any browser other than Internet Explorer.

By the way, something that also happens is simply that people leave their computers unattended. Somebody else in the office could have walked up to the computer, noticed an open Twitter connection, and pranked the congressman. At my old office, we would call this "baggy pantsing" somebody. You should always set your computer to go to screensaver/login after a few minutes, and when you get up from your computer, hit , which pops the up the login screen to resume the session.

Hacking the server

It’s also possible that Twitter’s servers themselves were hacked. Similar things have happened recently, such as the famous case of Sony Playstation and Gawker servers being hacked. In this case, all the evidence of the Tweet could be whatever the hacker wanted it to be.

However, it’s unlikely that a hacker who had successfully hacked his way in would be satisfied with forging a single tweet. It is more likely that the hacker would have downloaded the entire database of passwords and e-mail accounts, and used those for spam and further hacking.

A similar scenario is that the hacker broke into somebody else's servers. The congressman may have used the same password for his Gawker or Playstation account (assuming he had one), which would allow the hackers who stole those passwords to get into his Twitter account.

The best way to protect against this threat is, for important accounts, to never reuse passwords. The password you use for Twitter should be used for nothing other than Twitter. The password you use for your e-mail should be used for nothing other than that one e-mail account.


It is impossible for us to conclude that the Congressman did, or did not, send the tweets. But Twitter has the evidence. The FBI is unlikely to open a case for this, because the financial impact is less than $15,000, so they aren’t going to get the evidence out of Twitter.

Assuming it was a hack, I would guess the most likely scenario is that the hacker got his password somehow. My second guess would be that the hacker hijacked his connection.

The fact that the account was “verified” as belonging to Congressman Weiner has nothing to with whether it was hacked.

Other evidence

There are a lot of funny things in this case. For example, the congressman has said that he can't confirm the picture is not of him: maybe it is, maybe it isn't. The coed says she's never had an inappropriate conversation with the congressman. The most obvious question would be "...but has she had any conversation with him" (and the answer is "yes", they exchanged tweets, but nothing salacious, just about his appearance on a TV show in that area).

This sort of stuff looks bad for the congressman, but here's the thing: hackers attacks are usually à propos. If a hacker broke into his computer, found pictures of him, and a conversation with a coed, the most logical prank would be to sext the picture to the coed.

Law Enforcement

CNN asks (but does not answer): why hasn't Wiener gotten the FBI involved?

One answer is, of course, is that if he's guilty, he can't. Lies like "it wasn't me, but a hacker" and "the photo isn't of me" would be felony obstruction of justice. He knows this, and would keep far away from the FBI.

Another plausible answer is that he's guilty of something else, such as having an affair. This sort of thing would come out in an FBI investigation. This theory could explain why he refuses to deny the photo is of him -- yes, he could be hacked, but on the other hand, that photo is really of him sent to another woman, and he can't lie about it because of the obstruction of justice problem mentioned above. Remember that Scooter Libby was found guilty of obstruction of justice in the Valerie Plame affair, even though he was innocent of the crime for which he was accused.

Yet another reason is that he's innocent, and understands the difference between his computer being hacked, and his personal Twitter account. He has consistently describe the incident as a "prank" and an "account hack"; he's never described it as a "computer" hack. He worked on a recent cybersecurity bill, so he might understand the difference. When a congressman's computer gets hacked, that's important enough for the FBI to look into. When a personal Twitter account gets hacked because somebody chose a guessable password, that really isn't worthwhile investigating.

Is the image a hoax?

The DailyKos claims they have proof that the photograph itself, and the content on, is a hoax.

That's nonsense. Wiener admits that the event happened.

Second of all, it's typical conspiracy theory that asks questions, but provides no answers, implying that the only explanation is a conspiracy. For example, it points out that while the hidden EXIF information of the photograph means it came from Wiener's Blackberry Bold mobile phone, but that the phone doesn't take pictures of the size posted to YFrog, 800x600. There's a reason for that: when you transfer a picture off a Blackberry, you are given the option to send the full size image, or a smaller size, such as 800x600. While the EXIF info doesn't match a full size photograph, it corresponds exactly to the shrunk size that people typically used to transfer from their phones. The point is: it's the sort of detail conspiracy theorists want to believe in, but not one rational people would consider.

Thirdly, if you wanted to investigate the authenticity of the photo, such as whether things were photoshopped to look bigger, there are lots of good ways of doing it. Dr. Neal Krawetz has a blog, where he does this sort of analysis. It's fascinating. To the right, I show an example of this called "error level analysis". If this image had been photoshopped, we'd see the manipulated parts stand out from the random data. However, if this image had been resized, or resaved at a different compression level, the error level analysis would be completely destroyed, so the lack of results we see here don't prove it wasn't photoshopped. Since sites like Yfrog reprocess pictures, the fact that it's been resaved destroying error level information isn't surprising.

Another useful tool is JPEGsnoop. It can possibly fingerprint which software saved the image last, such as which camera took the picture, or which Photoshop version was used to manipulate the picture. Unfortunately, it has the fingerprint of the IJG software -- the most popular JPEG compression code, used in lots of products. The iPhone uses that library, and produces that signature when saving files. Looking around on the web, so does the Blackberry (which is identified in the EXIF data). It's a good program to compare the raw JPEG information with other 800x600 sized photos taken from Blackberries.


Update: If I had to bet money, I'd probably bet on "guilty" rather than "pranked". But I wouldn't give better odds than 50%/50%.


Albatross said...

Weiner is one of the most outspoken critics of the Republicans, frequently mocking them with their own words in Congressional testimony. If they were going to target someone for embarrassing character assassination, it would be Weiner. So means, motive, and opportunity... and an MO that includes James O'Keefe and Andrew Breitbart. I don't find it at all difficult to believe this is staged.

Robert Graham said...

Character assassination is about exploiting a person's weaknesses, not attacking their strengths. His womanizing made an inviting target.

Although, most hacking is "crime of opportunity" rather than some sort preplanned conspiracy theory. I doubt it was some carefully planned character assassination.

SydOracle said...

In the 'hacking the password' you suggest that "they typically change the old password". That isn't necessarily true of (web/imap) email accounts where it can be more useful to continually read someones email without their knowledge. Private/direct messages on twitter might also be sufficiently interesting for someone to choose not to change a password.

Not applicable in this case, of course, since the rogue tweet publicizes the hack

Robert Graham said...

Good point Gary. I was specifically referring to cases where the hacker make himself known. A good example is that of Greg Evans, where the false tweets stayed up for weeks because the password was changed, and Evans could not remove them.

Richard Bejtlich said...

Good analysis Rob. I've got a question and wonder what you think. Remember that W said his "FB" was "hacked"? I wonder if that photo was part of his FB photo collection? Could someone have stolen the photo from FB via the method revealed at AusCERT by @cmlh? I'm not convinced W sent a Tweet -- it might be a forgery as some of W's defenders have claimed. This might explain why W is acting oddly; it IS his photo, but originally from FB? Thank you.

Robert Graham said...

Good point, Richard.

I didn't want to discuss probable scenarios so much as point out the fact that almost certainly Twitter knows the truth.

It seems likely that it really is a photo of him (whether or not he was the one who sent it), although since he's widely described as a womanizer, I'm not sure that paints him a worse light.