SAN FRANCISCO – Twitter has been hacked, sort of. Actually, the Google Apps account used by Twitter employees was hacked, which led to the deeper compromise of the Twitter corporate network and the unauthorized release of data regarding the company’s growth plans and credit card numbers of several employees.

It’s believed that a hacker named Croll used the automated password reset system of Google Apps to gain access to a wiki used by Twitter employees. Once into the wiki and Gmail account, the hacker got all the information he needed to access other Twitter accounts, including the e-mail of the wife of CEO Evan Williams.

Some security analysts and bloggers say this will bring into question the security of both the malware-plagued Twitter network and Google Apps. In reality, this incident should bring into question password management itself, particularly in the cloud computing era.

“Our observations suggest that a number of companies and their staff are being forced down the cloud computing route and are having to adapt their IT security systems on the fly,” said Andy Cordial, managing director at Origin Storage, a division of Level 3 Communications. “We have had concerns about this rate of change in the business sector for some time and, with all the data breaches occurring on the cloud front, it’s obvious that the chickens are now coming home to roost.”

Many companies are using free online applications such as Google Apps, Zoho and Box.net for team collaboration and transferring data. Accounts are simple to set up and use, making them an ideal, lightweight alternative to expensive, proprietary systems such as Microsoft’s Office and SharePoint or IBM’s Lotus Notes. But simple and free often mean that such systems are designed for consumers first, enterprises second. Even the cloud-based applications being sold through the channel have the same basic password reset systems as the public versions.

Croll was able to break into the Twitter employee’s Google Apps account by guessing the secret question challenge in the automated password reset. This is when a password reset system asks you to verify your identity by posing a question to which only you should know the answer, such as your mother’s maiden name, your pet’s name or your place of birth. Such systems have been around for years, but they are increasingly less effective in the social networking age. Users include copious amounts of information about themselves in their Facebook, MySpace and LinkedIn profiles, making it easier for hackers to guess the correct answers to these reset questions.
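A hardened self-service reset flow, added here as an illustration and not code from Google, Twitter or the article: the secret-question answer is stored only as a salted slow hash and compared in constant time, a few wrong answers lock the fallback so low-entropy answers cannot be guessed online, and a correct answer yields only a short-lived, single-use token that still has to reach the user out of band. The account structure, function names, attempt limit and token lifetime are assumptions; `now` is passed in explicitly so the flow can be exercised offline.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_ANSWER_ATTEMPTS = 3      # lock the question fallback after a few wrong guesses
TOKEN_TTL_SECONDS = 15 * 60  # reset tokens expire quickly and are single use

@dataclass
class Account:
    salt: bytes
    answer_hash: bytes                  # slow hash of the normalised answer, never plaintext
    password_hash: bytes = b""
    failed_answers: int = 0
    locked: bool = False
    reset_tokens: dict = field(default_factory=dict)  # token -> expiry (epoch seconds)

def slow_hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

def hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise case and whitespace so "Fluffy " and "fluffy" compare equal.
    return slow_hash(" ".join(answer.lower().split()), salt)

def new_account(answer: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt=salt, answer_hash=hash_answer(answer, salt))

def request_reset(acct: Account, answer: str, now: float):
    """Step 1: a correct answer yields only a short-lived token, which the service must
    deliver out of band (e.g. a recovery address); the answer alone never resets anything."""
    if acct.locked:
        return None
    if not hmac.compare_digest(hash_answer(answer, acct.salt), acct.answer_hash):
        acct.failed_answers += 1
        if acct.failed_answers >= MAX_ANSWER_ATTEMPTS:
            acct.locked = True  # online guessing of a low-entropy answer stops here
        return None
    acct.failed_answers = 0
    token = secrets.token_urlsafe(32)
    acct.reset_tokens[token] = now + TOKEN_TTL_SECONDS
    return token

def complete_reset(acct: Account, token: str, new_password: str, now: float) -> bool:
    """Step 2: the token is consumed on first use and rejected once expired."""
    expiry = acct.reset_tokens.pop(token, None)
    if expiry is None or now > expiry:
        return False
    acct.password_hash = slow_hash(new_password, acct.salt)
    return True
```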

Cordial and others suggest that encryption of data at rest and in transit is an effective means of protecting against such a hack. Even if the hacker is able to reset a password and gain access, he won’t be able to read the encrypted data, they say. It’s a flawed argument, since encryption is typically dependent upon user passwords, too. If a hacker is able to reset an account password, he’ll likely be able to access the encryption keys as well. This is because users are not savvy and often use the same passwords across multiple applications.

Some security experts will say strong passwords are needed, such as the tried-and-true eight-character, mixed alphanumeric password standard. In a paper presented at a 2007 Usenix conference, Microsoft researchers Dinei Florencio and Cormac Herley questioned the wisdom and utility of strong passwords. Given that the average enterprise user has eight to 12 unique identities, each requiring a password, users forced into strong passwords and frequent password updates are more likely to use the same passwords across multiple applications, they wrote. Further, strong passwords and frequent password expirations force many users to write down and share their passwords, thus diminishing their strength and effectiveness.