IT Developments
Lessons from Twitter's security breach
- From: Brian Warkoczeski
- Date: Thu Jul 16 12:22:18 2009
Lessons from Twitter's security breach
by Josh Lowensohn and Caroline McCarthy
July 15, 2009
www.cnet.com
Twitter's latest security hole has less to do with its users than it
does with its staff, but lessons can be learned on both sides.
In the case of Jason Goldman, who is currently Twitter's director of
product management, the simplicity of Yahoo's password recovery system
was enough to let a hacker get in and gain information from a number of
other sites, including access to other Twitter staff's personal accounts.
The aftermath of the hack, which took place in May, is only now being
felt. Documents that a hacker going by the alias Hacker Croll
recovered from Goldman's account and others (including those of Twitter
co-founder Evan Williams) could be a treasure trove of inside
information about the company and its plans.
While Croll was planning to release the entire batch publicly (and at
once), tech blog TechCrunch posted news late Tuesday that it had
received them and was considering posting the details of at least some
of them.
Although it seems that Twitter has been thrust into this situation a bit
unfairly, a hack along these lines could have happened to the executives
of more Web companies than anybody would like to admit. What it really
highlights is the extreme interconnectedness of the social Web: with
the likes of e-mail contact importing and data-portability services like
Facebook Connect now commonplace, a savvy hacker can have access to
multiple accounts simply by accessing one.
A post Wednesday on Twitter's official blog highlights just how
far-reaching this can be.
http://blog.twitter.com/2009/07/twitter-even-more-open-than-we-wanted.html
"About a month ago, an administrative employee here at Twitter was
targeted and her personal email account was hacked," the post from
co-founder Biz Stone read. "From the personal account, we believe the
hacker was able to gain information which allowed access to this
employee's Google Apps account which contained Docs, Calendars, and
other Google Apps Twitter relies on for sharing notes, spreadsheets,
ideas, financial details and more within the company."
Following that attack, Twitter conducted a security audit, and Stone's
post says that there was not a security vulnerability in Google Apps and
that Twitter continues to use the suite internally. A separate hack
targeted the account of CEO Evan Williams' wife, and from that some of
Williams' personal accounts were accessed as well, Stone explained.
But Twitter is front and center in the news these days, and is now
talked about as a communications protocol as much as a Web start-up. Not
only does that make it a particularly appealing target, it also means
the reverberation in the media will be all the more sensational and
lasting. And this isn't the first Twitter security panic to hit the
press by any means. A number of celebrities' accounts were hacked in
January, which the company blamed on an "individual" hacker rather than
on any of the various phishing scams that had been popping up occasionally
on the microblogging service.
Security of Web apps under fire
Despite the breach, Twitter's executives say they have faith in the
cloud and securing data online.
"This is more about Twitter being in enough of a spotlight that folks
who work here can become targets," Stone's post read. "This isn't about
any flaw in web apps, it speaks to the importance of following good
personal security guidelines such as choosing strong passwords."
Stone added that Twitter is communicating with its legal counsel--the
company just hired former Google lawyer Alexander Macgillivray,
conveniently--to figure out how to deal not only with the hacker but
with people who share or publish the documents in question.
As for the log-ins though, it's a wake-up call to the importance of a
good password, and having systems in place that make it hard for the
wrong people to get in. And not all systems are created equal.
For instance, gaining access to someone's Yahoo account (which is how
this all started) can be simple if you have access to one of their other
e-mail accounts. Yahoo's process for password retrieval has several
steps, the primary one being the option to send a password reset to
another e-mail account it has on file. There is also the option to say
you can't access that e-mail account, which is likely the route the
hacker went. Choosing it takes you to a page where you have to answer a
secret question (usually a pet name), whose answer is set during the
account sign-up process.
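The recovery flow described above fails because a static secret-question answer is treated as proof of identity. The following is an added example (not code from the article, from Yahoo or from Twitter) of the alternative a defender would want: recovery that requires proof of control of the recovery mailbox via a short-lived, single-use, HMAC-signed token, with lockout after repeated bad attempts and no knowledge-question fallback. `ResetService`, the `ACCOUNTS` store and the addresses are constructed for illustration.

```python
import hmac
import hashlib
import secrets
import time

# Constructed in-memory account store (hypothetical; not any real provider's data).
ACCOUNTS = {
    "goldman": {"recovery_email": "recovery@example.invalid", "pwd_hash": None},
}
TOKEN_TTL = 900       # reset links are valid for 15 minutes (assumed policy)
MAX_ATTEMPTS = 5      # bad completions before the account's reset path locks


class ResetService:
    """Token-based password recovery: possession of the recovery mailbox is the
    only accepted proof. There is deliberately no secret-question path."""

    def __init__(self, key=None, now=time.time):
        self.key = key or secrets.token_bytes(32)   # per-deployment signing secret
        self.now = now                               # injectable clock for testing
        self.issued = {}    # token_id -> {"user", "expires", "used"}
        self.failures = {}  # user -> count of failed completion attempts
        self.outbox = []    # (recovery_email, token) pairs "sent"; constructed stand-in for mail

    def _mac(self, token_id, user, expires):
        msg = f"{token_id}|{user}|{expires}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def request_reset(self, user):
        """Start recovery. The response is identical whether or not the account
        exists, so the endpoint does not confirm usernames."""
        acct = ACCOUNTS.get(user)
        if acct is not None:
            token_id = secrets.token_urlsafe(16)        # base64url: never contains "."
            expires = int(self.now()) + TOKEN_TTL
            token = f"{token_id}.{expires}.{self._mac(token_id, user, expires)}"
            self.issued[token_id] = {"user": user, "expires": expires, "used": False}
            self.outbox.append((acct["recovery_email"], token))
        return "If an account exists, a reset link was sent."

    def complete_reset(self, user, token, new_password):
        """Accept the token only if it is untampered, unexpired, unused and bound
        to this user; every failure counts toward the lockout."""
        if self.failures.get(user, 0) >= MAX_ATTEMPTS:
            return False
        try:
            token_id, expires_s, mac = token.split(".")
            expires = int(expires_s)
        except ValueError:
            return self._fail(user)
        rec = self.issued.get(token_id)
        if (rec is None
                or not hmac.compare_digest(mac, self._mac(token_id, user, expires))
                or rec["used"]
                or rec["user"] != user
                or rec["expires"] != expires
                or self.now() > expires):
            return self._fail(user)
        rec["used"] = True
        # Stand-in for a real password KDF (argon2/scrypt/bcrypt) in production.
        ACCOUNTS[user]["pwd_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
        self.failures.pop(user, None)
        return True

    def _fail(self, user):
        self.failures[user] = self.failures.get(user, 0) + 1
        return False


if __name__ == "__main__":
    svc = ResetService()
    print(svc.request_reset("goldman"))
    _, link = svc.outbox[0]
    print("reset accepted:", svc.complete_reset("goldman", link, "new-passphrase"))
    print("replay accepted:", svc.complete_reset("goldman", link, "again"))
```

The key design points are that the token carries its own expiry under the MAC (so the client cannot extend it), is bound to the user it was issued for, is consumed on first use, and that the "I can't access that e-mail" branch simply does not exist; if the recovery address is unreachable, the case goes to a manual identity check rather than to a guessable question.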