Twitter Hack Puts Spotlight on Password Weaknesses
By Lawrence Walsh | Posted 2009-07-16
News Analysis: A hacker was able to reach Twitter's corporate network by tricking the password reset system for Google Apps. Security pundits are pointing to weaknesses in Google Apps, but the incident should put more focus on password policies and password management in general.
Twitter has been hacked, sort of. Actually, the Google Apps account used by Twitter employees was hacked, which led to the deeper compromise of the Twitter corporate network and the unauthorized release of data regarding the company’s growth plans and credit card numbers of several employees.
It’s believed that a hacker named Croll used the automated password reset system of Google Apps to gain access to a wiki used by Twitter employees. Once into the wiki and Gmail account, the hacker got all the information he needed to access other Twitter accounts, including the e-mail of the wife of CEO Evan Williams.
Some security analysts and bloggers say this will call into question the security of both the malware-plagued Twitter network and Google Apps. In reality, what this incident calls into question is password management, particularly in the cloud computing era.
"Our observations suggest that a number of companies and their staff are being forced down the cloud computing route and are having to adapt their IT security systems on the fly," said Andy Cordial, managing director at Origin Storage, a division of Level 3 Communications. "We have had concerns about this rate of change in the business sector for some time and, with all the data breaches occurring on the cloud front, it's obvious that the chickens are now coming home to roost."
Many companies are using free online applications such as Google Apps, Zoho and Box.net for team collaboration and transferring data. Accounts are simple to set up and use, making them an ideal, lightweight alternative to expensive, proprietary systems such as Microsoft’s Office and SharePoint or IBM’s Lotus Notes. But simple and free often means such systems are designed for consumers first and enterprises second. Even the cloud-based applications sold through the channel have the same basic password reset systems as the public versions.
Croll was able to break into the Twitter employee’s Google Apps account by guessing the answer to the secret-question challenge in the automated password reset. This is the step in which a reset system verifies your identity by asking a question to which only you should know the answer, such as your mother’s maiden name, your pet’s name or your place of birth. Such systems have been around for years, but they are increasingly ineffective in the social networking age. Users post copious amounts of information about themselves on Facebook, MySpace and LinkedIn, making it easy for an attacker to look up or guess the correct answers. The reset flow is, in effect, a second way to log in, and one secured by a few low-entropy facts rather than by a password.
Cordial and others suggest that encryption of data, both stored and in transit, is an effective means of protecting against such a hack. Even if the hacker is able to reset a password and gain access, he won’t be able to read the encrypted data, they say. It’s a flawed argument, because encryption is typically unlocked by a password, too. If the service holds the key and decrypts transparently for whoever is logged in, resetting the password hands the attacker the key along with the account. If the user instead protects the key with a passphrase of his own, that passphrase is often the same password he uses elsewhere; users are not savvy and reuse passwords across applications, so an attacker who has obtained the password anywhere can obtain the data as well.
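To make the key-custody point concrete, here is an added example (not code from Google Apps, Twitter or anyone quoted in this article) that models two ways a service might encrypt a user's stored data and shows what an attacker who has passed the reset flow can read in each case. The account classes, the document and the passwords are constructed for the demonstration; the cipher is a toy HMAC-SHA256 keystream with an HMAC tag, standing in for a real authenticated cipher such as AES-GCM.

```python
"""Where the data key lives decides whether a password reset exposes encrypted data.

Added example for this article; none of it is Google Apps or Twitter code. Two toy
account designs store the same document, a constructed attacker completes the reset
flow, and we check what each design yields. The cipher is an HMAC-SHA256 keystream
plus an HMAC tag, a stand-in for a real AEAD such as AES-GCM, not production crypto.
"""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # illustrative; tune for real deployments


def _subkey(master: bytes, label: bytes) -> bytes:
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def seal(master: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, encrypt-then-MAC under separate subkeys."""
    nonce = os.urandom(16)
    ct = _keystream_xor(_subkey(master, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(master: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _keystream_xor(_subkey(master, b"enc"), nonce, ct)


def derive_key(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


class Account:
    """Login credential plus a reset flow that anyone who passes its challenge can drive."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.pw_hash = derive_key(password, self.salt)

    def login(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, derive_key(password, self.salt))

    def reset_password(self, new_password: str) -> None:
        # The secret-question check that precedes this is assumed to have been
        # passed, which is what the attacker achieved in the incident.
        self.pw_hash = derive_key(new_password, self.salt)


class ServiceHeldKey(Account):
    """Design A: the service stores the data key and uses it for any logged-in session."""

    def __init__(self, password: str, document: bytes):
        super().__init__(password)
        self.data_key = os.urandom(32)
        self.blob = seal(self.data_key, document)

    def read(self, password: str) -> Optional[bytes]:
        return open_sealed(self.data_key, self.blob) if self.login(password) else None


class PassphraseHeldKey(Account):
    """Design B: the key is derived from a passphrase the service never stores."""

    def __init__(self, password: str, passphrase: str, document: bytes):
        super().__init__(password)
        self.kdf_salt = os.urandom(16)
        self.blob = seal(derive_key(passphrase, self.kdf_salt), document)

    def read(self, password: str, passphrase: str) -> Optional[bytes]:
        if not self.login(password):
            return None
        return open_sealed(derive_key(passphrase, self.kdf_salt), self.blob)


DOCUMENT = b"Constructed sample: growth plan, revenue targets, card numbers."


def demo() -> dict:
    # Constructed: the user's login password, a separate passphrase, and a third
    # account where the login password was reused as the passphrase and has since
    # leaked from another site, so the attacker knows it.
    user_pw, passphrase = "hunter2", "correct horse battery staple"
    a = ServiceHeldKey(user_pw, DOCUMENT)
    b_separate = PassphraseHeldKey(user_pw, passphrase, DOCUMENT)
    b_reused = PassphraseHeldKey(user_pw, user_pw, DOCUMENT)
    for acct in (a, b_separate, b_reused):
        acct.reset_password("attacker-chosen")  # attacker beat the secret question
    return {
        "service_held": a.read("attacker-chosen"),
        "derived_separate": b_separate.read("attacker-chosen", "fluffy"),
        "derived_reused": b_reused.read("attacker-chosen", "hunter2"),
    }


if __name__ == "__main__":
    print(demo())
```

Design A is what "the service encrypts your data" usually means in practice, and it is the case the argument above applies to: the reset hands over the account, and the account hands over the key. Design B resists the reset by itself, but falls as soon as the passphrase is a password the attacker already holds from elsewhere, and it also means a forgotten passphrase loses the data unless a recovery key is escrowed.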
Some security experts will say strong passwords are needed, such as the tried-and-true eight-character, mixed alphanumeric password standard. In a paper presented at a 2007 Usenix conference, Microsoft researchers Dinei Florencio and Cormac Herley questioned the wisdom and utility of strong passwords. Given that the average enterprise user has eight to 12 unique identities—each requiring a password—users forced into strong passwords and frequent password updates are more likely to use the same passwords across multiple applications, they wrote. Further, strong passwords and frequent password expirations force many users to write down and share their passwords, thus diminishing their strength and effectiveness.
The rising frequency of phishing and keylogging attacks is making it easier for hackers to capture even strong passwords. Users are commonly asked to create password-protected accounts on Web sites for everything from white papers to flowers for their spouses; they have become so accustomed to creating passwords that surrendering one when a phisher asks is now second nature. Worse, users often reuse the same passwords across multiple private and public accounts, so a hacker who cracks just one account gains access to many.
Solution providers should use the Twitter/Google hack as an example of the consequences of poor password management and user awareness, and recommend the following to their customers.
1. Always Use Strong Passwords. Regardless of what Florencio and Herley say, strong passwords are far better than using your children’s names, phone number or favorite color as a password. With those, it’s easier to guess the password outright than to guess the challenge question in an automated reset system. Strong passwords are an inconvenience for users, but a far greater hindrance to attackers trying to guess them.
2. Nonsynchronized Passwords. As a matter of policy, businesses should tell users to not use the same passwords across multiple accounts. Further, users shouldn’t use corporate passwords on public accounts, such as for Gmail or any online services. Using the same password across multiple accounts and domains, regardless of strength, creates a single point of failure; if one is compromised, all accounts are compromised.
3. Lie to Reset Systems. Many password reset systems don’t give users the option of creating their own challenge questions. For those systems, users should give false answers to questions such as place of birth and mother’s maiden name, so that nothing an attacker can look up in a profile will unlock the account. Treat such answers as passwords: make them unguessable and record them somewhere safe, since a forgotten false answer locks out the legitimate user just as surely as it locks out the attacker.
4. Encrypt Sensitive Data. Encryption is not a silver bullet, but it will slow down novice and casual hackers, and encrypted stored data will keep prying eyes from sensitive and embarrassing information, such as Twitter’s plans to grow from zero to $1.5 billion in revenue over the next few years. It helps against an account takeover only if the decryption key is not handed to whoever is logged in and is not protected by the same password the attacker already holds.
5. Employ Multifactor Authentication. For sensitive applications and data, users should be required to present multiple forms of authentication, such as tokens, certificates, biometrics and smart cards. Even if a hacker is able to get a user’s password, multifactor authentication should keep him out of critical systems and data, since it is exceedingly hard to replicate a token or biometric signature. The second factor must gate the password reset flow as well as the login; otherwise a reset built on a secret question simply routes around it.
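Recommendations 3 and 5, together with the secret-question weakness described earlier, can be seen in one place in this added example (not code from Google Apps, Twitter, or anyone quoted in the article). It models the reset flow twice: once as described, with a real biographical answer and unlimited attempts, and once hardened with a generated answer, an attempt limit, and an RFC 4226 one-time password gating the reset itself. The candidate list, the pet name and the token secret are constructed for the demonstration.

```python
"""Toy model of a secret-question password reset and a hardened version.

Added example for this article; it is not code from Google Apps or Twitter.
The account, the attacker's candidate list and the one-time-password secret
are constructed here so the script runs offline.
"""
import hashlib
import hmac
import secrets
from typing import Optional


class LockedOut(Exception):
    """Raised once the reset flow stops accepting guesses."""


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password, what a hardware token displays."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def _digest(answer: str) -> bytes:
    # Reset forms usually trim and case-fold answers, which shrinks the space an
    # attacker must search; hashing keeps the stored value from being the answer.
    return hashlib.sha256(answer.strip().lower().encode()).digest()


class WeakReset:
    """The flow as the article describes it: one biographical question, unlimited guesses."""

    def __init__(self, real_answer: str):
        self.answer_hash = _digest(real_answer)

    def attempt(self, guess: str, otp: Optional[str] = None) -> bool:
        return hmac.compare_digest(self.answer_hash, _digest(guess))


class HardenedReset:
    """Generated answer (recommendation 3), attempt limit, second factor (recommendation 5)."""

    MAX_ATTEMPTS = 5

    def __init__(self, otp_secret: bytes):
        # The 'answer' is random, not a fact about the user, and is kept in a
        # password manager the way a password would be.
        self.generated_answer = secrets.token_hex(16)
        self.answer_hash = _digest(self.generated_answer)
        self.failures = 0
        self.otp_secret = otp_secret
        self.otp_counter = 0

    def attempt(self, guess: str, otp: Optional[str] = None) -> bool:
        if self.failures >= self.MAX_ATTEMPTS:
            raise LockedOut()
        if not hmac.compare_digest(self.answer_hash, _digest(guess)):
            self.failures += 1
            return False
        # Knowing the answer is not enough: the reset path is gated by the same
        # token as a normal login, so it cannot be used to route around MFA.
        expected = hotp(self.otp_secret, self.otp_counter)
        if otp is None or not hmac.compare_digest(expected, otp):
            self.failures += 1
            return False
        self.otp_counter += 1
        return True


def guessing_attack(flow, candidates) -> Optional[int]:
    """Try each candidate with no token; return the guess count on success, else None."""
    for n, guess in enumerate(candidates, 1):
        try:
            if flow.attempt(guess):
                return n
        except LockedOut:
            return None
    return None


# Constructed list of the kind of answers scraped from a social-network profile.
CANDIDATES = ["Springfield", "Fluffy", "Smith", "Rex", "Boston", "Jones", "Max", "Bella"]
OTP_SECRET = b"12345678901234567890"  # the RFC 4226 test-vector secret; constructed


def demo() -> dict:
    results = {
        "weak_guesses_needed": guessing_attack(WeakReset("fluffy"), CANDIDATES),
        "hardened_guesses_needed": guessing_attack(HardenedReset(OTP_SECRET), CANDIDATES),
    }
    fresh = HardenedReset(OTP_SECRET)
    # Even an attacker who has learned the generated answer still needs the token...
    results["answer_without_token"] = fresh.attempt(fresh.generated_answer)
    # ...while the legitimate user presents both and gets through.
    code = hotp(fresh.otp_secret, fresh.otp_counter)
    results["answer_with_token"] = fresh.attempt(fresh.generated_answer, code)
    return results


if __name__ == "__main__":
    print(demo())
```

The weak flow falls on the second guess because the answer is a public fact; the hardened flow locks after five failures, and even a correct answer is refused without the token, which is the property the secret-question reset in this incident lacked.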