Twitter has been hacked, sort of. Actually, the Google Apps account used by
Twitter employees was hacked, which led to the deeper compromise of the Twitter
corporate network and the unauthorized release of data regarding the company's
growth plans and credit card numbers of several employees.
It's believed that a hacker named Croll used the automated password reset
system of Google Apps to gain access to a wiki used by Twitter employees. Once
into the wiki and Gmail account, the hacker got all the information he needed
to access other Twitter accounts, including the e-mail of the wife of CEO
Evan Williams.
Some security analysts and bloggers say this will bring into question the
security of both the malware-plagued Twitter network and Google Apps. In reality,
this incident should bring into question password management, particularly
in the cloud computing era.
"Our observations suggest that a number of companies and their staff
are being forced down the cloud computing route and are having to adapt their
IT security systems on the fly," said Andy Cordial, managing director at
Origin Storage, a division of Level 3 Communications. "We have had
concerns about this rate of change in the business sector for some time and,
with all the data breaches occurring on the cloud front, it’s obvious that the
chickens are now coming home to roost."
Many companies are using free online applications such as Google Apps, Zoho
and Box.net for team collaboration and transferring data. Accounts are simple
to set up and use, making them an ideal, lightweight alternative to expensive,
proprietary systems such as Microsoft's Office and SharePoint or IBM's
Lotus Notes. But simple and free often mean that such systems are designed for
consumers first, enterprises second. Even the cloud-based applications being
sold through the channel have the same basic password reset systems as the
public versions.
Croll was able to break into the Twitter employee's Google Apps account by
guessing the secret question challenge in the automated password reset. This is
when a password reset system asks you to verify your identity by asking a
question to which only you should know the answer, such as your mother's maiden
name, pet's name or place of birth. Such systems have been around for years, but
are increasingly less effective in the social networking age. Users are
including copious amounts of information about themselves in their Facebook,
MySpace and LinkedIn profiles, making it easier for hackers to guess the
correct answers of these reset questions.
Cordial and others suggest that encryption of data, stored and in transit, is
an effective means of protecting against such a hack. Even if the hacker is
able to reset a password and gain access, he won't be able to access the
encrypted data, they say. It's a flawed argument, since encryption is typically
dependent upon user passwords, too. If a hacker is able to reset a public
password, he'll likely be able to access encryption keys. This is because users
are not savvy and often use the same passwords across multiple applications.
Some security experts will say strong passwords are needed, such as the
tried-and-true eight-character, mixed alphanumeric password standard. In a
paper presented at a 2007 Usenix conference, Microsoft
researchers Dinei Florencio and Cormac Herley questioned the wisdom and utility
of strong passwords. Given that the average enterprise user has eight
to 12 unique identities, each requiring a password, users forced into strong
passwords and frequent password updates are more likely to use the same
passwords across multiple applications, they wrote. Further, strong passwords
and frequent password expirations force many users to write down and share
their passwords, thus diminishing their strength and effectiveness.
The exponentially increasing frequency of phishing and keylogging attacks is
making it easier for hackers to capture even strong passwords. Users are
commonly asked to create password-protected accounts on Websites for everything
from whitepapers to flowers for their spouses; they have become so accustomed
to creating passwords that it’s second nature now to surrender passwords when
asked by phishers. Worse, users often reuse the same passwords across multiple
private and public accounts, which means a hacker can gain access to multiple
accounts if he cracks just one account.
Solution providers should use the Twitter/Google hack as an example of the
consequences of poor password management and user awareness, and recommend the
following to their accounts.
1. Always Use Strong Passwords. Regardless of what Florencio and
Herley say, strong passwords are far better than using your children's
names, phone number or favorite color as a password. With those, it's easier
just to guess the password than to guess the challenge question in an
automated reset system. Strong passwords are an inconvenience for users, which
means they're a greater hindrance to hackers.
2. Nonsynchronized Passwords. As a matter of policy, businesses
should tell users to not use the same passwords across multiple accounts.
Further, users shouldn't use corporate passwords on public accounts, such as
for Gmail or any online services. Using the same password across multiple
accounts and domains, regardless of strength, creates a single point of
failure; if one is compromised, all accounts are compromised.
3. Lie to Reset Systems. Many password reset systems don't give users
the option of creating their own challenge questions. For those systems, users
should give erroneous answers to questions such as place of birth and mother's
maiden name. By lying to the reset system, it will be harder for hackers to
guess the correct response.
4. Encrypt Sensitive Data. Encryption is not a silver bullet, but it
will slow down novice and casual hackers. Encrypted stored data will prevent
prying eyes from uncovering sensitive and embarrassing information, such as
Twitter's plans to go from zero to $1.5 billion in revenue over the next few
years.
5. Employ Multifactor Authentication. For the sensitive
applications and data, users should be required to use multiple forms of
authentication, such as tokens, certificates, biometrics and smartcards. Even
if a hacker is able to get a user password, multifactor authentication should
prevent him from accessing critical systems and data, since it is exceedingly
hard to replicate a token or biometric signature.
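The weak link in the incident described above, and the reason recommendation 3 exists at all, is a password reset that accepts a guessable knowledge-based answer. The following is an added example, not code from the article, from Google or from Twitter, of what a reset flow looks like when it does not depend on secret questions: the server issues a random single-use token, stores only a hash of it bound to the account, lets it expire after a short window, and voids it after a handful of failed verifications. All names (ResetService, issue_token, verify, demo) and the constants are hypothetical choices made for this illustration.

```python
"""Password-reset flow that does not rely on guessable secret questions.

Added example (not from the article or any vendor). A random single-use
token is generated server-side, only its hash is stored, it expires, and
each account gets a small number of verification attempts before the
pending reset is voided. All names and constants are hypothetical.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # a token is valid for 15 minutes (assumed policy)
MAX_ATTEMPTS = 5              # failed verifications tolerated before the token is voided


class ResetService:
    def __init__(self, clock=time.time):
        self._clock = clock
        # account -> {"hash": bytes, "expires": float, "attempts": int}
        self._pending = {}

    def issue_token(self, account: str) -> str:
        """Create a fresh reset token for `account`.

        The caller delivers the token out of band (for example to an already
        verified e-mail address or phone) and must never log it; the service
        keeps only its hash, so a database leak does not expose live tokens.
        """
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[account] = {
            "hash": self._digest(account, token),
            "expires": self._clock() + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        return token

    def verify(self, account: str, presented: str) -> bool:
        """Return True exactly once for the correct, unexpired token."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[account]          # expired: force a new request
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[account]          # too many guesses: void the reset
            return False
        ok = hmac.compare_digest(entry["hash"], self._digest(account, presented))
        if ok:
            del self._pending[account]          # single use
        return ok

    @staticmethod
    def _digest(account: str, token: str) -> bytes:
        # Bind the hash to the account so a token for one user is useless for another.
        return hashlib.sha256(f"{account}\x00{token}".encode()).digest()


def demo() -> dict:
    """Exercise the flow with a controllable clock; every value should be True."""
    fake_clock = [1_000_000.0]
    svc = ResetService(clock=lambda: fake_clock[0])
    results = {}

    tok = svc.issue_token("alice")                       # constructed sample account
    results["wrong_token_rejected"] = not svc.verify("alice", "guess")
    results["right_token_accepted"] = svc.verify("alice", tok)
    results["replay_rejected"] = not svc.verify("alice", tok)

    tok2 = svc.issue_token("alice")
    fake_clock[0] += TOKEN_TTL_SECONDS + 1               # step past the expiry window
    results["expired_rejected"] = not svc.verify("alice", tok2)

    tok3 = svc.issue_token("alice")
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", "nope")                      # burn the attempt budget
    results["locked_after_max_attempts"] = not svc.verify("alice", tok3)
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

Two design points carry the weight here. First, the secret is generated by the server, not remembered by the user, so nothing on a Facebook or LinkedIn profile helps an attacker. Second, the attempt cap and expiry mean the token's entropy only has to survive a few guesses over a few minutes, which is the opposite of a "mother's maiden name" that is guessed at leisure with no limit.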