
Lessons learned from the Twitter account hack

By Ron Condon, U.K. Bureau Chief
23 Jul 2009 | SearchSecurity.com


Last week's hack of Twitter, in which company documents were stolen and later published on the Internet, has highlighted the debate about the ethics of publishing stolen material.

Fortunately for the popular social network and microblogging service, the Twitter account hack appears to be mild compared to the potential damage that could have taken place. It is believed the incident was designed more to demonstrate the skills of the hacker than to cause the company any extensive damage. The person behind the attack, known as Hacker Croll, accessed internal documents, including financial projections.

But can the case provide any lessons for other companies hoping not to fall prey to a similar attack? And does it raise serious new doubts about the security of cloud computing, as some have suggested, given that the attack hinged on a compromised password that gave access to a Twitter staff member's business Gmail account?

Chris Anley, a director at the NCC Group, said the focus on cloud computing is a distraction. "The hack has nothing to do with cloud computing, and is much more to do with policy and policy enforcement," he said.

How Hacker Croll got into Twitter

* Hacker Croll profiled the company and gathered a series of email addresses.

* He found the Gmail address of someone working at Twitter and requested a password reset for it, which can be done without logging on.

* Gmail sent the password to the secondary email address registered on the account. That address was shown to the requester mostly masked, but with the domain visible as h******.com.

* He guessed it was a Hotmail account and guessed the username to complete the address. The account was no longer in use, so he registered it himself, set a new password, and read the Gmail password that had been sent there.

* The hacker was then able to get into the user's work documents hosted on Google Apps, and used similar techniques to gain access to other accounts.

The Twitter account hack was made possible because the Twitter staff member used identical passwords to access separate Gmail and Hotmail accounts. According to TechCrunch reports, Hacker Croll reset the Gmail account password by answering personal questions meant to authenticate the employee. Once the attacker had the password for one system, it was a simple step to guess the other and then find a way into other parts of the Twitter network.

Anley said the key to preventing similar hacks is to create clear policies and to enforce them. "I would suggest banning the use of external public systems, such as Hotmail accounts, on corporate systems, although that can be difficult to enforce."

It is essential to educate users about the consequences of poor security practices, he said. Passwords should not be reused across different accounts, and passwords should not be easy to guess.

But Nigel Stanley, an analyst with Bloor Research International Ltd, said the incident does have some lessons for those companies rushing into cloud computing. As he explained, when information is kept in the cloud and is designed to be accessed from anywhere, it is even more important to control who has access to it.

Without better password policies or more effective authentication, the cloud-based service becomes an easy target for malicious hackers. "Identity and access management is a big concern with cloud computing," he said. "You need robust systems in place to enable the user to securely access the data from wherever they are, and also to prevent illicit access. Organisations already find IAM difficult enough within their own corporate systems."

Cloud computing, he said, will make it even more important to efficiently provision and de-provision users. "Think of the problem of employees still having access to systems even after they've been fired," he said. "It's easy to be seduced by sexy technology, but if your password is compromised, then your security is blown."

Further security could be achieved by the use of two-factor or multifactor authentication, Stanley said. "Smart CISOs could use a move to cloud computing as a good reason to ask for budget to introduce two-factor authentication."

Google, which is trying to become a major provider of in-the-cloud corporate services, has recognised the need for two-factor authentication and recently introduced support for it as well as for single sign-on.

Lessons to be learned

* External email accounts can be dangerous, but hard to prevent. Discourage their use.

* Have a firm policy and enforce it.

* Educate users about consequences of poor security practices.

* Don't reuse passwords across multiple resources. Use long passwords with digits and symbols.

* Try using a theme for multiple passwords -- but make sure it's one that helps you remember the passwords, while being difficult for a hacker to guess.

* Try some form of multifactor authentication.
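The checks in that list, together with the points Anley and Stanley make about external webmail accounts and de-provisioning, can be turned into an audit of a user-directory export. The script below is an added example, not tooling from Twitter, Google or the article's sources; its column names, public-webmail list, 90-day threshold and sample users are all constructed assumptions. It flags four conditions: a recovery address on an external webmail domain (the route Hacker Croll took), an account still active for a terminated employee, a long-unused account, and no second factor. Whether an external recovery mailbox is still live, as the abandoned Hotmail account in this case was not, cannot be determined offline and still needs a manual check.

```python
"""Audit a user-directory export for the weaknesses exploited in the
Twitter hack. Added example, not Twitter's or Google's tooling; the column
names, webmail list and sample users are assumptions to adapt."""
import csv
import io
from datetime import date

# Assumption: public webmail providers where an attacker could register an
# abandoned address or recover an account. Extend for your environment.
PUBLIC_WEBMAIL = {"hotmail.com", "live.com", "gmail.com", "yahoo.com", "aol.com"}

# Assumption: no login for this long makes the account a de-provisioning candidate.
STALE_DAYS = 90

# Constructed sample export with fictional users (not real Twitter staff).
SAMPLE_EXPORT = """\
primary_email,recovery_email,last_login,hr_status,two_factor
alice@example.com,alice.personal@hotmail.com,2009-07-20,employed,no
bob@example.com,bob.backup@example.com,2009-07-21,employed,yes
carol@example.com,carol1999@yahoo.com,2009-01-03,terminated,no
dave@example.com,,2009-07-22,employed,no
"""


def parse_export(text):
    """Parse a CSV export with the columns used in SAMPLE_EXPORT."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows, today):
    """Return, per primary address, the list of policy violations found
    (an empty list means the account passed every check)."""
    findings = {}
    for row in rows:
        user = row["primary_email"].strip().lower()
        issues = findings.setdefault(user, [])

        recovery = row["recovery_email"].strip().lower()
        if recovery and recovery.rsplit("@", 1)[-1] in PUBLIC_WEBMAIL:
            # A reset mail lands in a mailbox the organisation does not
            # control, and which may have expired and be re-registrable.
            issues.append("recovery_on_public_webmail")

        if row["hr_status"].strip().lower() == "terminated":
            issues.append("terminated_still_active")

        last_login = date.fromisoformat(row["last_login"])
        if (today - last_login).days > STALE_DAYS:
            issues.append("stale_account")

        if row["two_factor"].strip().lower() != "yes":
            issues.append("no_two_factor")
    return findings


def audit_sample(today_iso="2009-07-23"):
    """Run the audit over the constructed export as of the article's date."""
    return audit(parse_export(SAMPLE_EXPORT), date.fromisoformat(today_iso))


def report(findings):
    """Human-readable lines, accounts with the most violations first."""
    lines = []
    for user, issues in sorted(findings.items(), key=lambda kv: -len(kv[1])):
        if issues:
            lines.append(f"{user}: {', '.join(issues)}")
    return lines


if __name__ == "__main__":
    for line in report(audit_sample()):
        print(line)
```

Run it as-is to see the report for the constructed export; to use it on a real directory, rename the columns in parse_export to match your export and feed the result to audit with today's date.
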

According to Eran Feigenbaum, Google's director of enterprise security, 1.75m businesses have now signed up for Google Apps, the company's suite of cloud-based office applications, and 3,000 new businesses are joining every day. But he acknowledged at a recent meeting in London that "only a very small percentage" of them so far use two-factor authentication.

And according to Yuval Ben-Itzhak, chief technology officer at security company Finjan Inc., that lack of basic security measures is leaving companies open to major threats.

"It's sad for Twitter, but their case is no different from what we see all the time in other organisations. Most of the cases are never publicised," he said.

"Hackers are attacking businesses in general, either through the browser, or by sending infected PDF files, or instructing you to go to specific sites. In just the last week, every day we have found around eight new hacker servers with, on average about 100,000 to 150,000 compromised PCs. That's around a million new compromised PCs every day."

That is just the tip of the iceberg, and the scale of the problem is much larger. Many assume that Twitter and other Web-based social networking and cloud computing services are fun and safe, he said, "but that is a very naïve approach."
