A hack into Twitter’s back-end productivity applications earlier this month is raising some serious questions — not only about password system security itself, but also about some consequences of network intrusion that may have been unforeseen.
About a month ago, a hacker was able to access a Twitter employee’s personal email account, according to a blog post by Twitter cofounder Biz Stone. Once there, the hacker struck the mother lode: access to the employee’s Google Apps account, which contained Docs, Calendars and other Google Apps that Twitter uses for sharing notes, spreadsheets, ideas, financial details and so on.
The hacker then went on to peddle this information to various news outlets and other blogs, and some of the purloined content was eventually posted. TechCrunch actually gave its readers a heads up that it had received the stolen information. None of it was embarrassing, but much of it was very interesting, said TechCrunch founder Michael Arrington. That was followed by a bombardment of reader comments debating the pros and cons of publishing any of the material.
Twitter’s Stone himself posted a comment obliquely suggesting that any organization that published the content might be running afoul of the law.
“We are in touch with our legal counsel about what this theft means for Twitter, the hacker, and anyone who accepts and subsequently shares or publishes these stolen documents,” wrote Stone. “We’re not sure yet exactly what the implications are for folks who choose to get involved at this point, but when we learn more and are able to share more, we will.”
New Hack, New Lessons
As far as hacks go, this one was relatively benign. There was no identity theft or intellectual property theft. Neither customer records nor financial data were compromised, a point Stone emphasized in his post.
As all security violations inevitably do, though, this particular episode raises the question: What — if anything — is safe online? That the exposure apparently resulted from a Google Apps intrusion raises questions about cloud security — and, more fundamentally, password security.
This episode does not reflect negatively on cloud security, argued Keith Crosley, director of market development for Proofpoint.
“I was having a discussion over email earlier this morning where people were asking me if this was an example that suggested cloud computing is innately less secure than on-premises approaches — particularly to email,” Crosley told the E-Commerce Times.
“I don’t believe this is the case. Even if an enterprise doesn’t outsource its email to a SaaS solution like Google Apps, many, if not most, organizations make some sort of Web access to corporate email available.”
In those cases, the corporate email system could be breached just as easily as a Gmail/Google Apps account, he said.
“All the hacker would have to know or guess is the address to access the OWA system and execute a successful social engineering or brute force attack on an account or accounts.”
The weak link was probably the password security, speculated Michael Leland, CTO of NitroSecurity.
“Many companies implement policies that require the use of strong passwords, but these policies are difficult to enforce,” he told the E-Commerce Times. “The good news is that there are ways to prevent this type of thing.”
Using deep packet inspection to monitor application and protocol activity for default or weak passwords is one, he suggested.
All too often, consumers reuse the same password for multiple Web sites, observed Dennis Hurst, senior security engineer for HP software and solutions, and founding member of the Cloud Security Alliance.
“Hackers know this, and they will break into the insecure Web sites to obtain your password and then use it on secure Web sites,” Hurst told the E-Commerce Times.
Companies need to require that a password be strong enough to thwart efforts to break into a system, but it must be memorable enough so that it doesn’t need to be written down, he said.
There is also a lesson about cloud security to learn from this, Hurst added.
Security departments that think they have time to develop a strong cloud computing and security strategy need to realize that they probably already have applications in the cloud, including Twitter. “IT and security departments need to develop specific policies around cloud computing,” he said.
Legal Ramifications
Stone’s oblique references to legal action also bear examining. At first glance it would seem that the First Amendment would provide some cover to publications.
That’s not necessarily the case, warned Gaida Zirkelbach, an attorney with Gunster’s technology practice.
If the publishers knew the information was obtained through illegal means, then Twitter may have some valid claims, she told the E-Commerce Times. “By publishing the information, they may have contributed to the illegal conduct.”
In several articles I’ve seen the Twitter execs dismiss blame that people might want to put on Google. Most likely the user that got "hacked" was using a weak password that involved publicly available information.