Last week it was widely reported that this past May, someone going by the name of Hacker Croll got into the personal email systems of various Twitter Inc. employees and gained access to several of these employees’ Internet services, including Gmail, Google Apps, GoDaddy, Paypal, and a number of other accounts.
The hacker stole several confidential documents (more than 300 in total), many living in Google Docs and relating to Twitter’s financials, business plans, and other inside information about the company.
The story has naturally called into question the security of Twitter, Google Apps, and the cloud in general. However, as pointed out by Biz Stone in his blog, this particular incident didn’t really have anything to do with vulnerabilities of Twitter or Google Apps per se; rather, it came down to the poor practices of Internet users.
It’s generally believed that because no network system is completely secure, if a hacker wants to get you, you’ll be gotten. In this case, as in others, the vulnerability was the way humans behave on the Internet, and the hack was pretty simple.
As reported by TechCrunch last weekend, Hacker Croll used search engines to systematically build a mosaic of information that included Twitter employees’ names, job titles, email addresses, birth dates, pets’ names, and other seemingly innocuous information bits. However, once this data was consolidated, the hacker became very dangerous.
Because Twitter is an online company that stores most of its corporate information assets in the cloud and has a culture of sharing everything, one entry point was all the hacker needed to pull down a gold mine of confidential data.
Since Internet services use a username/password authentication system, and the username is easy to guess (often a person's email address or a truncated form of it), the hacker used Gmail's password recovery mechanism, answered from the personal details gathered above, to reset the password and gain access to each user's Gmail account.
Once inside, he or she searched the user's inbox for a message from some random Web service that had sent the user's original password in clear text, then set the Gmail password back to that original value so the user was unaware of the breach. Because 98 percent of all Internet users apply the same username/password across all Web services, the hacker now had access to virtually all of each user's accounts.
What can we learn from this incident? First, the convenience of inexpensive (often free) Web services and their natural openness is at odds with the demands of highly secure systems. While any one system may have reasonable security, bad user practices exponentially increase a user's exposure across the Internet. Using the same username/password combination across Web services exposes users, as does mixing work and personal information. Further, choosing secret-question answers that are publicly available (e.g., on Facebook) or easy to guess is not sound practice.
On a broader scale for corporate systems, users should consider two-factor authentication systems. Your business may depend on it.
— David Vellante spent 15 years at IDC and is a founder of The Wikibon Project. He can be reached on Twitter at @dvellante.