Lessons learned from the Twitter account hack

Fortunately for the popular social network and microblogging service, the Twitter account hack appears to be mild compared to the potential damage that could have taken place. It is believed the incident was designed more to demonstrate the skills of the hacker than to cause the company any extensive damage. The person behind the attack, known as Hacker Croll, accessed internal documents, including financial projections.

Download this free guide

UK IT Priorities 2018 survey results

Download this e-guide to discover the results of our 2018 UK IT Priorities survey, where IT leaders shared with us what they are going to be investing in over the coming 12 months.

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

But can the case provide any lessons for other companies hoping not to fall prey to a similar attack? And does it raise serious new doubts about the security of cloud computing, as some have suggested, seeing as the attack was based on a compromised password that allowed access into a Twitter staff member's business Gmail account?

Chris Anley, a director at the NCC Group, said the focus on cloud computing is a distraction. "The hack has nothing to do with cloud computing, and is much more to do with policy and policy enforcement," he said.

How Hacker Croll got into Twitter * Hacker Croll profiled the company and gathered a series of email addresses. * He found the Gmail address of someone working at Twitter. He then asked to reset password, which can be done without logging on. * Gmail sent the password to the specified secondary email account (with most details blanked out, but with the domain name as h******.com). * He guessed it was a hotmail account and guessed the username to complete the address. This was an account that was no longer used so he registered it and set a new password, and read the Gmail password that had been sent. * The hacker was then able to get into the user's work hosted on Google Apps. He then used similar techniques to gain access to other accounts.

Anley said the key to preventing similar hacks is to create clear policies and to enforce them. "I would suggest banning the use of external public systems, such as Hotmail accounts, on corporate systems, although that can be difficult to enforce."

It is essential to educate users about the consequences of poor security practices, he said. Passwords should not be reused across different accounts, and passwords should not be easy to guess.

But Nigel Stanley, an analyst with Bloor Research International Ltd, said the incident does have some lessons for those companies rushing into cloud computing. As he explained, when information is kept in the cloud and is designed to be accessed from anywhere, it is even more important to control who has access to it.

Without better password policies or more effective authentication, the cloud-based service becomes an easy target for malicious hackers. "Identity and access management is a big concern with cloud computing," he said. "You need robust systems in place to enable the user to securely access the data from wherever they are, and also to prevent illicit access. Organisations already find IAM difficult enough within their own corporate systems."

Cloud computing, he said, will make it even more important to efficiently provision and de-provision users. "Think of the problem of employees still having access to systems even after they've been fired," he said. "It's easy to be seduced by sexy technology, but if your password is compromised, then your security is blown."

Further security could be achieved by the use of two-factor or multifactor authentication, Stanley said. "Smart CISOs could use a move to cloud computing as a good reason to ask for budget to introduce two-factor authentication."

Google, which is trying to become a major provider of in-the-cloud corporate services, has recognised the need for two-factor authentication and recently introduced support for it as well as for single sign-on.

Lessons to be learned * External email accounts can be dangerous, but hard to prevent. Discourage their use. * Have a firm policy and enforce it. * Educate users about consequences of poor security practices. * Don't use the same password for multiple resources. * Don't reuse passwords. Use long passwords with digits and symbols. * Try using a theme for multiple passwords -- but make sure it's one that helps you remember the passwords, while being difficult for a hacker to guess. * Try some form of multifactor authentication.

And according to Yuval-Ben Itzhak, chief technology officer at security company Finjan Inc., that lack of basic security measures is leaving companies open to major threats.

"It's sad for Twitter, but their case is no different from what we see all the time in other organisations. Most of the cases are never publicised," he said.

"Hackers are attacking businesses in general, either through the browser, or by sending infected PDF files, or instructing you to go to specific sites. In just the last week, every day we have found around eight new hacker servers with, on average about 100,000 to 150,000 compromised PCs. That's around a million new compromised PCs every day."

That is just the tip of the iceberg, and the scale of the problem is much larger. Many assume that Twitter and other Web-based social networking and cloud computing services are fun and safe, he said, "but that is a very naïve approach."