Lessons learned from the Twitter account hack
The recent Twitter hack provides some lessons for other companies that need to protect confidential, internal documents.
Fortunately for the popular social network and microblogging service, the Twitter account hack appears to be mild compared to the potential damage that could have taken place. It is believed the incident was designed more to demonstrate the skills of the hacker than to cause the company any extensive damage. The person behind the attack, known as Hacker Croll, accessed internal documents, including financial projections.
But can the case provide any lessons for other companies hoping not to fall prey to a similar attack? And does it raise serious new doubts about the security of cloud computing, as some have suggested, seeing as the attack was based on a compromised password that allowed access into a Twitter staff member's business Gmail account?
Chris Anley, a director at the NCC Group, said the focus on cloud computing is a distraction. "The hack has nothing to do with cloud computing, and is much more to do with policy and policy enforcement," he said.
![]() |
||||
|
![]() |
|||
![]() |
Anley said the key to preventing similar hacks is to create clear policies and to enforce them. "I would suggest banning the use of external public systems, such as Hotmail accounts, on corporate systems, although that can be difficult to enforce."
It is essential to educate users about the consequences of poor security practices, he said. Passwords should not be reused across different accounts, and passwords should not be easy to guess.
But Nigel Stanley, an analyst with Bloor Research International Ltd, said the incident does have some lessons for those companies rushing into cloud computing. As he explained, when information is kept in the cloud and is designed to be accessed from anywhere, it is even more important to control who has access to it.
Without better password policies or more effective authentication, the cloud-based service becomes an easy target for malicious hackers. "Identity and access management is a big concern with cloud computing," he said. "You need robust systems in place to enable the user to securely access the data from wherever they are, and also to prevent illicit access. Organisations already find IAM difficult enough within their own corporate systems."
Cloud computing, he said, will make it even more important to efficiently provision and de-provision users. "Think of the problem of employees still having access to systems even after they've been fired," he said. "It's easy to be seduced by sexy technology, but if your password is compromised, then your security is blown."
Further security could be achieved by the use of two-factor or multifactor authentication, Stanley said. "Smart CISOs could use a move to cloud computing as a good reason to ask for budget to introduce two-factor authentication."
Google, which is trying to become a major provider of in-the-cloud corporate services, has recognised the need for two-factor authentication and recently introduced support for it as well as for single sign-on.
![]() |
||||
|
![]() |
|||
![]() |
And according to Yuval-Ben Itzhak, chief technology officer at security company Finjan Inc., that lack of basic security measures is leaving companies open to major threats.
"It's sad for Twitter, but their case is no different from what we see all the time in other organisations. Most of the cases are never publicised," he said.
"Hackers are attacking businesses in general, either through the browser, or by sending infected PDF files, or instructing you to go to specific sites. In just the last week, every day we have found around eight new hacker servers with, on average about 100,000 to 150,000 compromised PCs. That's around a million new compromised PCs every day."
That is just the tip of the iceberg, and the scale of the problem is much larger. Many assume that Twitter and other Web-based social networking and cloud computing services are fun and safe, he said, "but that is a very naïve approach."