Lessons learned from the Twitter account hack

The recent Twitter hack provides some lessons for other companies that need to protect confidential, internal documents.

Last week's hack of Twitter, in which company documents were stolen and later published on the Internet, has highlighted the debate about the ethics of publishing stolen material.

Fortunately for the popular social network and microblogging service, the Twitter account hack appears to be mild compared to the potential damage that could have taken place. It is believed the incident was designed more to demonstrate the skills of the hacker than to cause the company any extensive damage. The person behind the attack, known as Hacker Croll, accessed internal documents, including financial projections.

But can the case provide any lessons for other companies hoping not to fall prey to a similar attack? And does it raise serious new doubts about the security of cloud computing, as some have suggested, seeing as the attack was based on a compromised password that allowed access into a Twitter staff member's business Gmail account?

Chris Anley, a director at the NCC Group, said the focus on cloud computing is a distraction. "The hack has nothing to do with cloud computing, and is much more to do with policy and policy enforcement," he said.

How Hacker Croll got into Twitter

* Hacker Croll profiled the company and gathered a series of email addresses.

* He found the Gmail address of someone working at Twitter and requested a password reset for it, which can be done without logging on.

* Gmail sent the password to the specified secondary email account (with most details blanked out, but with the domain name as h******.com).

* He guessed it was a Hotmail account and guessed the username to complete the address. This was an account that was no longer used, so he registered it, set a new password, and read the Gmail password that had been sent.

* The hacker was then able to get into the user's work hosted on Google Apps. He then used similar techniques to gain access to other accounts.

The Twitter account hack was made possible because the Twitter staff member used identical passwords to access separate Gmail and Hotmail accounts. According to TechCrunch reports, Hacker Croll reset the Gmail account password by answering personal questions meant to authenticate the employee. Once the attacker gained the password of one system, it was a simple step to guess the other and then find a way into other parts of the Twitter network.

Anley said the key to preventing similar hacks is to create clear policies and to enforce them. "I would suggest banning the use of external public systems, such as Hotmail accounts, on corporate systems, although that can be difficult to enforce."

It is essential to educate users about the consequences of poor security practices, he said. Passwords should not be reused across different accounts, and passwords should not be easy to guess.

But Nigel Stanley, an analyst with Bloor Research International Ltd, said the incident does have some lessons for those companies rushing into cloud computing. As he explained, when information is kept in the cloud and is designed to be accessed from anywhere, it is even more important to control who has access to it.

Without better password policies or more effective authentication, the cloud-based service becomes an easy target for malicious hackers. "Identity and access management is a big concern with cloud computing," he said. "You need robust systems in place to enable the user to securely access the data from wherever they are, and also to prevent illicit access. Organisations already find IAM difficult enough within their own corporate systems."

Cloud computing, he said, will make it even more important to efficiently provision and de-provision users. "Think of the problem of employees still having access to systems even after they've been fired," he said. "It's easy to be seduced by sexy technology, but if your password is compromised, then your security is blown."

Further security could be achieved by the use of two-factor or multifactor authentication, Stanley said. "Smart CISOs could use a move to cloud computing as a good reason to ask for budget to introduce two-factor authentication."

Google, which is trying to become a major provider of in-the-cloud corporate services, has recognised the need for two-factor authentication and recently introduced support for it as well as for single sign-on.

Lessons to be learned

* External email accounts can be dangerous, but hard to prevent. Discourage their use.

* Have a firm policy and enforce it.

* Educate users about consequences of poor security practices.

* Don't use the same password for multiple resources.

* Don't reuse passwords. Use long passwords with digits and symbols.

* Try using a theme for multiple passwords -- but make sure it's one that helps you remember the passwords, while being difficult for a hacker to guess.

* Try some form of multifactor authentication.
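The two controls that would have broken the chain described above, a recovery address the company does not control and a password shared between systems, can be checked mechanically. The following script is an added example and not code from the article or from any of the companies quoted in it; the account inventory, domain names and passwords in it are constructed, and the corporate domain list is an assumption a real deployment would replace with its own.

```python
"""Recovery-channel and password-reuse audit (added example, constructed data).

Check 1: flag accounts whose password-recovery address sits on public webmail
         (the Hotmail step in the attack chain) or on a domain the organisation
         does not control (an expired or abandoned domain can be re-registered).
Check 2: at password-set time, refuse a password the same person already uses
         on another system, comparing salted hashes so no plaintext list exists.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Consumer webmail domains an organisation would not want as a recovery channel.
PUBLIC_WEBMAIL = {"hotmail.com", "gmail.com", "yahoo.com", "live.com", "outlook.com"}

PBKDF2_ROUNDS = 100_000  # slow hash so a stolen inventory resists guessing


@dataclass
class Account:
    user: str            # person owning the account
    system: str          # which system the credential is for
    recovery_email: str  # address that receives password resets
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under a per-account salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def new_account(user: str, system: str, recovery_email: str, password: str) -> Account:
    """Create an inventory entry; the plaintext password is never stored."""
    salt = os.urandom(16)
    return Account(user, system, recovery_email, salt, hash_password(password, salt))


def audit_recovery_channels(accounts, corporate_domains):
    """Return (user, system, reason) for every recovery address outside policy."""
    findings = []
    for a in accounts:
        domain = a.recovery_email.rsplit("@", 1)[-1].lower()
        if domain in PUBLIC_WEBMAIL:
            findings.append((a.user, a.system, f"recovery address on public webmail: {domain}"))
        elif domain not in corporate_domains:
            findings.append((a.user, a.system, f"recovery address on uncontrolled domain: {domain}"))
    return findings


def password_reused(accounts, user: str, candidate: str) -> bool:
    """True if `candidate` matches the stored hash of any system belonging to `user`.

    Call this when the user sets a new password on one system; the candidate is
    hashed under each of the user's existing salts and compared in constant time.
    """
    for a in accounts:
        if a.user != user:
            continue
        if hmac.compare_digest(hash_password(candidate, a.salt), a.pw_hash):
            return True
    return False


def build_sample_inventory():
    """Constructed inventory mirroring the article's scenario (all values made up)."""
    return [
        new_account("alice", "google-apps", "alice@hotmail.com", "Summer2009!"),
        new_account("alice", "hotmail", "alice@corp.example", "Summer2009!"),
        new_account("bob", "google-apps", "bob@corp.example", "correct horse battery"),
        new_account("carol", "vpn", "carol@old-partner.example", "another-secret"),
    ]


if __name__ == "__main__":
    inventory = build_sample_inventory()
    for finding in audit_recovery_channels(inventory, {"corp.example"}):
        print("POLICY:", *finding)
    # Alice tries to set her Google Apps password to the one she already uses on Hotmail.
    print("alice reuse:", password_reused(inventory, "alice", "Summer2009!"))
```

The recovery audit is the cheap check to run first: it needs only the account inventory, not any secrets. The reuse check has to run at the moment a password is chosen, because that is the only time the plaintext is available to compare against the other systems' hashes.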

According to Eran Feigenbaum, Google's director of enterprise security, 1.75m businesses have now signed up for Google Apps, the company's suite of cloud-based office applications, and 3,000 new businesses are joining every day. But he acknowledged at a recent meeting in London that "only a very small percentage" of them so far use two-factor authentication.

And according to Yuval Ben-Itzhak, chief technology officer at security company Finjan Inc., that lack of basic security measures is leaving companies open to major threats.

"It's sad for Twitter, but their case is no different from what we see all the time in other organisations. Most of the cases are never publicised," he said.

"Hackers are attacking businesses in general, either through the browser, or by sending infected PDF files, or instructing you to go to specific sites. In just the last week, every day we have found around eight new hacker servers with, on average, about 100,000 to 150,000 compromised PCs. That's around a million new compromised PCs every day."

That is just the tip of the iceberg, and the scale of the problem is much larger. Many assume that Twitter and other Web-based social networking and cloud computing services are fun and safe, he said, "but that is a very naïve approach."
