A recent attack on the private e-mail account of an administrative employee at Twitter led to company data being compromised. But despite the focus on password strength and cloud computing, the security risk lies in the area of password recovery and security best practices.
aftermath of the latest
, much has been written about password strength and the risks
of cloud computing. But when it comes to the two most recent hacks targeting
Twitter employees, there are other issues involved.
password strength in and of itself means nothing if someone can reset your
password. So was the case about a month ago, when an attacker going by the name
"Hacker Croll" abused the password recovery feature of an employee's
private e-mail account to get access. From there, Croll was able to get
information that allowed access to the employee's Google Apps account, which
contained Docs, Calendars and other Google apps Twitter relies on for sharing
notes, spreadsheets and other information.
Croll got access to an
employee's Yahoo account
and got the password to the employee's Twitter administrative
account. With it, Croll posted 13 screenshots of the microblogging service's
administrative panel-including internal details for accounts belonging to a
number of high-profile individuals, including Britney Spears.
"We saw an attack
like this last year with the Sarah
on Yahoo as well," noted Mark Diodati, an analyst with the
Burton Group. "So to us it's the insufficiency of that knowledge-based
authentication, mom's-maiden-name thing that set this whole thing up to begin
Both Google and Yahoo
allow users to create their own security questions, something that has been
cited in the past as being more secure than providing a few generic questions
for users to choose from. Google also announced a feature last year where users
could view the time of last activity on their Gmail and whether another session
is currently open. The information also includes the form of access-mobile or
PC, for example-and the IP address, said Google Engineering Director Macduff
Then, of course, there is
the question of why, in the April situation, the person's Twitter password was
in their private e-mail account in the first place. That's bad news, Diodati
"That has nothing to do
with strength of passwords; that's just plain old bad security to send
passwords on e-mail," he said.
When it comes to password
, Twitter seems to be behind the time compared with other companies
that have been selling software as a service to enterprises for years, opined
Gartner analyst John Pescatore.
"Years ago Salesforce.com
had to offer more than just reusable passwords/shared secrets for access to
data stored on sf.com," Pescatore said. "It had 'IP address restriction'-I
could force my Salesforce to VPN into HQ and then get to sf.com from there.
That was sort of draconian-they should have also added support for SecurID
tokens, since many companies require those for all remote access. But that was
an example of a business-class service [sf.com] going beyond reusable passwords
and having to deal with password reset and the like."
Though some of the
concerns have been raised regarding the security of Google Apps, Hughes notes
that users cannot reset their passwords without communicating directly with
their domain administrator. There is no password recovery feature for
"Early this year we introduced
the ability for Google Apps administrators to set minimum password length
requirements that apply to all of their domain's accounts," he said.
"Administrators can also view password strength indicators for each user in
their domain to identify passwords that may be of sufficient length but that
may be weak for other reasons, such as words that can be pulled directly from
Google has also supported
SAML Single Sign On since 2006.
"This breach indicates, at the very least, that traditional
password protection practices were not being followed," blogged Secerno CTO
Steve Moyle. "For every organization that holds
information that could be deemed embarrassing if made public, Twitter serves as
reminder that open does not mean secure and the protection needs to come from the
appropriate care at the level of the data itself."