|
|
|
Twitter Attack Bigger Than Password Strength, Cloud Security Talk
By: Brian Prince
2009-07-16
Article Rating:  / 3
There are 1 user comments on this Network Security & Hardware story.
A recent attack on the private e-mail account of an administrative employee at Twitter led to company data being compromised. But despite the focus on password strength and cloud computing, the security risk lies in the area of password recovery and security best practices.In the
aftermath of the latest
Twitter breach, much has been written about password strength and the risks
of cloud computing. But when it comes to the two most recent hacks targeting
Twitter employees, there are other issues involved.
After all,
password strength in and of itself means nothing if someone can reset your
password. So was the case about a month ago, when an attacker going by the name
"Hacker Croll" abused the password recovery feature of an employees
private e-mail account to get access. From there, Croll was able to get
information that allowed access to the employees Google Apps account, which
contained Docs, Calendars and other Google apps Twitter relies on for sharing
notes, spreadsheets and other information.
Croll got access to an
employees Yahoo account
in April and got the password to the employees Twitter administrative
account. With it, Croll posted 13 screenshots of the microblogging services
administrative panelincluding internal details for accounts belonging to a
number of high-profile individuals, including Britney Spears.
"We saw an attack
like this last year with the Sarah
Palin account on Yahoo as well, noted Mark Diodati, an analyst with the
Burton Group. So to us its the insufficiency of that knowledge-based
authentication, moms-maiden-name thing that set this whole thing up to begin
with.
Both Google and Yahoo
allow users to create their own security questions, something that has been
cited in the past as being more secure than providing a few generic questions
for users to choose from. Google also announced a feature last year where users
could view the time of last activity on their Gmail and whether another session
is currently open. The information also includes the form of accessmobile or
PC, for exampleand the IP address, said Google Engineering Director Macduff
Hughes.
Then, of course, there is
the question of why, in the April situation, the persons Twitter password was
in their private e-mail account in the first place. Thats bad news, Diodati
said.
That has nothing to do
with strength of passwords; thats just plain old bad security to send
passwords on e-mail, he said.
When it comes to password
security, Twitter seems to be behind the time compared with other companies
that have been selling software as a service to enterprises for years, opined
Gartner analyst John Pescatore.
Years ago Salesforce.com
had to offer more than just reusable passwords/shared secrets for access to
data stored on sf.com, Pescatore said. It had 'IP address restriction'I
could force my Salesforce to VPN into HQ and then get to sf.com from there.
That was sort of draconianthey should have also added support for SecurID
tokens, since many companies require those for all remote access. But that was
an example of a business-class service [sf.com] going beyond reusable passwords
and having to deal with password reset and the like.
Though some of the
concerns have been raised regarding the security of Google Apps, Hughes notes
that users cannot reset their passwords without communicating directly with
their domain administrator. There is no password recovery feature for
individual users.
"Early this year we introduced
the ability for Google Apps administrators to set minimum password length
requirements that apply to all of their domain's accounts, he said.
Administrators can also view password strength indicators for each user in
their domain to identify passwords that may be of sufficient length but that
may be weak for other reasons, such as words that can be pulled directly from
the dictionary.
Google has also supported
SAML Single Sign On since 2006.
This breach indicates, at the very least, that traditional
password protection practices were not being followed, blogged Secerno CTO
Steve Moyle. For every organization that holds
information that could be deemed embarrassing if made public, Twitter serves as
reminder that open does not mean secure and the protection needs to come from the
appropriate care at the level of the data itself."
|
|
�������x}r۸j�9km�]mGJɶhŶ,%^:U*$)|ɜ
7](ɗLf$e$�n4���Iș3&9)ٝ Oo-z��IjÛP�BeFAU�M7
J�Զ�O7�R�5v��:!�M�����f*7x� ���#�D�PL5
ƚI�]ٚc�6�h2)X��m$(��+rZ'�|5[��6m��(GL��Ż?�K��E!wO�C�(>rP
/TGYn�Sqca/De_X�HY�b[�Ay4��5i��;����zq;L�Z&QuVV��ڮq�8]�b#0+#O3�c奨�H�aP`\ 9t}�
E�J;vy�%Mi�FfQ%p'z:tm3C�"����k>�NZCZ�Sˆ辥{$�)5�< \g4"�1lp<�E9$�7��:\ڨяZIOl+wRA#�ס,ۏ`e[YW�x�wgy@fj�b�t�� KJ�z�cn>Lj�Z�uL|:j�-�EӝfؖqSth(�͡V*Z]Q�Kru_)�:oE]`[©;}{c4�~)UU�ewyY !��mݹ��Wඒk%m�s|uO}vF�6y��6tx+ȯ7ND_j��QEVKi�h/�ZH�
�?,'N{���#x�Z�j/4E;J
KHS�Ә=
(����N,#�uG�Ҿ路.:6鷏�]uڧH>߉ecby
1�=T�r�Jw3Bz��,��ק'O�םuvISCR|BCjBәcYquU寯~�6O|�SR?�*�:aZ+}I-Eb{|&�J]~<:�$ץcY>韐��C��J�ݖE�L_*X_�KQ
S%fh�XՀ�?$eR2|[&r,�
߰f\S@k�7'h,if5Mn
"d�>Li�,.ϬF��p-AhF�@Lt�&�H�)5?�*b.L2<|)=:`i�1TE0�{Yt"FɺN�}W�%M��1F|r+�̤ `Q%M���
'� 8S$Juu3p�@W-]rNԖڂ1S|}M㞖�\z댛VU.�.>{ֻ6Lq��D�
͜Z�,�'1!��&B~�aZ&4B
7q�XlEN\'1nUC\�f;aM�r"Vv�6`�zT4fS w$mrn)�RЛv!s9n!�x�+ePL�g<)*[h73D�2筶
�挧M,31r@uOSjS͘�T�3(Q2�-C+�L)E+)i�SX-h�O�m�=klYo)�,JI��T*{°յ�Z)퉟E�Y
m-؋W�7�tjQtT�0P*��TdmցdXNJ�(J>}]bH'^$ôkQ&�u��|�pŶ��f/UKW+@�d�#k'zESZ2e6k�V
[�٠C�b�eܡQӿ��Ȩ/lĖCfx9�bǮ�Awm<_D�d|:���h*� )!�\o� �N(>A۰�XzThj]Mmbf0 0q�0d}I�:pJ�]aY3:-�{ŅaWhI3Wk4GUM8`ފ�Dڃ��2��F�4ÑeH�V!{W+�Z"@z2V&H~�6��=2.eX"PX.>mR\v1'9Yw�HFmdB
�_w;$!U7fTSDq!
VD��r@uߘ@g��ѐ!a�s:�_xHE"}�[+pp����L���U.)L0�:�K�j
+�,X������T�=;4⦼64�W݀�Ēj�:,G�5f>P{Ǎ{nc�?T�^E�f,w{LRKz-A��ZUU+òZp"0ϸo��G�O zX '0�`dc+0\@탰w0p�/5K��2*<:�,7\W4Uud
XX 0�X�A,C{��Mt��AjY�,��t0Y,tOhp�
y߽m?R\_9ͨ1��4V��\8�./-�H)X��Gl7��F^@4T_/ҞuN�<#(9�^3�b�RD��iƱ;4bG gIi�
~p㉱VXB¿l7�B+E?e$�ߌcS
�*R'�kdǗNjW�RW66WΣO!�x8ݙY$(kR�}2U�+[[ ȵ� }0e*Tt�Y���?ﺪiT)���R*?�.}x63(K?g0MϦL:蓻_߯a]!+d�VB'�#=̓Oe�*r1=_�>�M=�
;LF;�P\=6w6FN@5# c� پ�{P� 4dx:W.PcWa�߇l¼h..]>:lf#-��n�õ^
�7f�q��"c'ۭC�/E�z��ԺfƥTj��W�PU"HA:e�rz�k�?pYoUU�NSF<:H�Sߐ@ڨrGh��]�+u{]fRv^Lٔ)_2|1S�e)KVYށ%�ZZ�C=,N
=X디Z=4¢Y Ģ*��Go&NU5:VJ'd"I�},Ke嵨:n1TʵRM()1C��螔4rh2jk��.�, �7�1�טs�9���t�
iz堺_),�r?1Jg؋�<��rqv�Ny�4�Ŧ,#O+C,6Au�q0ݎ�3�/4ڎu�.mj$2~��P+a
gMٸUJ0iuI+KZ��
�=2fcU�$}/q[D�IO3ҿ++tC��Bg\Co0|�n���/�͆Rie�mR��ܑN [ }u
�($j^�ç
,t�2jUk?�� ��|� j��!9cm?�`�&MMX)���A`r0qq3(��5E491���-L�x0M8tz'JUqe?s<�c��SW�wvZ]}}� � }MMA�9
|1tc~y
̶I\f}zgWu4U{ڽK�ѨQ�8筫w�mq{O�E[J:^[�r��Kλ��,�z�!zڭFS�tk3d8)1Gg~H��6Q`���!�,{uҾĂsÜ4�"z�sM3"n,q� ۳}gI�w�²V�XHy`&.�v)tz]��E9����,��{B�,2�q]>ǧ2sY�t6����VS�F(�?D�rAFzZF�>o'U���f�}3bt4zQt":#oo9j
�~�_!c�ߗ&8��~�ѶPV=8Y̳ph縕zI��~<)}Agm9˝}H�u(�ōW�7 r�E�P�XIR"�9oũp$-ޱakO܉W(^H�#۽;Z�5@4rk=H\P6n'im�.6t[bă)3�ɔrFD4<�A�2XiYMzFcTcH�(PDPK;
3>I�e
&ޜ,Hu9Yn@yjXýMی3/LB$w>fKEҊ�P�k��q,��)�"
;|E?2B[LkHuT䵴�f[YeUHO~̩�'�� L8����=�!�Qh���S~Mbݩc3c�<�Im�wR�6(Sf��c�F�P'�gYX*40so����8dcΣd�f�T cv2O7&�M���Z�9�1c6q�w�vh!(;A�\@FJKrm�]O]Ak6Ê,�\J>|[|,'�Mw[�v1tEOZg�i]|�1L0�x1�$?L)Э�>��z}h^qw>P]Qz AE~k}\;z{w_7�|Kf0�W+��l8n4-7OT�F�yd�J�~j'Mt:�D�jE[c[{C9��Ȫ̙S.zR؉O?'�3v`q@+:#�&j�%3ތ��7D/�Z2f:9�f�rf�#F0�[v���EcO�4v�7
]ekw}B&u\6e�J}�;q-Ԉ@�k*kej,^$��D�G%�{two��v�U6�ut_����O 6;w1_�t`��A�AXŀ0!V
lKG
q�}X��Pz�pvv�ƘI�3"qc$QI)Zþ4
٦p��
�v��P\���>c1�\JUO#E.}}&P<�V�®XG*L�M'JV u.?t�
u$~b^jj\��bNJ.�h�G�R]
@�E&D.�m�Ӕ\�Y?�e[�`wsn�nK*sz9t=�̫"0Uh& �QWB�iڦa%cLW�Z:QXނ�$|�r�j>�-)YIjuSJ.=LJ?n\')� ,TnK,9�}]K}eIW!f��N"":?�iW票ѕ%ۭpܾU6%sW��f�pKmכ2��0��sE> nO�#LUp@D�⼛A' \Ȉiߛ�f|�E6sQT�eP��ֶ|P~w(vY89�T8�,J�,}'ũqSחz.��wg7Ra�fr�D��-#X�#P�IGD}� b^9Ϯ�c�h���a�ǥSHVGЕ:aL�5̿�f;�1�JMm
ĵ�Q�ZH\�oE-BD-ߚV��p�,5�_�˱ڦ�\{X2�~5d9�P�Ӿ@�_W�T]%3�`1\%d@j6Էz$j�b�*:d4\;cg;�+,�OtC\(((((_*Ӎ�|~�jОuՁԛ�`4�Ob:�L-KZˮ17֣�C$dqb�3�Sϙ柀iqXi>膔0eu0"0Z$]`+R{!F�?SR\�W'Qor6A�lY7sQB;p-v��cKK߽ŵ_ Sǀ"6�l���Wc1D�� H�|�!~;T"蚣Ga�\OK:ҝ�f
�.Mu˖\�)�zoXQR7HRZ�{P�B̖`e`�K�h%6�ԓ�!i>$|o�:/E�p�쎄!p'SV�Ber,e@�HC1�p8ߎz�̉-�ܺȆtS}Is�p��NRtI�ڌ4e� ܝĒ$.Ih߈yt.o�6�W&Kd�$�~#��r}"�89ԲR[p�$cA⊘_{RQ�_iҖ&d'^�2[9�3VeHewwwwJcqvٰ�HxK;a*JW�י7cԽ>5R3n;jEȞa0ݖ.끾�")
>S�Pkc&�ۼM�73OEZߪmK|mh^��#|:Lpe�7V)@� D�1�W�Alۛiίm\eU�ӗN
k?Cfţtj�KvR$*'0���Q�'! m
2}m!0{\�;
(E���A8O4 }erx:F�0ܲ˛
EGw�B8彇:۬W`YHvjce4.㹙$=|6-�^�b-M*)X�6̎5>,6Ɠo{�� ˢ.ƞ�}:uoBܽy,��ˡ�>Hsb�lu�؆_�߳��
JTcaֈ�aآZ(����^M�N1�5�Kx(!H(N�@=|6�1z�>8X@O}kҽ9:u]�g�[2_)�;>a {bgiQɑOmK"�<�(`-۞F�ܓَatЄx��-b9�
D�?\<=C�EZ"��0#{S3!sl7�7w-
�4&N-§E���YU7>ků œhg!g:n6b!��<{6�ތ+>I%4Ku�ыb�*�nN2(h�X?�&-Y?̠�C䷿P'mdǷQ^ sbm2QB�aʼnJ~q'�dE6�w+_aR-�-:'�[�;"
u��G@M!Zv|�x��*n�'@ %�o�[~~��Fy�Qs�ǺA|_�PUSžv0�"}.K[,pŽ�p=鲆ES�-sq�Gv5P�rza~�=�ʵm~�EYƗ�q.|9صh�e9L
qj*b�{P2D��#�%1�we(�#gs8RG%9x����"7�~TLZ��@�_��^�a)~c�)A%+�ޟG "�K&5Ձ�(gT|3, ^膷JW15ƜSv.\l��#mZB,iw%�dox7Bք0fx*B 'Yٜ�AGuroh�DR!U�JK�559V�)\[>3-iU15bmE,*�~��3=u`m=,*bǭ�3m]Mt]V9Ow|��e4k�l/3
��?�3$UX]h ��0.�7-��l�W/ժ/{�ҋzhNU_�ZהV/�eE�^[�����d(ur3b}nރKL�IG:�gYJE+Lۺo?qX*@E�L�n)?is�J<<~Q,mJ)Ag���g�dmt����[�oW-F]5t tP�G'��"�X_8�7t*ޞ+j6
$|tBO3'r1!'th'*vUZtRtj�ϳ�W[ "yFsks?�?bS~碷�+KNwV8��66mEUk)7�g%۹caYL\#&'0��^wt�c,.��Iϣ,Z�̏XJ1_[�F�zVM9�7XC'FUAǵ��,?zîֿ�|Ɉֲs
!"Ik%�NnL#D�^*�Z�@(iYr'
&G>�xB)SW�q+TVwAkj��ݙ=ҁ.+q,N7ⶭM1Tx/>coI^P>Eg� :WZ54�Gw/�t�X�3+b3-Ѩ#k�W�|$�{S4m�#F0�˼3�'F!,x|EtZZ&e}�~l1Bi�b#�#��
^BP\6�zhuEwW=�d6Ƀ;Cym!��W�yh;�?�E!Cl�;=V�]W\A.!Ƥ�H�]So����>�!��M᧸�
:�LXP4e~�ѾpuS��{DTw.rOaH��P-S["dZ1ֈ�Q-�?��~1&I?
,iM�����^C.B' �<6"))Ĵ0
/F20�a`(-RS~Qx^ȆRǠ{=۹dl��U^�(l+wxcF>b|�>gg, +D:Ab)u��(b��E�$�7�@O��55��?B6ϱRSJLn$|�s�Q!,a4yn��3���z�q"tM
0�}� 5tHM<0��2B�kQ.#FMQpVM�u?3�ɏݠZHmݜ�(8��&�zy����H${=9Q~ieP{aJ~X{��dO 0����K1c�RWkJ%�u���3�ʰ�LXU+n���"�̪g2�qJйJV �J�{�AFA
dhz߃B-
-C#�*a@}FL�@s,4[giUMz�zW~{Agk^~>\/:�Ba&FoL/Y百TQ(X7K{YF�ufzʌPN{:c.ͅdY/yr9,tC�1}T�y(;5�Y6ühr�gzqL�&�Up�:kr8ٙEG]3G �9nzV�h9��P}P\ᡚ �@AC<}ҽh�JKʋ3 dz�!'WH5'
үV�R[9]H#W��N9ǐ~:�sww9�?N)4wVwN
IN:>t.rҡ��z9!3��fyCs��~s{�99<@9y�yCȣ�9�rC@?r!<'�"g|/.r�"gnN 9�#_.>.s�_政�ʡ��>_?N�1>Atߧ}�}5_�^5S5u�:Iʙ gK\8=J��W
ͣ�zTA^䕯�?�4'}�sYU�zvCUX^Z*4*ௗU}odlڹ<�BR+�+]q%>aW*I m���}}}/Q
-Cyik25���AQ𰐲FgE6e�+&Ȭ-'hHt]f=�g%%eX�-0?Ut[.�2پWޕ\~Sfy�+tO12<=s�s>@͝eNu+r6d)?``����~&�\ʠbC�a4�uv[F8�cN>�@���3x�G� �Y@D˼���hգ�9ı�~?ų�l1@�ҩ |^:%�3!U{�Txx e*�j莃�>�uQ0Z�gqõ�d<@T:?�9@��&ɉz͑yC�}b̜�C�U^���ˋ!A0Hyfʱ0.6�A�b!Ÿޙ�nǍqc
o-&�D}Ȯ01lx]|�cL!I�U? 펟6��RwzhLRGh_cFrd9�Ge�j��09[q�3u{Zf$J�B53v�L��~m@e8>qm6!�d`6Nώ�;]:��K�ufp^�R�_���ێ�}
�fL�&S�O"
�x^�37ty'����^c~1L��n`�[>/A>=Ԯ�{!fI߫��a0'l �|P#%&'Rv$m�ԁ��`7N�
04
6 郇rIB�+ΓĠ�>'GTWB&�:#S3Q1֜��Ogзc�x쥭%�mY $�v.}�xF˒5\z#2|1)HxbHIhC>e��v�EE�`A�0^e�D$u@Ч�
�߆S�'11?�0�j;;�1�Te-s0ŴBShJ ,�(O?Gkn5�y`w`ehD�P�/Tvy(3*>ܠK��A,�1-i��ΦJ/"e`7'#�~*��V��œC>p8{g@�!{hI5�C_�z
9@+7A{-?OJ��D O.y(ظo�@WD0;"6����ic."sE0畲�&(Xp\GAVΙنz&�5w<#�#*�g
՜5%SWnRP'r`V(̛
m+,�~HױQ��_`[P~X��3mKbA<\h�n2;6%�i#q|��@ =H
ofԩ�%`y��@0�z���ǩk[mx�~;ݾA�
g��+�OeXgg�{,UM)�X5l\d�JM["ö,:qp {۶w&WȰ-'my�#�Q1V)vf$Ѿs,�a�|X��o�V|u�7Ϗp�`d2��Y>'��KY'Ӷ}d&5,�$$r幖I��;;*7�&�iy-�cC�v_)vph[?�Y�A� wVǰ�>BO7sS
30RO
+(|[P�d3>C7DjF7Br�
dZH_مt&�v3�k�{�;3b,/�A,xrs*]x�7�Nb���g�_ydOȅ�_Y�G��7�XMp1Nꇿ3�E_:mw>�pJ{�ggI^v�vQ*�+Se{l~
�)CUs̹DUT_JC\rbx6
}OTbr$XX7a66̈́
��]&ŮM�v�es��$ݬ+��
|
Network Security & Hardware 
