Google and the cloud computing model were the victims of some jibes from popular blog TechCrunch in the wake of a personal e-mail account hack at Twitter.
The attack, centered on the security of Google Apps’ password system, rekindled the debate about whether it is safe for businesses to use the Internet to store sensitive documents and forced Google to defend itself, with Twitter coming to Google’s aid July 15.
The brouhaha started when TechCrunch came into possession of some 300 documents a hacker named Hacker Croll allegedly swiped from Twitter back in May. The documents contained anything from executive meeting notes and financial projections to such banalities as meal preferences, calendars and phone logs of Twitter employees.
Twitter co-founder Biz Stone confirmed the hack after TechCrunch posted screenshots of some of the documents, adding that the hacker retrieved information from an employee’s personal e-mail account, believed to be a Yahoo Mail account.
Twitter has not confirmed this detail, but news Websites CNET and the New York Times claim a weak password recovery system from Yahoo enabled Hacker Croll to access the employee’s Google Apps account. This account include Google Docs, Calendars and other Google apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company, Stone said.
TechCrunch founder Michael Arrington July 14 suggested the password security for Google Apps was weak, noting in a comment on his blog that “the original security hole seems to be Google, via Google Apps for your Domain. Some passwords were guessed and things started to fall apart from there. Most (or all) of these documents were downloaded from Google’s servers.”
Less than a day later, Arrington defended his right to publish the documents when he wrote:
““It’s not our fault that Google has a ridiculously easy way to get access to accounts via their password recovery question. It’s not our fault that Twitter stored all of these documents and sensitive information in the cloud and had easy-to-guess passwords and recovery questions. … Hopefully this situation will encourage Google and Google users to consider more robust data security policies in the future.”“
Michael Eisenberg at SeekingAlpha rushed to condemn the security of cloud computing: “The bottom line is that many startups and an increasing number of large companies are using Google Apps for critical company documents. Most of them think that they are living securely. They are not. … This is a risk for Google going forward and an interesting nod that cloud security companies are needed.”
Google and Twitter Deny Weakness in Google Apps
Both Google and Twitter moved to put the kibosh on these insinuations about Google’s account security protocols and the cloud having weak security. Stone added in his post:
““This attack had nothing to do with any vulnerability in Google Apps, which we continue to use. This is more about Twitter being in enough of a spotlight that folks who work here can become targets. … This isn’t about any flaw in web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords.”“
Stone also stressed that this was not a hack on Twitter, but a personal attack that led to the theft of private company documents.
Google, meanwhile, also addressed the questions about its Google Apps security. Google Engineering Director Macduff Hughes wrote in a blog post:
““We run our own business on Google Apps, and we’re highly invested in providing a high level of security in our products. While we can’t discuss individual user or customer cases, we thought we’d try to clear up any confusion by taking some time to explain how account recovery works with various types of Google accounts and by revisiting some tips on how users can help keep their account data secure.”“
Noting that password recovery is one of the more common requests for assistance Google receives from its Gmail users, Hughes said Google recommends security questions and a secondary e-mail address, as well as an option to input a mobile phone number to assist with account recovery.
But Hughes said password recovery is another animal altogether for Google Apps, for which there is no password recovery process for individual Google Apps users. Hughes said users must get new passwords from their domain administrator.
Pundits were not as diplomatic in their defense of Google and its cloud computing approach. In a post titled “The Twitter hack: Let’s not start blaming Google or the cloud,” Sam Diaz at ZDNet wrote:
““Sure, maybe Google could come up with a better password-recovery system-but this isn’t Google’s fault. Bottom line: Twitter used an easy-to-guess password and recovery question. That’s how the hacker was able to get in-not because Google has some sort of security hole.”“
GigaOm’s Jordan Golson wrote that the issue may be chalked up to companies using poor authentication and password protocols to secure their data.