    Twitter Attack Bigger Than Password Strength, Cloud Security Talk

    By Brian Prince, July 16, 2009

      In the aftermath of the latest Twitter breach, much has been written about password strength and the risks of cloud computing. But the two most recent hacks targeting Twitter employees turn on other issues.
      After all, password strength in and of itself means nothing if someone can reset your password. That was the case about a month ago, when an attacker going by the name “Hacker Croll” abused the password recovery feature of an employee’s private e-mail account to gain access to it. From there, Croll was able to obtain information that allowed access to the employee’s Google Apps account, which held the Docs, Calendar and other Google applications Twitter relies on for sharing notes, spreadsheets and other information.

      In April, Croll gained access to an employee’s Yahoo account and retrieved from it the password to the employee’s Twitter administrative account. With it, Croll posted 13 screenshots of the microblogging service’s administrative panel, including internal details for accounts belonging to a number of high-profile individuals, Britney Spears among them.

      “We saw an attack like this last year with the Sarah Palin account on Yahoo as well,” noted Mark Diodati, an analyst with the Burton Group. “So to us it’s the insufficiency of that knowledge-based authentication, mom’s-maiden-name thing that set this whole thing up to begin with.”

      Both Google and Yahoo allow users to write their own security questions, something that has been cited in the past as more secure than offering a few generic questions to choose from. Google also announced a feature last year that lets users view the time of the last activity on their Gmail account and whether another session is currently open. The information also includes the form of access (mobile or PC, for example) and the IP address, said Google Engineering Director Macduff Hughes.
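The last-activity feature is worth seeing as logic rather than a screenshot, because the useful signal is not the timestamp itself but an open session from a network the account owner does not recognise. The following is an added example written for this article, not Google's code; the Session record layout, the "trusted network" idea, the access-type labels and the sample sessions (documentation IP ranges, July 2009 dates) are all constructed for illustration.

```python
"""Last-activity and concurrent-session report for one account, modelled
on the Gmail feature described above.  Added example, not Google's code:
the Session layout, trusted-network list and sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Session:
    session_id: str
    access_type: str   # e.g. "web", "mobile", "imap" (assumed labels)
    ip: str
    last_seen: datetime
    active: bool       # still signed in


def activity_report(sessions, current_id, trusted_networks=()):
    """Return (last_other_activity, open_others).

    last_other_activity is the most recent session other than the one the
    user is looking from, so they can compare it with what they remember
    doing.  open_others lists every other session that is still signed in,
    newest first, paired with a 'suspicious' flag that is set when the
    session's IP lies outside the trusted networks (office or VPN egress
    ranges).  A live session from an unknown network is exactly the trace
    a hijacked account leaves behind.
    """
    nets = [ip_network(n) for n in trusted_networks]
    others = [s for s in sessions if s.session_id != current_id]
    last = max(others, key=lambda s: s.last_seen, default=None)
    open_others = []
    for s in sorted(others, key=lambda s: s.last_seen, reverse=True):
        if not s.active:
            continue
        trusted = any(ip_address(s.ip) in n for n in nets)
        open_others.append((s, not trusted))
    return last, open_others


def suspicious_session_ids(sessions, current_id, trusted_networks=()):
    """IDs of open sessions that are not from a trusted network."""
    _, open_others = activity_report(sessions, current_id, trusted_networks)
    return [s.session_id for s, flagged in open_others if flagged]


# Constructed sample: one account, four sessions, RFC 5737 documentation ranges.
UTC = timezone.utc
SAMPLE_SESSIONS = [
    Session("s1", "web",    "203.0.113.10",  datetime(2009, 7, 15, 9, 0, tzinfo=UTC),   True),
    Session("s2", "mobile", "203.0.113.77",  datetime(2009, 7, 15, 8, 30, tzinfo=UTC),  True),
    Session("s3", "web",    "198.51.100.23", datetime(2009, 7, 14, 22, 40, tzinfo=UTC), True),
    Session("s4", "imap",   "203.0.113.10",  datetime(2009, 7, 13, 18, 5, tzinfo=UTC),  False),
]
TRUSTED = ["203.0.113.0/24"]   # assumed office/VPN egress range

if __name__ == "__main__":
    last, open_others = activity_report(SAMPLE_SESSIONS, "s1", TRUSTED)
    print(f"last activity elsewhere: {last.access_type} from {last.ip} "
          f"at {last.last_seen:%Y-%m-%d %H:%M}")
    for s, flagged in open_others:
        note = "  <-- not from a trusted network" if flagged else ""
        print(f"open session {s.session_id}: {s.access_type} from {s.ip}{note}")
```

Run against the sample, the report names the mobile session as the last activity and flags session s3 (198.51.100.23) as the open session to worry about; with no trusted networks configured every foreign session is flagged, which is the right default for a personal account that has no office range to trust.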

      Then, of course, there is the question of why, in the April situation, the person’s Twitter password was in their private e-mail account in the first place. That’s bad news, Diodati said.

      “That has nothing to do with strength of passwords; that’s just plain old bad security to send passwords on e-mail,” he said.

      When it comes to password security, Twitter seems to be behind the times compared with other companies that have been selling software as a service to enterprises for years, opined Gartner analyst John Pescatore.

      “Years ago Salesforce.com had to offer more than just reusable passwords/shared secrets for access to data stored on sf.com,” Pescatore said. “It had ‘IP address restriction’; I could force my Salesforce to VPN into HQ and then get to sf.com from there. That was sort of draconian; they should have also added support for SecurID tokens, since many companies require those for all remote access. But that was an example of a business-class service [sf.com] going beyond reusable passwords and having to deal with password reset and the like.”
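The two controls Pescatore mentions, a source-IP restriction and a token-based second factor for everyone outside it, fit together into one access decision. The block below is an added example, not Salesforce code: the policy layout, the documentation address ranges standing in for HQ egress, and the three decision labels are assumptions made for illustration.

```python
"""Source-IP restriction with an optional second-factor step-up.  Added
example, not Salesforce's code: the POLICY layout, the network ranges and
the decision labels are assumptions."""
from ipaddress import ip_address, ip_network

ALLOW, STEP_UP, DENY = "allow", "require-second-factor", "deny"

# Constructed tenant policy.  'networks' are HQ egress ranges that remote
# staff reach by VPN.  'step_up_outside' is the less draconian variant:
# a login from anywhere else proceeds only with a one-time token, instead
# of being rejected outright.
POLICY = {
    "networks": ["203.0.113.0/24", "2001:db8:10::/48"],
    "step_up_outside": True,
}


def access_decision(source_ip, second_factor_ok=False, policy=POLICY):
    """Decide a login attempt from source_ip under the tenant policy.

    source_ip must be the address of the TCP peer, or the value a trusted
    reverse proxy put in its forwarding header; never a client-supplied
    header, or the restriction is trivially bypassed.
    """
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return DENY                       # fail closed on an unparsable address
    inside = any(addr in ip_network(n) for n in policy["networks"])
    if inside:
        return ALLOW
    if policy["step_up_outside"]:
        return ALLOW if second_factor_ok else STEP_UP
    return DENY


if __name__ == "__main__":
    for ip, mfa in [("203.0.113.45", False), ("198.51.100.7", False),
                    ("198.51.100.7", True), ("2001:db8:10::1", False)]:
        print(f"{ip:>16}  second factor={mfa!s:5}  -> {access_decision(ip, mfa)}")
```

A source-IP check is coarse on its own (everyone behind the same NAT looks identical, and an attacker with a foothold inside HQ is already "inside"), which is why the step-up branch exists: it keeps the restriction as a speed bump while letting a hardware token, rather than the network, be what actually authenticates a remote user.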

      Though concerns have been raised about the security of Google Apps, Hughes notes that users cannot reset their own passwords without going through their domain administrator: there is no self-service password recovery feature for individual users.

      “Early this year we introduced the ability for Google Apps administrators to set minimum password length requirements that apply to all of their domain’s accounts,” he said. “Administrators can also view password strength indicators for each user in their domain to identify passwords that may be of sufficient length but that may be weak for other reasons, such as words that can be pulled directly from the dictionary.”
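Hughes' point that a password can be long enough and still weak is easy to demonstrate: a length check passes "P@ssw0rd2009", but any cracker's rule set strips the appended year and undoes the leet substitutions before trying the word list. The block below is an added example, not Google Apps code; the minimum length, the tiny word list and the substitution table are constructed for illustration, and a real check would use a full cracking dictionary.

```python
"""Password policy check: a minimum length plus a dictionary test that
sees through appended digits/symbols and common leet substitutions.
Added example, not Google Apps code; MIN_LENGTH, WORDLIST and LEET are
constructed for illustration."""
import re

MIN_LENGTH = 8                                   # assumed domain policy
WORDLIST = {"password", "summer", "twitter", "welcome",
            "letmein", "monkey", "qwerty"}       # constructed; use a real list
LEET = str.maketrans("@4301$5!7", "aaeolssit")   # @,4->a 3->e 0->o 1->l $,5->s !->i 7->t


def dictionary_forms(password):
    """Base words a cracker's rules would recover from this password."""
    lower = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lower)
    # Drop leading/trailing digits and symbols ("Summer2009!" -> "summer"),
    # then undo leet substitutions in what is left ("p@ssw0rd" -> "password").
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lower)
    deleeted = re.sub(r"[^a-z]", "", core.translate(LEET))
    return {letters_only, deleeted}


def check_password(password, wordlist=WORDLIST, min_length=MIN_LENGTH):
    """Return the list of policy findings; an empty list means acceptable."""
    findings = []
    if len(password) < min_length:
        findings.append("too short")
    if dictionary_forms(password) & wordlist:
        findings.append("dictionary-based")
    return findings


if __name__ == "__main__":
    for candidate in ["abc", "P@ssw0rd2009", "Summer2009", "m0nkey!", "xk7Qm!9rLp2v"]:
        print(f"{candidate:16} -> {check_password(candidate) or 'ok'}")
```

A check like this can only run at the moment the password is set, because afterwards the server holds a hash and can no longer inspect the password; that is why an administrator's "strength indicator" for existing accounts has to be computed and stored at change time rather than recomputed on demand.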

      Google has also supported SAML Single Sign On since 2006.

      “This breach indicates, at the very least, that traditional password protection practices were not being followed,” blogged Secerno CTO Steve Moyle. “For every organization that holds information that could be deemed embarrassing if made public, Twitter serves as a reminder that open does not mean secure and the protection needs to come from the appropriate care at the level of the data itself.”
