In the aftermath of the latest Twitter breach, much has been written about password strength and the risks of cloud computing. But when it comes to the two most recent hacks targeting Twitter employees, there are other issues involved.
After all, password strength in and of itself means nothing if someone can reset your password. Such was the case about a month ago, when an attacker going by the name “Hacker Croll” abused the password recovery feature of an employee’s private e-mail account to get in. From there, Croll was able to obtain information that gave access to the employee’s Google Apps account, which held the Docs, Calendars and other Google applications Twitter relies on for sharing notes, spreadsheets and other information.
In April, Croll got access to an employee’s Yahoo account and from it obtained the password to the employee’s Twitter administrative account. With it, Croll posted 13 screenshots of the microblogging service’s administrative panel, including internal details for accounts belonging to a number of high-profile individuals, among them Britney Spears.
“We saw an attack like this last year with the Sarah Palin account on Yahoo as well,” noted Mark Diodati, an analyst with the Burton Group. “So to us it’s the insufficiency of that knowledge-based authentication, mom’s-maiden-name thing that set this whole thing up to begin with.”
Both Google and Yahoo allow users to write their own security questions, an approach that has been cited in the past as more secure than offering a few generic questions for users to choose from. Google also announced a feature last year that lets users view the time of the last activity on their Gmail account and whether another session is currently open. The information also includes the form of access (mobile or PC, for example) and the IP address, said Google Engineering Director Macduff Hughes.
Then, of course, there is the question of why, in the April situation, the person’s Twitter password was in their private e-mail account in the first place. That’s bad news, Diodati said.
“That has nothing to do with strength of passwords; that’s just plain old bad security to send passwords on e-mail,” he said.
When it comes to password security, Twitter seems to be behind the times compared with companies that have been selling software as a service to enterprises for years, opined Gartner analyst John Pescatore.
“Years ago Salesforce.com had to offer more than just reusable passwords/shared secrets for access to data stored on sf.com,” Pescatore said. “It had ‘IP address restriction’: I could force my Salesforce to VPN into HQ and then get to sf.com from there. That was sort of draconian; they should have also added support for SecurID tokens, since many companies require those for all remote access. But that was an example of a business-class service [sf.com] going beyond reusable passwords and having to deal with password reset and the like.”
Though some concerns have been raised regarding the security of Google Apps, Hughes notes that users cannot reset their passwords without communicating directly with their domain administrator. There is no self-service password recovery feature for individual users.
“Early this year we introduced the ability for Google Apps administrators to set minimum password length requirements that apply to all of their domain’s accounts,” he said. “Administrators can also view password strength indicators for each user in their domain to identify passwords that may be of sufficient length but that may be weak for other reasons, such as words that can be pulled directly from the dictionary.”
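The two controls Hughes describes, a minimum length and a strength indicator that still flags long passwords built from dictionary words, can be put together in a few lines. What follows is an added example written for this article, not Google’s code: the word list, the sample accounts, the “leet” substitution table and the account-name rule are all constructed assumptions here, and a real check would load a full dictionary and run as the password is set rather than over stored plaintext.

```python
"""Password-policy check modelled on the controls described above.

Added example, not Google Apps code. The word list, the leet table and the
sample accounts below are constructed for illustration only.
"""
import re

MIN_LENGTH = 8

# Constructed mini word list; a real deployment loads a large dictionary.
DICTIONARY = {
    "password", "twitter", "welcome", "letmein", "monkey", "dragon",
    "sunshine", "football", "princess", "administrator", "qwerty",
}

# Common substitutions a cracking tool undoes before a dictionary attack
# (assumed table): @->a, $->s, 0->o, 1->i, 3->e, 4->a, !->i, |->l
LEET = str.maketrans("@$0134!|", "asoieail")


def _strip_affixes(s: str) -> str:
    """Drop leading/trailing digits and punctuation ("twitter2009" -> "twitter")."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def _candidates(password: str) -> set[str]:
    """Forms of the password an attacker's wordlist rules would try."""
    low = password.lower()
    return {
        low,
        _strip_affixes(low),
        _strip_affixes(low.translate(LEET)),
        _strip_affixes(low).translate(LEET),
    }


def check_password(password: str, username: str = "",
                   min_length: int = MIN_LENGTH) -> list[str]:
    """Return the list of policy findings; an empty list means the password passes.

    Length is checked first, then the dictionary rule catches passwords that
    are long enough but are just a word with digits, symbols or leet spelling.
    """
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    cands = _candidates(password)
    if cands & DICTIONARY:
        findings.append("dictionary word (possibly with digits/symbols or leet substitutions)")
    if len(username) >= 3 and any(username.lower() in c for c in cands):
        findings.append("contains the account name")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 2:
        findings.append("only one character class")
    return findings


def audit(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Per-user strength indicator an administrator could review: user -> findings."""
    return {user: check_password(pw, user) for user, pw in accounts.items()}


if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    sample = {
        "alice": "Tw1tter2009",                   # long enough, still a dictionary word
        "bob": "correct horse battery staple",    # passes
        "carol": "monkey",                        # short, dictionary, one class
        "dave": "dave2009!",                      # contains the account name
    }
    for user, findings in audit(sample).items():
        print(f"{user:6s} {'WEAK' if findings else 'ok  '} {'; '.join(findings)}")
```

Running the block prints one line per sample account; the point of the `audit` view is that `alice`’s 11-character password is flagged even though it clears the length rule, which is exactly the gap a length-only policy leaves open.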
Google has also supported SAML single sign-on for Google Apps since 2006.
“This breach indicates, at the very least, that traditional password protection practices were not being followed,” blogged Secerno CTO Steve Moyle. “For every organization that holds information that could be deemed embarrassing if made public, Twitter serves as a reminder that open does not mean secure and the protection needs to come from the appropriate care at the level of the data itself.”