What we can all learn from the Twitter security breach

July 17, 2009

Posted by: Graham Cluley


I can't help but feel sorry for Twitter. They have been having a terrible time.

A couple of days ago it was revealed that the French hacker who broke into their internal systems a couple of months ago had been up to mischief again.

Last time Hacker Croll had gained access to the Twitter administration console, giving him access to the accounts of millions of Twitter users. His intention seemed to be to embarrass the micro-blogging network as he posted screenshots revealing that he'd been able to access private information regarding the accounts of the likes of Barack Obama, Britney Spears, Ashton Kutcher and Lily Allen.

How had the hacker wormed his way in? By resetting a Twitter employee's Yahoo password after guessing the answer to their online "secret question", and then finding information about their Twitter login credentials inside the mailbox.

Now it has become clear that Hacker Croll has also stolen confidential corporate documents and shared the information with popular website TechCrunch.

TechCrunch founder Michael Arrington says his site was sent 310 documents, including information about employees, their credit card numbers, confidential contracts with the likes of Nokia, AOL and Microsoft, email conversations with show business celebrities, phone numbers, plans for a TV show, financial projections, meeting reports and salary information.

Again, online email systems and poor password security appear to have been the weak link. A Twitter employee was using the same password on more than one website, and the hacker was able to determine it. This opened a treasure trove of corporate information that the company was storing in Google Docs, Google Calendar and Gmail.

Before any of us feel too smug about this, ask yourself one question: do you use the same password on multiple websites? Research conducted by Sophos shows that 33% of people do precisely that, all the time.

Very few computer users seem to have woken up to the risks of using weak passwords, or the same one for every site they visit. With social networking and other internet accounts now more popular than ever, there is plenty on offer for hackers, and by using the same password to access Facebook, Gmail and your eBay account you are making it much easier for them.

In the case of the Twitter security leak, for instance, it's even reported that the hacker gained access to Twitter's domain name account on GoDaddy and could have redirected the traffic to another IP address, perhaps with malicious intent.

I suspect that the people at Twitter have learnt their lesson now. They have reportedly told their staff to change their passwords to unique, non-dictionary words, are introducing two-factor authentication, and have advised their millions of users never to use the same password on multiple websites. Of course, there is more they could be doing to better protect their users - but at least they're making a start.
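The two password weaknesses the article keeps returning to, one password shared across several sites and passwords built from dictionary words, are both things a defender can check mechanically against a password-manager export before an attacker does. The following audit is an added example, not code from Twitter, Sophos or the article's author; the vault records and the tiny wordlist are constructed for illustration, and a real audit would load a full dictionary file in place of `WORDLIST`.

```python
"""Audit stored credentials for cross-site password reuse and for
dictionary-word passwords (added example; vault and wordlist constructed)."""
from collections import defaultdict
import re

# Constructed sample password-manager export: (site, username, password).
VAULT = [
    ("mail.example", "alice", "Summer2009"),
    ("social.example", "alice", "Summer2009"),
    ("shop.example", "alice", "Summer2009"),
    ("bank.example", "alice", "k9#Vw!pL2q$Tz"),
    ("docs.example", "alice", "password1"),
    ("forum.example", "alice", "Tr0ub4dor&3"),
]

# Constructed stand-in for a real dictionary / common-password list.
WORDLIST = {"summer", "password", "twitter", "welcome", "letmein", "qwerty"}

# Common "leet" substitutions people use to dress up a dictionary word.
_LEET = str.maketrans("@0134$5!", "aoleassi")


def _base_word(password: str) -> str:
    """Reduce a password to the word it is built from: strip leading and
    trailing digits/symbols, undo leet substitutions, lowercase."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.translate(_LEET).lower()


def find_reuse(vault):
    """Return {password: [sites]} for every password used on more than one site."""
    sites_by_password = defaultdict(list)
    for site, _user, password in vault:
        sites_by_password[password].append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


def find_dictionary(vault, wordlist):
    """Return (site, password) pairs whose password reduces to a wordlist entry."""
    return [(site, pw) for site, _user, pw in vault if _base_word(pw) in wordlist]


def audit(vault, wordlist):
    """Combine both checks into one report a user (or admin) can act on."""
    reuse = find_reuse(vault)
    return {
        "reuse": reuse,
        "reused_sites": sorted({s for sites in reuse.values() for s in sites}),
        "dictionary": find_dictionary(vault, wordlist),
    }


if __name__ == "__main__":
    report = audit(VAULT, WORDLIST)
    for pw, sites in report["reuse"].items():
        print(f"reused on {len(sites)} sites: {', '.join(sites)}")
    for site, pw in report["dictionary"]:
        print(f"dictionary-based password on {site}")
```

The reuse check deliberately reports which sites share a password rather than the password itself, so its output can be handed to the account owner without re-exposing the secret. The dictionary check normalises before matching, because "Summer2009" and "P@ssw0rd" are exactly the variants a cracking wordlist with rules will try first.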

If I were one of the bosses at Twitter I would be feeling pretty embarrassed by what's happened, but I would also have some other emotions.

I'd be angry with the hacker for breaking in, and for acting irresponsibly by disclosing the problem to the world at large rather than reporting it directly to the company.

I'd be disgusted with TechCrunch, which seems to have adopted a holier-than-thou position on the leak, eager to publish confidential information - not for genuine reasons of public interest, but more in the voyeuristic style of the paparazzi.

But most of all, I'd be relieved that Hacker Croll didn't use the information he uncovered to cause much more serious problems for the organisation, problems that could have affected all of its users.

Graham Cluley is senior technology consultant at Sophos, and has been working in the computer security field since the early 1990s. When he's not updating his other blog on the Sophos website you can find him on Twitter at @gcluley.


Comments received

Neil Hollister, CEO, CRYPTOCard said on Wednesday, 22 July 2009

There is a positive to come out of the latest security breach of the Twitter site ("What can we all learn from the Twitter security breach?", Graham Cluley, 17 July 2009). The biggest problem is one of ignorance: by being made public, therefore, the Twitter breach can only help raise awareness of the security risks we all face in using social networking sites.

The need to protect ourselves against risk is as great in casually talking to each other on such sites as it is in undertaking trading transactions elsewhere on the web. And the number of attacks that either target social networking sites or use information gained from them to hack into networks or steal identities is growing fast.

In response, social networking sites such as Twitter are already starting to look at technologies such as two-factor authentication - combining a physical card, soft or SMS-based token which generates a one-time password with a memorised personal security code - to protect users against identity theft.
