[Infowarrior] - Twitter Hack Raises Flags on Security

Richard Forno rforno at infowarrior.org
Thu Jul 16 04:07:33 UTC 2009


July 16, 2009
Twitter Hack Raises Flags on Security
By CLAIRE CAIN MILLER and BRAD STONE

http://www.nytimes.com/2009/07/16/technology/internet/16twitter.html?_r=1&pagewanted=print
SAN FRANCISCO — You might think your password protects the  
confidential information stored on Web sites. But as Twitter  
executives discovered, that is a dangerous assumption.

The Web was abuzz Wednesday after it was revealed that a hacker had  
exposed corporate information about Twitter after breaking into an  
employee’s e-mail account. The breach raised red flags for individuals  
as well as businesses about the passwords used to secure information  
they store on the Web.

On Web sites containing personal information like e-mail, financial  
data or documents, there is usually just a user name and password for  
protection. More individuals are storing information on Web servers,  
where it is accessible from any online computer through services  
offered by Google, Amazon, Microsoft, social networks like Facebook or  
back-up services like Mozy.

But accounts on password-protected sites are becoming easier to
compromise, because people cope with the growing number of passwords
by reusing the same simple ones across the Web, so a password exposed
on one site unlocks every other site where it was reused. In a study
last year, Sophos, a security firm, found that 40 percent of Internet
users use the same password for every Web site they access.

The attack on Twitter highlights the problem. For its internal  
documents, the company uses the business version of Google Apps, a  
service that Google offers to individuals free. Google Apps provides e- 
mail, word processing, spreadsheets and calendars over the Web.

The content is stored on Google’s servers, which can save time and
money and enable employees to work together on documents at the same
time. But it also means that access to everything shared there is
only as strong as one employee’s credentials, including the
password-reset process that stands behind them. A hacker who breaks
into one person’s account can reach information shared by friends,
family members or colleagues, which is what happened at Twitter.

The Twitter breach occurred about a month ago, Twitter said. A hacker  
calling himself Hacker Croll broke into an administrative employee’s e- 
mail account and gained access to the employee’s Google Apps account,  
where Twitter shares spreadsheets and documents with business ideas  
and financial details, said Biz Stone, a Twitter co-founder.

The hacker then sent documents about company plans and finances,  
confidential contracts, and job applicants to two tech news blogs,  
TechCrunch, in Silicon Valley, and Korben, in France. There was also  
personal information about Twitter employees including credit card  
numbers.

The hacker also broke into the e-mail account of the wife of Evan  
Williams, Twitter’s chief executive, and from there accessed several  
of Mr. Williams’ personal Internet accounts, including those at Amazon  
and PayPal, Mr. Stone said.

TechCrunch revealed documents showing that Twitter, a private company  
that so far has no revenue, projected that it will reach a billion  
users and $1.54 billion in revenue by 2013. Michael Arrington,  
TechCrunch’s founder, said in an interview that the hacker had also  
sent him detailed strategy documents about potential business models,  
the competitive threat from Facebook and when the company might be  
acquired.

Some analysts say the breach highlights how dangerous it can be for  
people and companies to store confidential documents on Web servers,  
or “in the cloud.”

But Mr. Stone said that the attack “isn’t about any flaw in Web apps,”  
but rather about a bigger issue that affects individuals and  
businesses alike. “It speaks to the importance of following good  
personal security guidelines such as choosing strong passwords,” he  
said.

Rather than exploiting a software flaw or breaking the password
itself, the Twitter hacker appears to have gone through Gmail’s
password-reset process, correctly answering the personal questions it
asks of users; that recovery path is only as strong as the secrecy of
those answers.

“A lot of the Twitter users are pretty much living their lives in  
public,” said Chris King, director of product marketing at Palo Alto  
Networks, which creates firewalls. “If you broadcast all your details  
about what your dog’s name is and what your hometown is, it’s not that  
hard to figure out a password.”

Security experts advise people to use a unique, complex password for
each Web service they use, with a mix of numbers and letters, so that
a password exposed on one site cannot be reused against another.
Password management programs like KeePass and 1Password can help
people juggle passwords for numerous sites, though the master password
that unlocks the manager then has to be the strongest of all.

Andrew Storms, director of security operations for nCircle, a network
security company, suggested choosing false answers to the security
questions like “What was your first phone number?” or making up
obscure questions instead of using the default questions that sites
provide. (Of course, that presents a new problem of remembering the
false information; a password manager can store the made-up answers
alongside the password for each site.)
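The reset path described above, and the false-answer advice that follows it, are easier to reason about with a small model. The Python below is an added example written for this page; it is not code from the article, Twitter or Google, and it models no real site. The "public profile" posts, the questions, the truthful answers and every name in it are constructed for illustration. It runs the same reset flow twice: once with truthful answers that a few public posts give away and no limit on guesses, and once with random answers meant to live in a password manager plus a lockout after a handful of failures.

```python
# Added example, not code from the article, Twitter or Google: a toy model of
# the account-recovery path described above, run in two configurations.
import hashlib
import hmac
import itertools
import re
import secrets
from typing import Dict, List, Optional

# Constructed "public profile" posts (assumed, for illustration): the kind of
# personal detail an attacker harvests before trying the reset questions.
PUBLIC_POSTS = [
    "Back home in Springfield for the weekend, Rex the dog is thrilled!",
    "Went to Lincoln High's reunion, good to see everyone.",
    "Mom's maiden name was Harper, found her old yearbook today.",
]

# Hypothetical default questions of the kind the article refers to.
QUESTIONS = [
    "What is your pet's name?",
    "What is your hometown?",
    "What is your mother's maiden name?",
]


def normalize(answer: str) -> str:
    """Sites usually lowercase and collapse whitespace before comparing."""
    return re.sub(r"\s+", " ", answer.strip().lower())


def digest(answer: str) -> str:
    """Store a hash of the normalized answer (a real site would add a salt and
    a slow hash; guessability, not the hash, is the weakness shown here)."""
    return hashlib.sha256(normalize(answer).encode()).hexdigest()


class RecoveryFlow:
    """Password reset gated on security-question answers.

    weak=True models what the article describes: truthful, researchable
    answers and no limit on guesses. weak=False models the fix: random
    answers kept in a password manager, plus a lockout after MAX_ATTEMPTS.
    """

    MAX_ATTEMPTS = 5

    def __init__(self, answers: Dict[str, str], weak: bool) -> None:
        self.expected = {q: digest(a) for q, a in answers.items()}
        self.weak = weak
        self.failures = 0
        self.locked = False

    def attempt_reset(self, guesses: Dict[str, str]) -> bool:
        """Return True (reset allowed) only if every answer matches."""
        if self.locked:
            return False
        ok = guesses.keys() == self.expected.keys() and all(
            hmac.compare_digest(self.expected[q], digest(g))
            for q, g in guesses.items()
        )
        if not ok and not self.weak:
            self.failures += 1
            if self.failures >= self.MAX_ATTEMPTS:
                self.locked = True
        return ok


def harvest_candidates(posts: List[str]) -> List[str]:
    """Crude OSINT: every capitalized word in the public posts becomes a guess."""
    words = set()
    for post in posts:
        words.update(re.findall(r"\b[A-Z][a-z]+\b", post))
    return sorted(words)


def random_answer(nbytes: int = 16) -> str:
    """A 128-bit random 'answer' that no profile can leak; keep it in the manager."""
    return secrets.token_hex(nbytes)


def attack(flow: RecoveryFlow, candidates: List[str]) -> Optional[int]:
    """Try every combination of candidates; return the try count on success."""
    for tries, combo in enumerate(
        itertools.product(candidates, repeat=len(QUESTIONS)), start=1
    ):
        if flow.attempt_reset(dict(zip(QUESTIONS, combo))):
            return tries
        if flow.locked:
            return None
    return None


def demo() -> Dict[str, object]:
    """Run the harvested guesses against both flows and report what happened."""
    candidates = harvest_candidates(PUBLIC_POSTS)
    truthful = dict(zip(QUESTIONS, ["Rex", "Springfield", "Harper"]))
    weak = RecoveryFlow(truthful, weak=True)
    hardened = RecoveryFlow({q: random_answer() for q in QUESTIONS}, weak=False)
    return {
        "candidates": len(candidates),
        "weak_tries": attack(weak, candidates),
        "hardened_tries": attack(hardened, candidates),
        "hardened_locked": hardened.locked,
    }


if __name__ == "__main__":
    print(demo())
```

Three public posts yield eight candidate words, so the truthful flow falls to at most 512 guesses; the hardened flow locks after five failures and the random answers were never in the candidate list anyway. Either change on its own helps, but the lockout without random answers still leaves a patient attacker a handful of informed guesses per lockout window, which is why the two belong together.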

For businesses, Google allows company administrators to set rules for
password strength and to add further authentication tools, such as
unique codes, so that knowing the password alone is not enough to log
in.

The Twitter hacker claims to have wanted to teach people to be more  
careful. In a message to Korben, the hacker wrote that his attack  
could make Internet users “conscious that no one is protected on the  
Net.” 
