7/15/2009
07:08 PM

Twitter Hack Tars Google's Cloud

The distribution of internal Twitter documents by a hacker has revived doubts about the security of cloud computing. But Google wants everyone to know that security tools are available for those who want to use them.

In a blog post on Wednesday about the distribution of internal Twitter documents by a hacker, company co-founder and creative director Biz Stone traced the origin of the online break-in to a compromised personal e-mail account of an administrative employee.

And then Stone brought Google into the picture: "From the personal account, we believe the hacker was able to gain information which allowed access to this employee's Google Apps account which contained Docs, Calendars, and other Google Apps [that] Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company," he explained.

The hacker claims to have guessed the answer to the Twitter employee's security question and reset the password of the account in question.

Though Stone made clear that the attack was not the result of any vulnerability in Google Apps, the incident nonetheless prompted yet another round of doubt about cloud-based services.

Albert Wenger, a partner at venture capital firm Union Square Ventures, an investor in Twitter, said on his blog that the break-in demonstrates the inadequacy of usernames and passwords as a means of authentication. He urged online services like Google and Microsoft to adopt a two-factor authentication scheme, possibly involving SMS messages or a dedicated mobile authentication app.

Google, having witnessed the brand damage security issues have inflicted upon Microsoft, is keen to be seen as more secure than the competition and moved quickly to quell the disparagement of cloud computing.

Acknowledging only that "there's been some discussion today about the security of online accounts," Google engineer Macduff Hughes said in a blog post that the company wanted to share its perspective.

Apparently reacting to the hacker's claim to have breached Twitter by answering a security question to reset an online password, Hughes explained that Gmail's password setting and recovery process is more involved than many other services. For instance, Google recently added the ability to enter a mobile phone number for receiving password recovery authorization notices. The company also provides the opportunity to enter a secondary e-mail address for password change confirmations.

"[I]f you want to initiate a password reset, we'll only send that information to the secondary address or the mobile phone number you provide," said Hughes.

In addition, Gmail allows users to see the IP address and time of their last login, which may help users recognize unauthorized access.

Google doesn't allow Google Apps users to reset their passwords; all such requests must be authorized by Google Apps administrators. And since 2006, Google Apps has supported SAML Single Sign-On, for two-factor authentication.

For such tools to be effective, however, people need to use them.

Andrew Storms, director of security operations for nCircle, a network security company, said that we need to recognize that the personal and work lives of today's information workers have become intertwined. "Just putting a pet's name on a Facebook page could allow hackers to obtain your password," he said.

Storms urges employers to pay more attention to educating workers about safe computing practices. And he said that companies need to do their due diligence to determine how data is stored at online services.

Janz Yaneza, site research manager for Trend Micro, said the Twitter hack really comes down to proper account management. He recommended that companies have a data leakage prevention system in place and that individuals think carefully before publishing any information to social networking sites.
