The distribution of internal Twitter documents by a hacker has revived doubts about the security of cloud computing. But Google wants everyone to know that security tools are available for those who want to use them.
And then Stone brought Google into the picture: "From the personal account, we believe the hacker was able to gain information which allowed access to this employee's Google Apps account which contained Docs, Calendars, and other Google Apps [that] Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company," he explained.
The hacker claims to have guessed the answer to the Twitter employee's security question and reset the password of the account in question.
Though Stone made clear that the attack was not the result of any vulnerability in Google Apps, the incident nonetheless prompted yet another round of doubt about cloud-based services.
Albert Wenger, a partner at venture capital firm Union Square Ventures, an investor in Twitter, said on his blog that the break-in demonstrates the inadequacy of usernames and passwords as a means of authentication. He urged online services like Google and Microsoft to adopt a two-factor authentication scheme, possibly involving SMS messages or a dedicated mobile authentication app.
Google, having witnessed the brand damage that security issues have inflicted upon Microsoft, is keen to be seen as more secure than the competition and moved quickly to quell the disparagement of cloud computing.
Acknowledging only that "there's been some discussion today about the security of online accounts," Google engineer Macduff Hughes said in a blog post that the company wanted to share its perspective.
Apparently reacting to the hacker's claim to have breached Twitter by answering a security question to reset an online password, Hughes explained that Gmail's password setting and recovery process is more involved than that of many other services. For instance, Google recently added the ability to enter a mobile phone number for receiving password recovery authorization notices. The company also provides the opportunity to enter a secondary e-mail address for password change confirmations.
"[I]f you want to initiate a password reset, we'll only send that information to the secondary address or the mobile phone number you provide," said Hughes.
In addition, Gmail also allows users to see the IP address and time of their last login, which may help users recognize unauthorized access.
Google doesn't allow Google Apps users to reset their own passwords; all such requests must be authorized by Google Apps administrators. And since 2006, Google Apps has supported SAML single sign-on, which can be used for two-factor authentication.
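The distinction Hughes draws, between resetting a password on the strength of a guessable security answer and sending a one-time reset token only to a channel the owner registered in advance, is illustrated in the following added example. It is not Google's code; the account fields, the 10-minute token lifetime and the "managed by an administrator" flag are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL = 600  # seconds a reset token stays valid (assumed value)


@dataclass
class Account:
    user: str
    password: str
    recovery_email: Optional[str] = None   # registered before any reset
    recovery_phone: Optional[str] = None   # registered before any reset
    managed_by_admin: bool = False         # domain account: admins reset it
    security_answer: str = ""              # knowledge only; never sufficient


class PasswordResetService:
    def __init__(self):
        self.pending = {}   # token -> (user, expiry time)
        self.outbox = []    # (channel, destination, token) that would be sent

    def request_reset(self, acct: Account) -> str:
        """Start a reset. The security answer is deliberately not consulted:
        the one-time token goes only to channels registered ahead of time."""
        if acct.managed_by_admin:
            return "denied: ask your domain administrator to reset it"
        channels = [("email", acct.recovery_email), ("sms", acct.recovery_phone)]
        channels = [c for c in channels if c[1]]
        if not channels:
            return "denied: no out-of-band recovery channel on file"
        token = secrets.token_urlsafe(32)          # unguessable, unlike a pet name
        self.pending[token] = (acct.user, time.time() + TOKEN_TTL)
        for kind, dest in channels:
            self.outbox.append((kind, dest, token))
        return "sent: a reset link was delivered to your registered channel"

    def complete_reset(self, acct: Account, token: str, new_password: str) -> bool:
        """Accept the token once, for the right user, before it expires."""
        entry = self.pending.pop(token, None)      # single use
        if entry is None or entry[0] != acct.user or time.time() > entry[1]:
            return False
        acct.password = new_password
        return True
```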
For such tools to be effective, however, people need to use them.
Andrew Storms, director of security operations for nCircle, a network security company, said that we need to recognize that the personal and work lives of today's information workers have become intertwined. "Just putting a pet's name on a Facebook page could allow hackers to obtain your password," he said.
Storms urges employers to pay more attention to educating workers about safe computing practices. And he said that companies need to do their due diligence to determine how data is stored at online services.
Janz Yaneza, site research manager for Trend Micro, said the Twitter hack really comes down to proper account management. He recommended that companies have a data leakage prevention system in place and that individuals think carefully before publishing any information to social networking sites.