How Microsoft And Habit Abetted Twitter Hack - InformationWeek


Infrastructure // PC & Servers
Commentary
7/20/2009 11:37 AM
Michael Hickins


Unfortunately, we all know a lot more about Twitter's business plans than we'd like, since TechCrunch made the ill-conceived editorial decision to publish the stolen contents of files it received from a French cybercriminal.

Early reports on the theft focused on Google's Gmail, and seemed to imply that the very notion of cloud computing was threatened by the success of this attack.

But it turns out that the focus should really be on two very different targets: Microsoft and end user habits in general.

It seems that the French hacker took advantage of Hotmail's lax handling of dormant accounts, which allowed him to reset his target's Gmail password.

As Computerworld's Gregg Keizer explains (I'm intentionally not linking to the original article in TechCrunch):

The Hotmail account was inactive… -- a Microsoft practice designed to recycle dormant accounts -- which allowed [Hacker Croll] to register the inactive Hotmail account. He returned to Gmail and again went through the password recovery process, specifying a password of his own. The new password was then sent to the just-hijacked Hotmail account.

The hacker then relied on typical user behavior, as Harry McCracken explains:

Basically, "Croll" didn't do anything particularly brilliant -- and there were no chinks in Twitter's security armor that aren't pretty much universal. Mostly, he took advantage of (a) Twitter's use of other Web-based services to run its business; (b) the fact that every organization has employees who use the same damn password for multiple accounts; and (c) password recovery systems that can make it absurdly easy to break into someone else's account.

The lessons here: first of all, we really should use different passwords for different accounts -- not just for our own protection, but for the sake of others in our social graph.

We're all promiscuous surfers, so we should protect members of our community as we would our partners if we were being sexually promiscuous.

The second lesson: Microsoft should rethink its practice for reestablishing dormant accounts, and make users jump through much tougher hoops in any case. It might annoy some people, but this is a case where business rules should trump user preferences.
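As an added illustration (not code from the article, Microsoft or Google), here is a Python model of a password-recovery gate that binds trust to the mailbox owner at the time the recovery address was linked, rather than to the address string alone, so a recycled dormant mailbox cannot receive the reset. The addresses, timestamps and 270-day dormancy threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Mailbox:
    """State of a recovery mailbox as its provider (e.g. Hotmail) would know it."""
    address: str
    registered_at: datetime   # when the *current* owner registered this address
    last_active: datetime     # last login; providers recycle addresses after long inactivity

@dataclass
class RecoveryLink:
    """A recovery address as stored by the protected service (e.g. Gmail)."""
    address: str
    linked_at: datetime       # when the legitimate owner set it as their recovery address

DORMANCY_LIMIT = timedelta(days=270)  # assumed policy threshold, not a real provider value

def recovery_decision(link: RecoveryLink, mailbox: Optional[Mailbox], now: datetime) -> str:
    """Return 'send', 'step_up' or 'refuse' for a password-recovery mail to link.address.
    Trust is bound to the mailbox owner at link time, not to the address string alone."""
    if mailbox is None:
        return "refuse"                       # address no longer exists at the provider
    if mailbox.registered_at > link.linked_at:
        return "refuse"                       # re-registered since linking: a recycled account
    if now - mailbox.last_active > DORMANCY_LIMIT:
        return "step_up"                      # dormant; may be recycled soon, require another factor
    return "send"

# Constructed scenario (not from the article): the victim linked a Hotmail address in 2007,
# stopped using it, Hotmail recycled it, and an attacker registered the same address in 2009.
NOW = datetime(2009, 7, 16)
VICTIM_LINK = RecoveryLink("victim@hotmail.example", linked_at=datetime(2007, 3, 1))
RECYCLED = Mailbox("victim@hotmail.example", registered_at=datetime(2009, 7, 10),
                   last_active=datetime(2009, 7, 15))
DORMANT = Mailbox("victim@hotmail.example", registered_at=datetime(2006, 1, 5),
                  last_active=datetime(2008, 2, 1))
ACTIVE = Mailbox("victim@hotmail.example", registered_at=datetime(2006, 1, 5),
                 last_active=datetime(2009, 7, 1))

def run_scenarios() -> dict:
    """Evaluate the recovery gate against each mailbox state."""
    return {
        "recycled_by_attacker": recovery_decision(VICTIM_LINK, RECYCLED, NOW),
        "dormant_original_owner": recovery_decision(VICTIM_LINK, DORMANT, NOW),
        "active_original_owner": recovery_decision(VICTIM_LINK, ACTIVE, NOW),
        "address_deleted": recovery_decision(VICTIM_LINK, None, NOW),
    }
```

The recycled case is refused because the mailbox's registration date is later than the date it was linked, which is exactly the condition the article's account takeover relied on going unchecked.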

I've already noted how poorly the decision to publish these documents reflects on Michael Arrington's news judgment. To the argument that if he hadn't published this stuff, someone else would have, I'd reply that if a politician argued that he took money from a lobbying group because if he hadn't, someone else would have, we'd still turn him out of office (and hopefully send him to jail).

I'd even argue that this kind of reasoning has afflicted many aspects of American life, from mortgages to health insurance, from steroids in baseball to Ponzi schemes, all of which take advantage of people's need to not be the naïve sap who doesn't make out as well as the next guy because he stuck to his principles.

But that strand of naiveté is precisely our strength. I know it's a generalization, but as with many generalizations, there is some truth to the fact that Americans have been identified with Dudley Do-Right (ironically, a Canadian, but never mind).

I lived in Europe in the 1980s and 90s, where I owned two different businesses, and one of the questions I invariably got from prospective customers or business partners was, "how come Richard Nixon had to resign? Doesn't everyone do what he did?"

We were viewed as hopelessly naïve for having expected more out of our President. But far from being a liability, our reputation as straight shooters was a huge help to me in business. European businesspeople were more likely to give me the benefit of the doubt because I was American.

That is a priceless asset, and one that we're quickly frittering away. So if you can't condemn Arrington for what he did simply because it was wrong, maybe you can condemn him for eroding yet another measure of our national treasure.
