Twittergate: “Most difficult part of Web 2.0 security is the human”


The release of Twitter’s internal documents overnight by a hacker is a potent reminder of how much information we store in the cloud and how vulnerable that data is.

Furthermore, it raises questions about Twitter’s security practices, given that the break-in didn’t happen because of a complicated hacking strategy, but because the hacker got the right answers to password reset questions. Twitter co-founder Biz Stone stressed that the attack didn’t compromise any Twitter accounts and was instead a personal hit on an administrative employee’s and Ev Williams’ wife’s accounts. Twitter said it has performed a security audit and has reminded employees of personal security guidelines.

Although Twitter is largely known as a public platform where people communicate openly, it’s also become a substitute for instant messaging or short e-mails with the direct message function. People use direct message, or “DM” for short, to schedule meet-ups in new cities or to solicit answers to questions from followers.

Twitter has also become an important brand management and marketing tool for companies, so a break-in could leave a company open to potentially destructive tweets to customers. In January, this happened to 33 high-profile accounts, including those belonging to Barack Obama and CNN’s Rick Sanchez.

So what can you do to protect yourself? The difficult part of Web 2.0 security isn’t actually the technical side. It’s the human, said David Marcus, director of security, research & communications at security software maker McAfee.

He had a few pieces of advice:

1. Be careful about what you share: It becomes easier and easier to share personal details without thinking on Twitter. Compiled together, a person’s entire tweet stream can easily reveal where they live.

2. Don’t use your Twitter password for other Web 2.0 services. From a hacker’s perspective, if a password combination works on Twitter it’s probably worth trying elsewhere.

3. Be judicious about the third-party applications you access.

4. If you’re keeping data in the cloud (in any service, e-mail, Twitter or otherwise), do due diligence to make sure that company has good security practices.



About the Author, Kim-Mai Cutler

Kim-Mai was born and raised a stone's throw from Apple headquarters in Cupertino by a devout Hewlett-Packard family. After attending UC Berkeley, Kim-Mai worked for Bloomberg, The Wall Street Journal and Dow Jones Newswires in New York, Los Angeles, London and Buenos Aires. Follow her on Twitter at @kimmaicutler, and follow VentureBeat on Twitter at @venturebeat.

  • Wil
    Twitter uses Google Apps, and while they were quick to point out that this wasn't a Google Apps vulnerability, Google's insistence upon "one Google Account for everything" certainly doesn't help. I wonder if the outcome would have been the same if this user had been required to use a different password for storing Twitter documents than they use for their personal GMail account, or if they had needed to log into a VPN prior to logging into the site where the docs were stored.
  • Kim, I'm giving you the exclusive on this... "Hacker Croll" just contacted ME and sent me this stolen doc of arrington... I wasn't going to release it but eh, "It ain't news unless someone wants to hide it." http://journik.posterous.com/twittergate-i-was-...
  • I agree that ignorance and laziness are the biggest threats to internet security. The mechanisms are in place to work, but people need to think more carefully about how fast and loose they are with passwords.

    Some more tips to add to those you give:

    1) Never, EVER give out your passwords to sites unrelated to the ones asking for them! This seems to have become accepted behaviour for Twitter add-on sites, but needs to stop - Twitter now provides a mechanism for authenticating your identity on its own site before it passes you back to the app site, so there is no need to give your username and password to anyone else!

    2) Never write your passwords down; make them easy to remember so you don't have to.

    3) Use a system no one could ever guess. How about taking the first letters of a sentence you can easily remember, e.g. Ev Watches Formula 1 Every Other Sunday would become EWF1EOS. Who is ever going to guess that when it's a coded version of any possible aspect of your life?

    4) Never use the same password on more than one site; introduce just the smallest change between them which is inspired by something about the site or service, e.g. add CI to the above password suggestion for your Citi bank account, TW for your Twitter login, WE for WeCanDo.BIZ etc.

    5) If you can set a password reminder question, make it the most obscure option offered so that anyone but you is unlikely to be able to answer it; or lie about the answer, but make sure you can remember what the lie was!

    Ian Hendry
    CEO, WeCanDo.BIZ
    http://www.wecando.biz