16 July 2009

See what silly software will get you?

Rico says someone asked him just yesterday if he used Facebook. Nope, he said; they get hacked too easily. Today there is an article by Claire Cain Miller and Brad Stone in The New York Times on the very subject:

You might think your password protects the confidential information stored on websites. But, as Twitter executives discovered, that is a dangerous assumption.

The Web was abuzz Wednesday after it was revealed that a hacker had exposed corporate information about Twitter after breaking into an employee’s email account. The breach raised red flags for individuals as well as businesses about the passwords used to secure information they store on the Web.

On web sites containing personal information like email, financial data, or documents, there is usually just a user name and password for protection. More individuals are storing information on web servers, where it is accessible from any online computer through services offered by Google, Amazon, Microsoft, social networks like Facebook, or back-up services like Mozy.

But password-protected sites are growing more vulnerable because, to keep up with the growing number of passwords, people use the same simple ones on numerous sites across the web. In a study last year, Sophos, a security firm, found that forty percent of Internet users use the same password for every web site they access.

The attack on Twitter highlights the problem. For its internal documents, the company uses the business version of Google Apps, a service that Google offers to individuals free. Google Apps provides email, word processing, spreadsheets, and calendars over the Web.

The content is stored on Google’s servers, which can save time and money and enable employees to work together on documents at the same time. But it also means that the security is only as good as the password. A hacker who breaks into one person’s account can access information shared by friends, family members, or colleagues, which is what happened at Twitter. The Twitter breach occurred about a month ago, Twitter said. A hacker calling himself Hacker Croll broke into an administrative employee’s email account and gained access to the employee’s Google Apps account, where Twitter shares spreadsheets and documents with business ideas and financial details, said Biz Stone, a Twitter co-founder.

The hacker then sent documents about company plans and finances, confidential contracts, and job applicants to two tech news blogs, TechCrunch, in Silicon Valley, and Korben, in France. There was also personal information about Twitter employees, including credit card numbers.

The hacker also broke into the email account of the wife of Evan Williams, Twitter’s chief executive, and from there accessed several of Mr. Williams’ personal Internet accounts, including those at Amazon and PayPal, Mr. Stone said. TechCrunch revealed documents showing that Twitter, a private company that so far has no revenue, projected that it will reach a billion users and $1.54 billion in revenue by 2013. Michael Arrington, TechCrunch’s founder, said in an interview that the hacker had also sent him detailed strategy documents about potential business models, the competitive threat from Facebook and when the company might be acquired.

Some analysts say the breach highlights how dangerous it can be for people and companies to store confidential documents on web servers, or “in the cloud.”

But Mr. Stone said that the attack “isn’t about any flaw in Web apps,” but rather about a bigger issue that affects individuals and businesses alike. “It speaks to the importance of following good personal security guidelines such as choosing strong passwords,” he said. Instead of circumventing security measures, it appears that the Twitter hacker managed to correctly answer the personal questions that Gmail asks of users to reset the password. “A lot of the Twitter users are pretty much living their lives in public,” said Chris King, director of product marketing at Palo Alto Networks, which creates firewalls. “If you broadcast all your details about what your dog’s name is and what your hometown is, it’s not that hard to figure out a password.”

Security experts advise people to use unique, complex passwords for each web service they use and include a mix of numbers and letters. Free password management programs like KeePass and 1Password can help people juggle passwords for numerous sites.

Andrew Storms, director of security operations for nCircle, a network security company, suggested choosing false answers to the security questions like “What was your first phone number?” or making up obscure questions instead of using the default questions that sites provide. (Of course, that presents a new problem of remembering the false information.)

For businesses, Google allows company administrators to set up rules for password strength and add additional authentication tools like unique codes.

The Twitter hacker claims to have wanted to teach people to be more careful. In a message to Korben, the hacker wrote that his attack could make Internet users “conscious that no one is protected on the Net.”

Rico says removing the hacker's fingers, preferably with bolt cutters, would be appropriate punishment... (Now that video would get watched on YouTube!)