Shaila’s Weblog

Archive for August 2009

SAN FRANCISCO — You might think your password protects the confidential information stored on Web sites. But as Twitter executives discovered, that is a dangerous assumption.
The recent hacking of a Twitter employee’s personal e-mail account is raising questions about the security of storing personal information and business data on the Internet.

The Web was abuzz Wednesday after it was revealed that a hacker had exposed corporate information about Twitter after breaking into an employee’s e-mail account. The breach raised red flags for individuals as well as businesses about the passwords used to secure information they store on the Web.
That account housed some of Twitter’s private financial documents and notes, according to Twitter’s official blog.

Some of those documents circulated around the blogosphere on Wednesday, and TechCrunch, a technology blog, published a Twitter financial forecast. The hacker sent 310 documents to the tech site, according to a post by Michael Arrington, TechCrunch’s founder and co-editor.

The attack on Twitter highlights the problem. For its internal documents, the company uses the business version of Google Apps, a service that Google offers to individuals free. Google Apps provides e-mail, word processing, spreadsheets and calendars over the Web.

The content is stored on Google’s servers, which can save time and money and enable employees to work together on documents at the same time. But it also means that the security is only as good as the password. A hacker who breaks into one person’s account can access information shared by friends, family members or colleagues, which is what happened at Twitter.

The Twitter breach occurred about a month ago, Twitter said. A hacker calling himself Hacker Croll broke into an administrative employee’s e-mail account and gained access to the employee’s Google Apps account, where Twitter shares spreadsheets and documents with business ideas and financial details, said Biz Stone, a Twitter co-founder.

The hacker then sent documents about company plans and finances, confidential contracts, and job applicants to two tech news blogs, TechCrunch, in Silicon Valley, and Korben, in France. There was also personal information about Twitter employees including credit card numbers.

The hacker also broke into the e-mail account of the wife of Evan Williams, Twitter’s chief executive, and from there accessed several of Mr. Williams’ personal Internet accounts, including those at Amazon and PayPal, Mr. Stone said.

TechCrunch revealed documents showing that Twitter, a private company that so far has no revenue, projected that it will reach a billion users and $1.54 billion in revenue by 2013. Michael Arrington, TechCrunch’s founder, said in an interview that the hacker had also sent him detailed strategy documents about potential business models, the competitive threat from Facebook and when the company might be acquired.

Some analysts say the breach highlights how dangerous it can be for people and companies to store confidential documents on Web servers, or “in the cloud.”

But Mr. Stone said that the attack “isn’t about any flaw in Web apps,” but rather about a bigger issue that affects individuals and businesses alike. “It speaks to the importance of following good personal security guidelines such as choosing strong passwords,” he said.

Instead of circumventing security measures, it appears that the Twitter hacker managed to correctly answer the personal questions that Gmail asks of users to reset the password.

“A lot of the Twitter users are pretty much living their lives in public,” said Chris King, director of product marketing at Palo Alto Networks, which creates firewalls. “If you broadcast all your details about what your dog’s name is and what your hometown is, it’s not that hard to figure out a password.”

Security experts advise people to use unique, complex passwords for each Web service they use and include a mix of numbers and letters. Free password management programs like KeePass and 1Password can help people juggle passwords for numerous sites.

Andrew Storms, director of security operations for nCircle, a network security company, suggested choosing false answers to the security questions like “What was your first phone number?” or making up obscure questions instead of using the default questions that sites provide. (Of course, that presents a new problem of remembering the false information.)

For businesses, Google allows company administrators to set up rules for password strength and add additional authentication tools like unique codes.

The Twitter hacker claims to have wanted to teach people to be more careful. In a message to Korben, the hacker wrote that his attack could make Internet users “conscious that no one is protected on the Net.”
Shaila Smith
