|By Lori MacVittie||
|July 22, 2009 09:30 PM EDT||
First, everyone needs to calm down. Twitter.com itself was not breached. According to Evan Williams as quoted in a TechCrunch article, the attack did not breach Twitter.com or its administrative functions, nor were user accounts affected in any way. So everyone can just stop with the “Twitter needs to revamp its security!” and “Twitter isn’t secure” headlines and articles because it’s not only blatantly wrong, it’s diverting attention that should be devoted to the real problem: e-mail and account self-service.
THE E-MAIL FACTOR
What was compromised remains somewhat of a mystery. Following through the TechCrunch article to a blog on the same subject reveals some interesting details, however. A screen shot of what appears to be an internal memo to Twitter employees requires a change in passwords (along with instructions on improving the strength of said passwords) but mentions the password to be changed is the password you use to login to internal sites. From this one might infer that a breach was perpetrated through an intra/extranet, as opposed to twitter’s core infrastructure. Regardless, the breach of Twitter was only ancillary to the real security risk: the access to e-mail. That’s where the real meaty data was obtained; not from Twitter or its internal systems.
In this case, it was GMail access that enabled the miscreant to use password recovery techniques (“Forgot your password?”) to gain access to other related information and sites: personal credit cards, GoDaddy registrar accounts, etc… Did the attacker really need to breach Twitter’s internal applications to get that information? Probably not. Remember the successful breach of then Vice-Presidential candidate Sarah Palin’s Yahoo account?
As detailed in the postings, the Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birthdate, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.
Certainly gaining access to Twitter’s internal applications made accessing employees’ GMail accounts that much easier, but it likely wasn’t necessary except as a means to garner attention which was, the miscreant claims, the intent of the attack. The danger of a GMail breach is that Google is very integrated across applications, so gaining access to one often makes it a no-brainer to gain access to others. And if you’re storing sensitive or even non-sensitive corporate documents in Google Docs or Apps, a breach of e-mail is likely to lead to a breach of those applications too. Which is essentially what happened to Twitter (the organization, not the service).
ANY WEB-BASED E-MAIL SERVICE IS A RISK
It isn’t just GMail or Yahoo or other hosted e-mail services that are at risk. Any one of the millions of organizations that use Microsoft’s Outlook Web Access to provide employees remote access to their e-mail is potentially at risk to be compromised. The prohibitions on the access of “personal e-mail” vary from organization to organization, so it’s likely that an attacker could succeed in compromising a corporate OWA account and then use that to compromise a “personal” account – or vice versa. That’s in addition to obtaining instant access to e-mail, phone numbers, organizational hierarchies, and sensitive data being exchanged between employees.
There are any number of known vulnerabilities in the entire software stack required to run Microsoft OWA, many of them that remain unpatched. These open vulnerabilities leave organizations and their employees susceptible to attack. In some cases it’s a lack of time/availability that causes the service to remain vulnerable; in others it's simply the case that Microsoft hasn’t gotten around to addressing them yet (they do have a lot of software and a lot of patches to deal with, after all). There are best practices for securing OWA and other solutions available that can provide “virtual patching” of those vulnerabilities that shore up the overall security of the service so there’s really no good excuse for not securing OWA. Not doing so not only puts the organization at risk, but the individuals using the service (including your CEO, your CFO, and other executives) because the personal information contained in e-mail provides a cornucopia of information that makes it easier for attackers to discern passwords for other sites, which leads to breaches of other sites, which leads to… I’m sure you get the picture by now.
And of course there’s the fact that OWA is meant for mobile access, so it’s going to be accessible via the Internet. All one has to do is figure out one person’s password and from there they may be able to do a whole lot of damage to other systems. All those “password recovery” e-mail messages are likely stored somewhere in an inbox, making it a veritable cornucopia of account information.
And that’s where perhaps the biggest threat of all lies.
SELF-SERVICE IS A BIGGER THREAT
What Twittergate teaches us is that it’s not just the vulnerabilities in web applications that we need to watch out for. It’s the amazing amount of information that can be pulled together on any individual using various applications on the Internet that can make it a nearly brainless task to discern passwords. It’s the current mechanisms we use for account “self-service” that are also partially to blame, as they rely heavily on e-mail as a method of identity verification and as we’ve seen in this case – and others – that’s not always a sure bet.
Secret questions, e-mail based verification, and other modern implementations of self-service are inadequate. They do not provide enough obfuscation to protect the actual password of any given individual. Yes, I said obfuscation in relation to security, but in this case, it’s accurate and necessary. There should never be a question for which the answer would give a hint about the password. Never. And yet many sites and applications still rely upon the “hint” question as a means to reduce the costs associated with password and account support.
Rather than using a hint, don’t allow password recovery. Allow password reset, but only after the user has answered a series of completely unrelated questions. Good options include:
- Name of the author of your favorite book
- First musical instrument you learned to play
- Name of the first person you ever kissed
- When you look out your kitchen window, what do you see?
There are myriad good questions that could be used in lieu of a password hint. Anything that isn’t likely to be divulged in public is a good option, and there needs to be more than one just in case one of those odd-ball questions has been answered someone in the ether. The problem is that this requires a bit more work to implement, as it’s a process, not a simple “forgot your password” button that dumbly sends off the password to an associated e-mail account.
Again: password recovery is a bad idea. Password reset is better if the “security” questions required are diverse and obscure enough to make it difficult to pull the information from a quick Google search or a perusal of the individual’s Facebook page. But any process that ends with “your password has been mailed to you” is a risk.
PAY ATTENTION TO WHAT MATTERS
Sure it’s more exciting to talk about Twitter and its security breach, and to write a bazillion blogs and articles about how Twitter isn’t secure and how it’s dangerous to businesses and blah, blah, blah. But that completely ignores what really happened and what that says about the security methods being used in our businesses and personal lives – and how the two are now intimately interconnected.
We need to make sure our own backyard is secure before we start making fun of Twitter, and that means tightening up security of our own external e-mail and applications. It means enacting and enforcing strong password policies in the workplace, and taking that policy home with us. It means as individuals we need to be proactive in choosing better security related questions when they are offered and being aware that if a hint is going to lead us to the right password, it just may do the same thing for an attacker.
password reset,web 2.0,outlook web access,OWA,microsoft,web,
Related articles and blogs:
- Virtual Patching: What is it and why you should be doing it
- How to secure virtualized applications against the unknown
- Soylent Security
- The IT Security Flowchart
- Twitter Hacked!
- Twitter’s @Ev Confirms Hacker Targeted Personal Accounts; Attack Was “Highly Distressing.”
- Palin E-Mail Hacker Says It Was Easy
- The Odd Couple: Marrying Agile and Waterfall
- Fanning the Flames of Agile
- Internet of @ThingsExpo Silicon Valley Call for Papers Now Open
- April and May 2014 Server and StorageIO Update newsletter
- MangoApps to Exhibit at Cloud Expo New York
- WSO2 Introduces Industry’s First Enterprise Identity Bus With the Launch of WSO2 Identity Server 5.0
- Practical WebRTC: From API to Solution
- Last Chance to Register for LTE World Summit
- The Butterfly Effect Within IT
- The Business Challenges Impacting Digital Transformation
- Stay Current on the Internet of Things
- Setting the Bar for Agile Architecture
- How to Get the Best From Virtual Employees
- Global Financial Firms Can Effectively Address Technology Risk Guidelines
- .CLUB Domain Name Extension Now Available for General Registration
- MapR Technologies Announces Upcoming June Conferences
- More Mainstream Businesses Depend on Open Source
- AMAG, HP, ImageWare Systems, March Networks and StrikeForce Discuss Security Solutions in SecuritySolutionsWatch.com Interviews
- F5 to Present at Upcoming Technology and Investor Conferences
- The Odd Couple: Marrying Agile and Waterfall
- Flexera Software’s InstallShield 2014 Release Introduces New Support of Cloud and Virtualised Installations, High-DPI Displays and Touch Devices, and Agile Development
- FlexNet Manager Suite Wins CODiE Award for Best Asset Management Solution - 4th CODiE Award for Flexera Software
- Fanning the Flames of Agile
- WSO2 Guest Speakers at WSO2Con Europe 2014 Will Examine Technology Developments and Best Practices Enabling the Connected Business
- The Top 150 Players in Cloud Computing
- Who Are The All-Time Heroes of i-Technology?
- Where Are RIA Technologies Headed in 2008?
- Success, Arrogance, Rise and Fall
- AJAX World RIA Conference & Expo Kicks Off in New York City
- The Top 250 Players in the Cloud Computing Ecosystem
- Personal Branding Checklist
- i-Technology Viewpoint: Attack of the Blogs
- Exclusive Q&A with Jeff Haynie, Co-Founder & CEO, Appcelerator
- Cloud People: A Who's Who of Cloud Computing
- Ulitzer Names the World's 30 Most Influential Cloud Computing Bloggers
- Web 2.0 News and Wrapping Up "Real-World AJAX" Seminar