Twitter's recent jaunt in the news kicks off security debate, by Steve Ragan - Jul 17 2009, 13:00
The recent debacle that has befallen Twitter might have some positive use after all. In the wake of the information compromise, leading to ethics discussions over TechCrunch’s use of the stolen information, there is a wave of news centered on security. Some of the articles in this news cycle make great points, while others are simply oversensationalized.
The security topics vary a bit, but the two that stand out are passwords and cloud-based security. Since the Twitter employee accounts were hosted with Google Apps, the first wave of cloud-based news centered on various “shortcomings” of Google, from its overall security to its password-reset process. Some stories even questioned the security of Google’s Chrome OS.
Is Google to blame? According to Twitter co-founder Biz Stone, not at all. “This attack had nothing to do with any vulnerability in Google Apps which we continue to use. This is more about Twitter being in enough of a spotlight that folks who work here can become targets…This isn't about any flaw in web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords.”
So what does Google do for account protections?
“When you select a password as you create an account, we recommend that you also choose a security question and provide a secondary email address. Recently, we also added a field where you can input a mobile phone number to assist with later account recovery,” Google wrote in a recent security blog posting.
“It's not enough to just tell us your email address to try to change your password. The security question helps us identify you, but if you want to initiate a password reset, we'll only send that information to the secondary address or the mobile phone number you provide.”
Google Apps customers have a separate method and policy for resetting passwords. “There is no password recovery process for individual Google Apps users. Instead, users must communicate directly with their domain administrator to initiate password changes on their individual accounts,” Google explained.
Albert Wenger, a partner at venture capital firm Union Square Ventures, one of the investing companies in Twitter, said in a blog post that the recent information compromise Twitter is faced with demonstrated the fact that the username and password scheme “is clearly insufficient for authentication.”
“Give users the option to secure with a second factor,” Wenger wrote. “Two ideas come to mind…the first is SMS. Just enter your cell phone number during registration to enable the second factor. As you log in with username and password you receive an SMS with a code that you need to enter also…the second idea is simply a twist on the first one. Instead of SMS, use an app downloaded to the phone. The app would display the second factor on the phone to be entered along with the password.”
Wenger also acknowledged that the SMS idea may slow logins down to the point of making it useless, and that his ideas are “not novel,” but said that “now is the time to get serious about [multi-factor authentication].”
Google obviously agrees on many levels with the logic used in Wenger’s post. Google Apps customers have support for SAML Single Sign-On, which allows two-factor authentication, including certificates, smart cards, one-time code generators, other token devices, and biometrics. The catch is that these options only do any good if business and other Apps customers actually take advantage of them.
Putting data in the cloud is no different than putting it on a network. If someone is willing to do whatever it takes to access that data, they will eventually get what they want. Stronger passwords help and so does layered authentication. Still, they are far from perfect. You lock your car door, maybe even use the Club to protect it; yet, a determined thief will steal it eventually.
The same parallel can be drawn for cloud-based security. You rely on a third party for protection when you place data in the cloud, but on an office-based network you rely on a third party as well: humans, who are flawed by nature. Both humans and a cloud-based provider will make mistakes, and those mistakes can easily lead to compromise and data loss, as was the case for Twitter.
Twitter's mistakes were not using all of the protection Google offers for Apps customers, and using easily obtained passwords. The odd thing is that there is still no proof of how Hacker Croll guessed the passwords on the accounts that were accessed, if they were guessed at all, or of the methods used to circumvent whatever protections were in place, if that is what happened.
In the end, there are ways to make attacks harder, make data loss less likely, and impose stringent authentication. The tools are there for the taking, but they have to be used before they are worth anything. Tossing blame on Google or other cloud-computing providers is worthless and counterproductive. It takes serious planning before a business is ready to take advantage of what the cloud can offer, and security itself takes planning of its own.
However, the balance is where the problems start to arise. Once plans are in place, businesses need to make sure that security is weighed equally with the overall business needs. Twitter did this, but based on what is known, the weak passwords resulted from those plans giving access and convenience more authority than security. Twitter isn’t to blame; this dilemma happens all the time in IT, and that is why security is a giant circle.
Sometimes, you really are damned if you do and damned if you don’t.