
Rory Cellan-Jones

The Twitter hack and the cloud

  • Rory Cellan-Jones
  • 15 Jul 09, 12:57 GMT

A leading technology blog, Techcrunch, said last night that it had been forwarded hundreds of confidential corporate and personal documents belonging to Twitter and its employees.

The information, obtained by a hacker calling himself Hacker Croll, was first mentioned on this French blog.

It apparently includes the names and food preferences of all employees, records of internal meetings, names of job applicants, confidential contracts with companies like Nokia and Microsoft, and details of staff salaries.

In other words, just about everything that Twitter would like to keep secret - and that rivals, and journalists, would love to get their hands on. The post on Techcrunch immediately provoked a firestorm, with many expressing outrage that the blog should even consider publishing this material, which appears to have been obtained by illicit means.

I spoke to the French blogger Manuel Dorne, who was the first to receive the file from "Hacker Croll" - who's apparently based in France. He told me the documents included credit card numbers and personal account details from Apple's Mobile Me service.

There were also details of plans for the French president to acquire a Twitter account - under the name @NicolasSarkozy. But Manuel Dorne said he'd made a different decision from Techcrunch, opting just to show a few screenshots of the material rather than publish more. "I don't want to cause damage to Twitter or to help their rivals," he told me.

Beyond the issue of journalistic ethics, the whole incident also raises interesting questions about the security of cloud computing. Much of the information appears to have been obtained by the hacker gaining access to Gmail accounts. So it appears that Twitter, like an increasing number of young businesses, was storing lots of corporate information on the servers in Google's vast data centres.

Now Google is stressing that there's no suggestion that its systems have been hacked - merely that someone has somehow guessed the Gmail passwords of various Twitter employees.

As a spokesman explained it to me, you'd feel furious at your bank if their servers had been hacked allowing someone to get access to your account, but furious with yourself if you'd given away your online banking details - or chosen a very weak password.

That's obviously true. But companies thinking of migrating all of their e-mail into the cloud might consider what Hacker Croll told Manuel Dorne about the motivation behind his Twitter hack:

"I hope my intervention will make them realise that no one is safe on the net."

In other words, he hopes his "intervention" will make Twitter wake up to the fact that nothing is secure on the net. Companies promoting cloud computing - from Google to Amazon to Microsoft - are all confident that their systems just cannot be hacked.

But if you allow your employees - including very senior members of staff - to send confidential information on cloud-based e-mail then you'd better make sure their passwords are super secure.

Comments

  • Comment number 1.

    Twitter pulled a Palin!

  • Comment number 2.

    As usual, the error is human error - setting weak passwords and simple password-reminder options. Public figures like @ev will have so many details about them documented on sites like wikipedia that 'mother's maiden name' is no longer secure (for example).

    More importantly, is this a wakeup call for those advocating Google Health and Microsoft systems for the NHS?

  • Comment number 3.

    Do you not realise that unless you actually have a dedicated server in your company, ALL email is stored in the "cloud"?

    There is absolutely nothing different between having your emails on Google's servers to having them on the servers that are run by your web host. It could be argued that Google's servers are more secure.

  • Comment number 4.

    What part of data security and encryption do these people not understand? It's not that difficult. The same is true for password strength, again it's not a difficult task.

    I have a system where a colleague typed in all the four letter words from the shorter OED. It randomly picks two words, joins them and changes one or two letters to numbers. It then picks 40 of these "portmanteau" words.

    I pick one that I like from the list - that's a reasonable password (which I'll use for 90 days). If I need a longer password I'll run the process twice or pick two from the list.
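As an added illustration of the scheme described in comment 4 (this is not code from the commenter, from Rory or from the BBC), the following Python script generates candidates the same way and, more usefully for anyone deciding whether to adopt such a scheme, counts how many distinct passwords it can actually produce. The word list and the letter-to-digit substitution table are constructed assumptions, and the 3000-word figure used in the scaling estimate is an assumption too, not the size of any real OED list.

```python
import math
import secrets
from itertools import combinations

# Constructed stand-in for the commenter's list of four-letter words taken from
# the shorter OED; a real run would load a few thousand words from a file.
WORDS = ["lamp", "dusk", "fern", "gale", "hoop", "iron", "jade", "kelp",
         "loom", "moss", "nail", "oval", "pike", "quay", "rift", "sage"]

# Letter-to-digit swaps of the kind the comment describes (an assumed table).
SUBS = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7", "l": "1", "g": "9"}


def substitute(joined, positions):
    """Replace the letters at the given positions with their digit equivalents."""
    chars = list(joined)
    for i in positions:
        chars[i] = SUBS[chars[i]]
    return "".join(chars)


def portmanteau(rng, words=WORDS):
    """One candidate: two random words joined, with one or two letters turned into digits."""
    joined = rng.choice(words) + rng.choice(words)
    slots = [i for i, ch in enumerate(joined) if ch in SUBS]
    k = min(rng.choice((1, 2)), len(slots))
    return substitute(joined, rng.sample(slots, k))


def candidates(n=40, rng=None, words=WORDS):
    """The list of n candidates the commenter picks from; OS-backed randomness by default."""
    rng = rng or secrets.SystemRandom()
    return [portmanteau(rng, words) for _ in range(n)]


def keyspace(words=WORDS):
    """Exact number of distinct outputs the scheme can produce for a given word list."""
    outputs = set()
    for w1 in words:
        for w2 in words:
            joined = w1 + w2
            slots = [i for i, ch in enumerate(joined) if ch in SUBS]
            for k in (1, 2):
                for pos in combinations(slots, min(k, len(slots))):
                    outputs.add(substitute(joined, pos))
    return len(outputs)


def bits(n_outputs):
    """Entropy in bits if every output of the scheme were equally likely."""
    return math.log2(n_outputs)


def estimated_bits(n_words, variants_per_pair):
    """Scaling estimate for a larger list: 2*log2(N) for the word pair plus log2(v) for the swaps."""
    return 2 * math.log2(n_words) + math.log2(variants_per_pair)


# The same eight characters drawn uniformly from [A-Za-z0-9], for comparison.
RANDOM_ALNUM_8 = 8 * math.log2(62)

if __name__ == "__main__":
    for c in candidates(5):
        print(c)
    n = keyspace()
    print(f"{len(WORDS)}-word list: {n} distinct outputs = {bits(n):.1f} bits")
    print(f"assumed 3000-word list, ~10 variants per pair: {estimated_bits(3000, 10):.1f} bits")
    print(f"8 random alphanumerics: {RANDOM_ALNUM_8:.1f} bits")
```

The point of the `keyspace` and `estimated_bits` functions is that a password such as `g4lemo5s` looks complex to a human, but the number of things it could be is fixed by the size of the word list squared times a handful of substitution variants, which comes out in the low twenties of bits even for a few thousand words, roughly half of a random eight-character alphanumeric string; letting a person choose "the one they like" from 40 shrinks it further. That is still a large improvement on a pet's name, which is the comparison the comment is making.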

  • Comment number 5.

    Well this is TechCrunch's modus operandi.
    Mike Arrington is a hack, he's one of the worst journalists out there. He just throws mud at anyone and everyone to see if it sticks... From Leo LaPorte, last.fm and now Twitter.

    The man is a disgrace to technology journalism.

  • Comment number 6.

    I wrote about this very thing on TheNextWeb about 45 minutes ago... (https://bit.ly/KailS) I'd like to say "great minds"...but frankly, your mind is far greater than even mine :)

  • Comment number 7.

    Rory's post raises an interesting issue about cloud security. In many ways, securing the cloud itself may be an almost impossible task due to the numbers of providers involved and the level of sharing that is inherent with many cloud-based services. But the fact is that by the time data has reached the cloud, it's normally too late. The potential for data getting into the wrong hands starts from the moment it leaves an organisation, and it's therefore at this boundary point between the organisation and its external environment that security has to be the key priority for those looking to use cloud-based services.

  • Comment number 8.

    If the hack solely involved guessing gmail passwords then it's hardly a condemnation of cloud computing. Most companies have their mail on a server run by the ISP - protected by the same thing - a password.

    Similarly companies hosting their own servers might run eg remote desktop - protecting the machine with just a password.

    If the hack was mere password guessing then it's not a weakness in the concept of cloud computing - that same weakness exists in pretty much any IT system connected to a network.

  • Comment number 9.

    Lots of companies allow access to their exchange servers through the web with a similar level of risk. If it's just a matter of brute force password cracking, it has nothing to do with cloud computing.

  • Comment number 10.

    I'm torn. As a person who researches social networks, any information that could help me better understand how they operate, internally, would be incredibly useful to my analysis. But this clearly goes beyond the ethical boundaries, at least for my profession.

    I think this whole problem is magnified by the fact that Twitter is so secretive, not even publishing the number of active users/accounts (and I've heard several implausible reasons why). Even Facebook is more forthcoming about revealing information about their network usage, offering demographic portraits of their userbase and celebrating milestones when they reach a significant increase in users. I'm not talking about proprietary information, just some basic stats!

    The more secretive you are about what seems like simple information, the more explosive your "secrets" will be and the more eager people will be to publish them. If Twitter were more transparent, I doubt they would've been targeted by a hacker bent on revealing their security lapses.

  • Comment number 11.

    I am registered on over a thousand websites and most of them have a password such as "862U6866642k" which was randomly generated for me just now using software and not used anywhere as far as I know. There has been no typing of the password at any point, just copy and paste, which foils any keylogger software should there be some.

    For those services where I do require a memorable password, I tend to pick a random word not connected to family, pets, friends or interests and sometimes add a number to part of it. The 1000+ randomly generated passwords are stored in a 128-Keys encrypted database on my computer, which is a Mac, a change from Windows made partly for the security benefits.

  • Comment number 12.

    #11

    While your mechanism for generating and storing passwords is more than adequate for (with all due respect) particularly paranoid and tech-savvy individuals, it's not particularly practical for the masses.
    If I want to access my Facebook account from a different PC, I just browse to the website and enter my password. If that password was completely unmemorable and stored in a digital vault then I am either tied to one computer, or (worst case scenario) I write the password down somewhere and carry it around with me. There are other solutions, e.g. I could replicate the digital vault on my mobile device... but that brings with it unique challenges and risks.

    There is a happy half-way house that would be suitable for most people, excluding perhaps Intelligence agents. That is, memorise a short, meaningless alphanumeric string: e.g "A_59x" and then mix that in with something memorable about the website, e.g. FBook_A_59x. You then have a strong password that you can remember, don't need to write down, and that can vary from site to site. You could even include some sort of sequence number so that you can rotate the password periodically.

    Of course, it's not unbreakable... but then nothing is. All you have to do is make it so that the "payoff" is not worth the effort required to break your password. If someone with enough time, skill and dedication really wanted to get into YOUR stuff, then they probably would. Even the 128-bit encrypted password vault in #11 has a basic weakness... to retrieve the passwords, he will have to "decrypt" using a key. That key will need to be something simple that he can remember. Break that one key, and you have access to every password in his vault.

  • Comment number 13.

    #11 - What happens if your hard-drive gets fried?
    The problem with Gmail is that their password reset system is flawed and automatically logs the hacker in. A new generated password should be sent to another email account or by SMS. The SMS option would cost money, the other email account means Google does not have total control of the internet - as every gmail user would need one other email account.

  • Comment number 14.

    Someone guessing your password or recovery question is the same no matter if it's on GMail, a private server, your hard drive or... Well, anything. This has nothing to do with the cloud really.

  • Comment number 15.

    @11 - what if you want to log in to something from a friend's computer? You need a damn good memory...

  • Comment number 16.

    The problem with storing all this in the cloud is that you are relying on someone else's security which, as we have seen, can fail. Also storing documents on someone else's systems means you have little control when you decide you want more control over who accesses them. Yet there is a solution to this, information rights management puts controls around the document so no matter where the content resides you have persistent protection and access control.

    So for instance I could send a document to someone then a week later decide they should not have access to this information. I simply remove their rights and they can no longer access the document... simple...

    Read more about these technologies at https://blogs.oracle.com/irm/

  • Comment number 17.

    This is probably nothing to do with cloud computing... as webbunny says, it's just another server.

    The probable cause for the issue is that gmail has a default setting "Don't always use https". I'm surprised it has taken this long for a high profile 'hack' to happen. Any fool with fiddler can read an un-savvy twitter employee's gmail, unless they've switched to the much more advisable setting "Always use https".
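The risk comment 17 describes is a webmail session cookie travelling over plain HTTP, where anyone on the path can read it. The Python below is an added example (not code from the commenter, the BBC or Google) of the check a defender would run against their own service's responses: it parses `Set-Cookie` headers and flags cookies that lack the `Secure` attribute, flags likely session cookies that lack `HttpOnly`, and notes the absence of a `Strict-Transport-Security` header. The two responses are constructed samples, not captured traffic, and the HSTS and `SameSite` checks are modern mitigations that go beyond the 2009 "Always use https" setting the comment refers to.

```python
# Constructed sample responses (not captured from any real service).
PLAIN_HTTP_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SID=abc123; Path=/; HttpOnly
Set-Cookie: PREF=lang=en; Path=/
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: SID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: PREF=lang=en; Path=/; Secure
"""

# Substrings that suggest a cookie carries a login session (assumed heuristic).
SESSION_HINTS = ("sid", "sess", "auth", "token")


def parse_headers(raw):
    """Split a raw HTTP response head into (status line, [(name, value), ...])."""
    lines = raw.strip().splitlines()
    status = lines[0]
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def parse_cookie(value):
    """Return (cookie name, {attribute: value-or-True}) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.lower()] = v or True  # flag attributes such as Secure have no value
    return name, attrs


def audit(raw):
    """List the ways this response could let a session leak over plain HTTP."""
    _, headers = parse_headers(raw)
    findings = []
    if not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header: browsers may still use plain HTTP")
    for n, v in headers:
        if n != "set-cookie":
            continue
        name, attrs = parse_cookie(v)
        looks_session = any(h in name.lower() for h in SESSION_HINTS)
        if "secure" not in attrs:
            tag = " (session cookie!)" if looks_session else ""
            findings.append(f"cookie {name} lacks Secure{tag}")
        if looks_session and "httponly" not in attrs:
            findings.append(f"session cookie {name} lacks HttpOnly")
    return findings


if __name__ == "__main__":
    for label, resp in (("plain", PLAIN_HTTP_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(resp) or ["no findings"])
```

Without the `Secure` attribute a browser will happily send the `SID` cookie on any `http://` link to the same host, even if the user logged in over HTTPS, which is exactly the window a sniffer on an open network needs; the attribute, plus HSTS so the browser never makes the plain request in the first place, closes it.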

  • Comment number 18.

    @11

    I think with session cloaking and monitoring your network packets from your IP address to the destination I want, I doubt it would be too difficult even with your super strong password unless you're on a secured server to hijack your session and log in to your account.

    Unless there is a secured, encrypted connection from the client to the host then it can be cloaked and taken over, regardless of the password used.

    It would be down to the internal security of the site to determine if you are indeed the right person, and that the session integrity remains intact, and that it has not been hijacked.

    Fair enough, it would take someone fairly skilled to perform such a task, and they would need to have a reason too. To get into Mr. Joe Blogs' Facebook account and go through his messages isn't really full exploitation of them type of skillz.

    Doing BTA (Brute Force Attacks) used to be slow (very slow, when you consider all the permutations in a 7 digit string), but a sure fire way to get into somewhere, but the three strikes and you're out policy that many websites have implemented means that people hell bent on getting into a website have dreamed up new ways of getting in, from hijacking sessions, SQL attacks, XSS etc, and even hacking into the database server itself to get usernames and passwords or to bring the website to a grinding halt.

    At the end of the day, the integrity and security of a website is defined by the weakest link, and 9/10 times that's the person sitting at the keyboard using it.

    Back to the point at hand: HA! Use better passwords!

  • Comment number 19.

    I've been using the cloud since 1998 (I have a Yahoo Mail account) and it's been fine. Back then we called it web mail.

  • Comment number 20.

    This is not really about the innate security or insecurity of cloud computing, it's about password security. This hack can happen to any enterprise that makes web-based email available.

    Organisations must enforce strong password policy and force their employees to make regular password changes on email accounts.

    Employees often demand web-based access to email, and web-based access to email greatly increases the utility of corporate email, but proper security policies should be in place to minimise the risks.

    Enterprises should enforce strong password policies as well as regular password changes. I'm not sure if the enterprise version of Google Apps has such a feature to enforce such policies, but it should.

    For extra security, webmail can be protected by two-factor authentication (e.g. not just a password, but also a USB token or similar). Many enterprises already do this, though many do not.

    Email continues to be the de-facto filing and file transfer system in the enterprise. It's nearly impossible to change this behaviour, but as the Twitter hack shows; a massive amount of confidential information resides in the email system. Adopting a solution for secure file transfer to send files that are large, or contain confidential information and encouraging employees to use it, can help solve this problem.

  • Comment number 21.

    The biggest problem is lazy people who use lousy passwords (or write them down on pieces of paper or store them in unprotected computer files). To achieve a much higher level of safety, people should use totally random, impossible-to-guess passwords and store them with desktop software (Keypass, iPassword, Roboform, SignUpShield, etc.), USB drive (Ironkey, ID Vault, etc.), or standalone device (Mandylion, Atek Secure Password Organizer). There are websites where you can also store passwords but that seems scary to me. In fact even the desktop software and USB drives feel scary since in theory they are vulnerable to hacking attack. So I prefer a standalone device that is totally insulated from such hacking.

  • Comment number 22.

    "... if you allow your employees -- to send confidential information on cloud-based e-mail then you'd better make sure their passwords are super secure..." is good advice. Recommendations for creating strong passwords https://www.enigmasoftware.com/how-strong-is-your-password/ include avoiding words like family, pet or friends’ names, as well as your street address. The strongest passwords are made up of a combination of letters, capitalized letters, numbers, special characters and symbols. A strong password could be #3FmAl5oFtwar3 for example.
