The ‘Twitter Hack’ is all over the blogosphere, although it isn’t really a hack on Twitter as such. An individual (or team) going by the name “Hacker Croll” gained access to the personal accounts of Twitter employees and associates, according to an email from Evan Williams (@EV – Twitter founder).
Based on the screenshots circulating on the web, it would appear that admin staff at Twitter were using Gmail for sensitive activities such as domain-name administration – this meant that the hacker could potentially have used their access to redirect Twitter.com to a malicious site. Of course this is all great blogging fodder for the likes of TechCrunch, which is clearly enjoying baiting its readers. I don’t see that publishing Twitter’s company confidential information on a blog helps anyone, other than gaining traffic for the blog that posts it.
The fallout will inevitably be harmful to Twitter. It isn’t the first security incident associated with the darling of the web, and I know of other breaches of confidentiality that have happened but have not made it into the public domain yet. Twitter needs to tidy up its act.
Key takeaways:
Don’t send company confidential information over low-security email.
- Public email services tend to send data over straight http, rather than https. This makes unencrypted data vulnerable to snooping on public LANs and WiFi hot spots.
- Don’t forward (or allow to be forwarded) ‘corporate’ email accounts to public services. Yes, I know it is a pain, but the risks far outweigh the benefits. “Personal” and “business” email are best separated for a whole list of reasons.
- Email can be the weakest link in a number of situations. Don’t use public email services for critical administration functions like account resets, domain name administration and the like.
- Password recovery mechanisms can be gamed to escalate a hacker’s access. If someone has access to your email, what else can they gain access to?
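The last point is worth making concrete. A mailbox is rarely an end in itself: it is the recovery address for other accounts, which in turn are the recovery address for others. The script below is an added example (not from the original post) that walks that chain for a constructed inventory of accounts and reports everything a single compromised mailbox can reach through password resets. All account names, the recovery links between them and the list of "high value" systems are assumptions made up for the illustration.

```python
"""Map how far one compromised mailbox reaches through password-reset chains.

Added example, not from the original post. Account names, recovery links and
the starting mailbox are constructed for illustration only.
"""
from collections import deque

# Constructed inventory: each account lists the accounts that can reset its
# password (its recovery e-mail, or another account it delegates resets to).
RECOVERY_LINKS = {
    "personal-gmail": [],
    "corporate-mail": ["personal-gmail"],      # corporate mail recovers via Gmail
    "domain-registrar": ["corporate-mail"],
    "dns-provider": ["domain-registrar"],      # registrar address logs in to DNS
    "app-admin-console": ["corporate-mail"],
    "payroll": ["hr-portal"],
    "hr-portal": [],
}


def reset_dependents(links):
    """Invert the map: for each account, the accounts that can be reset from it."""
    dependents = {name: [] for name in links}
    for account, recoverers in links.items():
        for recoverer in recoverers:
            dependents.setdefault(recoverer, []).append(account)
    return dependents


def blast_radius(links, compromised):
    """Every account reachable from `compromised` via reset chains, with its depth."""
    dependents = reset_dependents(links)
    seen = {compromised: 0}
    queue = deque([compromised])
    while queue:                       # breadth-first walk over the reset graph
        current = queue.popleft()
        for nxt in dependents.get(current, []):
            if nxt not in seen:
                seen[nxt] = seen[current] + 1
                queue.append(nxt)
    seen.pop(compromised)              # report only what the attacker gains
    return seen


def high_value_exposed(links, compromised, high_value):
    """Which of the accounts flagged as high value sit inside the blast radius."""
    return sorted(a for a in blast_radius(links, compromised) if a in high_value)


if __name__ == "__main__":
    start = "personal-gmail"
    radius = blast_radius(RECOVERY_LINKS, start)
    for account, depth in sorted(radius.items(), key=lambda kv: kv[1]):
        print(f"{'  ' * depth}{account} (reset depth {depth})")
    print("high-value exposed:",
          high_value_exposed(RECOVERY_LINKS, start,
                             {"domain-registrar", "dns-provider", "payroll"}))
```

Run against a real inventory, the depth column is the useful part: anything at depth 2 or more is being protected by an account nobody thought of as security-relevant, and the fix is to give those systems a dedicated, separately secured recovery address rather than a chain back to a personal mailbox.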
Don’t store more in email than you need to.
- Modern day inboxes have turned into huge document repositories. This isn’t a good thing.
- Yes, gmail is wonderful, in that I can access emails from years ago. However, is that a risk as well as a benefit?
- “Delete nothing” is great for information discovery, but turns against you the second an email account is compromised.
- With IMAP-style email access giving the ability to neatly place emails into folders, it becomes all too tempting to store passwords in the mail archive. Many on-line systems (foolishly) email the new user’s ID and password to the user. Filed into a folder, or left undeleted in ‘trash’, these are a gold mine for a hacker. DELETE THEM. Change your password and tell the site involved not to email passwords. Ever.
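Finding those credential emails in a multi-year archive by hand is unrealistic, so here is an added example (not from the original post) of the kind of sweep worth running before an account is compromised rather than after. It parses a small set of constructed messages with Python's standard `email` module, flags the ones whose subject or body looks like a mailed-out credential, and leaves a policy reminder that merely mentions the word "password" alone. The folder names, sender addresses and sample credentials are all made up; the patterns are a starting point to tune, not an exhaustive list.

```python
"""Flag archived e-mails that carry credentials so they can be deleted.

Added example, not from the original post. Messages, folder names and
patterns are constructed for illustration; review hits before deleting.
"""
import email
import re
from email import policy

# Patterns that typically indicate a service mailed a credential in clear text.
CREDENTIAL_PATTERNS = [
    re.compile(r"\bpassword\s*(?:is|:|=)\s*\S+", re.I),
    re.compile(r"\b(?:temporary|initial|new)\s+password\b", re.I),
    re.compile(r"\busername\s*(?:is|:|=)\s*\S+.*?\bpassword\b", re.I | re.S),
]

# Constructed sample mailbox: (folder, raw RFC 822 message).
SAMPLE_MAILBOX = [
    ("Admin/Domains",
     "Subject: Welcome to ExampleRegistrar\nFrom: noreply@registrar.example\n\n"
     "Your account is ready.\nUsername: admin@example.com\nPassword: Tr0ub4dor&3\n"),
    ("Inbox",
     "Subject: Lunch on Friday?\nFrom: colleague@example.com\n\n"
     "Are you free at noon?\n"),
    ("Trash",
     "Subject: Your temporary password\nFrom: support@saas.example\n\n"
     "Use this temporary password to sign in: hunter2\n"),
    ("Inbox",
     "Subject: Password policy reminder\nFrom: it@example.com\n\n"
     "Please change your password every 90 days.\n"),
]


def message_text(raw):
    """Return (subject, plain-text body) for a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    return (msg["subject"] or ""), text


def find_credential_mail(mailbox):
    """Return (folder, subject, pattern) for each message that looks like a mailed credential."""
    hits = []
    for folder, raw in mailbox:
        subject, body = message_text(raw)
        haystack = f"{subject}\n{body}"
        for pat in CREDENTIAL_PATTERNS:
            if pat.search(haystack):
                hits.append((folder, subject, pat.pattern))
                break                  # one hit per message is enough
    return hits


if __name__ == "__main__":
    for folder, subject, pattern in find_credential_mail(SAMPLE_MAILBOX):
        print(f"[{folder}] {subject!r} matched {pattern}")
```

Note that the Trash folder is scanned like any other: a deleted-but-not-purged welcome email is exactly the "gold mine" the post describes. For a real archive, feed the function messages read from an mbox export or over IMAP, then purge the flagged ones and rotate the passwords they contained.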
