Based on the screen shots circulating the web, it would appear that admin staff at Twitter were using gmail for sensitive activities such as domain name administration – this meant that the hacker could potentially have used their access to redirect Twitter.com to a malicious site. Of course this is all great blogging fodder for the likes of TechCrunch, which is clearly enjoying baiting its readers. I don’t see that publishing Twitter’s company confidential information on a blog helps anyone, other than gaining traffic for the blog that posts it.

The fall out will inevitably be harmful to Twitter. It isn’t the first security incident associated with the darling of the web, and I know of other breaches of confidentiality that have happened, but not made it in to the public domain yet. Twitter needs to tidy up its act.

Key take aways:

Don’t send company confidential information over low-security email.

• Public email services tend to send data over straight http, rather than https. This makes unencrypted data vulnerable to snooping on public LANs and WiFi hot spots.
• Don’t forward (or allow to be forwarded) ‘corporate’ email accounts to public services. Yes, I know it is a pain, but the risks far outweigh the benefits. “Personal” and “business” email are best separated for a whole list of reasons.
• Email can be the weakest link in a number of situations. Don’t use public email services for critical administration functions like account resets, domain name administration and the like.
• Password recovery mechanisms can be gamed to escalate a hacker’s access. If someone has access to your email, what else can they gain access to?

Don’t store more in email that you need to.

• Modern day inboxes have turned into huge document repositories. This isn’t a good thing.
• Yes, gmail is wonderful, in that I can access emails from years ago. However, is that a risk as well as a benefit?
• “Delete nothing” is great for information discovery, but turns against you the second an email account is compromised.
• With IMAP-style email access giving the ability to neatly place emails into folders, it becomes all too tempting to store passwords in the mail archive. Many on-line systems (foolishly) email the new user’s ID and password to the user. Filed into a folder, or left undeleted in ‘trash’, these are a gold mine for a hacker. DELETE THEM. Change your password and tell the site involved not to email passwords. Ever.

Related Posts

• When Blurred e-mail Goes From Bad to Worse
• Twitter Business? Business Twitter.

I spoke with James Spooner of Secerno and Bill Beverley of F5 Networks about their solution, which is based around the F5 BIG-IP ASM and Secerno DataWall products. Essentially they are working together to provide a more joined up security solution. While much has happened to deliver more integration between the lower network levels and applications, no-one has really tackled the problem of integrating application and database security – at least not in the web application space.

This is where F5 Networks and Secerno have jointly focussed their effort. By using customized rules on the F5 box, DataWall can be notified of anomalies at the web traffic layer. This gives Secerno’s product user-level visibility (down to the session level) of what is happening in web applications. In theory this approach should increase the ability to protect back-end databases, and reduce the number of false positives. 

The F5 BIG-IP provides more than half a dozen attributes that can be used to correlate web transactions to database transactions, enabling very granular blocking of attempts to exploit SQL security vulnerabilities (see here). Suspicious activity can be reported up to SIM/SEM security management products and used for security forensics.

It is an interesting development, with lots of potential for expanded functionality. Using web-based applications is an attractive way of sharing information outside of the organization, either via Web 2.0 style APIs, or web portals. They can be quick to develop, and provide efficiency and competitive advantage. The downside is that such applications often require access into databases with sensitive information. The F5 and Secerno solution is a worthy attempt to deliver high levels of security, but still enable business flexibility – making both companies’ solutions more attractive.

Related Posts

• Identity Management
• F5 Networks – A Case of Applications and the Network
• When Blurred e-mail Goes From Bad to Worse

From document management to remote access, compliance to shiny web 2.0 style portals, identity management is central to running a secure and efficient IT infrastructure. All the more distressing that it is also one of the most problematic elements of business IT architectures, with forests of directory trees and multiple ‘authoritative’ information sources. Now is the time to get that sorted out.

Dr. Hellmuth Broda, from the Liberty Alliance, talked about their efforts to standardize mechanisms across the industry. Questions from the floor challenged their ability to do that, with big names like IBM and Microsoft missing from the project. That said, they are re-using existing standards, rather than creating their own, so that may not be such a barrier. Kerberos received frequent mentions. This near-ancient standards-based security continues to feature, even in the upcoming Windows 7 security (read this introduction to Kerberos for more). It is a good technology that works well and is network friendly.

There were some impressive projects discussed during the day. Glow is a project for the Scottish educational system that supports millions of users on a national schools intranet, with up to 250,000 individuals authenticating at peak times. It has proved the ability of directory technologies to work at scale, but still be very feature rich – it supports the ability to have users in dozens of groups and with overlapping roles.

A number of vendors were on hand to discuss their products: integration products from Salford Software and Quest Software, server software from Sun Microsystems, and professional services and consulting from the likes of DNS, Logica and PA Consulting Group.

Dormant unused accounts are a potential security hazard, while password resets are a massive resource sync – figures quoted suggested taht a password reset costs an average of £50 in lost time and accounts for over 40% of all help desk calls. Getting user identity under control is a critical business governance task, and makes good commercial sense for any company from medium sized upwards.

For me, the most insightful comment of the day came from Alan Coburn of identity management specialists DNS, who said this: “Don’t treat an identity management project like just another IT project. Identity management projects are business transformation projects.”

If you want to dig into Identity Management in more detail, I recommend checking out Kim Cameron’s identity blog, starting with his introduction.

Related Posts

• A Cloud Computing Tour – London CloudCamp
• Britannic Technologies – Convergence in Communications
• Linking Network and Database Security