Based on the screen shots circulating the web, it would appear that admin staff at Twitter were using gmail for sensitive activities such as domain name administration – this meant that the hacker could potentially have used their access to redirect Twitter.com to a malicious site. Of course this is all great blogging fodder for the likes of TechCrunch, which is clearly enjoying baiting its readers. I don’t see that publishing Twitter’s company confidential information on a blog helps anyone, other than gaining traffic for the blog that posts it.

The fall out will inevitably be harmful to Twitter. It isn’t the first security incident associated with the darling of the web, and I know of other breaches of confidentiality that have happened, but not made it in to the public domain yet. Twitter needs to tidy up its act.

Key take aways:

Don’t send company confidential information over low-security email.

• Public email services tend to send data over straight http, rather than https. This makes unencrypted data vulnerable to snooping on public LANs and WiFi hot spots.
• Don’t forward (or allow to be forwarded) ‘corporate’ email accounts to public services. Yes, I know it is a pain, but the risks far outweigh the benefits. “Personal” and “business” email are best separated for a whole list of reasons.
• Email can be the weakest link in a number of situations. Don’t use public email services for critical administration functions like account resets, domain name administration and the like.
• Password recovery mechanisms can be gamed to escalate a hacker’s access. If someone has access to your email, what else can they gain access to?

Don’t store more in email that you need to.

• Modern day inboxes have turned into huge document repositories. This isn’t a good thing.
• Yes, gmail is wonderful, in that I can access emails from years ago. However, is that a risk as well as a benefit?
• “Delete nothing” is great for information discovery, but turns against you the second an email account is compromised.
• With IMAP-style email access giving the ability to neatly place emails into folders, it becomes all too tempting to store passwords in the mail archive. Many on-line systems (foolishly) email the new user’s ID and password to the user. Filed into a folder, or left undeleted in ‘trash’, these are a gold mine for a hacker. DELETE THEM. Change your password and tell the site involved not to email passwords. Ever.

Related Posts

• When Blurred e-mail Goes From Bad to Worse
• Twitter Business? Business Twitter.

Why is that so bad? Well, it moves the security boundary for the corporate e-mail firmly outside of the corporate firewall. Hackers have recently had quite a bit of fun with a certain vice presidential candidate’s email (for the full back ground check out Michelle Malkin’s “The story behind the Palin e-mail hacking“. There are many different services out there, and the way that they handle authentication (the usernames and passwords) varies widely. A wily hacker could have access to a mailbox for months if not years before anyone realised.

What to do? The immediate sensible reaction might seem to be a big crack down, but actually it would be more productive to look at employee’s needs and provide mobile e-mail access. Monthly costs are now very low (on a par with line rental or a broadband account). It might also be time to take another look at a corporate webmail solution for laptop-based remote users.

You might not want users stuck in the office, but you don’t want their email running free!

Related Posts

• Twitter’s Bitter Lesson – What You Should Know
• Linking Network and Database Security
• Identity Management