Twitter’s Security Problem is Our Security Problem

By | Monday, July 20, 2009 at 12:36 am

How did French data thief “Hacker Croll” break into accounts and swipe the 310 internal Twitter documents which he leaked to TechCrunch? TechCrunch’s Nik Cubrilovic has a long post explaining what happened–or at least what “Croll” says happened–in surprising detail. Even if you have serious issues with TechCrunch’s ongoing use of stolen documents–as I do–this story is worth a read.

Basically, “Croll” didn’t do anything particularly brilliant–and there were no chinks in Twitter’s security armor that aren’t pretty much universal. Mostly, he took advantage of (a) Twitter’s use of other Web-based services to run its business; (b) the fact that every organization has employees who use the same damn password for multiple accounts; and (c) password recovery systems that can make it absurdly easy to break into someone else’s account.

Companies aren’t going to stop using Web services, and if there’s a way to prevent employees from using the same password for disparate services from unrelated companies, I can’t think of it. The one aspect of security breaches such as the Twitter break-in that’s addressable is the lax state of password recovery. I’m worried it’ll stay lax, since the easier Web companies make it for users to get back lost passwords, the less costly it is from a customer service standpoint. But I dearly hope that Twitter’s embarrassment serves as a wake-up call for the whole industry–one that’s about a decade overdue.

3 Comments For This Post

  1. stavros Says:

    It’s Pretty Amazing That It Is So Easy For People To Get Their Documents Swiped, Especially documents pertaining to information from So Many People. Maybe instead of concentrating on all these new applications, somebody should concentrate on making a decent security system for these social media sites.

  2. Disputatore Says:

    Well, I have no particular interest in making excuses for Twitter or anyone else. Nevertheless, fraud and social engineering have been around since before we got opposable thumbs. Everything is a trade-off, and regardless of the security systems they put in place, if there are human operators involved, things will end up being stolen. It’s a fact of life.

  3. Gurudatt Shenoy Says:

    Arrggg…ARE WE BRAIN DEAD?

    The existing user id / password system is an ancient method that was developed for fixed computer systems such as servers, desktops and people needed mobility of account access and people had just one or two accounts to manage.

    It is totally a different situation today… People register for tens and possibly hundreds of accounts in their short online lifetime.

    And having to define a different user id and password for each of these accounts is simply crazy to expect. And then to give away my mother’s maiden name, pet’s name, my favorite restaurant, etc. to an online website that can get hacked can not only compromise my online accounts but also my real accounts such as bank accounts, where these are used many a time.

    IT IS SCARY…..

    I have not used social networking sites much and have switched from one to another regularly. I was on orkut, then got bored and switched to LinkedIn which sounded more professional and now use FaceBook regularly and come to think of it, I use the same password for all of these.

    IT IS EVEN MORE SCARY NOW….

    And this thought did not cross my mind now…it happened many months ago when the AOL story broke out and I wondered if there is a solution for this. And then I realized that the solution is not a stronger password or having to tell the computer to remember it for me or to use my mother’s maiden name to recover it.

    THE SOLUTION IS TO JUST DUMP THE PASSWORD……IT IS NO LONGER NEEDED.

    Today’s USER AUTHENTICATION system is developed for DESKTOP COMPUTING, not for CLOUD COMPUTING, where people exchange information with each other more regularly.

    Today, the computer is mobile, be it the NetBook or your Smart Phone. You carry it where you go, and with pervasive mobile internet connectivity you can get connected from anywhere using Wi-Fi, GPRS or EDGE.

    SO PLEASE INTERNET SECURITY EXPERTS…..WAKE UP…WE ARE NO LONGER STUCK TO A DESKTOP, AND HENCE DO NOT NEED TO USE A USER ID/PASSWORD TO ACCESS OUR ACCOUNTS FROM A DIFFERENT COMPUTER. WE OWN A NETBOOK OR AN IPHONE FROM WHICH WE DO MOST OF OUR ONLINE ACCESS OR WORK, EXCEPT FOR WHEN WE ARE WORKING IN OUR OFFICES, WHERE THE COMPANY SPENDS ZILLIONS ON SECURITY ANYWAY.

    IBM had thought of a password-free system many years back….they also filed a prior art on this.

    http://www.priorartdatabase.com/IPCOM/000039794/

    Others have followed… http://www.kirit.com/A%20simpl…..eb%20sites

    And I have filed my own patent for EasySecured which offers a unique, simpler and completely SECURED way to achieve the same concept.

    ISN’T THIS AMAZING……NO PASSWORD TO REMEMBER, NO PASSWORD STORED ANYWHERE WAITING TO BE HACKED?

    IF PASSWORDS ARE NOT STORED ON THE SERVER OR YOUR COMPUTER, THERE IS NO WAY HACKERS CAN HACK INTO ONLINE ACCOUNTS.

    AM I CRAZY? HOW DOES ONE AUTHENTICATE AN ACCOUNT IF THERE ARE NO PASSWORDS?

    The solution is downright SIMPLE: your computer is your password. By this I mean not just a desktop, but your netbook, your laptop, your smartphone, IPHONE, anything that is a computer. YOU ARE NOT STUCK TO A SINGLE COMPUTER.

    Your online account will open only from the computers you have registered to access it. You do not have to define a password or remember it. Only your User ID, which is like the PIN number of your Credit Card and which will work only from your computer or the computers you allow it to work from.

    ONCE AGAIN …..NO PASSWORD…. IS STORED IN YOUR COMPUTER…. OR THE HOST SERVER.

    The password is a unique signature derived from the various parts of your computer, mashed up using a patent-pending technology, that is generated in real time every time you try to log in to your account from the registered computer.

    The server authenticates by decrypting your user account details using this real-time generated password and granting you access to your account.

    Hackers rely on stored user ids and passwords on servers to hack accounts. In this case only your user id is stored on the server, encrypted with a real-time generated password that is stored NOWHERE.

    IF a hacker is to gain access to your online account, he or she has to also gain access to your computer or IPHONE or NetBook along with your original User ID.

    As every User ID and critical user information such as credit card numbers, etc., are encrypted using a unique key generated by a physical device, there is NO WAY HACKERS CAN HACK INTO ONE ACCOUNT AND GET THE KEY TO HACK THE REST OF THE ACCOUNTS ON THE SERVER.

    I have been working on this idea and concept for months and only need industry support to make this a reality and ONCE AND FOR ALL PUT AN END TO THE VULNERABILITY OF ONLINE ACCOUNTS.

    You can twitter me @gurudatts to know more about this or email me.