Twitter hack caused by lack of security

Basingstoke, July 2009 (Eskenzi PR) - News that Twitter has been hacked yet again comes as no surprise, given that many IT staff and managers are being pushed into adopting cloud computing services on a fast-track basis, says Origin Storage, the storage systems integration specialist.

"Our observations suggest that a number of companies and their staff are being forced down the cloud computing route and are having to adapt their IT security systems on the fly," said Andy Cordial, Origin Storage's managing director.

"We have had concerns about this rate of change in the business sector for some time and, with all the data breaches occurring on the cloud front, it's obvious that the chickens are now coming home to roost," he added.

According to Cordial, this latest Twitter hack appears to be the result of the password of a company co-founder being guessable on the Google Apps service, which then allowed the hacker access to his personal information, including details of his wife's computer.

It is, he explained, a common problem in IT departments, but one that can be solved by applying a sizeable slice of common sense and adding a selection of encryption technologies plus policies to the mix.

Adding encryption to a company's data storage - whether in the cloud or not - he said, will ensure that data at rest, as well as on the move, is protected from prying eyes.

And if a secure password best practice is applied on top of corporate encryption policies, the resultant multiple layers of defence can help prevent human error causing a faux pas like the latest Twitter hack.

"Applying effective security is all about planning and then applying that planning, backed up by a set of solid security policies with encryption at its heart," he said.
"If Twitter had had this strategy operating at all levels of its hierarchy, rather than apparently going for user growth at any cost, it wouldn't be in the embarrassing situation it is now," he added.

For more on the latest Twitter security lapse: http://preview.tinyurl.com/nyw728

For more on Origin Storage: http://www.originstorage.com

Mark Fullbrook, UK and Ireland Country Manager for Cyber-Ark said: "I find it amazing that a company such as Twitter still holds company-sensitive information such as HR records on servers that can be accessed with a simple username and password, without any ability to audit who has access.

The fact that this has come from the use of an administrator's account further underlines our advice to utilise a digital vaulting solution to store and manage highly sensitive info, whether that be a file or a privileged password."

Amichai Shulman CTO of Imperva went on record saying: “This is a great lesson in cloud security. My guess is that once the hackers got hold of the email account they used the “recover password” feature of Google Apps to compromise the Google Apps account for that individual. Not that this could not have happened to a corporate account but… in order to compromise a corporate account you’d usually go through two authentication mechanisms (VPN and then internal network login). Plus, if you had a good data loss protection solution in place, you would prevent your business sensitive documents from leaking. With a cloud service there is no one to “double check” the extraction of documents and other sensitive information.”
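The failure mode described above (a guessable password on one mailbox, then the "recover password" feature of the cloud service to take over every account that names that mailbox for recovery) is easy to reason about as a graph. The following script is an added example, not code from the press release or from any of the vendors quoted; the account names, passwords and the small blocklist are constructed sample data, and the guessability test is a deliberately crude stand-in for a real password-strength check. It walks the recovery links transitively from every guessable password and reports how each account falls, which is exactly the audit a security officer would want before trusting a cloud mailbox as a recovery channel.

```python
"""Model an account-recovery chain: one guessed password, then password
resets through recovery mailboxes until the whole tree is owned.

Added example with constructed data; names and passwords are hypothetical.
"""
from collections import deque

# Constructed blocklist standing in for a real common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "twitter", "welcome"}


def is_guessable(password: str) -> bool:
    """Crude guessability test: too short, on the blocklist, or a blocklist
    word with the usual trailing digits / '!' tacked on (e.g. 'Welcome2009!')."""
    p = password.lower()
    if len(p) < 8 or p in COMMON_PASSWORDS:
        return True
    return p.rstrip("0123456789!") in COMMON_PASSWORDS


def compromised_accounts(accounts: dict) -> dict:
    """Return {account: how it fell}.

    `accounts` maps a name to {"password": str, "recovery": name-or-None},
    where "recovery" is the mailbox whose owner can reset this account's
    password. Seeds are every account with a guessable password; the walk
    then follows recovery links outward (breadth-first), since controlling a
    mailbox lets the attacker reset every account that recovers through it.
    """
    # Reverse index: mailbox -> accounts that can be reset from it.
    resettable_from: dict = {}
    for name, info in accounts.items():
        mailbox = info.get("recovery")
        if mailbox:
            resettable_from.setdefault(mailbox, []).append(name)

    fallen: dict = {}
    queue: deque = deque()
    for name, info in accounts.items():
        if is_guessable(info["password"]):
            fallen[name] = "password guessed"
            queue.append(name)

    while queue:
        owned = queue.popleft()
        for dependant in resettable_from.get(owned, []):
            if dependant not in fallen:
                fallen[dependant] = f"password reset via recovery mailbox {owned}"
                queue.append(dependant)
    return fallen


def reset_links_to_harden(accounts: dict) -> list:
    """Recovery links (mailbox -> account) actually used in the chain; these
    are the resets that a second factor on password recovery would have blocked."""
    prefix = "password reset via recovery mailbox "
    return [(how[len(prefix):], name)
            for name, how in compromised_accounts(accounts).items()
            if how.startswith(prefix)]


# Constructed sample: the strong passwords downstream do not help, because
# the chain runs through the weak personal mailbox at the root.
SAMPLE_ACCOUNTS = {
    "personal-mail":  {"password": "letmein1",     "recovery": None},
    "google-apps":    {"password": "Xk9#vLq2pR!m", "recovery": "personal-mail"},
    "hr-docs-share":  {"password": "Zq7$wN3bT8yU", "recovery": "google-apps"},
    "finance-share":  {"password": "Mv4&hJ6cE2sW", "recovery": "google-apps"},
    "unrelated-tool": {"password": "Rb8@kP5nQ1dL", "recovery": None},
}

if __name__ == "__main__":
    for account, how in compromised_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{account:15s} {how}")
    print("links to put a second factor on:", reset_links_to_harden(SAMPLE_ACCOUNTS))
```

Running it shows the personal mailbox falling to the guessed password, the Google Apps account falling to a reset from that mailbox, and both document shares falling to resets from Google Apps, while the account with no recovery link stays untouched. The point the walk makes concrete is that the strength of the downstream passwords is irrelevant once the reset path leads back to a weak one; the recovery links reported by `reset_links_to_harden` are where a second factor or an out-of-band approval on password recovery would have cut the chain.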

Calum Macleod, Regional Manager of Tufin Technologies, said on this issue: "This highlights one of the many security and compliance issues that cloud computing raises. Although issues such as strong authentication and securing sensitive data are clearly issues in the cloud computing scenario, fundamentally one of the areas that organizations are not addressing, and in many cases not even aware of, is how lax their firewall configurations are. Allowing internal users to pass through corporate firewalls and access uncontrolled services on the Internet due to a failure to properly police their firewall policies will continue to result in information leakage. Obviously these employees were allowed to access the information, but surely the corporate firewall policies should ensure that only essential traffic is allowed to pass through. If nothing else this should serve as a warning to any Security officer to manage their firewall policies more effectively and provide their administrators the essential tools to control who has access to what!"
