Thursday, July 16, 2009 5:50:39 AM
SAN FRANCISCO — You might think your password protects the confidential information stored on Web sites. But as Twitter executives discovered, that is a dangerous assumption.
Skip to next paragraph
Related
Times Topics: Twitter
Bits Blog: The Debate Over Publishing Stolen Twitter Documents
The Web was abuzz Wednesday after it was revealed that a hacker had exposed corporate information about Twitter after breaking into an employee’s e-mail account. The breach raised red flags for individuals as well as businesses about the passwords used to secure information they store on the Web.
On Web sites containing personal information like e-mail, financial data or documents, there is usually just a user name and password for protection. More individuals are storing information on Web servers, where it is accessible from any online computer through services offered by Google, Amazon, Microsoft, social networks like Facebook or back-up services like Mozy.
But password-protected sites are growing more vulnerable because to keep up with the growing number of passwords, people use the same simple ones on numerous sites across the Web. In a study last year, Sophos, a security firm, found that 40 percent of Internet users use the same password for every Web site they access.
The attack on Twitter highlights the problem. For its internal documents, the company uses the business version of Google Apps, a service that Google offers to individuals free. Google Apps provides e-mail, word processing, spreadsheets and calendars over the Web.
The content is stored on Google’s servers, which can save time and money and enable employees to work together on documents at the same time. But it also means that the security is only as good as the password. A hacker who breaks into one person’s account can access information shared by friends, family members or colleagues, which is what happened at Twitter.
The Twitter breach occurred about a month ago, Twitter said. A hacker calling himself Hacker Croll broke into an administrative employee’s e-mail account and gained access to the employee’s Google Apps account, where Twitter shares spreadsheets and documents with business ideas and financial details, said Biz Stone, a Twitter co-founder.
The hacker then sent documents about company plans and finances, confidential contracts, and job applicants to two tech news blogs, TechCrunch, in Silicon Valley, and Korben, in France. There was also personal information about Twitter employees including credit card numbers.
The hacker also broke into the e-mail account of the wife of Evan Williams, Twitter’s chief executive, and from there accessed several of Mr. Williams’ personal Internet accounts, including those at Amazon and PayPal, Mr. Stone said.
TechCrunch revealed documents showing that Twitter, a private company that so far has no revenue, projected that it will reach a billion users and $1.54 billion in revenue by 2013. Michael Arrington, TechCrunch’s founder, said in an interview that the hacker had also sent him detailed strategy documents about potential business models, the competitive threat from Facebook and when the company might be acquired.
Some analysts say the breach highlights how dangerous it can be for people and companies to store confidential documents on Web servers, or “in the cloud.”
But Mr. Stone said that the attack “isn’t about any flaw in Web apps,” but rather about a bigger issue that affects individuals and businesses alike. “It speaks to the importance of following good personal security guidelines such as choosing strong passwords,” he said.
Instead of circumventing security measures, it appears that the Twitter hacker managed to correctly answer the personal questions that Gmail asks of users to reset the password.
“A lot of the Twitter users are pretty much living their lives in public,” said Chris King, director of product marketing at Palo Alto Networks, which creates firewalls. “If you broadcast all your details about what your dog’s name is and what your hometown is, it’s not that hard to figure out a password.”
Security experts advise people to use unique, complex passwords for each Web service they use and include a mix of numbers and letters. Free password management programs like KeePass and 1Password can help people juggle passwords for numerous sites.
Andrew Storms, director of security operations for nCircle, a network security company, suggested choosing false answers to the security questions like “What was your first phone number?” or making up obscure questions instead of using the default questions that sites provide. (Of course, that presents a new problem of remembering the false information.)
For businesses, Google allows company administrators to set up rules for password strength and add additional authentication tools like unique codes.
The Twitter hacker claims to have wanted to teach people to be more careful. In a message to Korben, the hacker wrote that his attack could make Internet users “conscious that no one is protected on the Net.”
Skip to next paragraph
Related
Times Topics: Twitter
Bits Blog: The Debate Over Publishing Stolen Twitter Documents
The Web was abuzz Wednesday after it was revealed that a hacker had exposed corporate information about Twitter after breaking into an employee’s e-mail account. The breach raised red flags for individuals as well as businesses about the passwords used to secure information they store on the Web.
On Web sites containing personal information like e-mail, financial data or documents, there is usually just a user name and password for protection. More individuals are storing information on Web servers, where it is accessible from any online computer through services offered by Google, Amazon, Microsoft, social networks like Facebook or back-up services like Mozy.
But password-protected sites are growing more vulnerable because to keep up with the growing number of passwords, people use the same simple ones on numerous sites across the Web. In a study last year, Sophos, a security firm, found that 40 percent of Internet users use the same password for every Web site they access.
The attack on Twitter highlights the problem. For its internal documents, the company uses the business version of Google Apps, a service that Google offers to individuals free. Google Apps provides e-mail, word processing, spreadsheets and calendars over the Web.
The content is stored on Google’s servers, which can save time and money and enable employees to work together on documents at the same time. But it also means that the security is only as good as the password. A hacker who breaks into one person’s account can access information shared by friends, family members or colleagues, which is what happened at Twitter.
The Twitter breach occurred about a month ago, Twitter said. A hacker calling himself Hacker Croll broke into an administrative employee’s e-mail account and gained access to the employee’s Google Apps account, where Twitter shares spreadsheets and documents with business ideas and financial details, said Biz Stone, a Twitter co-founder.
The hacker then sent documents about company plans and finances, confidential contracts, and job applicants to two tech news blogs, TechCrunch, in Silicon Valley, and Korben, in France. There was also personal information about Twitter employees including credit card numbers.
The hacker also broke into the e-mail account of the wife of Evan Williams, Twitter’s chief executive, and from there accessed several of Mr. Williams’ personal Internet accounts, including those at Amazon and PayPal, Mr. Stone said.
TechCrunch revealed documents showing that Twitter, a private company that so far has no revenue, projected that it will reach a billion users and $1.54 billion in revenue by 2013. Michael Arrington, TechCrunch’s founder, said in an interview that the hacker had also sent him detailed strategy documents about potential business models, the competitive threat from Facebook and when the company might be acquired.
Some analysts say the breach highlights how dangerous it can be for people and companies to store confidential documents on Web servers, or “in the cloud.”
But Mr. Stone said that the attack “isn’t about any flaw in Web apps,” but rather about a bigger issue that affects individuals and businesses alike. “It speaks to the importance of following good personal security guidelines such as choosing strong passwords,” he said.
Instead of circumventing security measures, it appears that the Twitter hacker managed to correctly answer the personal questions that Gmail asks of users to reset the password.
“A lot of the Twitter users are pretty much living their lives in public,” said Chris King, director of product marketing at Palo Alto Networks, which creates firewalls. “If you broadcast all your details about what your dog’s name is and what your hometown is, it’s not that hard to figure out a password.”
Security experts advise people to use unique, complex passwords for each Web service they use and include a mix of numbers and letters. Free password management programs like KeePass and 1Password can help people juggle passwords for numerous sites.
Andrew Storms, director of security operations for nCircle, a network security company, suggested choosing false answers to the security questions like “What was your first phone number?” or making up obscure questions instead of using the default questions that sites provide. (Of course, that presents a new problem of remembering the false information.)
For businesses, Google allows company administrators to set up rules for password strength and add additional authentication tools like unique codes.
The Twitter hacker claims to have wanted to teach people to be more careful. In a message to Korben, the hacker wrote that his attack could make Internet users “conscious that no one is protected on the Net.”
Join the InvestorsHub Community
Register for free to join our community of investors and share your ideas. You will also get access to streaming quotes, interactive charts, trades, portfolio, live options flow and more tools.