The Twitter Break-In: Anything to learn here?
The answer is: Plenty.
In a nutshell, here is what happened as I understand it: A hacker named Hacker Croll (who has been a pain in Twitter's behind for a while now) was able to gain access to the Gmail accounts of various Twitter employees, including founder Evan Williams. He was then able to use the regular password-recovery techniques that rely on email-based mechanisms to gain access to other services being used, like PayPal, GoDaddy, Amazon and Apple. But most notably, he had access to the Google Docs service that the Twitter folks were using extensively to store sensitive corporate documents. This landed Hacker Croll a goldmine (which has been shared with TechCrunch) of documents, including "financial projections, product plans and notes from executive strategy meetings". Twitter has a lot to deal with here. But this is an important IdM and cloud computing cautionary tale for all of us. And the takeaways, while obvious, bear repeating.
This episode underscores the fact that password-recovery techniques that rely on email delivery of passwords or password-reset links are highly insecure: whoever controls the mailbox controls every account that resets through it. Secret-question-based mechanisms (aka Static Knowledge-Based Authentication) are not that much more reliable either (anyone and everyone can find out the name of any celebrity's first car, dog, mother's maiden name, etc.). Services that deal with sensitive information NEED to rely on Dynamic Knowledge-Based Authentication (where the data source for the authentication questions can be the content stored in the service itself, which only the user should know) or Out-Of-Band Identity Proofing (something Oracle Adaptive Access Manager can help with).
As more and more companies rely on the cloud, the security of cloud services (or lack thereof) needs to be evaluated very carefully, as do corporate security policies on access to those services. Strong passwords need to exist not only on the service itself, but also on the accounts (such as the recovery mailbox) that have access to the service. Ideally, the service provider should support Multi-Factor Authentication and federated identity and authentication, so that corporate clients can get higher identity assurance. And encryption of sensitive documents and data is a must. Cloud service providers need to understand the implications of entering the enterprise market, and that includes deploying enterprise-grade identity management and security technology.
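The cascade described above, a mailbox takeover turning into a takeover of every service that resets through that mailbox, is easy to model as a dependency graph. The following is an added example, not code from the original post or from any of the services named; the account inventory and mechanism names are constructed, and the "hardening" step simply applies the post's own recommendation of out-of-band proofing.

```python
"""Blast radius of account-recovery dependencies (added example, constructed data)."""

# Hypothetical inventory, not any real company's configuration.
# Each account lists the recovery mechanisms it accepts; recovery is an OR,
# so defeating any single mechanism is enough to take the account.
#   "static_kba"    secret questions answerable from public information
#   "email:<acct>"  reset link delivered to the named mailbox
#   "oob"           out-of-band identity proofing / second factor
INVENTORY = {
    "gmail:founder":  ["static_kba"],
    "gmail:employee": ["email:gmail:founder"],
    "paypal":         ["email:gmail:founder"],
    "godaddy":        ["email:gmail:founder"],
    "gdocs":          ["email:gmail:employee"],
    "bank":           ["oob"],
}

def blast_radius(inventory, seed=None, guessable=("static_kba",)):
    """Return {account: mechanism_that_fell} for every account reachable through
    recovery flows alone, starting from an attacker who controls `seed`
    (or nothing, when seed is None). Iterates to a fixpoint because each
    newly taken mailbox can unlock further email-based resets."""
    owned = {} if seed is None else {seed: "already controlled"}
    changed = True
    while changed:
        changed = False
        for acct, mechanisms in inventory.items():
            if acct in owned:
                continue
            for mech in mechanisms:
                mailbox = mech[len("email:"):] if mech.startswith("email:") else None
                if mech in guessable or (mailbox is not None and mailbox in owned):
                    owned[acct] = mech
                    changed = True
                    break
    return owned

def harden(inventory, guessable=("static_kba",)):
    """Apply the post's recommendation: drop guessable secret questions and
    email-only resets; accounts left with nothing get out-of-band proofing."""
    hardened = {}
    for acct, mechs in inventory.items():
        kept = [m for m in mechs if m not in guessable and not m.startswith("email:")]
        hardened[acct] = kept if kept else ["oob"]
    return hardened

if __name__ == "__main__":
    for acct, how in sorted(blast_radius(INVENTORY).items()):
        print(f"{acct:16} falls via {how}")
    print("after hardening:", blast_radius(harden(INVENTORY)))
```

Running it on the constructed inventory shows five of the six accounts falling without the attacker controlling anything up front, because one guessable secret question on a mailbox is the root of every email reset.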
Unfortunately, this event will sow doubts in the minds of those who are considering using cloud-based services. That is why we have to work hard to define the standards cloud services need to live up to. As Michael Arrington so bluntly put it:
It’s not our fault that Google has a ridiculously easy way to get access to accounts via their password recovery question. It’s not our fault that Twitter stored all of these documents and sensitive information in the cloud and had easy-to-guess passwords and recovery questions.
That is quite plainly an unacceptable state of affairs.