We had speculated the key issue was Cloud based security, possibly via a man-in-the-middle type attack. It was all that, and more - a quick update from a useful piece by TechCrunch.
Just to summarize the attack:
1. HC accessed Gmail for a Twitter employee by using the password recovery feature that sends a reset link to a secondary email. In this case the secondary email was an expired Hotmail account, he simply registered it, clicked the link and reset the password. Gmail was then owned.
2. HC then read emails to successfully guess what the original Gmail password was, and reset the password back to it so the Twitter employee would not notice the account had changed.
3. HC then used the same password to access the employee’s Twitter email on Google Apps for your domain, getting access to a gold mine of sensitive company information from emails and, particularly, email attachments.
4. HC then used this information along with additional password guesses and resets to take control of other Twitter employee personal and work emails.
5. HC then used the same username/password combinations and password reset features to access AT&T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave HC access to full credit card information in clear text. HC now also had control of Twitter’s domain names at GoDaddy.
6. Even at this point, Twitter had absolutely no idea they had been compromised.
Basic 80/20 lessons:
- Different passwords for different accounts (use a naming convention to differentiate them)
- Don't use information that is in the public arena as the answers to additional security questions
- Large, multi-app cloud services like the Google suite are more risky, as a break-in to email is also a break-in to calendars, office documents etc.
It is also worth thinking about password protecting key directories and files, and encrypting key data.
A prediction, by the way - within 3 months Twitter will have moved most of its internal comms, and certainly all its sensitive data, off The Cloud.