Welcome!

Containers Expo Blog Authors: Elizabeth White, Automic Blog, Pat Romanski, Liz McMillan, Jyoti Bansal

Related Topics: Weblogic, Cloud Security

Weblogic: Blog Feed Post

Twittergate Reveals E-Mail is Bigger Security Risk than Twitter

First, everyone needs to calm down Twitter.com itself was not breached

First, everyone needs to calm down. Twitter.com itself was not breached. According to Evan Williams as quoted in a TechCrunch article, the attack did not breach Twitter.com or its administrative functions, nor were user accounts affected in any way. So everyone can just stop with the “Twitter needs to revamp its security!” and “Twitter isn’t secure” headlines and articles because it’s not only blatantly wrong, it’s diverting attention that should be devoted to the real problem: e-mail and account self-service.


THE E-MAIL FACTOR


twitter_logoWhat was compromised remains somewhat of a mystery. Following through the TechCrunch article to a blog on the same subject reveals some interesting details, however. A screen shot of what appears to be an internal memo to Twitter employees requires a change in passwords (along with instructions on improving the strength of said passwords) but mentions the password to be changed is the password you use to login to internal sites. From this one might infer that a breach was perpetrated through an intra/extranet, as opposed to twitter’s core  infrastructure. Regardless, the breach of Twitter was only ancillary to the real security risk: the access to e-mail. That’s where the real meaty data was obtained; not from Twitter or its internal systems.

In this case, it was GMail access that enabled the miscreant to use password recovery techniques (“Forgot your password?”) to gain access to other related information and sites: personal credit cards, GoDaddy registrar accounts, etc… Did the attacker really need to breach Twitter’s internal applications to get that information? Probably not. Remember the successful breach of then Vice-Presidential candidate Sarah Palin’s Yahoo account?

As detailed in the postings, the Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birthdate, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.

Certainly gaining access to Twitter’s internal applications made accessing employees’ GMail accounts that much easier, but it likely wasn’t necessary except as a means to garner attentiongmail-logo which was, the miscreant claims, the intent of the attack. The danger of a GMail breach is that Google is very integrated across applications, so gaining access to one often makes it a no-brainer to gain access to others. And if you’re storing sensitive or even non-sensitive corporate documents in Google Docs or Apps, a breach of e-mail is likely to lead to a breach of those applications too. Which is essentially what happened to Twitter (the organization, not the service).


ANY WEB-BASED E-MAIL SERVICE IS A RISK


It isn’t just GMail or Yahoo or other hosted e-mail services that are at risk. Any one of the millions of organizations that use Microsoft’s Outlook Web Access to provide employees remote access to their e-mail is potentially at risk to be compromised. The prohibitions on the access of “personal e-mail” vary from organization to organization, so it’s likely that an attacker could succeed in compromising a corporate OWA account and then use that to compromise a “personal” account – or vice versa. That’s in addition to obtaining instant access to e-mail, phone numbers, organizational hierarchies, and sensitive data being exchanged between employees.

There are any number of known vulnerabilities in the entire software stack required to run Microsoft OWA, many of them that remain unpatched. These open vulnerabilities leave organizations and their employees susceptible to attack. In some cases it’s a lack of time/availability that causes the service to remain vulnerable; in others it's simply the case that Microsoft hasn’t gotten around to addressing them yet (they do have a lot of software and a lot of patches to deal with, after all). There are best practices for securing OWA and other solutions available that can provide “virtual patching” of those vulnerabilities that shore up the overall security of the service so there’s really no good excuse for not securing OWA. Not doing so not only puts the organization at risk, but the individuals using the service (including your CEO, your CFO, and other executives) because the personal information contained in e-mail provides a cornucopia of information that makes it easier for attackers to discern passwords for other sites, which leads to breaches of other sites, which leads to… I’m sure you get the picture by now.

And of course there’s the fact that OWA is meant for mobile access, so it’s going to be accessible via the Internet. All one has to do is figure out one person’s password and from there they may be able to do a whole lot of damage to other systems. All those “password recovery” e-mail messages are likely stored somewhere in an inbox, making it a veritable cornucopia of account information.

And that’s where perhaps the biggest threat of all lies.


SELF-SERVICE IS A BIGGER THREAT


What Twittergate teaches us is that it’s not just the vulnerabilities in web applications that we need to watch out for. It’s the amazing amount of information that can be pulled together on any individual using various applications on the Internet that can make it a nearly brainless task to discern passwords. It’s the current mechanisms we use for account “self-service” that are also partially to blame, as they rely heavily on e-mail as a method of identity verification and as we’ve seen in this case – and others – that’s not always a sure bet.

Secret questions, e-mail based verification, and other modern implementations of self-service are inadequate. They do not provide enough obfuscation to protect the actual password of any given individual. Yes, I said obfuscation in relation to security, but in this case, it’s accurate and necessary. There should never be a question for which the answer would give a hint about the password. Never. And yet many sites and applications still rely upon the “hint” question as a means to reduce the costs associated with password and account support.

Rather than using a hint, don’t allow password recovery. Allow password reset, but only after the user has answered a series of completely unrelated questions. Good options include:

  • Name of the author of your favorite book
  • First musical instrument you learned to play
  • Name of the first person you ever kissed
  • When you look out your kitchen window, what do you see?

There are myriad good questions that could be used in lieu of a password hint. Anything that isn’t likely to be divulged in public is a good option, and there needs to be more than one just in case one of those odd-ball questions has been answered someone in the ether. The problem is that this requires a bit more work to implement, as it’s a process, not a simple “forgot your password” button that dumbly sends off the password to an associated e-mail account.

Again: password recovery is a bad idea. Password reset is better if the “security” questions required are diverse and obscure enough to make it difficult to pull the information from a quick Google search or a perusal of the individual’s Facebook page. But any process that ends with “your password has been mailed to you” is a risk. 


PAY ATTENTION TO WHAT MATTERS


Sure it’s more exciting to talk about Twitter and its security breach, and to write a bazillion blogs and articles about how Twitter isn’t secure and how it’s dangerous to businesses and blah, blah, blah. But that completely ignores what really happened and what that says about the security methods being used in our businesses and personal lives – and how the two are now intimately interconnected.

We need to make sure our own backyard is secure before we start making fun of Twitter, and that means tightening up security of our own external e-mail and applications. It means enacting and enforcing strong password policies in the workplace, and taking that policy home with us. It means as individuals we need to be proactive in choosing better security related questions when they are offered and being aware that if a hint is going to lead us to the right password, it just may do the same thing for an attacker. 
 

Follow me on Twitter View Lori's profile on SlideShare friendfeedicon_facebook AddThis Feed Button Bookmark and Share

Related articles and blogs:

Read the original blog entry...

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

@ThingsExpo Stories
The 21st International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Digital Transformation, Machine Learning and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding busin...
SYS-CON Events announced today that Hitachi Data Systems, a wholly owned subsidiary of Hitachi LTD., will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City. Hitachi Data Systems (HDS) will be featuring the Hitachi Content Platform (HCP) portfolio. This is the industry’s only offering that allows organizations to bring together object storage, file sync and share, cloud storage gateways, and sophisticated search and...
SYS-CON Events announced today that delaPlex will exhibit at SYS-CON's @CloudExpo, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. delaPlex pioneered Software Development as a Service (SDaaS), which provides scalable resources to build, test, and deploy software. It’s a fast and more reliable way to develop a new product or expand your in-house team.
SYS-CON Events announced today that Progress, a global leader in application development, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Enterprises today are rapidly adopting the cloud, while continuing to retain business-critical/sensitive data inside the firewall. This is creating two separate data silos – one inside the firewall and the other outside the firewall. Cloud ISVs oft...
SYS-CON Events announced today that Peak 10, Inc., a national IT infrastructure and cloud services provider, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Peak 10 provides reliable, tailored data center and network services, cloud and managed services. Its solutions are designed to scale and adapt to customers’ changing business needs, enabling them to lower costs, improve performance and focus intern...
SYS-CON Events announced today that Cloud Academy will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Cloud Academy is the industry’s most innovative, vendor-neutral cloud technology training platform. Cloud Academy provides continuous learning solutions for individuals and enterprise teams for Amazon Web Services, Microsoft Azure, Google Cloud Platform, and the most popular cloud computing technologies. Ge...
Existing Big Data solutions are mainly focused on the discovery and analysis of data. The solutions are scalable and highly available but tedious when swapping in and swapping out occurs in disarray and thrashing takes place. The resolution for thrashing through machine learning algorithms and support nomenclature is through simple techniques. Organizations that have been collecting large customer data are increasingly seeing the need to use the data for swapping in and out and thrashing occurs ...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm.
SYS-CON Events announced today that Interoute has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Interoute is the owner operator of Europe's largest network and a global cloud services platform, which encompasses over 70,000 km of lit fiber, 15 data centers, 17 virtual data centers and 33 colocation centers, with connections to 195 additional partner data centers. Our full-service Unifie...
SYS-CON Events announced today that Fusion, a leading provider of cloud services, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Fusion, a leading provider of integrated cloud solutions to small, medium and large businesses, is the industry’s single source for the cloud. Fusion’s advanced, proprietary cloud service platform enables the integration of leading edge solutions in the cloud, including cloud...
SYS-CON Events announced today that WineSOFT will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Based in Seoul and Irvine, WineSOFT is an innovative software house focusing on internet infrastructure solutions. The venture started as a bootstrap start-up in 2010 by focusing on making the internet faster and more powerful. WineSOFT’s knowledge is based on the expertise of TCP/IP, VPN, SSL, peer-to-peer, mob...
SYS-CON Events announced today that DivvyCloud will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. DivvyCloud software enables organizations to achieve their cloud computing goals by simplifying and automating security, compliance and cost optimization of public and private cloud infrastructure. Using DivvyCloud, customers can leverage programmatic Bots to identify and remediate common cloud problems in rea...
Detecting internal user threats in the Big Data eco-system is challenging and cumbersome. Many organizations monitor internal usage of the Big Data eco-system using a set of alerts. This is not a scalable process given the increase in the number of alerts with the accelerating growth in data volume and user base. Organizations are increasingly leveraging machine learning to monitor only those data elements that are sensitive and critical, autonomously establish monitoring policies, and to detect...
SYS-CON Events announced today that Linux Academy, the foremost online Linux and cloud training platform and community, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Linux Academy was founded on the belief that providing high-quality, in-depth training should be available at an affordable price. Industry leaders in quality training, provided services, and student certification passes, its goal is to c...
SYS-CON Events announced today that HTBase will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. HTBase (Gartner 2016 Cool Vendor) delivers a Composable IT infrastructure solution architected for agility and increased efficiency. It turns compute, storage, and fabric into fluid pools of resources that are easily composed and re-composed to meet each application’s needs. With HTBase, companies can quickly prov...
SYS-CON Events announced today that Systena America will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Systena Group has been in business for various software development and verification in Japan, US, ASEAN, and China by utilizing the knowledge we gained from all types of device development for various industries including smartphones (Android/iOS), wireless communication, security technology and IoT serv...
SYS-CON Events announced today that CollabNet, a global leader in enterprise software development, release automation and DevOps solutions, will be a Bronze Sponsor of SYS-CON's 20th International Cloud Expo®, taking place from June 6-8, 2017, at the Javits Center in New York City, NY. CollabNet offers a broad range of solutions with the mission of helping modern organizations deliver quality software at speed. The company’s latest innovation, the DevOps Lifecycle Manager (DLM), supports Value S...
SYS-CON Events announced today that Infranics will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Since 2000, Infranics has developed SysMaster Suite, which is required for the stable and efficient management of ICT infrastructure. The ICT management solution developed and provided by Infranics continues to add intelligence to the ICT infrastructure through the IMC (Infra Management Cycle) based on mathemat...
SYS-CON Events announced today that SoftLayer, an IBM Company, has been named “Gold Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. SoftLayer, an IBM Company, provides cloud infrastructure as a service from a growing number of data centers and network points of presence around the world. SoftLayer’s customers range from Web startups to global enterprises.
SYS-CON Events announced today that Loom Systems will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 2015, Loom Systems delivers an advanced AI solution to predict and prevent problems in the digital business. Loom stands alone in the industry as an AI analysis platform requiring no prior math knowledge from operators, leveraging the existing staff to succeed in the digital era. With offices in S...