Welcome!

Containers Expo Blog Authors: Liz McMillan, Pat Romanski, Yeshim Deniz, Elizabeth White, Zakia Bouachraoui

Related Topics: Weblogic, Cloud Security

Weblogic: Blog Feed Post

Twittergate Reveals E-Mail is Bigger Security Risk than Twitter

First, everyone needs to calm down Twitter.com itself was not breached

First, everyone needs to calm down. Twitter.com itself was not breached. According to Evan Williams as quoted in a TechCrunch article, the attack did not breach Twitter.com or its administrative functions, nor were user accounts affected in any way. So everyone can just stop with the “Twitter needs to revamp its security!” and “Twitter isn’t secure” headlines and articles because it’s not only blatantly wrong, it’s diverting attention that should be devoted to the real problem: e-mail and account self-service.


THE E-MAIL FACTOR


twitter_logoWhat was compromised remains somewhat of a mystery. Following through the TechCrunch article to a blog on the same subject reveals some interesting details, however. A screen shot of what appears to be an internal memo to Twitter employees requires a change in passwords (along with instructions on improving the strength of said passwords) but mentions the password to be changed is the password you use to login to internal sites. From this one might infer that a breach was perpetrated through an intra/extranet, as opposed to twitter’s core  infrastructure. Regardless, the breach of Twitter was only ancillary to the real security risk: the access to e-mail. That’s where the real meaty data was obtained; not from Twitter or its internal systems.

In this case, it was GMail access that enabled the miscreant to use password recovery techniques (“Forgot your password?”) to gain access to other related information and sites: personal credit cards, GoDaddy registrar accounts, etc… Did the attacker really need to breach Twitter’s internal applications to get that information? Probably not. Remember the successful breach of then Vice-Presidential candidate Sarah Palin’s Yahoo account?

As detailed in the postings, the Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birthdate, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.

Certainly gaining access to Twitter’s internal applications made accessing employees’ GMail accounts that much easier, but it likely wasn’t necessary except as a means to garner attentiongmail-logo which was, the miscreant claims, the intent of the attack. The danger of a GMail breach is that Google is very integrated across applications, so gaining access to one often makes it a no-brainer to gain access to others. And if you’re storing sensitive or even non-sensitive corporate documents in Google Docs or Apps, a breach of e-mail is likely to lead to a breach of those applications too. Which is essentially what happened to Twitter (the organization, not the service).


ANY WEB-BASED E-MAIL SERVICE IS A RISK


It isn’t just GMail or Yahoo or other hosted e-mail services that are at risk. Any one of the millions of organizations that use Microsoft’s Outlook Web Access to provide employees remote access to their e-mail is potentially at risk to be compromised. The prohibitions on the access of “personal e-mail” vary from organization to organization, so it’s likely that an attacker could succeed in compromising a corporate OWA account and then use that to compromise a “personal” account – or vice versa. That’s in addition to obtaining instant access to e-mail, phone numbers, organizational hierarchies, and sensitive data being exchanged between employees.

There are any number of known vulnerabilities in the entire software stack required to run Microsoft OWA, many of them that remain unpatched. These open vulnerabilities leave organizations and their employees susceptible to attack. In some cases it’s a lack of time/availability that causes the service to remain vulnerable; in others it's simply the case that Microsoft hasn’t gotten around to addressing them yet (they do have a lot of software and a lot of patches to deal with, after all). There are best practices for securing OWA and other solutions available that can provide “virtual patching” of those vulnerabilities that shore up the overall security of the service so there’s really no good excuse for not securing OWA. Not doing so not only puts the organization at risk, but the individuals using the service (including your CEO, your CFO, and other executives) because the personal information contained in e-mail provides a cornucopia of information that makes it easier for attackers to discern passwords for other sites, which leads to breaches of other sites, which leads to… I’m sure you get the picture by now.

And of course there’s the fact that OWA is meant for mobile access, so it’s going to be accessible via the Internet. All one has to do is figure out one person’s password and from there they may be able to do a whole lot of damage to other systems. All those “password recovery” e-mail messages are likely stored somewhere in an inbox, making it a veritable cornucopia of account information.

And that’s where perhaps the biggest threat of all lies.


SELF-SERVICE IS A BIGGER THREAT


What Twittergate teaches us is that it’s not just the vulnerabilities in web applications that we need to watch out for. It’s the amazing amount of information that can be pulled together on any individual using various applications on the Internet that can make it a nearly brainless task to discern passwords. It’s the current mechanisms we use for account “self-service” that are also partially to blame, as they rely heavily on e-mail as a method of identity verification and as we’ve seen in this case – and others – that’s not always a sure bet.

Secret questions, e-mail based verification, and other modern implementations of self-service are inadequate. They do not provide enough obfuscation to protect the actual password of any given individual. Yes, I said obfuscation in relation to security, but in this case, it’s accurate and necessary. There should never be a question for which the answer would give a hint about the password. Never. And yet many sites and applications still rely upon the “hint” question as a means to reduce the costs associated with password and account support.

Rather than using a hint, don’t allow password recovery. Allow password reset, but only after the user has answered a series of completely unrelated questions. Good options include:

  • Name of the author of your favorite book
  • First musical instrument you learned to play
  • Name of the first person you ever kissed
  • When you look out your kitchen window, what do you see?

There are myriad good questions that could be used in lieu of a password hint. Anything that isn’t likely to be divulged in public is a good option, and there needs to be more than one just in case one of those odd-ball questions has been answered someone in the ether. The problem is that this requires a bit more work to implement, as it’s a process, not a simple “forgot your password” button that dumbly sends off the password to an associated e-mail account.

Again: password recovery is a bad idea. Password reset is better if the “security” questions required are diverse and obscure enough to make it difficult to pull the information from a quick Google search or a perusal of the individual’s Facebook page. But any process that ends with “your password has been mailed to you” is a risk. 


PAY ATTENTION TO WHAT MATTERS


Sure it’s more exciting to talk about Twitter and its security breach, and to write a bazillion blogs and articles about how Twitter isn’t secure and how it’s dangerous to businesses and blah, blah, blah. But that completely ignores what really happened and what that says about the security methods being used in our businesses and personal lives – and how the two are now intimately interconnected.

We need to make sure our own backyard is secure before we start making fun of Twitter, and that means tightening up security of our own external e-mail and applications. It means enacting and enforcing strong password policies in the workplace, and taking that policy home with us. It means as individuals we need to be proactive in choosing better security related questions when they are offered and being aware that if a hint is going to lead us to the right password, it just may do the same thing for an attacker. 
 

Follow me on Twitter View Lori's profile on SlideShare friendfeedicon_facebook AddThis Feed Button Bookmark and Share

Related articles and blogs:

Read the original blog entry...

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

IoT & Smart Cities Stories
The deluge of IoT sensor data collected from connected devices and the powerful AI required to make that data actionable are giving rise to a hybrid ecosystem in which cloud, on-prem and edge processes become interweaved. Attendees will learn how emerging composable infrastructure solutions deliver the adaptive architecture needed to manage this new data reality. Machine learning algorithms can better anticipate data storms and automate resources to support surges, including fully scalable GPU-c...
Machine learning has taken residence at our cities' cores and now we can finally have "smart cities." Cities are a collection of buildings made to provide the structure and safety necessary for people to function, create and survive. Buildings are a pool of ever-changing performance data from large automated systems such as heating and cooling to the people that live and work within them. Through machine learning, buildings can optimize performance, reduce costs, and improve occupant comfort by ...
The explosion of new web/cloud/IoT-based applications and the data they generate are transforming our world right before our eyes. In this rush to adopt these new technologies, organizations are often ignoring fundamental questions concerning who owns the data and failing to ask for permission to conduct invasive surveillance of their customers. Organizations that are not transparent about how their systems gather data telemetry without offering shared data ownership risk product rejection, regu...
René Bostic is the Technical VP of the IBM Cloud Unit in North America. Enjoying her career with IBM during the modern millennial technological era, she is an expert in cloud computing, DevOps and emerging cloud technologies such as Blockchain. Her strengths and core competencies include a proven record of accomplishments in consensus building at all levels to assess, plan, and implement enterprise and cloud computing solutions. René is a member of the Society of Women Engineers (SWE) and a m...
Poor data quality and analytics drive down business value. In fact, Gartner estimated that the average financial impact of poor data quality on organizations is $9.7 million per year. But bad data is much more than a cost center. By eroding trust in information, analytics and the business decisions based on these, it is a serious impediment to digital transformation.
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
Predicting the future has never been more challenging - not because of the lack of data but because of the flood of ungoverned and risk laden information. Microsoft states that 2.5 exabytes of data are created every day. Expectations and reliance on data are being pushed to the limits, as demands around hybrid options continue to grow.
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities - ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups.
As IoT continues to increase momentum, so does the associated risk. Secure Device Lifecycle Management (DLM) is ranked as one of the most important technology areas of IoT. Driving this trend is the realization that secure support for IoT devices provides companies the ability to deliver high-quality, reliable, secure offerings faster, create new revenue streams, and reduce support costs, all while building a competitive advantage in their markets. In this session, we will use customer use cases...