Welcome!

Containers Expo Blog Authors: Mehdi Daoudi, Derek Weeks, Jyoti Bansal, Eric Robertson, Yeshim Deniz

Related Topics: Weblogic, Cloud Security

Weblogic: Blog Feed Post

Twittergate Reveals E-Mail is Bigger Security Risk than Twitter

First, everyone needs to calm down Twitter.com itself was not breached

First, everyone needs to calm down. Twitter.com itself was not breached. According to Evan Williams as quoted in a TechCrunch article, the attack did not breach Twitter.com or its administrative functions, nor were user accounts affected in any way. So everyone can just stop with the “Twitter needs to revamp its security!” and “Twitter isn’t secure” headlines and articles because it’s not only blatantly wrong, it’s diverting attention that should be devoted to the real problem: e-mail and account self-service.


THE E-MAIL FACTOR


twitter_logoWhat was compromised remains somewhat of a mystery. Following through the TechCrunch article to a blog on the same subject reveals some interesting details, however. A screen shot of what appears to be an internal memo to Twitter employees requires a change in passwords (along with instructions on improving the strength of said passwords) but mentions the password to be changed is the password you use to login to internal sites. From this one might infer that a breach was perpetrated through an intra/extranet, as opposed to twitter’s core  infrastructure. Regardless, the breach of Twitter was only ancillary to the real security risk: the access to e-mail. That’s where the real meaty data was obtained; not from Twitter or its internal systems.

In this case, it was GMail access that enabled the miscreant to use password recovery techniques (“Forgot your password?”) to gain access to other related information and sites: personal credit cards, GoDaddy registrar accounts, etc… Did the attacker really need to breach Twitter’s internal applications to get that information? Probably not. Remember the successful breach of then Vice-Presidential candidate Sarah Palin’s Yahoo account?

As detailed in the postings, the Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birthdate, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.

Certainly gaining access to Twitter’s internal applications made accessing employees’ GMail accounts that much easier, but it likely wasn’t necessary except as a means to garner attentiongmail-logo which was, the miscreant claims, the intent of the attack. The danger of a GMail breach is that Google is very integrated across applications, so gaining access to one often makes it a no-brainer to gain access to others. And if you’re storing sensitive or even non-sensitive corporate documents in Google Docs or Apps, a breach of e-mail is likely to lead to a breach of those applications too. Which is essentially what happened to Twitter (the organization, not the service).


ANY WEB-BASED E-MAIL SERVICE IS A RISK


It isn’t just GMail or Yahoo or other hosted e-mail services that are at risk. Any one of the millions of organizations that use Microsoft’s Outlook Web Access to provide employees remote access to their e-mail is potentially at risk to be compromised. The prohibitions on the access of “personal e-mail” vary from organization to organization, so it’s likely that an attacker could succeed in compromising a corporate OWA account and then use that to compromise a “personal” account – or vice versa. That’s in addition to obtaining instant access to e-mail, phone numbers, organizational hierarchies, and sensitive data being exchanged between employees.

There are any number of known vulnerabilities in the entire software stack required to run Microsoft OWA, many of them that remain unpatched. These open vulnerabilities leave organizations and their employees susceptible to attack. In some cases it’s a lack of time/availability that causes the service to remain vulnerable; in others it's simply the case that Microsoft hasn’t gotten around to addressing them yet (they do have a lot of software and a lot of patches to deal with, after all). There are best practices for securing OWA and other solutions available that can provide “virtual patching” of those vulnerabilities that shore up the overall security of the service so there’s really no good excuse for not securing OWA. Not doing so not only puts the organization at risk, but the individuals using the service (including your CEO, your CFO, and other executives) because the personal information contained in e-mail provides a cornucopia of information that makes it easier for attackers to discern passwords for other sites, which leads to breaches of other sites, which leads to… I’m sure you get the picture by now.

And of course there’s the fact that OWA is meant for mobile access, so it’s going to be accessible via the Internet. All one has to do is figure out one person’s password and from there they may be able to do a whole lot of damage to other systems. All those “password recovery” e-mail messages are likely stored somewhere in an inbox, making it a veritable cornucopia of account information.

And that’s where perhaps the biggest threat of all lies.


SELF-SERVICE IS A BIGGER THREAT


What Twittergate teaches us is that it’s not just the vulnerabilities in web applications that we need to watch out for. It’s the amazing amount of information that can be pulled together on any individual using various applications on the Internet that can make it a nearly brainless task to discern passwords. It’s the current mechanisms we use for account “self-service” that are also partially to blame, as they rely heavily on e-mail as a method of identity verification and as we’ve seen in this case – and others – that’s not always a sure bet.

Secret questions, e-mail based verification, and other modern implementations of self-service are inadequate. They do not provide enough obfuscation to protect the actual password of any given individual. Yes, I said obfuscation in relation to security, but in this case, it’s accurate and necessary. There should never be a question for which the answer would give a hint about the password. Never. And yet many sites and applications still rely upon the “hint” question as a means to reduce the costs associated with password and account support.

Rather than using a hint, don’t allow password recovery. Allow password reset, but only after the user has answered a series of completely unrelated questions. Good options include:

  • Name of the author of your favorite book
  • First musical instrument you learned to play
  • Name of the first person you ever kissed
  • When you look out your kitchen window, what do you see?

There are myriad good questions that could be used in lieu of a password hint. Anything that isn’t likely to be divulged in public is a good option, and there needs to be more than one just in case one of those odd-ball questions has been answered someone in the ether. The problem is that this requires a bit more work to implement, as it’s a process, not a simple “forgot your password” button that dumbly sends off the password to an associated e-mail account.

Again: password recovery is a bad idea. Password reset is better if the “security” questions required are diverse and obscure enough to make it difficult to pull the information from a quick Google search or a perusal of the individual’s Facebook page. But any process that ends with “your password has been mailed to you” is a risk. 


PAY ATTENTION TO WHAT MATTERS


Sure it’s more exciting to talk about Twitter and its security breach, and to write a bazillion blogs and articles about how Twitter isn’t secure and how it’s dangerous to businesses and blah, blah, blah. But that completely ignores what really happened and what that says about the security methods being used in our businesses and personal lives – and how the two are now intimately interconnected.

We need to make sure our own backyard is secure before we start making fun of Twitter, and that means tightening up security of our own external e-mail and applications. It means enacting and enforcing strong password policies in the workplace, and taking that policy home with us. It means as individuals we need to be proactive in choosing better security related questions when they are offered and being aware that if a hint is going to lead us to the right password, it just may do the same thing for an attacker. 
 

Follow me on Twitter View Lori's profile on SlideShare friendfeedicon_facebook AddThis Feed Button Bookmark and Share

Related articles and blogs:

Read the original blog entry...

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

@ThingsExpo Stories
SYS-CON Events announced today that MobiDev, a client-oriented software development company, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place June 6-8, 2017, at the Javits Center in New York City, NY, and the 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. MobiDev is a software company that develops and delivers turn-key mobile apps, websites, web services, and complex softw...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm.
What sort of WebRTC based applications can we expect to see over the next year and beyond? One way to predict development trends is to see what sorts of applications startups are building. In his session at @ThingsExpo, Arin Sime, founder of WebRTC.ventures, will discuss the current and likely future trends in WebRTC application development based on real requests for custom applications from real customers, as well as other public sources of information,
As businesses adopt functionalities in cloud computing, it’s imperative that IT operations consistently ensure cloud systems work correctly – all of the time, and to their best capabilities. In his session at @BigDataExpo, Bernd Harzog, CEO and founder of OpsDataStore, will present an industry answer to the common question, “Are you running IT operations as efficiently and as cost effectively as you need to?” He will expound on the industry issues he frequently came up against as an analyst, and...
Keeping pace with advancements in software delivery processes and tooling is taxing even for the most proficient organizations. Point tools, platforms, open source and the increasing adoption of private and public cloud services requires strong engineering rigor - all in the face of developer demands to use the tools of choice. As Agile has settled in as a mainstream practice, now DevOps has emerged as the next wave to improve software delivery speed and output. To make DevOps work, organization...
My team embarked on building a data lake for our sales and marketing data to better understand customer journeys. This required building a hybrid data pipeline to connect our cloud CRM with the new Hadoop Data Lake. One challenge is that IT was not in a position to provide support until we proved value and marketing did not have the experience, so we embarked on the journey ourselves within the product marketing team for our line of business within Progress. In his session at @BigDataExpo, Sum...
Apache Hadoop is emerging as a distributed platform for handling large and fast incoming streams of data. Predictive maintenance, supply chain optimization, and Internet-of-Things analysis are examples where Hadoop provides the scalable storage, processing, and analytics platform to gain meaningful insights from granular data that is typically only valuable from a large-scale, aggregate view. One architecture useful for capturing and analyzing streaming data is the Lambda Architecture, represent...
Things are changing so quickly in IoT that it would take a wizard to predict which ecosystem will gain the most traction. In order for IoT to reach its potential, smart devices must be able to work together. Today, there are a slew of interoperability standards being promoted by big names to make this happen: HomeKit, Brillo and Alljoyn. In his session at @ThingsExpo, Adam Justice, vice president and general manager of Grid Connect, will review what happens when smart devices don’t work togethe...
SYS-CON Events announced today that Ocean9will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Ocean9 provides cloud services for Backup, Disaster Recovery (DRaaS) and instant Innovation, and redefines enterprise infrastructure with its cloud native subscription offerings for mission critical SAP workloads.
In his session at @ThingsExpo, Eric Lachapelle, CEO of the Professional Evaluation and Certification Board (PECB), will provide an overview of various initiatives to certifiy the security of connected devices and future trends in ensuring public trust of IoT. Eric Lachapelle is the Chief Executive Officer of the Professional Evaluation and Certification Board (PECB), an international certification body. His role is to help companies and individuals to achieve professional, accredited and worldw...
SYS-CON Events announced today that Technologic Systems Inc., an embedded systems solutions company, will exhibit at SYS-CON's @ThingsExpo, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Technologic Systems is an embedded systems company with headquarters in Fountain Hills, Arizona. They have been in business for 32 years, helping more than 8,000 OEM customers and building over a hundred COTS products that have never been discontinued. Technologic Systems’ pr...
SYS-CON Events announced today that CA Technologies has been named “Platinum Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY, and the 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business – from apparel to energy – is being rewritten by software. From ...
The taxi industry never saw Uber coming. Startups are a threat to incumbents like never before, and a major enabler for startups is that they are instantly “cloud ready.” If innovation moves at the pace of IT, then your company is in trouble. Why? Because your data center will not keep up with frenetic pace AWS, Microsoft and Google are rolling out new capabilities In his session at 20th Cloud Expo, Don Browning, VP of Cloud Architecture at Turner, will posit that disruption is inevitable for c...
SYS-CON Events announced today that Cloudistics, an on-premises cloud computing company, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Cloudistics delivers a complete public cloud experience with composable on-premises infrastructures to medium and large enterprises. Its software-defined technology natively converges network, storage, compute, virtualization, and management into a ...
The explosion of new web/cloud/IoT-based applications and the data they generate are transforming our world right before our eyes. In this rush to adopt these new technologies, organizations are often ignoring fundamental questions concerning who owns the data and failing to ask for permission to conduct invasive surveillance of their customers. Organizations that are not transparent about how their systems gather data telemetry without offering shared data ownership risk product rejection, regu...
SYS-CON Events announced today that Loom Systems will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 2015, Loom Systems delivers an advanced AI solution to predict and prevent problems in the digital business. Loom stands alone in the industry as an AI analysis platform requiring no prior math knowledge from operators, leveraging the existing staff to succeed in the digital era. With offices in S...
SYS-CON Events announced today that SoftLayer, an IBM Company, has been named “Gold Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. SoftLayer, an IBM Company, provides cloud infrastructure as a service from a growing number of data centers and network points of presence around the world. SoftLayer’s customers range from Web startups to global enterprises.
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 20th International Cloud Expo, which will take place on June 6–8, 2017, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buyers...
SYS-CON Events announced today that T-Mobile will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. As America's Un-carrier, T-Mobile US, Inc., is redefining the way consumers and businesses buy wireless services through leading product and service innovation. The Company's advanced nationwide 4G LTE network delivers outstanding wireless experiences to 67.4 million customers who are unwilling to compromise on ...
SYS-CON Events announced today that Infranics will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Since 2000, Infranics has developed SysMaster Suite, which is required for the stable and efficient management of ICT infrastructure. The ICT management solution developed and provided by Infranics continues to add intelligence to the ICT infrastructure through the IMC (Infra Management Cycle) based on mathemat...