CYBEREYE—Commentary

Tweeters beware: All is not secure on the cyber front

Proceed with caution when adopting new technologies

The Twitter microblogging service gets a lot of publicity, but recently that publicity has been increasingly bad as the company has become the victim of a series of hacks.

The most recent incident, which came to light last week, initiated an industry squabble over whether cloud computing is inherently insecure or whether Twitter executives are just guilty of using bad security practices. It seems that a poorly protected password allowed a hacker to gain access to company records in Google Apps, a suite of online office services Twitter uses.

But the hacks, along with misuse of Twitter accounts that could compromise users, also highlight the danger of adopting new technologies as business tools before they are ready to be folded into the enterprise.

It is not surprising that Twitter and its management are not particularly focused on security because the service was started with no meaningful purpose. The site proclaims that it is intended for “the exchange of quick, frequent answers to one simple question: What are you doing?” Anyone who wants to frequently update the world on what he or she is doing in 140 characters or fewer probably has no life to speak of, and the people who want to read those updates probably are just as lacking. A tweet essentially is a postcard without the pretty picture, so there is no reason for it to be any more secure than a postcard.

The novelty quickly became popular, however, and is becoming more widely used as a way to broadcast alerts and notices. A new, tech-savvy administration and Congress are adopting it, and according to the Web site GovTwit.com, there are more than 2,000 Twitter users either in government or commenting on government, with more than 17 million followers. From the Air Force to the White House, 375 agencies or offices use the service, along with 91 U.S. senators, congressmen and Hill staffers.

Those who seek ill-gotten gains have noticed the site's popularity. Not only has Twitter itself become a target, but the site has also become a vector for phishing attacks and links to Web sites containing malware. People who are used to thinking of Twitter as a nerdy toy use it in the workplace and expose the enterprise to risk.

This grassroots adoption is not a new story. It happened with texting, instant messaging, even with e-mail and the Internet itself. Today, these are accepted workplace tools, but years later the workplace still is suffering because of the vulnerabilities that these tools have introduced. They were developed without much thought for security, and even with the technologies and policies that have been bolted on later, networks tend to remain dangerously porous. These tools are common channels for both bad stuff coming into the enterprise and data leaving it.

The lesson we are being forced to learn once again is that technology often is thrust upon us and that administrators need to be aware of the implications of new tools such as Twitter. Banning their use probably is not necessary and might even be impossible, but policies to ensure responsible use and adequate security need to be in place as soon as new technology shows up in the workplace. Just because Twitter lets itself be hacked is no reason that users in your office should not be required to use strong passwords and common sense.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Mon, Jul 27, 2009 Seph Washington DC

Also - you should really ditch the editorial review of comments on this page. It's pretty annoying and doesn't lead to good collaboration or discussion.

Mon, Jul 27, 2009 Seph Washington DC

Concur with the above - people are making every effort to attack this as a Twitter vulnerability, but it was an end user issue and had nothing to do with the security of the site itself. Please stop printing misleading information. Those government users that use Twitter are still just fine - plus it's all public information anyway, so it's not like the security of the US government is compromised by a Twitter hack in any case.

Tue, Jul 21, 2009 Jim Washington, DC

The following ComputerWorld article accurately characterizes the situation as a password issue and not anything new or specific to the cloud: http://www.computerworld.com/s/article/9135668/Why_Twitter_Hack_is_NOT_a_Cloud_Security_Wake_up_Call?source=rss_security

Readers need to put everything into perspective. If you recall, OSD SBU's email, a traditional client/server behind-the-firewall system, was also hacked into. See http://fcw.com/articles/2008/03/06/osd-cio-network-configuration-scanning-softened-cyberattack-blow.aspx

Excerpt: "The hackers took advantage of a known Microsoft software vulnerability and sent spoof e-mail messages with the names of staff in Clem’s division. When the messages were opened, the code sent back the user names and passwords, which allowed access to the network. In follow-up forensics, Clem discovered that the hackers accessed sensitive information, which they encrypted as they transmitted it back to their sites."

In fact, many of the top defense system integrators, who also use traditional systems, apparently have also been hacked at various times, see http://www.nextgov.com/nextgov/ng_20090430_6202.php?oref=rss?zone=ngtoday
