Twitter Password Breach Is Tip Of The Iceberg

Everyone should use the latest social media scare with Twitter as a prompt to review their password management. This means across all social media, websites, PCs and any other devices they use. Passwords should be treated like toothbrushes – not shared, and changed reasonably often.

Twitter’s detected breach resulted in them suggesting 250,000 users should change their passwords. Yet users who heed that advice may still find that apps they’ve given permission to access their Twitter account through the Twitter API, including the company’s own, carry on working without ever asking for the new password, because the access token those apps hold is separate from the password. This is an example of technology working to make things easier for us, whilst inadvertently leaving a back door open to hackers through other services.

Swift reaction

Whilst 250,000 is a small proportion of Twitter’s users, and Twitter reacted swiftly as you would expect, it still highlights how careful we all need to be with our IT security. Complacency can indeed be a killer, especially where it comes to personal and financial data. Most of us concentrate on making sure our computer and IT equipment are working as we wish, and are oblivious to the fact that a small minority of people are hell-bent on getting our data.

Human nature and behaviours are the root of most security problems – namely laziness, apathy, time pressures, naïve attitudes to possible impacts, and most commonly – a total lack of awareness. What I would say to people is this: would you walk up to a stranger in the street, hand over your birth certificate, banking details and passport, wish them a good day and then walk on? It sounds ridiculous, yet that is exactly what people who take no information or online security precautions whatsoever are doing.

Watch out – you are the human ‘product’

Your data is highly valuable, otherwise why are social networks free? Twitter and Facebook, for example, are free. What people should realise is that if a service is free then invariably you are the product! That is, your information has enough value to these sites for them to spend many millions on infrastructure and development without asking you to pay for it. Think about it.

Anything of value will attract thieves, and data is therefore wonderful stuff to steal. It’s not like a car, which you notice has vanished from your drive; since data can be copied remotely then it isn’t usually apparent it’s even been accessed, never mind copied and illegally traded by others for financial gain. Data is also easy and fast to move around, a lot easier and faster than cars.

The criminal mind

Understanding the motivation of the criminal is very important; why do people hack websites and steal usernames and passwords? There are several main reasons:

  • To show that they can (demonstrating their “talents”)
  • To publicly embarrass service providers or organisations
  • To get big lists of users that they can use to try other websites, hack your email, and generally either sell you things or make attempts to steal your online identity
  • To sell to other people. These are generally the ones that don’t hit the press: it’s possible to buy huge lists of user data – email addresses, names, address info, passwords etc. that have been collected from various websites. The people who sell those don’t want you to know they’ve got your password, otherwise the list has less use.

Sony were fined £250,000 by the UK Information Commissioner’s Office last year for losing customer data through poor security. Those details went on sale very quickly, and even though companies like Sony reacted fairly quickly, the data will most likely have been used by one or more criminals.

My company designs infrastructure, processes and training programs that help avoid these IT security disasters, and we also provide tools and guidance on how to monitor, review and audit your security risks. However, time and again we see security regarded as a ‘bolt-on’, rather than something that should be ‘built-in’ to business planning and even the day-to-day workings of an individual’s online existence.

Password creation training for users

Everyone knows that they should create good passwords but very little advice or training is given in how to do it! How many people know about and use password wallets? Ok, it potentially creates a single point of failure but nothing is 100% fail safe and they really help with password management. Good password management needs to be thought about carefully.

I want users to have good passwords, where “good” means complex and not just a word you’d find in a dictionary – e.g. use “1 l0ve MY wife!” instead of just your wife’s name. Using a good password means you don’t have to change it so often. Part of the reason for changing passwords frequently is the length of time it takes a hacker to “break” one: a short, obvious password takes far less time to guess, so the advice is to change it often and foil him – theoretically.
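To put some numbers behind the “time to break” reasoning above, here is an added worked example (not code from the original article or from Panoplia). It compares the guessing effort for a dictionary word against the passphrase “1 l0ve MY wife!”. The tiny wordlist and the attacker guess rate are constructed assumptions chosen purely for illustration; the same arithmetic works for any password and any rate you plug in.

```python
import math
import string

# Constructed stand-in for a real cracking dictionary (assumption: a real one
# holds millions of entries, but the ordering of the result is the same).
SAMPLE_WORDLIST = {"password", "letmein", "sarah", "jessica", "football"}

# Assumed attacker guess rate in guesses per second; an illustrative figure,
# not a claim about any particular hardware.
GUESSES_PER_SECOND = 1_000_000_000


def alphabet_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must enumerate, judged by
    which character classes actually appear in the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)          # 26
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)          # 26
    if any(c in string.digits for c in password):
        size += len(string.digits)                   # 10
    if any(c in string.punctuation + " " for c in password):
        size += len(string.punctuation) + 1          # 32 symbols plus space
    return size


def search_space(password: str, wordlist=SAMPLE_WORDLIST) -> int:
    """Worst-case number of guesses needed.

    A password that is simply a dictionary word falls to a dictionary attack,
    so the attacker only has to try the list. Anything else is modelled as a
    brute-force search over alphabet_size ** length."""
    if password.lower() in wordlist:
        return len(wordlist)
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str, wordlist=SAMPLE_WORDLIST) -> float:
    """Search space expressed in bits, the usual way to compare strength."""
    return math.log2(search_space(password, wordlist))


def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND,
                       wordlist=SAMPLE_WORDLIST) -> float:
    """Time for an attacker at the given rate to try every possibility."""
    return search_space(password, wordlist) / rate


if __name__ == "__main__":
    for candidate in ("sarah", "1 l0ve MY wife!"):
        secs = seconds_to_exhaust(candidate)
        print(f"{candidate!r}: {entropy_bits(candidate):.1f} bits, "
              f"exhausted in {secs:.3g} seconds "
              f"({secs / (365 * 24 * 3600):.3g} years)")
```

The dictionary word is exhausted in a few guesses however clever the capitalisation, whereas the passphrase draws on all four character classes over fifteen characters and sits close to 100 bits, which at the assumed rate is astronomically beyond any useful rotation period. That gap, not the rotation schedule, is what buys you the freedom to change a good password less often.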

What I would love is for everyone to have a different password for everything that is well-chosen and “good”. However, many people have lots of passwords to remember (Facebook, Email, Chat, Amazon, eBay etc.) and either just get their browsers to remember their passwords or use the same ones. There are lots of apps around that will take care of that for you – just remember one “big” password, and let the app take care of the passwords for each site.

Writing passwords down isn’t always a terrible thing – it certainly is if it’s in your office on your desk, but if it’s your home PC and you have a book of passwords next to it, then the only additional risk is from burglars or other family members. It’s important to remember why you should have different passwords for each service.

It doesn’t matter if you have a 60-character password that is really complicated – if the company doesn’t practise good information security and your password can be accessed, then it will be – it’s only a matter of time. If that happens and you’re using the same email address (associated with you as a person) and the same password elsewhere, then it’s only a small step for even the most untalented hacker to get into your other accounts. If that happens, it’s not the other website that has been compromised, it’s you.

We must all be increasingly vigilant.

Unashamedly a geek, Nick Besant has been doing InfoSec work for nearly 15 years across a wide range of industries including media and content services, payments, banking, and the public sector, from board-level strategic review to detailed technical analysis. He is a consultant at Panoplia, an information security services organisation, and enjoys taking things apart (and putting them back together in new and interesting ways), building things, and writing code. His primary responsibilities at Panoplia include security consultancy and the architecture of their horizon scanning platform, Theia, and their secure file exchange platform, Doqex.