Comments on: Lessons from Twitter's security breach

Information taken from the hacking of some of Twitter's employees a few months ago is finally coming to light. Can this happen to other companies?

by bschmock July 15, 2009 1:23 PM PDT
Twitter got pwned.
[CNET editor's note: Offensive comment deleted.]
by gidstelios July 16, 2009 6:34 AM PDT
@ [CNET editor's note: Offensive comment deleted.]
User bschmock

The Net interprets censorship as damage and routes around it.

@Article
I am not surprised. There is nothing that we can't do with computers.
Even crack twitter itself if there is a security hole.

People should design the sites better if they don't want sb messing around their accounts.
by July 15, 2009 1:42 PM PDT
Lol Twitter! OMG I love Twitter! I hope it's unbreakable cause I have all my TWEETS there lol!
by ca5ter July 15, 2009 1:49 PM PDT
Oh gee, look CNET has another story about Twitter...

You should change the name from Webware to Twitter Talk
by ZetaZeta_ July 15, 2009 2:28 PM PDT
Twitter happens to be all the rage right now, in case you haven't noticed, and Twitter will be trying to gain a foothold as it starts to monetize, etc., so of course web news articles are going to focus on it.
by uusirna July 15, 2009 3:20 PM PDT
There ARE secure web apps. Check out ThreeTags (www.threetags.com) for example.
by T-Guy July 16, 2009 7:12 AM PDT
So, have you used ThreeTags? I'm just curious how password recovery works since it's not obvious from the site. And changing passwords seems to be a pain: backup, delete, import...

I think this article quote sums up my area of curiosity: "You can't make something easy to access and terribly secure at the same time. Those are diametrically opposed goals."
by jessiethe3rd July 15, 2009 5:03 PM PDT
I think this comment about Twitter getting hacked goes to show that having all your information (whether Google Docs, Twitter, MS Office Online/Live, or any other service provider) leaves data control OUT of your hands... you do not know who is rooting through your stuff, who has access to it, etc.

Seriously - this whole web shift to applications on the cloud is a clouded security reality in itself.
by unifex_ July 16, 2009 2:05 AM PDT
Indeed, that's why I am not using web apps. This way my data are secure on my desktop, which I actually turn off when I am not using it. This, I believe, is secure - try to hack something from a powered down computer. As to accessing your information from anywhere - how much data you may need at any given time? For me my USB key is enough.
by gggg sssss July 16, 2009 5:37 PM PDT
Of course when the valet borrows your USB key from your keychain, or when you drop it at the bus stop, then you are also toast. Not only does someone else have your data, you don't have it any more as well.
by johnfranks1234 July 16, 2009 7:02 AM PDT
David Scott, author of I.T. WARS, believes these data breaches and thefts are largely due to a lagging business culture. Google "I.T. WARS" and you can read a good bit of it on Google Books - it's also in many libraries. Read some fresh and original thinking here - http://www.businessforum.com/DScott_02.html - I urge every business person and IT person, management or staff, to get hold of a copy of "I.T. Wars: Managing the Business-Technology Weave in the New Millennium." It has an excellent chapter on security, and how to scale security for any organization, any budget. It also has a plan template with all considerations. Our CEO has read this book. Our project managers are on their second reading. Our vendors are required to read it (they can borrow our copies if they don't want to purchase it). Any agencies that wish to partner with us: We ask that they read it. Do yourself a favor and read this book - then ask your boss to read it - then ask your staff and co-workers to read it.
by BethJones-Sophos July 16, 2009 10:01 AM PDT
At first glance the article and blog post imply that Twitter may need to readdress their password policies. However, unless users are fully informed of the measures that are in place and familiar with the policies, they may not be able to come up with a "strong enough" password or passphrase.

Another bit of (hopefully) useful advice is "don't use the same password everywhere", (unlike 33% of users in a Sophos survey http://www.sophos.com/pressoffice/news/articles/2009/03/password-security.html ). A strong password cannot protect you from phishing or keylogging but using a different password at each site can minimize the impact of a password loss.
by gggg sssss July 16, 2009 5:35 PM PDT
This could not have happened to a better victim. A cloud company keeping their data in the cloud gets taken down. ROTFLMAO. Maybe people will learn that the internet is not the place to keep important and/or confidential information. Not at twitter, not at yahoo, not at google, not at sales force, not at amazon. Today a hacker, tomorrow the IRS, next week DHS, after that your ex wife's lawyer.
by Harrison912 July 16, 2009 8:53 PM PDT
I use Twitter mainly for socially marketing my safety and security web site so I'm always interested in any security breaches there. Thanks, Josh and Caroline.
by Dave_IronKey July 17, 2009 12:33 PM PDT
This shows the need for cloud computing services to offer strong 2-factor authentication. There are so many ways to steal a user's password (phishing, malware, pharming, man-in-the-middle, brute force, pharming) that an enterprise cannot know if their user's accounts on a third party cloud service have been compromised. Cloud computing services need to offer corporate customers two-factor authentication devices (USB fobs or one-time-password devices) so that even if a user's password is stolen, a hacker cannot log into their account without physically possessing the user's device. http://blog.ironkey.com/?p=739
by krosafcheg July 18, 2009 8:28 PM PDT
Simple fix really. Don't send private, proprietary company information to ANY personal email account. People should be fired. Tech Security 101