Manufacturing Computer Solutions - The definitive it guide for UK manufacturers
 
 

Twitter hack shows need to improve cloud-based security

23/07/2009
 
Twitter's latest email account hack was multi-vectored, but tapped into poor security safeguards, according to Imperva.

Amichai Shulman, the data security specialist's chief technology officer, says: "As expected … it is possible for a hacker to retrieve an account password for a legitimate user's cloud-based email service."

And he adds: "If you examine what actually happened, it's clear that the security system for retrieving an account password in the cloud needs to be every bit as rigorous as a customer calling, for example, their bank and identifying themselves over the phone."

Shulman suggests that people using cloud-based services are happy to respond to secret questions, such as 'your childhood hero', 'your pet's name' and 'your mother's maiden name'.

While these answers, he says, are likely to be unique and relatively difficult to guess, they can often be second guessed by careful observation of a person's social networking site records, which then paint a picture of likes and dislikes.

"Because of these security shortcomings – which legal professionals may yet argue about in court if Twitter does decide to sue those concerned for publishing the data – the big question is who is to blame for this highly public account hack?"

His view: it's a combination of circumstances and security failures that have conspired to create the situation.

"Companies should take note of this risk and plan their security safeguards accordingly. Today, most companies haven't properly considered the implications of employees using social networking," says Shulman.
 
Author: Brian Tinham
 