Questions about cloud security and the feasibility of storing critical information in Web-based services are being raised in the wake of a hacking incident involving Twitter and Google Apps.
A hacker obtained and distributed more than 300 confidential documents pertaining to Twitter's business affairs that were stored on Google Apps.
Insufficient password strength has been pegged as the root cause, but industry observers are debating whether Google or Twitter is more at fault. “It's not clear to me whether it's a black mark on Google or a black mark on Twitter at this point,” says Pund-IT analyst Charles King.
Shortly after the data theft was reported, Twitter CEO Evan Williams used his own Twitter account to note that he was “having a bad night.”
Google has bolstered the security of its office productivity tools, for example earlier this year adding a feature that lets administrators set password length requirements and view password strength indicators.
But Gartner analyst John Pescatore says customers should remember that “Twitter and most of Google Apps until, say, 18 months ago, were built as consumer-grade services to share information very widely and easily, not to protect information and prevent information from flowing.”
Twitter, for its part, absolved Google Apps of any blame in a blog post Wednesday by Twitter co-founder Biz Stone. Rather than any vulnerability within the Google service, Stone said the incident speaks more to the importance of choosing strong passwords.
“About a month ago, an administrative employee here at Twitter was targeted and her personal e-mail account was hacked. From the personal account, we believe the hacker was able to gain information, which allowed access to this employee's Google Apps account which contained Docs, Calendars, and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company. Since then, we have performed a security audit and reminded everyone of the importance of personal security guidelines,” Stone writes. “This attack had nothing to do with any vulnerability in Google Apps which we continue to use,” Stone continues. “This is more about Twitter being in enough of a spotlight that folks who work here can become targets. In fact, around the same time, Evan's wife's personal e-mail was hacked and from there, the hacker was able to gain access to some of Evan's personal accounts such as Amazon and PayPal but not e-mail. This isn't about any flaw in Web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords.”
Google issued a statement in response to a request from Network World, but did not comment specifically about the Twitter data exposure.
“We are highly aware of the importance of our users' data, and we have extensive policies and procedures in place to help provide high levels of data protection,” Google said. “We haven't received any communication from customers about this issue, and therefore we can't confirm or comment on specifics at this time.”
But in response to the Twitter breach, several industry observers raised concerns about storing sensitive information in cloud-based services, including Google platforms such as Gmail and Google Docs.
Albert Wenger, who is a partner at Union Square Ventures, argues that tougher authentication measures are needed to prevent cloud security breaches. The venture firm has invested in Twitter, as well as numerous other Web-based services.
“This brings the security of cloud computing [and] Web apps very close to home, especially as we are contemplating moving all of USV to Gmail and Google Docs,” Wenger writes in a blog post. “The threat of access by a third party increases exponentially with the move to the cloud, because the machines that now contain the documents and the links to those documents (as sent by e-mail) are accessible to the Internet at large. With anybody with an Internet connection potentially being able to access, a simple username/password scheme is clearly insufficient for authentication. This is especially true given password reset mechanisms based on ‘canned’ questions with easily guessed answers.”
Wenger goes on to suggest a two-factor security system utilizing text messaging, in which a user receives a text with a secret code after inputting a username and password.
“I am hoping that nothing worse than the Twitter breach has to happen before providers such a Google and Microsoft will offer stronger authentication as an option,” Wenger concludes.
Another venture capitalist, Michael Eisenberg of Benchmark Capital, offers his take that customers need to be wary of using Google to store critical documents.
“The bottom line is that many startups and an increasing number of large companies are using Google Apps for critical company documents. Most of them think that they are living securely. They are not,” Eisenberg writes.
Eisenberg cautions customers to examine security procedures and document storage policies of cloud providers. “While Twitter thought they were secure and [that] they had outsourced their security to Google, in reality they were exposed,” he writes.
The Twitter breach came to light Tuesday when TechCrunch reported that it had received a zip file containing 310 confidential Twitter documents, including “executive meeting notes, partner agreements and financial projections to the meal preferences, calendars and phone logs of various Twitter employees.”
TechCrunch says the documents came from a hacker who calls himself “Hacker Croll.” This hacker has also reportedly compromised Twitter accounts of celebrities such as Britney Spears and Ashton Kutcher, and of Twitter CEO Williams.
Ultimately, users have to be responsible for the strength of their own passwords, King says. But vendors can play a role by offering stronger authentication systems, he notes.
“To their credit I think some vendors have been more insistent about users supplying better passwords than their names spelled backward, or their birthday, or ABC and 123,” King says.
Burton Group analyst Dan Blum says customers should be wary of cloud services that rely primarily on passwords without other controls, such as device identification, or locking out users who type incorrect passwords several times in a row.
“I wouldn't store sensitive documents in a cloud-based service unless I had a lot of confidence in the specific service,” Blum says. “I'd hold them to the same standards that you hold for your own internal applications. If you expect your internal applications to be accessed only through two-factor authentication then the cloud should be at least as secure as that.”
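The two controls the analysts ask for above, Wenger's text-message second factor (a one-time code sent after the username and password are accepted) and Blum's lockout after several wrong passwords in a row, fit together in a single login flow. The following is an added example written for this page, not code from Google, Twitter or any of the people quoted. It assumes an in-memory user store, a pluggable `send_sms` callable standing in for a real SMS gateway, and the thresholds in the constants at the top (five failures, a 15-minute lock, a five-minute code lifetime, three guesses per code), all of which are illustrative choices rather than anything the article states.

```python
import hashlib
import hmac
import os
import secrets
import time

# Illustrative policy values (assumptions, not from the article).
LOCKOUT_THRESHOLD = 5        # failed password attempts before the account locks
LOCKOUT_SECONDS = 15 * 60    # how long the lock lasts
OTP_TTL_SECONDS = 5 * 60     # how long a texted code stays valid
OTP_MAX_ATTEMPTS = 3         # guesses allowed against one issued code


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked store cannot be cracked cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    """Password step, then SMS one-time code; lockout on repeated password failures."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # callable(phone, message); delivery is out of scope here
        self.clock = clock         # injectable so expiry and lockout can be tested offline
        self.users = {}            # username -> record (hypothetical in-memory store)

    def register(self, username: str, password: str, phone: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": _hash_password(password, salt),
            "phone": phone,
            "failures": 0,
            "locked_until": 0.0,
            "otp": None,           # {"hash", "expires", "attempts"} while a code is outstanding
        }

    def check_password(self, username: str, password: str) -> str:
        """Step 1. Returns 'locked', 'bad_password' or 'otp_sent'."""
        rec = self.users.get(username)
        now = self.clock()
        if rec is None:
            # Unknown user: still do the hash so timing does not reveal valid usernames.
            _hash_password(password, b"\x00" * 16)
            return "bad_password"
        if now < rec["locked_until"]:
            return "locked"        # refuse even a correct password while locked
        if not hmac.compare_digest(_hash_password(password, rec["salt"]), rec["pw_hash"]):
            rec["failures"] += 1
            if rec["failures"] >= LOCKOUT_THRESHOLD:
                rec["locked_until"] = now + LOCKOUT_SECONDS
                rec["failures"] = 0
            return "bad_password"
        rec["failures"] = 0
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, never random.random()
        rec["otp"] = {
            "hash": hashlib.sha256(code.encode()).digest(),  # plaintext code is never stored
            "expires": now + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self.send_sms(rec["phone"], f"Your login code is {code}")
        return "otp_sent"

    def check_otp(self, username: str, code: str) -> str:
        """Step 2. Returns 'no_code', 'expired', 'too_many', 'bad_code' or 'ok'."""
        rec = self.users.get(username)
        if rec is None or rec["otp"] is None:
            return "no_code"
        otp = rec["otp"]
        if self.clock() > otp["expires"]:
            rec["otp"] = None
            return "expired"
        otp["attempts"] += 1
        if otp["attempts"] > OTP_MAX_ATTEMPTS:
            rec["otp"] = None      # a six-digit code must not be guessable by brute force
            return "too_many"
        if hmac.compare_digest(hashlib.sha256(code.encode()).digest(), otp["hash"]):
            rec["otp"] = None      # single use: the same text cannot log in twice
            return "ok"
        return "bad_code"


def demo() -> str:
    """Walk through a successful two-step login using a captured (constructed) SMS."""
    sent = []
    svc = AuthService(send_sms=lambda phone, msg: sent.append(msg))
    svc.register("admin", "correct horse battery staple", "+15555550100")  # constructed sample user
    assert svc.check_password("admin", "correct horse battery staple") == "otp_sent"
    code = sent[-1].split()[-1]
    return svc.check_otp("admin", code)


if __name__ == "__main__":
    print(demo())
```

The two steps are kept separate on purpose: a stolen or reset password alone only triggers a text to the account holder's phone, and the lockout counter sits in front of the password check so that an attacker working through a list of guesses is stopped before the second factor is ever exercised. The code is stored hashed, expires, is single-use, and allows a fixed number of guesses, which is what keeps a six-digit secret meaningful.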