FTC and the Twitter Hacks
From Merriam-Webster, one of the oldest meanings of the word “hack,” dating from the early 1700s:
1 : working for hire especially with mediocre professional standards
2 : performed by, suited to, or characteristic of a hack
It was not so much that Twitter was hacked. It seems, instead, that Twitter had hacks.
The Guardian reports that the FTC has reached a settlement with Twitter over security breaches involving users’ data. No fines were assessed, but an outside auditor must review Twitter’s security practices for the next ten years, and Twitter is enjoined from making false statements about its security practices for 20 years. (Personally, I think the bloom will be off the Tweet long before then.)
Hackers (the geeky kind, that is) gained access to Twitter users’ data because of poor security practices by Twitter employees. The short version is that Twitter employees with various levels of administrative rights were not practicing sound password security. From the Guardian’s story:
The January case was interesting: “a hacker used an automated password-guessing tool to gain administrative control of Twitter, after submitting thousands of guesses into Twitter’s login webpage. The administrative password was a weak, lower case, common dictionary word. Using the password, the hacker reset numerous user passwords and posted some of them on a website, where other people could access them. Using these fraudulently reset passwords, other intruders sent phony tweets from approximately nine user accounts.”
The Philadelphia Inquirer, reporting on the same story, included the list of password security practices that the FTC found Twitter had not been using:
- requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks;
- prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts;
- suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts;
- providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
- enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days;
- restricting access to administrative controls to employees whose jobs required it; and
- imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
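The January attack and the FTC’s list together describe one technique and its countermeasures: an automated tool submits dictionary words to an admin login page that never locks the account, never checks where the request comes from, and accepts a lowercase dictionary word as an administrative password. The following is an added example, written for this post and not Twitter’s code or anything from the FTC order, that models an admin login handler under both configurations and runs a simulated guessing tool against each. The class names, the policy fields, the word list and the IP ranges are all constructed for the illustration.

```python
"""Added example (not Twitter's code): an admin login handler with and without
the controls in the FTC list (lockout after N failures, IP restriction, password
strength), plus a simulated password-guessing tool run against each. Every
name, value and the word list below is constructed for this illustration."""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the dictionary an automated guessing tool would use.
WORDLIST = ["password", "letmein", "welcome", "monkey",
            "happiness", "dragon", "sunshine", "football"]

# Iteration count kept low so the demo runs in a moment; raise it in real use.
PBKDF2_ITERATIONS = 20_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class AdminAccount:
    username: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False


@dataclass
class AdminLoginPolicy:
    max_failures: Optional[int]          # None = never lock (the pre-settlement behaviour)
    require_strong: bool                 # reject short or lowercase dictionary passwords
    allowed_networks: List[ipaddress.IPv4Network] = field(default_factory=list)  # empty = any IP


class AdminLogin:
    def __init__(self, policy: AdminLoginPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AdminAccount] = {}

    def create_account(self, username: str, password: str) -> None:
        if self.policy.require_strong and (
            len(password) < 12 or password.islower() or password.lower() in WORDLIST
        ):
            raise ValueError("administrative password too weak")
        salt = os.urandom(16)
        self.accounts[username] = AdminAccount(username, salt, hash_password(password, salt))

    def login(self, username: str, password: str, src_ip: str) -> str:
        # IP restriction is checked first, before any credential is examined.
        nets = self.policy.allowed_networks
        if nets and not any(ipaddress.ip_address(src_ip) in n for n in nets):
            return "denied:ip"
        acct = self.accounts.get(username)
        if acct is None:
            return "denied:bad_credentials"
        if acct.locked:
            return "denied:locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.policy.max_failures is not None and acct.failures >= self.policy.max_failures:
            acct.locked = True          # the guessing tool is cut off here
            return "denied:locked"
        return "denied:bad_credentials"


def guess_passwords(handler: AdminLogin, username: str, src_ip: str,
                    wordlist: List[str] = WORDLIST) -> Tuple[Optional[str], int]:
    """Simulated guessing tool: (password found or None, guesses submitted)."""
    for n, word in enumerate(wordlist, 1):
        result = handler.login(username, word, src_ip)
        if result == "ok":
            return word, n
        if result in ("denied:locked", "denied:ip"):
            return None, n              # tool is blocked, stop
    return None, len(wordlist)


def run_demo() -> dict:
    # Pre-settlement configuration: no lockout, any source IP, weak password allowed.
    weak = AdminLogin(AdminLoginPolicy(max_failures=None, require_strong=False))
    weak.create_account("admin", "happiness")   # lowercase dictionary word
    # Hardened configuration: lockout after 3 failures, admin logins only from 10/8.
    hardened = AdminLogin(AdminLoginPolicy(
        max_failures=3, require_strong=True,
        allowed_networks=[ipaddress.ip_network("10.0.0.0/8")]))
    hardened.create_account("admin", "Correct-Horse-Battery-42")
    return {
        "weak": guess_passwords(weak, "admin", "203.0.113.9"),
        "hardened_wrong_ip": guess_passwords(hardened, "admin", "203.0.113.9"),
        "hardened_lockout": guess_passwords(hardened, "admin", "10.1.2.3"),
        "hardened_locked_legit": hardened.login("admin", "Correct-Horse-Battery-42", "10.1.2.3"),
    }


if __name__ == "__main__":
    print(run_demo())
```

Against the weak configuration the tool finds the password on its fifth guess; against the hardened one it is refused outright from an outside address and, from inside the allowed network, locked out on the third failure. The last result shows the trade-off lockout brings: the legitimate administrator is also locked out until the account is reset, which is why the FTC phrases it as suspending after a reasonable number of attempts rather than after one.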
Many of these are similar to ones that Jeffrey passed along in a podcast last fall; his clear explanation of a method for creating hard-to-crack passwords changed my password practices for any site for which security is important–that is, any site where I store data, including my computers.
(I do have a stupid password that I use over and over again for sites like some newspapers, who want users to log in just so they can track readership. I don’t store any data on those sites and I don’t care if someone finds out I have visited, say, the L. A. Times website.)