Welcome!

Weblogic Authors: Yeshim Deniz, Elizabeth White, Michael Meiner, Michael Bushong, Avi Rosenthal

Related Topics: Weblogic, Cloud Security

Weblogic: Blog Feed Post

Twittergate Reveals E-Mail is Bigger Security Risk than Twitter

First, everyone needs to calm down Twitter.com itself was not breached

First, everyone needs to calm down. Twitter.com itself was not breached. According to Evan Williams as quoted in a TechCrunch article, the attack did not breach Twitter.com or its administrative functions, nor were user accounts affected in any way. So everyone can just stop with the “Twitter needs to revamp its security!” and “Twitter isn’t secure” headlines and articles because it’s not only blatantly wrong, it’s diverting attention that should be devoted to the real problem: e-mail and account self-service.


THE E-MAIL FACTOR


twitter_logoWhat was compromised remains somewhat of a mystery. Following through the TechCrunch article to a blog on the same subject reveals some interesting details, however. A screen shot of what appears to be an internal memo to Twitter employees requires a change in passwords (along with instructions on improving the strength of said passwords) but mentions the password to be changed is the password you use to login to internal sites. From this one might infer that a breach was perpetrated through an intra/extranet, as opposed to twitter’s core  infrastructure. Regardless, the breach of Twitter was only ancillary to the real security risk: the access to e-mail. That’s where the real meaty data was obtained; not from Twitter or its internal systems.

In this case, it was GMail access that enabled the miscreant to use password recovery techniques (“Forgot your password?”) to gain access to other related information and sites: personal credit cards, GoDaddy registrar accounts, etc… Did the attacker really need to breach Twitter’s internal applications to get that information? Probably not. Remember the successful breach of then Vice-Presidential candidate Sarah Palin’s Yahoo account?

As detailed in the postings, the Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birthdate, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.

Certainly gaining access to Twitter’s internal applications made accessing employees’ GMail accounts that much easier, but it likely wasn’t necessary except as a means to garner attentiongmail-logo which was, the miscreant claims, the intent of the attack. The danger of a GMail breach is that Google is very integrated across applications, so gaining access to one often makes it a no-brainer to gain access to others. And if you’re storing sensitive or even non-sensitive corporate documents in Google Docs or Apps, a breach of e-mail is likely to lead to a breach of those applications too. Which is essentially what happened to Twitter (the organization, not the service).


ANY WEB-BASED E-MAIL SERVICE IS A RISK


It isn’t just GMail or Yahoo or other hosted e-mail services that are at risk. Any one of the millions of organizations that use Microsoft’s Outlook Web Access to provide employees remote access to their e-mail is potentially at risk to be compromised. The prohibitions on the access of “personal e-mail” vary from organization to organization, so it’s likely that an attacker could succeed in compromising a corporate OWA account and then use that to compromise a “personal” account – or vice versa. That’s in addition to obtaining instant access to e-mail, phone numbers, organizational hierarchies, and sensitive data being exchanged between employees.

There are any number of known vulnerabilities in the entire software stack required to run Microsoft OWA, many of them that remain unpatched. These open vulnerabilities leave organizations and their employees susceptible to attack. In some cases it’s a lack of time/availability that causes the service to remain vulnerable; in others it's simply the case that Microsoft hasn’t gotten around to addressing them yet (they do have a lot of software and a lot of patches to deal with, after all). There are best practices for securing OWA and other solutions available that can provide “virtual patching” of those vulnerabilities that shore up the overall security of the service so there’s really no good excuse for not securing OWA. Not doing so not only puts the organization at risk, but the individuals using the service (including your CEO, your CFO, and other executives) because the personal information contained in e-mail provides a cornucopia of information that makes it easier for attackers to discern passwords for other sites, which leads to breaches of other sites, which leads to… I’m sure you get the picture by now.

And of course there’s the fact that OWA is meant for mobile access, so it’s going to be accessible via the Internet. All one has to do is figure out one person’s password and from there they may be able to do a whole lot of damage to other systems. All those “password recovery” e-mail messages are likely stored somewhere in an inbox, making it a veritable cornucopia of account information.

And that’s where perhaps the biggest threat of all lies.


SELF-SERVICE IS A BIGGER THREAT


What Twittergate teaches us is that it’s not just the vulnerabilities in web applications that we need to watch out for. It’s the amazing amount of information that can be pulled together on any individual using various applications on the Internet that can make it a nearly brainless task to discern passwords. It’s the current mechanisms we use for account “self-service” that are also partially to blame, as they rely heavily on e-mail as a method of identity verification and as we’ve seen in this case – and others – that’s not always a sure bet.

Secret questions, e-mail based verification, and other modern implementations of self-service are inadequate. They do not provide enough obfuscation to protect the actual password of any given individual. Yes, I said obfuscation in relation to security, but in this case, it’s accurate and necessary. There should never be a question for which the answer would give a hint about the password. Never. And yet many sites and applications still rely upon the “hint” question as a means to reduce the costs associated with password and account support.

Rather than using a hint, don’t allow password recovery. Allow password reset, but only after the user has answered a series of completely unrelated questions. Good options include:

  • Name of the author of your favorite book
  • First musical instrument you learned to play
  • Name of the first person you ever kissed
  • When you look out your kitchen window, what do you see?

There are myriad good questions that could be used in lieu of a password hint. Anything that isn’t likely to be divulged in public is a good option, and there needs to be more than one just in case one of those odd-ball questions has been answered someone in the ether. The problem is that this requires a bit more work to implement, as it’s a process, not a simple “forgot your password” button that dumbly sends off the password to an associated e-mail account.

Again: password recovery is a bad idea. Password reset is better if the “security” questions required are diverse and obscure enough to make it difficult to pull the information from a quick Google search or a perusal of the individual’s Facebook page. But any process that ends with “your password has been mailed to you” is a risk. 


PAY ATTENTION TO WHAT MATTERS


Sure it’s more exciting to talk about Twitter and its security breach, and to write a bazillion blogs and articles about how Twitter isn’t secure and how it’s dangerous to businesses and blah, blah, blah. But that completely ignores what really happened and what that says about the security methods being used in our businesses and personal lives – and how the two are now intimately interconnected.

We need to make sure our own backyard is secure before we start making fun of Twitter, and that means tightening up security of our own external e-mail and applications. It means enacting and enforcing strong password policies in the workplace, and taking that policy home with us. It means as individuals we need to be proactive in choosing better security related questions when they are offered and being aware that if a hint is going to lead us to the right password, it just may do the same thing for an attacker. 
 

Follow me on Twitter View Lori's profile on SlideShare friendfeedicon_facebook AddThis Feed Button Bookmark and Share

Related articles and blogs:

Read the original blog entry...

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

@ThingsExpo Stories
Recently, WebRTC has a lot of eyes from market. The use cases of WebRTC are expanding - video chat, online education, online health care etc. Not only for human-to-human communication, but also IoT use cases such as machine to human use cases can be seen recently. One of the typical use-case is remote camera monitoring. With WebRTC, people can have interoperability and flexibility for deploying monitoring service. However, the benefit of WebRTC for IoT is not only its convenience and interopera...
When shopping for a new data processing platform for IoT solutions, many development teams want to be able to test-drive options before making a choice. Yet when evaluating an IoT solution, it’s simply not feasible to do so at scale with physical devices. Building a sensor simulator is the next best choice; however, generating a realistic simulation at very high TPS with ease of configurability is a formidable challenge. When dealing with multiple application or transport protocols, you would be...
SYS-CON Events announced today that App2Cloud will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct. 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. App2Cloud is an online Platform, specializing in migrating legacy applications to any Cloud Providers (AWS, Azure, Google Cloud).
IoT is at the core or many Digital Transformation initiatives with the goal of re-inventing a company's business model. We all agree that collecting relevant IoT data will result in massive amounts of data needing to be stored. However, with the rapid development of IoT devices and ongoing business model transformation, we are not able to predict the volume and growth of IoT data. And with the lack of IoT history, traditional methods of IT and infrastructure planning based on the past do not app...
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. Jack Norris reviews best practices to show how companies develop, deploy, and dynamically update these applications and how this data-first...
Internet-of-Things discussions can end up either going down the consumer gadget rabbit hole or focused on the sort of data logging that industrial manufacturers have been doing forever. However, in fact, companies today are already using IoT data both to optimize their operational technology and to improve the experience of customer interactions in novel ways. In his session at @ThingsExpo, Gordon Haff, Red Hat Technology Evangelist, shared examples from a wide range of industries – including en...
Intelligent Automation is now one of the key business imperatives for CIOs and CISOs impacting all areas of business today. In his session at 21st Cloud Expo, Brian Boeggeman, VP Alliances & Partnerships at Ayehu, will talk about how business value is created and delivered through intelligent automation to today’s enterprises. The open ecosystem platform approach toward Intelligent Automation that Ayehu delivers to the market is core to enabling the creation of the self-driving enterprise.
"We're a cybersecurity firm that specializes in engineering security solutions both at the software and hardware level. Security cannot be an after-the-fact afterthought, which is what it's become," stated Richard Blech, Chief Executive Officer at Secure Channels, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Consumers increasingly expect their electronic "things" to be connected to smart phones, tablets and the Internet. When that thing happens to be a medical device, the risks and benefits of connectivity must be carefully weighed. Once the decision is made that connecting the device is beneficial, medical device manufacturers must design their products to maintain patient safety and prevent compromised personal health information in the face of cybersecurity threats. In his session at @ThingsExpo...
SYS-CON Events announced today that Grape Up will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct. 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Grape Up is a software company specializing in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market across the U.S. and Europe, Grape Up works with a variety of customers from emergi...
Detecting internal user threats in the Big Data eco-system is challenging and cumbersome. Many organizations monitor internal usage of the Big Data eco-system using a set of alerts. This is not a scalable process given the increase in the number of alerts with the accelerating growth in data volume and user base. Organizations are increasingly leveraging machine learning to monitor only those data elements that are sensitive and critical, autonomously establish monitoring policies, and to detect...
SYS-CON Events announced today that Massive Networks will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Massive Networks mission is simple. To help your business operate seamlessly with fast, reliable, and secure internet and network solutions. Improve your customer's experience with outstanding connections to your cloud.
Because IoT devices are deployed in mission-critical environments more than ever before, it’s increasingly imperative they be truly smart. IoT sensors simply stockpiling data isn’t useful. IoT must be artificially and naturally intelligent in order to provide more value In his session at @ThingsExpo, John Crupi, Vice President and Engineering System Architect at Greenwave Systems, will discuss how IoT artificial intelligence (AI) can be carried out via edge analytics and machine learning techn...
Everything run by electricity will eventually be connected to the Internet. Get ahead of the Internet of Things revolution and join Akvelon expert and IoT industry leader, Sergey Grebnov, in his session at @ThingsExpo, for an educational dive into the world of managing your home, workplace and all the devices they contain with the power of machine-based AI and intelligent Bot services for a completely streamlined experience.
With tough new regulations coming to Europe on data privacy in May 2018, Calligo will explain why in reality the effect is global and transforms how you consider critical data. EU GDPR fundamentally rewrites the rules for cloud, Big Data and IoT. In his session at 21st Cloud Expo, Adam Ryan, Vice President and General Manager EMEA at Calligo, will examine the regulations and provide insight on how it affects technology, challenges the established rules and will usher in new levels of diligence a...
In the enterprise today, connected IoT devices are everywhere – both inside and outside corporate environments. The need to identify, manage, control and secure a quickly growing web of connections and outside devices is making the already challenging task of security even more important, and onerous. In his session at @ThingsExpo, Rich Boyer, CISO and Chief Architect for Security at NTT i3, discussed new ways of thinking and the approaches needed to address the emerging challenges of security i...
SYS-CON Events announced today that Datera, that offers a radically new data management architecture, has been named "Exhibitor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Datera is transforming the traditional datacenter model through modern cloud simplicity. The technology industry is at another major inflection point. The rise of mobile, the Internet of Things, data storage and Big...
An increasing number of companies are creating products that combine data with analytical capabilities. Running interactive queries on Big Data requires complex architectures to store and query data effectively, typically involving data streams, an choosing efficient file format/database and multiple independent systems that are tied together through custom-engineered pipelines. In his session at @BigDataExpo at @ThingsExpo, Tomer Levi, a senior software engineer at Intel’s Advanced Analytics ...
SYS-CON Events announced today that Datera will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Datera offers a radically new approach to data management, where innovative software makes data infrastructure invisible, elastic and able to perform at the highest level. It eliminates hardware lock-in and gives IT organizations the choice to source x86 server nodes, with business model option...
With 10 simultaneous tracks, keynotes, general sessions and targeted breakout classes, Cloud Expo and @ThingsExpo are two of the most important technology events of the year. Since its launch over eight years ago, Cloud Expo and @ThingsExpo have presented a rock star faculty as well as showcased hundreds of sponsors and exhibitors! In this blog post, I provide 7 tips on how, as part of our world-class faculty, you can deliver one of the most popular sessions at our events. But before reading the...