Seeking Alpha
Lost in the brouhaha Michael Arrington stirred up on Techcrunch about the ethics of posting the documents a hacker stole from Twitter is an important nugget that Arrington brings out in the comments:

Michael Arrington (@arrington) - July 14th, 2009 at 11:22 pm PDT

the original security hole seems to be Google, via Google Apps for your Domain. Some passwords were guessed and things started to fall apart from there. Most (or all) of these documents were downloaded from Google’s servers.

A hacker broke into Google Apps for your domain. Twitter thought it was secure because it had outsourced its security to Google; in reality it was exposed.

The bottom line is that many startups and an increasing number of large companies are using Google Apps for critical company documents. Most of them think they are living securely. They are not. This is a normal stage in the evolution of the software industry: Microsoft was hit by viruses, and its software is notoriously buggy and often not secure on release. This is a risk for Google going forward and an interesting nod that cloud security companies are needed.

One last word: as you move your company to cloud apps, it would be wise to look into the providers' security procedures and see whether you can augment that security in some way. Additionally, document storage policies need to be examined on an ongoing basis.

Update: I received this note from Andrew Covacs at Google's corporate communications group.

Great, thanks for the reply. Have you seen Biz's post here?

He clarifies:
"This attack had nothing to do with any vulnerability in Google Apps which we continue to use.... This isn't about any flaw in web apps, it speaks to the importance of following good personal security guidelines, such as choosing strong passwords."

Comments
  •  
    You would never trust small startup with your online documents but when it comes to Google, you trust them 100%.

    The funny part is that Google SLA is poor but we still trust them...

    Reminder: seekingalpha.com/artic... (only 4 months ago)
    Jul 15 09:08 AM
  •  
    Seems like this isn't really a question of web app security as much as people using easily guessed credentials. If you can guess someone's login name, and you can use the Web to find their pet's name, mother's maiden name, etc. you can often get the password reset. Once you've got one account, you can often find information in that account about others and the landslide begins.
    Jul 15 01:02 PM
  •  
    As ASA wrote above, this seems to be about weak passwords, but it doesn't take long for the Microsoft shills to turn it into a Google failure.
    Jul 15 04:11 PM
  •  
    Update: I received this note from Andrew Kovacs at Google Corporate Communications:


    "Great, thanks for the reply. Have you seen Biz's post (blog.twitter.com/2009/...)?

    He clarifies:
    This attack had nothing to do with any vulnerability in Google Apps which we continue to use.... This isn't about any flaw in web apps, it speaks to the importance of following good personal security guidelines (googleonlinesecurity.b...) such as choosing strong passwords."
    Jul 15 04:35 PM
  •  
    This post makes some bold -- and what turn out to be completely untrue -- assertions based only on third-hand conjecture.

    Biz states in the Twitter Blog that this was a problem with personal security, not Google Apps:

    blog.twitter.com/2009/...

    "This attack had nothing to do with any vulnerability in Google Apps which we continue to use. This is more about Twitter being in enough of a spotlight that folks who work here can become targets. In fact, around the same time, Evan's wife's personal email was hacked and from there, the hacker was able to gain access to some of Evan's personal accounts such as Amazon and PayPal but not email. This isn't about any flaw in web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords."

    Michael, count me unimpressed that a Benchmark partner would publish such an uninformed post.
    Jul 15 04:38 PM
  •  
    Mike - weak sauce man.

    This had nothing to do with Google Apps - the hacker got a hold of a user name and password, logged into her account and stole the data.

    Any small, medium, or even large company who thinks their IT security standards and disaster recovery capabilities are as strong as Google's are fooling themselves.

    Think your data is safer on your server in your broom closet? Not so much, but that is a common perception that articles like these help perpetuate. Knock it off, buster.
    Jul 15 04:52 PM
  •  
    I'm impressed that you updated in the comments Michael. I'd have preferred (as a new reader not familiar with your tone or practices here) to see this as an "Update:" within the bottom or the top of the original article but it was good of you to follow up with comments from the Google Apps team.
    Jul 15 05:22 PM
  •  
    This has everything to do with Google Apps. One of the most basic features of Active Directory is password strength, complexity and lifetime. It's a minute's work for an administrator to set bottom lines for password strength.
    Google has no such feature, hence the weak password hack.

    This article is dead on: no password strength control for client organisations = bug in Google's cloud.
    Jul 15 05:23 PM
  •  
    WOW! You really need to check your facts before you go bashing any company. Hopefully this doesn't reflect on the typical "due diligence" process that Benchmark goes through and is a one-off "rash" note trying to put the blame on Google.

    And yes - your update needs to be inline in the article if you are going to try and save some credibility here.
    Jul 15 05:38 PM
  •  
    A couple of comments here:
    1. My post was written before the Twitter blog post and based on Arrington's comment.
    2. I "updated" on the instablog post inline and NOT in comments. seekingalpha.com/insta... On the SA post, I do not know how to update inline. Otherwise I would have.
    3. I received multiple emails from companies saying that they concurred with the assessment and were worried about cloud app security. See Also Peter Kafka's similar trend assessment published after Twitter's blog post seekingalpha.com/artic...
    4. One of our security companies has found numerous holes in hosted app services.

    However, I accept the criticism that it would have been better to get Google's reaction first and not only rely on Arrington's comment.
    Jul 16 11:47 AM
  •  
    Google is passing the blame. They rely on user name/pwd protocols to keep account secure. They can do better. And they know it.
    Jul 19 02:05 AM
  •  
    Twitter is emerging as a new threat to Google. I wonder what will happen if google launches services like Twitter. It will be Gwitter ! haha
    Jul 29 09:37 AM