Twitter Hack Ratchets Up Security Jitters
What price cybersecurity? That's likely one of the questions Twitter executives were asking Monday after revealing that a quarter-million of their users might have had their information stolen by hackers. The Twitter hack, along with breaches at The New York Times, The Wall Street Journal and other organizations, may signify a new wave of highly sophisticated cyberattacks capable of evading many security defenses.
Feb 5, 2013 5:00 AM PT
Twitter has joined a rapidly growing list of U.S. companies to report a major cybersecurity incident. The social network admitted late last week that it was able to shut down a live attack, but not before hackers may have been able to access personal information on 250,000 users.
The social network said in a Friday blog post that the usernames, email addresses, session tokens and encrypted versions of passwords may have been taken.
After discovering the breach, Twitter said it reset passwords and revoked session tokens for the compromised accounts. The company notified affected users via email and provided instructions on how to create a new password.
Twitter suggested that users who were not affected by the attack should be vigilant about protecting personal data online. It reminded users that strong passwords with at least 10 characters of mixed letters, numbers and symbols, and varying login credentials for different accounts, can add more layers of protection.
Twitter did not respond to our request for further details.
Another Overseas Attack?
The cyberattack happened during the same week that The New York Times and The Wall Street Journal also revealed that hackers had infiltrated their systems, installing malware and stealing employee passwords. Chinese hackers are believed to be responsible for those security breaches.
Twitter did not say if it believed the same group was also responsible for its breach. It did mention the Times and Journal incidents in the blog post that revealed its own attack, however, and said it believed other organizations have recently experienced similar hacks. The social networking site said it believed the attackers were "extremely sophisticated" and that it was not an isolated incident.
If some of the hackers are from countries or organizations that have an issue with the way the U.S. conducts business, the ramifications for the future of data protection could be great, said Avivah Litan, security analyst at Gartner.
"The implication is that hackers are politically motivated, come from foreign nations, and are from societies where free speech is not a constitutional right," Litan said. "They are spying on their citizenry, trying to exfiltrate sensitive and confidential information concerning their nation's activities and stealing information for financial gain. This has grave consequences on our ability to exercise free speech in the United States since that speech can be used against us in unpredictable ways."
More Hacks to Come?
Even if Chinese hackers weren't responsible for its attack, Twitter is likely correct that the hack wasn't an isolated incident, Litan told TechNewsWorld. More publications, financial and political institutions are likely to be hit as well.
"We can expect more advanced targeted attacks for political and financial gain," she predicted. "The bad guys are often more sophisticated than the good ones. It's obvious from their successes."
That's partly because of the highly complex software and server systems that run massive websites, said Chiranjeev Bordoloi, CEO of Top Patch.
It's difficult enough for individual users to protect a single computer. When an organization must support thousands or hundreds of thousands of servers, many lines of software, power sources and applications, the opportunity for hackers to worm their way in rapidly increases, he pointed out. That's especially the case when major institutions don't understand the best ways to stay secure.
"We're going to see this happening fairly frequently, mainly because the software running these grids is extremely vulnerable," Bordoloi told TechNewsWorld. "Twitter in particular is a big Linux user, so they have free and open source contributions from everywhere. Even if they do find security holes, a patch is easier said than done when you've got thousands of servers with different versions of Linux."
Twitter responded in the best way possible considering its situation, but there are always additional measures it can take to improve its security going forward, said Gartner's Litan.
"Twitter needs to put in context-aware, layered security systems, including advanced threat detection, file and user monitoring, application access controls, endpoint protection and more," she advised.
The Cost of Better Cyberprotection
With so many recent high-profile attacks, mainstream publications, financial institutions and corporations are increasingly realizing that cybersecurity can't be ignored. The problem is that developing more complex security comes at a very high cost.
"Senior and executive management are not driven to spend money on security until after they have a serious incident or two," Litan noted. "So security staff have a hard time convincing their managers that they need to be proactive rather than reactive, when it's too late. Management would rather spend money on revenue-generating activities than on security, where it's very hard to prove a return on investment."
Security is too high on the priority scale to be dismissed because of cost, Bordoloi noted. To get started, organizations need to at least protect their most critical data.
"We go to great lengths to convince businesses they can make security cost-efficient by taking a risk-based approach to protecting data," he said. "If you can look at the data you want to protect and use a tool that can consolidate those security efforts across operating systems and applications and servers, it doesn't have to be a very expensive, painful process."