Twitter/Google Apps hack raises questions about cloud security.

Byline: jeevan@cpidubai.com (Staff)

Questions about cloud security and the feasibility of storing critical information in Web-based services are being raised in the wake of a hacking incident involving Twitter and Google Apps.

A hacker obtained and distributed more than 300 confidential documents pertaining to Twitter's business affairs that were stored on Google Apps.

Insufficient password strength has been pegged as a root cause, but industry observers are debating whether Google or Twitter is most at fault. "It's not clear to me whether it's a black mark on Google or a black mark on Twitter at this point," says Pund-IT analyst Charles King.

Shortly after the data theft was reported, Twitter CEO Evan Williams used his own Twitter account to note that he was "having a bad night."

Google has bolstered the security of its office productivity tools, for example earlier this year adding a feature that lets administrators set password length requirements and view password strength indicators.

But Gartner analyst John Pescatore says customers should remember that "Twitter and most of Google Apps until, say, 18 months ago, were built as consumer-grade services to share information very widely and easily, not to protect information and prevent information from flowing."

Twitter, for its part, absolved Google Apps of any blame in a blog post Wednesday by Twitter co-founder Biz Stone. Rather than any vulnerability within the Google service, Stone said the incident speaks more to the importance of choosing strong passwords.

"About a month ago, an administrative employee here at Twitter was targeted and her personal e-mail account was hacked. From the personal account, we believe the hacker was able to gain information, which allowed access to this employee's Google Apps account which contained Docs, Calendars, and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company. Since then, we have performed a security audit and reminded everyone of the importance of personal security guidelines," Stone writes. "This attack had nothing to do with any vulnerability in Google Apps which we continue to use," Stone continues. "This is more about Twitter being in enough of a spotlight that folks who work here can become targets. In fact, around the same time, Evan's wife's personal e-mail was hacked and from there, the hacker was able to gain access to some of Evan's personal accounts such as Amazon and PayPal but not e-mail. This isn't about any flaw in Web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords."

Google issued a statement in response to a request from Network World, but did not comment specifically about the Twitter data exposure.

"We are highly aware of the importance of our users' data, and we have extensive policies and procedures in place to help provide high levels of data protection," Google said. "We haven't received any communication from customers about this issue, and therefore we can't confirm or comment on specifics at this time."

But in response to the Twitter breach, several industry observers raised concerns about storing sensitive information in cloud-based services, including Google platforms such as Gmail and Google Docs.

Albert Wenger, who is a partner at Union Square Ventures, argues that tougher authentication measures are needed to prevent cloud security breaches. The venture firm has invested in Twitter, as well as numerous other Web-based services.

"This brings the security of cloud computing [and] Web apps very close to home, especially as we are contemplating moving all of USV to Gmail and Google Docs," Wenger writes in a blog post. "The threat of access by a third party increases exponentially with the move to the cloud, because the machines that now contain the documents and the links to those documents (as sent by e-mail) are accessible to the Internet at large. With anybody with an Internet connection potentially being able to access, a simple username/password scheme is clearly insufficient for authentication. This is especially true given password reset mechanisms based on 'canned' questions with easily guessed answers."

Wenger goes on to suggest a two-factor security system utilizing text messaging, in which a user receives a text with a secret code after inputting a username and password.

"I am hoping that nothing worse than the Twitter breach has to happen before providers such as Google and Microsoft will offer stronger authentication as an option," Wenger concludes.

Another venture capitalist, Michael Eisenberg of Benchmark Capital, offers his take that customers need to be wary of using Google to store critical documents.

"The bottom line is that many startups and an increasing number of large companies are using Google Apps for critical company documents. Most of them think that they are living securely. They are not," Eisenberg writes.

Eisenberg cautions customers to examine security procedures and document storage policies of cloud providers. "While Twitter thought they were secure and [that] they had outsourced their security to Google, in reality they were exposed," he writes.

The Twitter breach came to light Tuesday when TechCrunch reported that it had received a zip file containing 310 confidential Twitter documents, including "executive meeting notes, partner agreements and financial projections to the meal preferences, calendars and phone logs of various Twitter employees."

TechCrunch says the documents came from a hacker who calls himself "Hacker Croll." This hacker has also reportedly compromised Twitter accounts of celebrities such as Britney Spears and Ashton Kutcher, and Twitter CEO Williams.

Ultimately, users have to be responsible for the strength of their own passwords, King says. But vendors can play a role by offering stronger authentication systems, he notes.

"To their credit I think some vendors have been more insistent about users supplying better passwords than their names spelled backward, or their birthday, or ABC and 123," King says.

Burton Group analyst Dan Blum says customers should be wary of cloud services that rely primarily on passwords without other controls, such as device identification, or locking out users who type incorrect passwords several times in a row.

"I wouldn't store sensitive documents in a cloud-based service unless I had a lot of confidence in the specific service," Blum says. "I'd hold them to the same standards that you hold for your own internal applications. If you expect your internal applications to be accessed only through two-factor authentication then the cloud should be at least as secure as that."

Copyright 2009 IDG Middle East. All rights reserved.

Provided by Syndigate.info an Albawaba.com company
COPYRIGHT 2009 Al Bawaba (Middle East) Ltd.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2009 Gale, Cengage Learning. All rights reserved.

Publication:Network World Middle East
Date:Jul 19, 2009