Technologies like OpenID, OAuth and others of the kind are spreading quickly. Nowadays a single account at, say, Google may be the key to a hundred other accounts that accept OpenID logins. It means a user doesn't have to invent a hundred more name-and-password pairs and can simply use their Google (or LJ, or Yahoo, etc.) account. But the ironic saying that a keyring is the best means of losing all the keys attached to it holds true. Trusted.md elaborates on this in "TwitterGate Debacle Highlights Security Risks of Google Health".
The story goes: a hacker's breach of Twitter's security demonstrates how easily someone could break into your Google Health records.
Last week the Internet technology community experienced a true bombshell. Twitter, a darling of the media, a star of Silicon Valley, a poster child of cloud computing, has been hacked. The company's secrets have become public.
I am not going to rehash the details of the story, broken and thoroughly covered by TechCrunch (In Our Inbox: Hundreds Of Confidential Twitter Documents). Nor will I dive into the substance of the documents released, though they are truly worthwhile reading. I would like to highlight how exactly Twitter was hacked and how it could happen to your medical records.
Let us thank Hacker Croll for sharing the details on his break-in!
After receiving the confidential documents from the hacker, TechCrunch offered him an opportunity to explain how he managed to pull off his break-in. The result is a rather long post outlining the step-by-step process for finding and exploiting the security holes: The Anatomy Of The Twitter Attack. If you have time, it is well worth reading. Here I will just summarize the basics.
Humans are usually the weakest link in any secure system
If you store documents in a collaborative online environment, all it takes is to find one individual using a weak password to gain a foot in the door. How weak could a password be? In the case of Twitter, one of the individuals with access used the word "password" as a password. An automated hacking program can quickly run through a list of common "weak" passwords and find the key that matches.
Once a hacker has a "foot in the door" by compromising, say, your Google account, they are going to find *LOTS* of different services accessible through the same login. Your Gmail or Google Docs got broken into? Well, now they can do anything they want with your Google Health too! If your email or documents store other logins and passwords (can you remember them without saving them somewhere?) they can be swiped and used to deepen the breach. A small breach could set off a cascade of dominoes because of shared and interlinked online accounts.
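The weak-password step above, seen from the defender's side: a registration-time policy check that rejects the passwords an automated guesser tries first (including trivial variations such as "Password1!" or "P@ssw0rd") and refuses a password the user already uses on another account, so one guessed login cannot be replayed elsewhere. This is an added example, not code from this post, from Trusted.md or from the TechCrunch write-up; the deny list, the minimum length of 12, the function names and the sample passwords are constructed assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed deny list; a real deployment loads a leaked-password corpus with millions of entries.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome", "admin", "iloveyou",
}
MIN_LENGTH = 12  # assumed policy value, not taken from the original post
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})
_TRAILING_JUNK = re.compile(r"[\d!?.]+$")  # "password1!" -> "password"


def is_common(password: str) -> bool:
    """True if the password, or a trivial variation of it, is on the deny list.
    Automated guessers try these variations first, so the policy treats them as equal."""
    lowered = password.lower()
    stripped = _TRAILING_JUNK.sub("", lowered)
    variants = {lowered, stripped, lowered.translate(_LEET), stripped.translate(_LEET)}
    return any(v in COMMON_PASSWORDS for v in variants)


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def is_reused(password: str, stored) -> bool:
    """True if the candidate equals a password the user already has on another service.
    `stored` holds (salt, digest) pairs; each comparison is constant-time."""
    for salt, digest in stored:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def evaluate(password: str, stored=()) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_common(password):
        problems.append("on the common-password deny list (or a trivial variant of one)")
    if is_reused(password, stored):
        problems.append("already used for another account")
    return problems


if __name__ == "__main__":
    # Constructed sample: the password the user already has on another service, stored salted.
    existing = [hash_password("correct horse battery")]
    for pw in ("password", "P@ssw0rd1!", "correct horse battery", "a7!Lq9#zTw2pRn"):
        print(f"{pw!r:26} -> {evaluate(pw, existing) or 'accepted'}")
```

The reuse check only works if the service keeps hashes of the user's other passwords, which a single site normally cannot; in practice it belongs in a password manager or an organisation's identity provider, where the other credentials are already known.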
In such a case, no amount of monitoring of your network services is enough to detect the breach and the attempt to gain control over all your resources. When shared-access resources are compromised, many people are affected, and the effect may be very unpleasant, since you cannot detect that someone else's account has been hacked. The real problem is always the loss of trust. All the other damage may be repaired or handled more or less quickly, but lost trust takes far longer to restore.
There are two possible solutions. First, keep all your credentials secure. Make passwords strong. Change them often. Don't use the same shared ID (such as OpenID) for private, public and business activity alike. Make backups of your data, and so on and so forth. The other solution is to add security measures that are out of reach of anyone who knows your shared ID, so that they cannot change crucial data (at the very least, you won't lose control of it). That inevitably means introducing more credentials, but please remember: if all your vital data depend on a single ID, losing it can be catastrophic.
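The cascade of dominoes from the quoted article and both solutions above, as an added example that is not the post's own code: a small model of interlinked accounts that computes which accounts fall once one credential is compromised, then shows how much the damage shrinks when business accounts are moved to a separate ID and when crucial accounts sit behind a second credential the shared ID cannot unlock. The account names, their dependencies and the helper names blast_radius, with_separate_identity and rank_credentials are constructed for illustration.

```python
from collections import deque

# Constructed dependency graph: account -> set of accounts whose compromise gives access to it.
# "google-sso" is the shared OpenID-style identity; "google-mail" receives password resets
# and "google-docs" holds a spreadsheet of other logins, as the quoted article describes.
ACCESS_VIA = {
    "google-mail":   {"google-sso"},
    "google-docs":   {"google-sso"},
    "google-health": {"google-sso"},
    "blog-admin":    {"google-sso"},     # signs in with the shared OpenID
    "bank":          {"google-mail"},    # password reset lands in the mailbox
    "payroll":       {"google-docs"},    # password kept in a spreadsheet
}


def blast_radius(compromised, access_via, second_factor=frozenset()):
    """Accounts reachable from `compromised` by following access edges.
    Accounts in `second_factor` need a credential the attacker does not hold,
    so the walk stops there: they are neither entered nor used as a stepping stone."""
    reached = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for account, parents in access_via.items():
            if current in parents and account not in reached and account not in second_factor:
                reached.add(account)
                queue.append(account)
    return reached


def with_separate_identity(access_via, accounts, new_id):
    """Copy of the graph in which `accounts` are reached through `new_id` instead of
    their current parents: the 'do not use one shared ID for everything' solution."""
    split = {acct: set(parents) for acct, parents in access_via.items()}
    for acct in accounts:
        split[acct] = {new_id}
    return split


def rank_credentials(access_via, second_factor=frozenset()):
    """Every credential in the graph with its blast radius, largest first:
    the top entry is the keyring whose loss costs the most."""
    names = set(access_via) | {p for parents in access_via.values() for p in parents}
    sizes = {n: len(blast_radius(n, access_via, second_factor)) for n in names}
    return sorted(sizes.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("shared ID, no extra controls:", sorted(blast_radius("google-sso", ACCESS_VIA)))
    guarded = {"google-health", "bank"}
    print("second factor on", sorted(guarded), "->",
          sorted(blast_radius("google-sso", ACCESS_VIA, guarded)))
    split = with_separate_identity(ACCESS_VIA, {"google-docs", "blog-admin"}, "work-id")
    print("work accounts on a separate ID ->", sorted(blast_radius("google-sso", split)))
    print("ranking:", rank_credentials(ACCESS_VIA))
```

The ranking is the useful output for a defender: it names the credential whose loss reaches the most accounts, which is where the extra measure (a second factor, or a separate identity) pays off first. Note that the model only stops at an account guarded by a second factor; it does not help if that factor is itself reset through the compromised mailbox, so the recovery channel for the second factor must also be outside the shared ID.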
This article was brought to you by the developers of IPHost Network Monitor, network and server monitoring software.