Earlier tonight, I received an email I would just as soon not have gotten from Twitter, along with 250,000 Twitter users who had their password reset. Twitter security director Bob Lord explained why I’d received the email on the company blog:
“This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.”
Mike Isaac has been following the story the hack at Twitter at AllThingsD, if you want the latest news tonight.
After the password reset, I went through revoked Twitter authorization access to a number of unused apps, something I’ve been doing periodically for years now. That habit is among Twitter’s security recommendations.
I’m thinking about other social media accounts now, too. Shortly after Nicole Perloth began covering IT security for the New York Times, she shifted her practices:
“Within weeks, I set up unique, complex passwords for every Web site, enabled two-step authentication for my e-mail accounts, and even covered up my computer’s Web camera with a piece of masking tape — a precaution that invited ridicule from friends and co-workers who suggested it was time to get my head checked.”
She talked to two top-notch security experts and wrote up a useful list of good digital security practices. Unfortunately, it may be that it takes getting hacked and embarrassed (as I was on Twitter, on Christmas Eve a couple years ago) to change what how people approach securing their digital lives.
I don’t recommend that sort of experience to anyone. I was lucky, was tipped nearly right away and was able to quickly get help from the remarkable Del Harvey, head of the Twitter Safety team.
It could have been much, much worse. I’m thinking of Mat Honan, a Wired journalist who experienced an epic hacking that came about through a chain of compromised accounts at Amazon, iTunes, Gmail and Twitter. After a lot of work, Honan managed to recover his data, including some precious pictures of his child. In the wake of the hack, he turned on 2-factor authentication on Google and Facebook, turned off “Find my” Apple device, and set up dedicated, secret accounts for password management. Honan isn’t alone in the tech journalist ranks: he just happens to have a bigger platform than most and was willing to make his own painful experience the subject of an extensive story.
A jarring reality is that even people who are practicing reasonably good security hygiene can and do get p0wned. Unfortunately, the weakest point in many networks are the humans — that’s reportedly how Google ran into trouble, when key employees were “spear phished” during “Operation Aurora,” targeted with social engineering attacks that enabled hackers to access the networks.
The last paragraph of Lord’s post suggests that a similar expertise was at work at Twitter, although he does not specify a source.
“This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.”
It’s been true for a decade but it’s even clearer in the second month of 2013: practicing basic information security hygiene is now a baseline for anyone else online, particularly those entrusted with handling confidential sources or sensitive information.
Chris Soghoian was clear about the importance of journalists and media companies getting smarter about keeping sources and information safe in 2011. Tonight, I am not sanguine about how much has changed since in the news industry and beyond.
Two days ago, the New York Times disclosed that hackers had infiltrated …the New York Times. The next day, The Wall Street Journal has disclosed similar intrusions. Earlier today, Brian Krebs reported that the Washington Post was broadly infiltrated by Chinese hackers in 2012. The Post confirmed the broad outlines of an attack on its computers.
If you’re a journalist & you’re not using a password manager+unique, long random passwords per website: stop, install and configure one now.
— Christopher Soghoian (@csoghoian) February 2, 2013
If you have a moment this weekend, think through how you’re securing your devices, networks and information. If you use Twitter, visit Twitter.com and update your password. If you haven’t turned on 2-factor authentication for Facebook and Gmail, do so. Update your Web browser and use HTTPS to connect to websites. disable Java in your Web browser. Think through what would happen if you were hacked, in terms of what numbers you would call and where and how your data is backed up. Come up with tough passwords that aren’t easily subject to automated cracking software.
And then hope that researchers figure out a better way to handle authentication for all of the places that require a string of characters we struggle to remember and protect.