Rethinking security after the Twitter/TechCrunch fiasco | Dafacto

The personal website of Matt Henderson.


19 July 2009

In case you missed it, TechCrunch received some 300+ confidential documents belonging to Twitter (the company), which a hacker had obtained. The documents contained meeting minutes, business plans and notes on talks with companies like Google and Microsoft. In short, a disaster for Twitter.

This morning TechCrunch published an article detailing how the hacker obtained these documents, and it really highlights the need to frequently reassess our computer security.

In short, the hacker exploited a common feature of web services: the password reset, which sends a new password to the email address on file for the user. Having gained access to one email account, the hacker could then, one by one, gain access to a variety of the user’s subscribed web services. That was made much easier by the fact that the target used the same password for multiple services.

It’s clear that, today, security is a game of dominoes, in which compromising one weak link can bring down the whole structure.
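To make the domino effect concrete, here is a small model, added here and not part of the original post, that walks the two links the article describes (password resets landing in a compromised mailbox, and a password shared between accounts) and reports every account that falls once one is lost. The account names, recovery relationships and passwords are constructed sample data, not anyone's real accounts.

```python
from collections import deque
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Account:
    name: str
    password: str                         # constructed sample values, not real secrets
    recovery_email: Optional[str] = None  # account whose mailbox receives reset links


def compromise_radius(accounts: Dict[str, Account], start: str) -> Set[str]:
    """All accounts an attacker holding `start` can take over, following two edges:
    reset: the account's reset mail lands in an already-compromised mailbox;
    reuse: the account shares a password with an already-compromised account."""
    fallen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for acct in accounts.values():
            if acct.name in fallen:
                continue
            via_reset = acct.recovery_email == cur
            via_reuse = acct.password == accounts[cur].password
            if via_reset or via_reuse:
                fallen.add(acct.name)
                queue.append(acct.name)
    return fallen


def with_unique_passwords(accounts: Dict[str, Account]) -> Dict[str, Account]:
    """Model the effect of a password manager: every account gets its own secret,
    so only the reset edges remain."""
    return {n: replace(a, password=f"unique-{n}") for n, a in accounts.items()}


# Constructed example: one reused password ("hunter2") and a chain of recovery mailboxes.
SAMPLE = {a.name: a for a in [
    Account("hotmail", "hunter2"),
    Account("gmail",   "g-secret", recovery_email="hotmail"),
    Account("twitter", "hunter2",  recovery_email="gmail"),
    Account("bank",    "b-secret", recovery_email="gmail"),
    Account("notes",   "hunter2"),
    Account("photos",  "p-secret"),
]}

if __name__ == "__main__":
    print(sorted(compromise_radius(SAMPLE, "notes")))                        # throwaway account takes the bank with it
    print(sorted(compromise_radius(with_unique_passwords(SAMPLE), "notes")))  # unique passwords: only "notes" falls
```

Note that unique passwords cut the reuse edges but leave the reset chain intact, so the mailbox at the root of that chain still deserves the strongest protection.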

After reading the TechCrunch article, I did a quick review of my own security policies, and noted the following:

  • It is important to review security policies periodically. Regardless of how solid a policy appeared in the year 2000, it can become quite brittle and fragile in the context of the year 2009.

  • I am once again reminded how happy I am to be using a tool like 1Password, to create strong, random, unique passwords for all the web services I use.

  • I'm glad I took the decision to use PGP to encrypt the entire disk on my MacBook.

  • I wish everyone used PGP, so that I could encrypt all my email.
