We have met the enemy… again!


My last entry was about the enormous security holes created by clear-text passwords and similar vulnerabilities as the result of bad IT practices.  I’d like to think I had great timing but by pure coincidence the Federal Trade Commission issued a press release the very next day related to the very same subject.

Seems our friends at Twitter just settled charges that it failed to protect consumers’ personal information.  Their site was allegedly hacked on two separate occasions in 2009 resulting in the hacker(s) gaining administrative control.

The first breach was the result of an insecure (read: ridiculously insecure) password and a lack of monitoring.

The administrative password was a weak, lowercase, common dictionary word. Using the password, the hacker reset several passwords, and posted some of them on a website, where other people could access them.

The second instance was, you guessed it, because an employee had his/her passwords stored in plain text.  This time the hacker was able to reset at least one Twitter user’s password and could access non-public user information and tweets for any user.

“…a hacker was able to guess the administrative password of a Twitter employee (stat) after compromising the employee’s personal email account where two similar passwords were stored in plain text.”

You may be thinking to yourself… “So what? It’s only Twitter. It’s not like they store credit card information or medical records. Who cares?”

Think again.

Under the terms of the settlement, Twitter will be compelled to “…establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years.”  They are also “…barred for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information…”

Not only do those actions affect Twitter’s operating costs; in the future, each violation of such an order may result in a civil penalty of up to $16,000!

This is just plain dumb.


~ by Marc Hedish on July 2, 2010.

6 Responses to “We have met the enemy… again!”

  1. **face in palm**

    Do you think shaving their heads and tattooing “My password is password” on their foreheads would teach them a lesson?

    • It’s a start. 😉
      After all, we both know these are the same folks that set their own accounts to not require periodic changes so it’s not as if there would be any issue with the permanent tattoo.

  2. Dumbasses will remain dumbasses, regardless of what you do.

    You can force them to attend classes, read manuals and memorize information, but you can’t force them to actually learn anything!

    And, by the way, my password is not GHEOD42^%#!2Gtts…

    Be good!

    Oded

  3. My brother suggested I would possibly like this web site.
    He was entirely right. This post truly made my day.
    You can not imagine just how much time I had spent for this
    info! Thank you!

  4. Thanks for finally writing about “We have met the enemy… again! | Marc’s AIM”. Loved it!
