16 July, 2009

Twitter Google Apps Not Hacked, TechCrunch, Michael Arrington, and Online Security
Today, there is drama surrounding the trendy social networking website Twitter. To summarize, someone managed to get into their corporate Google Apps account and then proceeded to email confidential documents to (at least) TechCrunch. TechCrunch is run by Michael Arrington, who has begun publishing those documents. It's important that everyone understand that this drama has absolutely nothing to do with Google Apps security. In fact, Mr. Arrington states incorrectly "the original security hole seems to be Google, via Google Apps for your Domain."

Update: This statement was later removed, but there is another statement "It's not our fault that Google has a ridiculously easy way to get access to accounts via their password recovery question." The word "Google" in that sentence really should be replaced with "Google's Gmail service."

Tell you what, how about you try and hack OUR Google Apps? Go to http://mail.blisstechnology.net/ and look down where it says "Can't access your account?" and click on it.

You will get nowhere.

And this is the DEFAULT setting for Google Apps across the board. There is no "security question" for Google Apps users, period.

Now, Gmail is a different story. So are a million other online services that offer security questions as a "password backup." What happened was that someone at Twitter, Inc. had a Gmail account (@gmail.com, not @twitter.com) with a very poor security question, and someone guessed the answer. From inside the Gmail account, they were able to find an email that provided access to Twitter's Google Apps. Oops.

So what lessons can we learn here? Google Apps is stronger than Gmail. Security questions are not something anyone should ever use, and if a security question is required, make up something utterly ridiculous and unguessable as your answer and write it down in a secure place. Never use personal email for business. Think seriously about security in general in 2009 and beyond - it's way past time to be nonchalant about the subject. Oh, and don't read TechCrunch.
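The advice about recovery answers is easy to turn into practice. The Python script below is an added example, not code from this post or from Google or Twitter: it uses constructed, order-of-magnitude pool sizes and a hypothetical list of common answers to compare how guessable typical security-question answers are against a randomly generated one, generates such an answer with the standard `secrets` module, and goes one step beyond the post by showing the kind of server-side check a service could apply to reject weak recovery answers when a user sets them.

```python
import math
import secrets
import string

# Constructed, order-of-magnitude sizes of the candidate pools a guesser would
# draw from for common recovery questions (illustrative assumptions, not data).
TYPICAL_ANSWER_POOL_SIZES = {
    "favorite color": 20,
    "first pet's name": 5_000,
    "city of birth": 10_000,
    "mother's maiden name": 50_000,
}

# Constructed sample of answers a guesser would try first (hypothetical list).
COMMON_ANSWERS = {"blue", "red", "fluffy", "max", "london", "new york", "smith"}

ALPHABET = string.ascii_letters + string.digits


def pool_entropy_bits(pool_size: int) -> float:
    """Bits of entropy when an answer is chosen uniformly from pool_size candidates."""
    return math.log2(pool_size)


def random_answer(length: int = 24) -> str:
    """Unguessable answer drawn from the OS CSPRNG; store it in a password manager."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_answer_entropy_bits(length: int = 24) -> float:
    """Entropy of random_answer(length): length * log2(alphabet size)."""
    return length * math.log2(len(ALPHABET))


def expected_guesses(bits: float) -> float:
    """Average number of guesses needed to hit a uniformly chosen secret."""
    return 2.0 ** bits / 2.0


def normalize(answer: str) -> str:
    """Fold case and whitespace the way a guesser (and many sites) would."""
    return " ".join(answer.strip().lower().split())


def is_guessable(answer: str, common_answers=COMMON_ANSWERS, min_bits: float = 40.0) -> bool:
    """Flag answers that appear in the common list or are too short to resist guessing.

    A service could run this check server-side when a user sets a recovery answer.
    The length check is an upper bound: it treats every character as drawn from ALPHABET.
    """
    folded = normalize(answer)
    if folded in common_answers:
        return True
    return len(folded) * math.log2(len(ALPHABET)) < min_bits


def compare_pools(random_length: int = 24) -> dict:
    """Entropy (bits) and expected guesses per question, plus a random answer for contrast."""
    report = {}
    for question, size in TYPICAL_ANSWER_POOL_SIZES.items():
        bits = pool_entropy_bits(size)
        report[question] = (bits, expected_guesses(bits))
    bits = random_answer_entropy_bits(random_length)
    report["random answer"] = (bits, expected_guesses(bits))
    return report


if __name__ == "__main__":
    for question, (bits, guesses) in compare_pools().items():
        print(f"{question:22s} {bits:7.1f} bits  ~{guesses:.3g} guesses")
    print("example unguessable answer:", random_answer())
```

Run it and the contrast is stark: a favourite-colour answer is worth about 4 bits (ten guesses on average), while a 24-character random string is well over 140 bits. The point of `is_guessable` is that the weak link in the story above was an answer a stranger could guess, and that is something a service can test for before accepting the answer at all.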

Now, Bliss Technology can't comprehend why Michael Arrington would sacrifice good sense for a quick rush of drama by publishing "secret" documents he obtained, but in our opinion, it's probably not a wise idea to annoy Twitter and their users. A quick search of http://search.twitter.com/ shows his "cool commodity" dropping like a lead stone into a bottomless pit, the social wildfire burning with hatred across the twittersphere, instant and raging.

As we take security seriously, we advise clients about these issues all the time. We also realize that Google Apps, cloud computing, and the online world in general have some PR challenges ahead, in spite of the extensive and shockingly awful history of true hacks and exploits (not just password-guessing) of software, usually Microsoft's, that is not in the cloud. That is why I wrote this: to explain clearly the issues surrounding this drama and to add our voice to reason, to the voices who loudly support Google and the cloud, who sing every day about the need to take security seriously, and who speak with distaste when reporters get our industry flat wrong.
