Tweeters beware: All is not secure on the cyber front

Proceed with caution when adopting new technologies

The Twitter microblogging service gets a lot of publicity, but recently that publicity has been increasingly bad as the company has become the victim of a series of hacks.

The most recent incident, which came to light last week, initiated an industry squabble over whether cloud computing is inherently unsecure or whether Twitter executives are just guilty of using bad security practices. It seems that a poorly protected password allowed a hacker to gain access to company records in Google Apps, a suite of online office services Twitter uses.

But the hacks, along with misuse of Twitter accounts that could compromise users, also highlight the danger of adopting new technologies as business tools before they are ready to be folded into the enterprise.

It is not surprising that Twitter and its management are not particularly focused on security because the service was started with no meaningful purpose. The site proclaims that it is intended for “the exchange of quick, frequent answers to one simple question: What are you doing?” Anyone who wants to frequently update the world on what he or she is doing in 140 characters or less probably has no life to speak of, and the people who want to read those updates probably are just as lacking. A tweet essentially is a postcard without the pretty picture, thus there is no reason for it to be any more secure than a postcard.

The novelty quickly became popular, however, and is becoming more widely used as a way to broadcast alerts and notices. A new, tech-savvy administration and Congress are adopting it, and according to the Web site GovTwit.com, there are more than 2,000 Twitter users either in government or commenting on government, with more than 17 million followers. From the Air Force to the White House, 375 agencies or offices use the service, along with 91 U.S. senators, congressmen and Hill staffers.

Those who seek ill-gotten gains have noticed the site's popularity. Not only has Twitter itself become a target, the site has become a vector for phishing attacks and links to Web sites containing malware. People who are used to thinking of Twitter as a nerdy toy use it in the workplace and expose the enterprise to risk.

This grassroots adoption is not a new story. It happened with texting, instant messaging, even with e-mail and the Internet itself. Today, these are accepted workplace tools, but years later the workplace still is suffering because of the vulnerabilities that these tools have introduced. They were developed without much thought for security, and even with the technologies and policies that have been bolted on later, networks tend to remain dangerously porous. These tools are common channels for both bad stuff coming into the enterprise and data leaving it.

The lesson we are being forced to learn once again is that technology often is thrust upon us and that administrators need to be aware of the implications of new tools such as Twitter. Banning their use probably is not necessary and might even be impossible, but policies to ensure responsible use and adequate security need to be in place as soon as new technology shows up in the workplace. Just because Twitter lets itself be hacked is no reason that users in your office should not be required to use strong passwords and common sense.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader comments

Mon, Aug 3, 2009 Trevor Vancouver, Canada

Check out http://politwitter.ca/ for Canadian political twitter. Keeping a detailed list of federal and provincial MP's and MLA's. Also allowing any Canadian to join the conversation through tracking keywords and hash tags. This service stands as the initial Canadian domestic Twitter site as well as it intends to have a broader range than alternative countries’ domestic Twitter mashups.

Tue, Jul 21, 2009 RayW

Unlike another poster, I saw a coherent article that covers what many people ignore, security, why there is a lack of it, and why it has to change. Skipping the current 'fad' of Twitter and the various cousins and having been around computers and the 'internet' since the late 60's, it is easy to see how we have the insecure system that we do. Most of the predecessor technologies were designed with an inherent 'trust' built in. Only certain people could use them, it was a 'small' group and mostly people with more or less a common goal. The internet became a commercial enterprise where the cost outweighed security and business concerns preempted a lot of other issues and the net is now used by anyone with a multitude of agendas present, not all good ones. Email, for example, was once thought of as not needed, but now most businesses could not survive without it. Even in the feds, Email is often the main or only method of pushing appointments, instructions, and other "do or get fired" type directions. But the biggest point made in this article about Twitter that is ignored by people is that it is a company. All of your typing goes through them. People who are in a position of power (but not necessarily knowledge), need to realize that although they can blast instructions out to their followers, that the information is also going somewhere else. And unless the other company is trusted (and the weak password means that they were NOT the most trusted), designed from the ground up to be secure (it was not, it was a fad to help pass time for those who had nothing better to do), then you should be leery of using it for something you do not want the world (or your enemy/competition) to know about. I read a lot of Sci-Fi, and things like Twitter may evolve into something that is indispensable to anyone above a subsistence level existence if you consider how often the better writers have had a glimmer of technology to come.
While I am not a fan of putting my underwear out on the net (paraphrased from my 16 year old on the subject of Twitter), I can see how this may take the place of email in a business environment for the smaller stuff like appointments or short directives like "snow day, do not come to work, and go home if you are here" type messages. Gotta have imagination to see that a device for bored people might have benefits beyond entertainment if implemented differently, but there are many similar systems out there that may eclipse what some think of as a Holy Grail.

Tue, Jul 21, 2009 Fernando Virginia

I agree with Anthony's comments. The author is taking an issue totally disconnected with the realities of Twitter usage and instilling a culture of "fear" that pervades Washington. Security is important, no question about it, but people working in, or around Government tend to blow things out of proportion. More than any other professional industries, which by the way are far more secure. When are we going to learn to be less paranoid and more effective with our security practices? Paranoia does not equal better security. Thumbs down to this lousy article.

Tue, Jul 21, 2009 Jim Washington, DC

The following ComputerWorld article accurately characterizes the situation as a password issue and not anything new or specific to the cloud: http://www.computerworld.com/s/article/9135668/Why_Twitter_Hack_is_NOT_a_Cloud_Security_Wake_up_Call?source=rss_security Readers need to put everything into perspective. If you recall, OSD SBU's email, a traditional client/server behind the firewall system, was also hacked into. See http://fcw.com/articles/2008/03/06/osd-cio-network-configuration-scanning-softened-cyberattack-blow.aspx Excerpt: "The hackers took advantage of a known Microsoft software vulnerability and sent spoof e-mail messages with the names of staff in Clem’s division. When the messages were opened, the code sent back the user names and passwords, which allowed access to the network. In follow-up forensics, Clem discovered that the hackers accessed sensitive information, which they encrypted as they transmitted it back to their sites." In fact, many of the top defense system integrators, who also use traditional systems, apparently have also been hacked at various times, see http://www.nextgov.com/nextgov/ng_20090430_6202.php?oref=rss?zone=ngtoday

Tue, Jul 21, 2009 Paul DC

Although I do not "tweet" or subscribe to any Twitter service, I found nothing in this article to deter me, despite the egregiously alarmist headline. An analogous point is that it is unsafe to shop at WalMart because someone stole records from an office in Bentonville. Really?
