Category: Security and privacy

September 21st, 2009

Are Twitter direct messages safe?

Posted by Michael Krigsman @ 6:03 pm

Categories: CIO issues, Enterprise 2.0, Failure 2.0, IT issues, Security and privacy

Tags: Twitter Inc., Michael Krigsman

A Twitter colleague sent me a direct message that apparently ended up in another user’s mailbox. This error suggests that private information sent on Twitter could be exposed to unintended recipients.

Here is a screen capture of the private message, annotated according to the following legend:

  1. Recipient: Susan Scrupski
  2. Sender: @zolierdos
  3. Intended recipient: @mkrigsman
  4. Message text, which I blurred to maintain confidentiality

The sequence unfolded this way: Twitter user @zolierdos sent a private direct message to me. That message ended up in the Twitter account of mutual friend Susan Scrupski. Susan then told Zoli and me that Twitter sent her the private message.

Zoli sent the message using a Twitter client, so perhaps the problem lies there. However, whether due to a Twitter snafu or a third-party bug, this issue raises serious questions about the confidentiality of private information sent through Twitter.

Until this issue is resolved and you can be sure private messages remain confidential, I suggest you adjust your direct message habits accordingly.

Have you experienced similar errors? Let us know.

Update 9/21/09, 11:15PM EDT: Twitter support contacted both Zoli and me to investigate. The company is taking the problem seriously.

Update 9/22/09, 8:00PM EDT: Twitter support says the problem was operator error and not a bug. While there is no way to prove this assertion, I’ve heard anecdotal evidence about direct messages ending up in the wrong hands. My advice: be careful sending sensitive information through Twitter.

July 16th, 2009

Twitter data theft: the human element

Posted by Michael Krigsman @ 7:10 am

Categories: CIO issues, Cultural issues, Enterprise 2.0, IT issues, Security and privacy

Tags: Cloud Computing, U.K., Twitter, Data Breach, Security, Michael Krigsman

Data security hit center stage this week following the theft of confidential personal and business information belonging to Twitter and its founders. A hacker gained access by infiltrating a Twitter founder’s email account protected by weak password security.

This breach raises issues about Twitter’s maturity as an organization, particularly concerning security practices, but also gives cloud computing in general a black eye. Enterprise blogger Jeff Nolan commented:

If Twitter were using something other than a public cloud for their documents and messaging, well it would have been a hell of a lot more difficult for someone to login with a password retrieved via the recovery feature in Gmail.

However, ZDNet’s Editor in Chief, Larry Dignan, dismisses any notion this situation represents a general cloud computing problem:

Bottom line: Twitter used an easy-to-guess password and recovery question. That’s how the hacker was able to get in - not because Google has some sort of security hole.

THE PROJECT FAILURES ANALYSIS

To place the matter in context, consider the broader subject of data breaches. The following diagram from the I’ve Been Mugged blog, which covers data breaches and identity theft, illustrates the basic truism that most folks consider security a hassle:

Read the rest of this entry »

March 6th, 2009

Twitter and identity theft

Posted by Michael Krigsman @ 3:46 pm

Categories: CIO issues, Enterprise 2.0, Failure 2.0, Security and privacy

Tags: Twitter, Identity Theft, Security, Michael Krigsman

Someone hacked the Twitter account of ZDNet colleague, Dennis Howlett, exposing security as a serious Twitter weakness.

Dennis described the incident in a blog post titled, “I’m a porn star:”

For several hours this evening my 3,000+ Twitter followers thought I was a 23 year old porn star. No - I’m not giving out the link but apparently my account had been hacked. I wouldn’t mind except I see my Twitter account as something of value and while many of my regular followers saw it as a joke it is far from funny.

On the surface, the hack might seem funny, and one can easily imagine the jokes it could inspire. However, for the victim, such attacks represent a serious problem indeed.

Aside from the inconvenience of repairing the damage, identity theft can hurt precious reputations and damage valuable relationships. Imagine a work associate receiving a hacked Twitter private message - how would the recipient even know the account had been hacked?

Although rapid growth takes many social networking vendors by surprise, it does not alleviate the vendor’s obligation to maintain proper security. Twitter has not adequately met its responsibility to protect users.

February 16th, 2009

Yes, Twitter is still dangerous

Posted by Michael Krigsman @ 8:49 am

Categories: CIO issues, Enterprise 2.0, IT issues, Politics, Risk, Security and privacy, Tools

Tags: Twitter, Security, Michael Krigsman

Twitter’s power to broadcast confidential information unobtrusively remains a genuine security risk to government and private sector organizations. For example, CBS News reports that a Congressman disclosed confidential information on Twitter during a secret trip to Iraq:

Congressman Pete Hoekstra (R-Michigan), a ranking member of the House Intelligence Committee, caused what some have argued was a major lapse in security last week when he used the micro-blogging site Twitter to post real-time updates about a secret congressional envoy into Iraq.

Congressional Quarterly reports the Pentagon is reviewing policy following the Pete Hoekstra situation:

Read the rest of this entry »

January 30th, 2009

Hackers program highway sign with Zombie warning

Posted by Michael Krigsman @ 12:23 pm

Categories: Security and privacy, Uncategorized

Tags: Photograph, Michael Krigsman

Here’s a lighthearted failure suitable for Friday afternoon.

In a true “sign of the times”, so to speak, someone reprogrammed an electric highway sign to warn motorists of impending zombies:

CAUTION ZOMBIES AHEAD!!!

THE END IS NEAR!!!!!!!!!

RUN FOR COLD CLIMATES

Here are the photos:

Read the rest of this entry »

December 23rd, 2008

IT ethics and the recession

Posted by Michael Krigsman @ 7:34 am

Categories: IT issues, Research and statistics, Security and privacy

Tags: Recession, Information Technology, Ethics, Worker, Business Ethics, Leadership, Management, Michael Krigsman

With a major recession in full swing, someone had to come up with a survey covering the ethics of office workers in three countries. The punch line: a large percentage of folks surveyed would steal confidential company data in the event of layoff rumors. The results are fairly ugly, painting a negative picture of ethics in the workplace.

Security firm, Cyber-Ark, conducted the survey, called The Global Recession and its Effect on Work Ethics. The company interviewed 600 workers in the US, UK, and the Netherlands.

When asked how far respondents would go to keep their job, 15 percent of Americans said they would consider blackmailing their boss! At first, I thought this was a joke, but it appears to be serious after all.

Unfortunately, the answers are not a positive reflection upon my fellow citizens:

Read the rest of this entry »

December 10th, 2008

6 tips to avoid security policy failure

Posted by Michael Krigsman @ 8:38 am

Categories: CIO issues, End-user impact, IT issues, Research and statistics, Security and privacy

Tags: Clavister, Security, Michael Krigsman

Security breaches expose millions of consumers to identity theft every year, making this a particularly rampant form of IT-related failure. A new study pinpoints human error as the primary cause and offers recommendations for creating and enforcing usable policies.

It’s common for data breaches to result from incidents involving lost laptops, inadequate system testing, poor physical shipping practices, and sheer carelessness. In many cases, these breaches occur when employees violate established security procedures required by either government regulation or existing organizational policies.

A research report sponsored by security solution provider, Clavister, affirms the view that workers cause most security problems by ignoring established policies:

Read the rest of this entry »

December 1st, 2008

Former inmate accused of hacking prison IT

Posted by Michael Krigsman @ 7:28 am

Categories: CIO issues, Government projects, IT issues, Project failures, Security and privacy

Tags: Hacking, Information Technology, Prison, Access Control, Computer, Productivity, Security, Michael Krigsman

Federal authorities charged a former inmate with successfully breaking into prison computer systems during his incarceration and stealing identity information on prison personnel. Beware: if hacking can happen under the noses of federal prison authorities, then your company is certainly not immune.

A press release from the Attorney General’s office in Boston describes the indictment:

[Francis G. Janosko, age 42,] is alleged to have obtained the password to a prison management program and to have made available to other inmates a report listing the names, dates of birth, Social Security numbers, some addresses and telephone numbers of over 1,100 current and former prison personnel.

According to the release, the prison allowed inmates computer access to a system containing legal research information and “nothing else.” Janosko bypassed security by “exploiting a previously-unknown idiosyncrasy in the legal research software:”

Read the rest of this entry »

November 7th, 2008

Bank of Ireland: data breach repeat offender

Posted by Michael Krigsman @ 6:55 am

Categories: CIO issues, IT issues, Security and privacy

Tags: Bank Of Ireland, Memory, Flash Memory, Semiconductors, Hardware, Components, Michael Krigsman, Bank For Ireland, Ken, Identity Theft

A Bank of Ireland employee lost an unencrypted USB memory stick containing personal information belonging to 894 customers. Stopping this problem requires more stringent government enforcement.

Finextra reports:

The personal information, including account numbers, phone numbers and addresses, was copied onto the USB device in contravention of the bank’s policies and procedures.

The Bank of Ireland has a history of allowing private customer information to escape. Earlier this year, the bank lost data on 10,000 customers when four laptops were stolen. Perhaps unsurprisingly, that data was also not encrypted:

Read the rest of this entry »

October 16th, 2008

Android kill switch: Is Google evil?

Posted by Michael Krigsman @ 6:03 am

Categories: CIO issues, End-user impact, Google, IT issues, Security and privacy

Tags: Google Inc., Telecom & Utilities, Michael Krigsman, Computer World, Dennis, Web Browsers, Handhelds, Internet, Hardware

Google’s new Android phone includes a “kill switch,” allowing the company to delete applications users purchase from the Android Market. Frankly, I don’t trust Google’s intentions.

Computer World describes the situation:

In the Android Market terms of service, Google expressly says that it might remotely remove an application from user phones. “Google may discover a product that violates the developer distribution agreement … in such an instance, Google retains the right to remotely remove those applications from your device at its sole discretion,” the terms, linked to from the phone, read.

Some Google users, including ZDNet’s Christopher Dawson, call the company a friend; others question whether Google lives up to its “do no evil” corporate mantra. For example, Dennis Howlett blogged about Google’s original license (which they later modified) for its Chrome browser:

Read the rest of this entry »

Michael Krigsman is CEO of Asuret, Inc., a software and consulting company dedicated to reducing software implementation failures.
