January 7th, 2009

A roadmap for the Twitter CSO

Posted by Adam O'Donnell @ 12:30 pm

Categories: Hackers, Phishing, Social Networking Applications, Spam and Phishing, Web 2.0, Web Applications

Tags: Password, Twitter, Phishing, Security, Spam And Phishing, Adam O'Donnell

The folks at Twitter had to deal with an attack from both phishers and hackers over the past few days. As someone who has been in their shoes many times before, I deeply sympathize with their team and understand the amount of work they now need to do. For those of you who have never had to rapidly triage security for a service, I have put together a sample task list so you have some idea of what needs to be done.

This weekend Twitter was hit first by a phishing attack that was seen across multiple social networks. During the initial attack, one of the support staff had their account compromised via a password brute force, which gave an external party super-user access to the Twitter backend. That second failure is the more serious one: a single guessable password on an ordinary support login should never have been enough to reach administrative functions.

After the team has stanched the immediate bleeding, they will have to go back to the basics of network and system security and implement a revised security policy for both their employees and their users. To keep user frustration to a minimum, the user policy will need separate considerations for standard accounts and for high-profile accounts whose compromise is worth a great deal to an attacker. Once the stakeholders agree on the security principles, I would expect their plan to look something like this:

In the following few days:

  • Buy every employee a password vault, such as 1Password or Norton’s Password Manager. Once it is deployed, enforce a strict password complexity policy so that employees effectively have to use the software; long random passwords are what make a brute force like this weekend’s fail. Rate-limit or lock out repeated failed logins on employee accounts at the same time, so a guessing attack is slow and visible rather than silent.
  • Identify and monitor high-value accounts: those belonging to celebrities, politicians, and other influential hubs.

In the following few weeks:

  • Implement two-factor authentication for both login and password reset, using SMS and e-mail tokens, for high-value accounts.
  • Separate Twitter employee accounts from Twitter administration accounts. Segregate the administration accounts onto a separate, monitored web server that is reachable only over a VPN which itself requires two-factor authentication, so that a compromised support login no longer yields super-user access on its own.
  • Establish a traditional network and system security policy covering patch management, monitoring, and an incident response process.
  • Create a separate authentication token, available to the user on request, that grants temporary, read-only access to the user’s profile. The user can then hand this token to third-party applications that analyze Twitter content instead of handing them the account password.
  • Engage a third-party security firm, such as iSec Partners, IO Active, or Matasano, to audit all user-facing code.
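A minimal implementation of the read-only, time-limited delegation token described above, added here as an illustration and not Twitter’s or the author’s code: the server mints an HMAC-signed token carrying the user id, a fixed read scope and an absolute expiry, and a third-party request is authorized only if the MAC verifies, the token is unexpired, the account matches and the requested action is in the read-only set. The function names (issue_token, parse_token, authorize, forge_scope), the action strings, and the token format are assumptions of the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Hypothetical server-side signing key. In production this comes from a
# secrets store or HSM, never from source; generated at import time here so
# the example runs stand-alone.
SERVER_KEY = os.urandom(32)

# Actions a read-only delegation token may perform (hypothetical names).
READ_ACTIONS = {"read_profile", "read_timeline"}


def _b64(data):
    return base64.urlsafe_b64encode(data).decode("ascii")


def issue_token(user_id, ttl_seconds, key=SERVER_KEY, now=None):
    """Mint a short-lived, read-only token the user can hand to a third-party app.

    The token carries its own scope and expiry and is bound to the server key
    by an HMAC, so the holder cannot widen the scope or extend the lifetime.
    """
    now = time.time() if now is None else now
    payload = {
        "uid": user_id,
        "scope": "read",                 # never "write": this token only reads
        "exp": int(now + ttl_seconds),   # absolute expiry, Unix seconds
        "nonce": _b64(os.urandom(8)),    # lets the server revoke individual tokens
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def parse_token(token, key=SERVER_KEY, now=None):
    """Return the payload if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return None
    # Verify the MAC before trusting anything in the body; constant-time compare.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    payload = json.loads(body)
    if payload.get("exp", 0) <= now:
        return None
    return payload


def authorize(token, action, user_id, key=SERVER_KEY, now=None):
    """Decide whether a third-party request bearing `token` may do `action` on `user_id`."""
    payload = parse_token(token, key, now)
    if payload is None:
        return False
    if payload.get("uid") != user_id:
        return False        # token was issued for a different account
    if payload.get("scope") != "read":
        return False        # only the read scope is ever issued
    return action in READ_ACTIONS


def forge_scope(token):
    """Simulate an attacker rewriting the scope to 'write' while keeping the old MAC."""
    body_b64, tag_b64 = token.split(".")
    body = base64.urlsafe_b64decode(body_b64).replace(b'"scope":"read"', b'"scope":"write"')
    return _b64(body) + "." + tag_b64


if __name__ == "__main__":
    tok = issue_token("alice", ttl_seconds=900)
    print("read timeline:", authorize(tok, "read_timeline", "alice"))              # True
    print("post status:", authorize(tok, "post_status", "alice"))                  # False
    print("forged scope:", authorize(forge_scope(tok), "post_status", "alice"))    # False
```

Because the scope and expiry are inside the signed body, the third party can neither escalate the token to write access nor keep using it past its lifetime; the nonce gives the service a handle for revoking a single token when the user withdraws access from one application.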

In the following few months:

  • Establish a separate support and escalation policy for high-value accounts.
  • Offer anomaly-based alerting to high-value account holders, such as an SMS message when the account is accessed from too many IP addresses in too short a period of time.
  • Remediate all high-impact, high-probability issues found by the third-party audit.
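The two detections this plan calls for, the password brute force that compromised the support account and the too-many-IPs alert for high-value accounts, run here over a handful of constructed login records. This is an added example, not Twitter’s or the author’s code; the log format, the account names, the thresholds and the rule names are assumptions of the example, and the sample log is made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# One login record per line (constructed format for this example, not Twitter's).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) login "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample: a politician's account used from three networks in three
# minutes, a support account guessed after five failures, and one junk line.
SAMPLE_LOG = """\
2009-01-05T10:00:00Z login user=senator_x ip=203.0.113.10 result=success
2009-01-05T10:01:00Z login user=alice ip=198.51.100.7 result=success
2009-01-05T10:02:00Z login user=senator_x ip=203.0.113.11 result=success
2009-01-05T10:03:00Z login user=senator_x ip=198.51.100.20 result=success
2009-01-05T10:03:30Z login user=support_bob ip=192.0.2.5 result=failure
2009-01-05T10:03:31Z login user=support_bob ip=192.0.2.5 result=failure
2009-01-05T10:03:32Z login user=support_bob ip=192.0.2.5 result=failure
2009-01-05T10:03:33Z login user=support_bob ip=192.0.2.5 result=failure
2009-01-05T10:03:34Z login user=support_bob ip=192.0.2.5 result=failure
2009-01-05T10:03:35Z login user=support_bob ip=192.0.2.5 result=success
2009-01-05T10:04:00Z login user=senator_x ip=203.0.113.11 result=success
2009-01-05T10:30:00Z login user=senator_x ip=203.0.113.12 result=success
this line is not a login record
"""
HIGH_VALUE = {"senator_x"}   # the monitored high-value accounts (hypothetical)


def parse_line(line):
    """Return (unix_ts, user, ip, result), or None for lines that are not login records."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
    return ts, m["user"], m["ip"], m["result"]


def detect(lines, high_value, ip_threshold=3, window=600, fail_threshold=5):
    """Run sliding-window rules over login records; return (rule, user, count) alerts in firing order.

    distinct_ips: a high-value account succeeded from >= ip_threshold distinct IPs
        within `window` seconds (this is what the SMS alert would carry).
    brute_force: any account accumulated >= fail_threshold failures within `window`.
    success_after_brute_force: a success while the failure count is still over
        threshold, i.e. the guessing worked (the support-account scenario).
    The two threshold rules fire once per crossing, not on every event.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[0])
    successes = defaultdict(deque)   # user -> deque of (ts, ip)
    failures = defaultdict(deque)    # user -> deque of ts
    alerts = []

    def trim(q, ts, key=lambda x: x):
        while q and ts - key(q[0]) > window:   # drop entries older than the window
            q.popleft()

    for ts, user, ip, result in events:
        fq = failures[user]
        trim(fq, ts)
        if result == "failure":
            before = len(fq)
            fq.append(ts)
            if before < fail_threshold <= len(fq):
                alerts.append(("brute_force", user, len(fq)))
            continue

        if len(fq) >= fail_threshold:
            alerts.append(("success_after_brute_force", user, len(fq)))
        if user not in high_value:
            continue      # per the roadmap, IP-spread alerting is offered to high-value accounts
        sq = successes[user]
        trim(sq, ts, key=lambda x: x[0])
        before = len({i for _, i in sq})
        sq.append((ts, ip))
        after = len({i for _, i in sq})
        if before < ip_threshold <= after:
            alerts.append(("distinct_ips", user, after))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines(), HIGH_VALUE):
        print(alert)
```

The failure counter is keyed per account, which catches the single-account guessing described in this incident; a slow, distributed guess against many accounts from one source would need the same window keyed by source IP as well. The thresholds are deliberately low so the sample trips them; in practice they are tuned from a few weeks of baseline login data.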

This plan is by no means complete nor authoritative, but it should give you some insight into the workload that the service’s security team now faces.

Adam J. O'Donnell, Ph.D. is an R&D engineer who has focused on computer security since 2000. He is currently the Director of Emerging Technologies at Cloudmark, a messaging security company located in San Francisco.
