Small business online security – lessons from the Twitter hacker

The hacking of confidential Twitter business documents highlights the vulnerability of online security for startups and small businesses. Here are some tips on how to make your business safer online.

20th July 2009 at 12:15 pm

For those who aren’t immersed in news about web startups and the world of social media, you might have missed the biggest story of recent weeks: the hacking of Twitter business documents by a Frenchman dubbed Hacker Croll.

By breaking into a personal email account of a Twitter employee, he was able to infiltrate most of the company’s highly confidential documents, email and other details held on their own servers and in Google’s ‘cloud-based’ applications.

He then passed more than 300 of these documents to TechCrunch, the world’s most widely read blog about web startups.

For the geeks among you the fascinating details of the hack were revealed by TechCrunch yesterday.

[Image: Twitter FAIL whale] Twitter security FAIL. But how robust are the passwords of your staff?

Much has been made of the fact that Twitter’s security house of cards came tumbling down because, like many a good web startup, the company used cloud services.

Their documents, email and so on were all held online on other people’s servers, such as Google’s, rather than on their own hardware in a broom cupboard.

But the reality is it’s people that are the problem, not where your data is.

The key component of Hacker Croll’s successful break-in was being able to guess the personal Gmail password of a Twitter employee.

Like the huge majority of people, this individual often used the same password for many accounts. He had also inadvertently spread the answers to additional security questions, like ‘what’s the name of your pet’, around the web on social networks. So the French hacker soon had his hands on Twitter’s crown jewels.

Secure passwords are at the heart of the problem. Most people simply don’t use them, because they can’t remember a four-digit PIN, let alone unique passwords for every application, computer or web service they’re signed up to.

This is a major problem. And it’s not just online security that suffers in this way.

I used to work at a FTSE 100 bank where everybody in the department had their computer password written down in the team personal assistant’s rolodex.

So how do you improve password security online and off for your business? Here are some tips:

  1. establish a password policy for your business to which all staff are required to adhere;
  2. encourage staff to use unique passwords for each computer or service they use;
  3. make sure all passwords have eight or more characters;
  4. do not allow passwords to contain real, comprehensible words otherwise guessing is about as hard as playing hangman;
  5. suggest ways to make passwords long, secure but memorable: for example pick a favourite line from a song, poem or nursery rhyme and use the first letters of each word to form a password, e.g. “You have brains in your head. You have feet in your shoes.” could be Yhbiyh!YHFIy5;
  6. remember to mix upper and lowercase characters in the password together with special characters and numbers. In the example above, the exclamation mark is used in place of a full stop (which you couldn’t use in a password anyway) and the last ‘S’ is turned into the number 5;
  7. make sure answers to password hints are false, e.g. if asked ‘what is the name of your pet’ make sure the answer is the name of a friend’s dog, not your cat;
  8. if you really have to write down passwords, don’t store them on a computer, but write them on a piece of paper and put them in the company safe.

Just the above measures will dramatically improve your online and physical computing security, but it’s not an exhaustive list.

Let us know if you have any password security tips we’ve missed.
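As an added illustration that is not part of the original post, here is a small Python checker for tips 3, 4 and 6 (length, no dictionary words, mixed case plus digits and special characters) and a helper for the first-letters trick in tip 5. The minimum length is taken from the post; the dictionary wordlist is a constructed stand-in for a real wordlist file.

```python
import re
import string

# Tip 3 from the post: eight or more characters.
MIN_LENGTH = 8
# Constructed stand-in for a full dictionary wordlist (tip 4).
DICTIONARY = {"password", "twitter", "secret", "summer", "welcome", "london"}


def check_password(candidate: str) -> list:
    """Return the policy rules the candidate breaks; an empty list means it passes."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append("too short")
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    if not (has_lower and has_upper):
        failures.append("no mix of upper and lower case")
    if not any(c.isdigit() for c in candidate):
        failures.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        failures.append("no special character")
    # The "hangman" problem: any whole dictionary word inside the password makes it
    # guessable. Substring matching catches "password1" but not "passw0rd", so a real
    # deployment would also test common letter-for-digit substitutions.
    lowered = candidate.lower()
    if any(word in lowered for word in DICTIONARY):
        failures.append("contains a dictionary word")
    return failures


def acrostic(line: str) -> str:
    """Tip 5: first letter of each word, with the full stop between sentences
    swapped for '!'. Mixing case and turning letters into digits is left to the user,
    which is why the raw result still fails the digit rule."""
    sentences = re.split(r"(?<=\.)\s+", line.strip())
    initials = ["".join(w[0] for w in re.findall(r"[A-Za-z']+", s)) for s in sentences]
    return "!".join(initials)


if __name__ == "__main__":
    rhyme = "You have brains in your head. You have feet in your shoes."
    for pw in ["password1", acrostic(rhyme), "Yhbiyh!YHFIy5"]:
        print(pw, check_password(pw) or "OK")
```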


Alex is the founder and editor of SmallBizPod, the UK's first podcast dedicated to small business, start-ups and entrepreneurship. Alex writes about topical small business issues, entrepreneurs and anything else that catches his eye here on the small business blog. http://www.smallbizpod.co.uk


  1. This post doesn’t seem to address any of the problems specific to webapps. There will always be users in your organization who don’t follow these rules and without knowing everyone’s password how are you going to enforce these rules?

    When businesses run applications themselves they can usually set password policies, firewalls, logging etc. In cloud-based applications you don’t have any of these options.

  2. Richard, I defer to your greater expertise in this area and agree that you’re reliant on the common sense of people you work with.

    I thought in the case of Google Apps Premium you had pretty good control of passwords e.g.
    http://tinyurl.com/8j4l3h

  3. That’s interesting that Google is doing that! I couldn’t see it mentioned on their site. Another thing that would be useful to see would be a list of failed logins with times and IPs so that you could monitor security. Also flagging access from unusual IPs or even limiting some content by IP address (sensitive stuff that shouldn’t be accessed outside the main office).

    I don’t have Google Apps Premium so I don’t know if it has that.

  4. Unless I’ve missed it, which is possible, I don’t think that level of reporting or IP control is available.

    I’m sure Google has something in place to prevent brute force attacks. The Twitter hacker didn’t use brute force, but cunning and human frailty.

  5. I’m sure Google do have something for brute force.

    Though it might have stood out to staff there that the content was being accessed from Europe rather than the main office or any of the staff’s homes. The person using the account went on undetected.

  6. Great point Richard.
