Cracking Down: Twitter Settles Charges that It Did Not Take Adequate Security Precautions To Protect User Privacy Settings

Today, the Federal Trade Commission (FTC) and Twitter announced that Twitter has agreed to settle FTC charges that the company failed to take sufficient security measures to protect user privacy settings.  

The FTC charges stem from breaches in security that occurred in 2009, when hackers accessed Twitter employee accounts and used administrative controls to access the Twitter accounts of high-profile users, including Barack Obama.  (Under hacker control, President Elect Obama's Twitter account apparently "offered his more than 150,000 followers a chance to win $500 in free gasoline.")  Twitter candidly announced the first security incident in January 2009 and blogged about a second incident in April 2009.

The FTC Complaint (.pdf) lists the following security flaws among Twitter's failings:

  • Twitter allegedly did not have policies that required its administrators to select hard-to-guess passwords; instead, administrators were permitted to use "weak, lowercase, letter-only, common dictionary word[s]" as administrative passwords.

  • Twitter employees were allowed to store administrative passwords in plain text form, so that once hackers broke into their accounts, the hackers had full administrative access to other users' accounts.

  • Twitter did not disable administrative accounts after a number of unsuccessful login attempts, allowing hackers to easily run automated tools to break into the accounts.

  • Twitter administrators were not required to change their passwords regularly.

  • Twitter did not limit administrative access to user accounts to those employees who needed such access.

  • Twitter did not do enough to restrict administrative access to authorized individuals, including by requiring administrators to log into a separate employee website or restricting administrator access to specific IP addresses.
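As an added illustration (not code from the FTC complaint, Twitter or this blog), the following Python sketch models the administrative-login controls the complaint lists as missing: a password policy that rejects lowercase dictionary words, salted hashing instead of plaintext storage, lockout after repeated failures and a source-address allowlist. The wordlist, the allowed address and all credentials are constructed sample values.

```python
# Added example (not from the FTC complaint, Twitter or this blog): a minimal model
# of the missing admin-login controls. Wordlist, address and credentials are constructed.
import hashlib, hmac, os, string

COMMON_WORDS = {"password", "twitter", "admin", "happiness"}  # constructed wordlist
ADMIN_ALLOWLIST = {"10.0.0.5"}                                 # constructed office address
MAX_FAILURES = 5

def password_is_acceptable(pw):
    """Reject the 'weak, lowercase, letter-only, common dictionary word' class."""
    if len(pw) < 12 or pw.lower() in COMMON_WORDS:
        return False
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    return sum(classes) >= 3

def hash_password(pw, salt=None):
    """Store a salted PBKDF2 hash, never the plaintext password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

class AdminAuth:
    def __init__(self):
        self.users = {}     # name -> (salt, hash)
        self.failures = {}  # name -> consecutive failed attempts
        self.locked = set()

    def add_admin(self, name, pw):
        if not password_is_acceptable(pw):
            raise ValueError("password does not meet policy")
        self.users[name] = hash_password(pw)

    def login(self, name, pw, src_ip):
        # Return 'ok' or a denial reason; every failed attempt counts toward lockout.
        if src_ip not in ADMIN_ALLOWLIST:
            return "denied: source address not allowed"
        if name in self.locked:
            return "denied: account locked"
        ok = False
        if name in self.users:
            salt, stored = self.users[name]
            ok = hmac.compare_digest(stored, hash_password(pw, salt)[1])
        if ok:
            self.failures[name] = 0
            return "ok"
        self.failures[name] = self.failures.get(name, 0) + 1
        if self.failures[name] >= MAX_FAILURES:
            self.locked.add(name)
        return "denied: bad credentials"
```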

What may be a key issue for many online businesses developing social networking sites is that, according to the FTC, users' privacy settings may impose an implicit duty on the website operator to take certain security precautions in order to preserve the user's settings.  In Twitter's case, the site allowed users to make some "tweets" (short user messages/postings) private, and the alleged lack of security allowed hackers to access those private messages.  The FTC Complaint (.pdf) claims that "Twitter has engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security to: prevent unauthorized access to nonpublic user information and honor the privacy choices exercised by its users in designating certain tweets as nonpublic."  According to the FTC, the lack of security was so severe that Twitter's claim that users' privacy was protected amounted to a deceptive act under the FTC Act.

In its Agreement (.pdf) with the FTC, Twitter consented to adopt a comprehensive information security program and submit independent security assessments to the FTC every other year for the next 10 years.  In today's blog posting, Twitter indicated that "[e]ven before the agreement, we'd implemented many of the FTC's suggestions and the agreement formalizes our commitment to those security practices."

 

Incident of the Week: Free iPhone Password Breaker Released

Back in October you may remember our post on Elcomsoft, a Russian software company that came out with a program to decrypt common wireless network signals.  Well, they're back this week with a program that will "enable[ ] forensic access" to password-protected backups for Apple iPhone and iPod touch devices.  In other words, if someone obtains access to the computer you use to sync your iPhone, they could also get access to "backups containing address books, call logs, SMS archives, calendars, camera snapshots, voice mail and email account settings, applications, Web browsing history and cache."  And while the program is in beta testing, Elcomsoft is even giving the program away for free.

The program apparently uses the computing power of the latest generation of video cards to perform a dictionary or "wordlist-based attack" to recover the password needed to unlock the backup files.  This means that if your password can be found in a dictionary or a hacker's wordlist, there is a program out there that will unlock it.  With technology like this out there to decode commercially available encryption schemes, the best protection we may have is to select a sufficiently complex password to defeat wordlist-based attacks (and not to use the same password for all your online activities, which Twitter's recent incident and Trusteer's recent survey (.pdf) have suggested are rampant problems).

Incident of the Week: Twitter Used In Sting Operation To Find Out Who Leaked TSA Security Directive

Rumors are circulating that Special Agents from the Transportation Security Administration (TSA) have been posing as a Connecticut blogger on Twitter to find out who leaked airport security screening procedures put in place after the recent attack by the "underwear bomber."  This is a new twist in what some are describing as an overzealous investigation of government documents posted online.

As many of us found out on Christmas Day, a 23-year-old Nigerian man identified as Umar Farouk Abdulmutallab apparently ignited an incendiary or explosive device in his lap while he was sitting on Northwest Airlines Flight 253 to Detroit.  While no passengers were harmed, the same cannot be said for the would-be bomber's lap, which combusted.  In reaction to the attack, the TSA issued Security Directive 1544-09-06 directing TSA airport officers to pat down 100% of all passengers, "concentrating on upper legs and torso," with the notable exception of heads of state.

Two days later, on December 27, 2009, the TSA Security Directive was posted to the Flying with Fish blog run by Steven Frischling and to Chris Elliot's blog at Elliot.org.  TSA was not pleased with this attention.  Apparently, the TSA considered the Security Directive secret, even though it was sent to thousands of airports and airlines around the world and arguably was somewhat obvious to anyone in an airport around Christmas-time.  The agency launched an immediate investigation, sending agents and subpoenas to Frischling's and Elliot's homes (the text of which is available at his blog).

Frischling ultimately cooperated with the probe, gave them access to his BlackBerry, iPhone and computers and let TSA agents know that his source had contacted him anonymously using a free email service. 

Then an unusual message appeared on blogger Steven Frischling's Twitter account:

To the gentleman who sent Flying With Fish the TSA Security Directive … Thank You! Can you drop me an email? I have a question. Thanks-Fish.

According to sources interviewed by Wired, a TSA agent took possession of Frischling's BlackBerry, typed the Twitter update into the device and then directed Frischling to click on the "send" button to post the message to his Twitter page.  According to Wired's source, this was an attempt to induce the anonymous informer to send Frischling an email and draw him or her out of hiding.  Of course, implicit in this strategy is that the TSA already had, or expected to gain, access to Frischling's email as well.  The TSA denies this account.  Other bloggers, such as TechCrunch's Michael Arrington, have pointed the finger at Frischling and have criticized him for caving to government pressure and cooperating in the effort to out his own confidential source.

No doubt, the TSA is under considerable pressure to heighten its security since early December, when an employee inadvertently posted online the agency's highly classified airport security operating manual.

Incidents of the Week: Iranian Cyber Army Targets Twitter & $26 Software Application Intercepts U.S. Military Satellite Feeds In Iraq

1.  Iranian Cyber Army Puts Twitter On Hold

Around 10 pm last night, the popular social networking site Twitter was apparently hacked by a group calling themselves the Iranian Cyber Army.  Iran and Twitter have had a rocky relationship since last summer, when Iranian citizens spread the protests over Iranian elections to the popular web site.  During that time, links circulated on Twitter that allowed users to participate in DoS (Denial of Service) attacks on Iranian government websites.  Given the name adopted by Twitter's hackers, it may be no coincidence that the New York Times interview with a U.S. computer security expert in June 2009 described the Twitter DoS attacks as allowing Twitter users to "'become part of the cyber-army,' in Iran."

 

2. $26 Russian Software Has Been Intercepting U.S. Military Drone Video Feeds In Iraq

Ever since Iraq invaded Kuwait in 1990, we laypeople have been introduced to video from U.S. military missiles right before something like a building exploded in fuzzy black and white.  Then came more advanced military drones, remote-controlled airplanes with greater resolution and an improved arsenal.  If you have been craving some low-res military action, it may only cost you a satellite dish and $26.  Using a $26 software package developed by a Russian software company called SkyGrabber, Iraqi insurgents have reportedly been tapping into live video feeds from U.S. drone aircraft.  This news comes from a U.S. official speaking anonymously with the Wall Street Journal, who reported that U.S. troops have recovered laptops used by the insurgents with "days and days and hours and hours" of intercepted military video.

The SkyGrabber software, which allows users to tap into unencrypted satellite connections, apparently has been successfully used against the military feeds because they were (you guessed it) unencrypted.  U.S. military officials commented to CNN that encrypting the signals is problematic because it slows down video transmissions that need to be seen by a number of different operators at the same time.  Query as to whether having your adversaries monitoring your battlefield surveillance will justify adding encryption to the military's systems.  (Just remember when you do that another Russian software application is capable of decoding the WPA encryption standard.) 

Lest we begin criticizing the military too strongly, however, a moment of self-reflection might be worthwhile.  The next time you connect to the Internet using a wireless connection, whether at home or at a coffee shop, ask yourself whether you are taking any precautions to prevent your activity from being intercepted or whether you are just rolling the dice that no one in 100 yards has purchased some software from Russia recently.

 

Incident of the Week: Social Networking Sites Used as Command and Control Structure for BotNets

Are you having trouble making sense of social networking sites like Twitter?  It may be because you are trying to read an encoded command to a malware-infected computer.  Security consultant Jose Nazario at Arbor Networks has discovered that popular social networking sites like Twitter and Jaiku are being used to control botnets, armies of computers that have been infected with malware enabling the individual controlling the botnet to steal user information and direct the computers to attack others.  Botnet commanders often use IRC (Internet Relay Chat) messages to control the "slave" computers, but Nazario discovered encoded gibberish in a user's tweets and decoded them to find that the messages directed infected computers to download additional payloads of malware.  According to Nazario's post on the Arbor Networks blog, the original botnet commands appear to have been used to steal user information.

This raises a number of concerns for any website that permits users to generate content. In addition to copyright infringement and other abuse concerns, clearly this highlights another type of content that website administrators should be policing. Also, as companies and institutions begin to view particular websites as being involved in botnet infections, even inadvertently, system administrators may begin blocking access to these sites. As a result, this is a concern both for companies that maintain social networking sites, blogs and other user-generated content, as well as employers and other companies that provide access to those sites.
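As an added illustration (not code from Nazario's post, Arbor Networks or this blog), here is a small Python detector for the pattern described above: tweets whose tokens are encoded text that decodes to a download instruction. It assumes the encoding is base64 (the post says only "encoded gibberish"), and the tweets below are constructed samples.

```python
# Added example, not from Nazario's post or Arbor Networks: flag tweets carrying
# base64-encoded text that decodes to a URL (the encoding is an assumption;
# the sample tweets are constructed).
import base64
import binascii
import re
import string

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
PRINTABLE = set(string.printable) - set("\x0b\x0c")

SAMPLE_TWEETS = [  # constructed sample timeline
    "just had coffee, great morning everyone",
    "aHR0cDovL2V4YW1wbGUudGVzdC9wYXlsb2FkLmV4ZQ==",
    "update: SGVsbG8gV29ybGQgdGhpcyBpcyBmaW5l now",
    "#winning NzY2ZjZmNjIgMjAwOQ==",
]

def decode_token(token):
    """Return decoded text if the token is base64 of printable text, else None."""
    if not B64_TOKEN.match(token) or len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="replace")
    if not text or any(c not in PRINTABLE for c in text):
        return None
    return text

def suspicious_tweets(tweets):
    """Flag tweets whose decoded token looks like a fetch instruction (contains a URL)."""
    hits = []
    for tweet in tweets:
        for token in tweet.split():
            decoded = decode_token(token)
            if decoded and re.search(r"https?://\S+", decoded):
                hits.append((tweet, decoded))
    return hits

if __name__ == "__main__":
    for tweet, decoded in suspicious_tweets(SAMPLE_TWEETS):
        print(f"flagged: {tweet!r} -> {decoded!r}")
```

Only the second tweet is flagged; the third decodes to ordinary English and the fourth to a short string with no URL, which keeps the detector from firing on every long base64-looking token.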

Incident of the Week: French Hacker Compromises Twitter Employee Passwords, Steals Company Documents

This week, Twitter co-founder Evan Williams confirmed that the company has been the victim of an attack that compromised a number of employee personal accounts at Amazon, PayPal and AT&T, employee personal email and Twitter's internal company documents.  The hacker, who goes by the handle "Hacker Croll," has apparently emailed a collection of 310 internal Twitter documents to TechCrunch, including a presentation for a proposed reality television show called "Final Tweet" and a February 2009 financial forecast.  Many wait to see what other documents will come to light while TechCrunch negotiates with Twitter's lawyers.

Postings on the French website Korben.info claim that Hacker Croll obtained a list of employees, along with employees' credit card numbers, telephone numbers, meeting reports, time sheets, salary information, confidential Twitter contracts with Microsoft, Nokia, Samsung and other companies, as well as a list of celebrity "High Profile Users" (an English translation of the French website is available here).

Twitter's Evan Williams stated "This had nothing to do with the security of twitter.com, and there were no user accounts compromised here."  This was reiterated in Biz Stone's post on the Twitter blog, appropriately entitled "Twitter, Even More Open Than We Wanted."  Stone notes "This isn't about any flaw in web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords." 

This is not the first time that poor password security has led to a noteworthy breach (see WIRED Magazine's account of how one hacker used publicly available information to hack into Sarah Palin's email).  This may serve as a good reminder to many of us that we may want to take the time to change our passwords today (and select a combination with at least 6 characters, at least one capital letter and at least one number).
