Organizations should never underestimate the value of deterrence in fending off hackers, since hackers profit precisely by exploiting a lack of knowledge and security on the part of individuals, employees, corporations and governments. Users and employees play a key role in most intrusions, so they must be taught that access to data and communications should be limited to the people who actually need that level of access.
Twitter Hacking Case
Twitter is a popular social networking and microblogging service. On May 1, 2009, a French hacker using the alias Hacker Croll claimed that he had bypassed Twitter's security and accessed company records. Carr (2011) says that screenshots of some of those records were posted as proof on a French website, the security forum zataz.com. After the intrusion, Twitter CEO Evan Williams announced that the company was conducting "a thorough independent security audit of all internal systems and implementing additional anti-intrusion measures to further safeguard user data" (Carr, 2011).
Croll did not use any hacking tools. He followed a simple process to defeat Twitter's security and gain access to its files. Carr (2011) says that the hacker used publicly available information to build a profile of the company, with an emphasis on compiling an employee list. For every employee identified, the hacker looked for email addresses, birth dates and the names of pets, spouses and children. With this information in hand, he worked through the popular web services that each employee might have an account with, for example Gmail, Yahoo, Hotmail, YouTube, MySpace and Facebook. Using a discovered email address as the username, Croll started the password recovery process for that account. The service offered to email the forgotten password to a secondary address. Carr (2011) notes that it was the hacker's patience in collecting personal data, combined with flawed security design and sheer luck, that made the attack succeed.
The hacker tried to access a Twitter employee's Gmail account and chose the option of having the forgotten password emailed to the secondary address. Gmail gives the user a clue about which address they had chosen by obscuring the first part of it but revealing the service (Carr, 2011). When the hacker saw that it was a Hotmail account, he went to Hotmail and tried to log in with the same username. The reply was that the account was no longer active. Croll immediately re-registered that Hotmail address with a password of his own choosing, went back to Gmail and requested that the forgotten password be emailed to the secondary account, which he now controlled (Carr, 2011). Gmail reset the password and sent the new one to the Hotmail account, giving Croll full access to the employee's Gmail account. The weak link was not a password at all: the recovery flow trusted a secondary address whose ownership had lapsed and quietly passed to the attacker.
Armed with a valid username and password, Croll dug through the employee's Gmail archive until he discovered that Twitter used Google Apps for its domain as its corporate email solution (Carr, 2011). Croll logged in with the stolen employee credentials and began searching through all of that employee's company email, downloading attachments, and in the process discovered the usernames and passwords of at least three senior Twitter executives, including CEO and founder Evan Williams and co-founder Biz Stone, whose email accounts he promptly logged into as well. The hacker obtained the names of job applicants, details of internal meetings, confidential contracts with companies such as Microsoft and Nokia, and information about staff wages. The incident revealed that Twitter was storing a great deal of corporate information on Google's servers in the cloud. Carr (2011) says that the results of the hacking were seen online when TechCrunch published some of the stolen information, and the rest found its way online through other channels.
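To make the design flaw in the recovery step concrete, the following Python model replays the chain from the preceding paragraphs (hint, lapsed secondary address, re-registration, reset) and then shows two checks that break it. This is an added example written for this page, not code from the page's sources or from Google or Microsoft: the provider names, the addresses, the REVERIFY_WINDOW constant and the recovery code are constructed assumptions about how a hardened flow could work, not a description of what those services actually did or do.

```python
"""Toy model of the recovery-address takeover chain described above. Added example, not
code from the page, Google or Microsoft; providers, addresses and REVERIFY_WINDOW are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
import secrets

REVERIFY_WINDOW = 180  # assumption: a recovery address must be re-proven within this many ticks


@dataclass
class Account:
    password: str
    recovery: Optional[str] = None       # secondary address on file (always set in this model)
    recovery_verified_at: int = -1       # clock value when the holder last proved it
    recovery_code: Optional[str] = None  # second factor, issued only by the hardened flow
    active: bool = True


class Provider:  # one webmail provider; hardened=True turns on the fixes to the reset flow
    def __init__(self, hardened: bool):
        self.hardened, self.clock = hardened, 0
        self.accounts: Dict[str, Account] = {}
        self.mailbox: Dict[str, List[str]] = {}

    def register(self, address: str, password: str) -> None:
        # Both modes: a lapsed address can be re-registered by anyone, who then receives
        # mail meant for the previous owner. This is the step Croll exploited at Hotmail.
        old = self.accounts.get(address)
        if old is not None and old.active:
            raise ValueError("address already in use")
        self.accounts[address] = Account(password=password)
        self.mailbox[address] = []

    def login(self, address: str, password: str) -> bool:
        acct = self.accounts.get(address)
        return acct is not None and acct.active and secrets.compare_digest(acct.password, password)

    def set_recovery(self, address: str, secondary: str) -> Optional[str]:
        # Recording (or re-verifying) a recovery address proves it now; hardened mode issues a code.
        acct = self.accounts[address]
        acct.recovery, acct.recovery_verified_at = secondary, self.clock
        acct.recovery_code = secrets.token_hex(8) if self.hardened else None
        return acct.recovery_code

    def recovery_hint(self, address: str) -> str:
        # Weak hint: masking only the local part still names the provider to attack next.
        local, _, domain = self.accounts[address].recovery.partition("@")
        return local[0] + "***@" + ("***" if self.hardened else domain)

    def request_reset(self, address: str, deliver: Callable[[str, str], None],
                      code: Optional[str] = None) -> bool:
        # Mail a fresh password to the recovery address; deliver(addr, msg) routes the mail.
        acct = self.accounts[address]
        if self.hardened:
            if self.clock - acct.recovery_verified_at > REVERIFY_WINDOW:
                return False  # Fix A: an address proven long ago may have changed hands
            if code is None or not secrets.compare_digest(code, acct.recovery_code):
                return False  # Fix B: holding the secondary mailbox alone is not enough
        acct.password = secrets.token_urlsafe(12)
        deliver(acct.recovery, f"reset:{address}:{acct.password}")
        return True


def build_world(hardened: bool):
    # Victim set a Hotmail address as Gmail recovery long ago, then let the Hotmail account lapse.
    world = {d: Provider(hardened) for d in ("gmail.example", "hotmail.example")}

    def deliver(addr: str, msg: str) -> None:
        world[addr.split("@")[1]].mailbox.setdefault(addr, []).append(msg)

    world["gmail.example"].register("employee@gmail.example", "correct horse")
    world["hotmail.example"].register("employee@hotmail.example", "old hotmail pw")
    world["gmail.example"].set_recovery("employee@gmail.example", "employee@hotmail.example")
    world["hotmail.example"].accounts["employee@hotmail.example"].active = False  # lapsed
    world["gmail.example"].clock += 400  # time passes; the recovery address is never re-proven
    return world, deliver


def run_attack(hardened: bool) -> bool:
    # Replay the chain: read the hint, grab the lapsed address, request a reset. True = takeover.
    world, deliver = build_world(hardened)
    gmail, victim = world["gmail.example"], "employee@gmail.example"
    hinted = gmail.recovery_hint(victim).split("@")[1]
    # The weak hint names the provider outright; the hardened hint forces a guess across the rest.
    targets = [hinted] if hinted in world else [d for d in world if d != "gmail.example"]
    for domain in targets:
        try:
            world[domain].register(f"employee@{domain}", "attacker pw")
        except ValueError:
            continue  # still owned by someone; try the next provider
    if not gmail.request_reset(victim, deliver):  # the attacker holds no recovery code
        return False
    stolen = world["hotmail.example"].mailbox["employee@hotmail.example"][-1].split(":")[-1]
    return gmail.login(victim, stolen)


def owner_reset_hardened() -> bool:
    # The real holder reclaims the lapsed address, re-proves it and uses the code: recovery still works.
    world, deliver = build_world(hardened=True)
    gmail, hotmail, victim = world["gmail.example"], world["hotmail.example"], "employee@gmail.example"
    hotmail.register("employee@hotmail.example", "owner new pw")
    code = gmail.set_recovery(victim, "employee@hotmail.example")
    if gmail.request_reset(victim, deliver):
        return False  # must still be refused without the code
    return gmail.request_reset(victim, deliver, code) and gmail.login(
        victim, hotmail.mailbox["employee@hotmail.example"][-1].split(":")[-1])
```

run_attack(False) returns True: the takeover succeeds exactly as in the narrative. run_attack(True) returns False, because the hardened provider refuses to reset through a recovery address that has not been re-proven within the window and, even when it has, demands a recovery code the attacker never saw; owner_reset_hardened() returns True, showing that the legitimate holder can still recover. Hiding the provider in the hint is only friction, since Croll's OSINT profile already listed the likely services; the real fix is binding the recovery channel to the account holder rather than to whoever happens to control the address today.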
The Computer Misuse Act 1990 and How it Applies to the Twitter Case
The Computer Misuse Act 1990 was passed to deal with a number of misuses that emerged as the use of computers became widespread. Doyle (2007) says that the Act makes it an offence to deliberately transfer or plant viruses on a computer system in order to damage data and programs. The Act also treats the use of office computers to carry out unauthorized work as an offence. Under the Act, hacking into someone else's computer system in order to view or alter information is an offence as well (Doyle, 2007).
According to Duquenoy, Jones & Blundell (2007), the Computer Misuse Act 1990 applies to the Twitter hacking case because the hacker gained unauthorized access to data held on a computer with the intent to commit or facilitate further offences, such as exposing the company's memos and private data to TechCrunch. By gaining access to employees' email accounts and passwords in order to obtain the attachments sent through the company's corporate mail, the hacker in the Twitter case committed an offence under section one of the Computer Misuse Act 1990. Doyle (2000) says that the hacker knew the access he sought was unauthorized. He would also be guilty of an offence under section two of the Act, because he committed the section one offence with the intent of committing further offences, namely blackmail and theft of the Twitter memos and financial records.
Under the Computer Misuse Act 1990, the offence committed by Hacker Croll against Twitter carries a maximum penalty of five years' imprisonment (Duquenoy, Jones & Blundell, 2007). According to Duquenoy, Jones & Blundell (2007), the Act also applies to the Twitter case because the hacker gained access to emails containing attachments of company data and copied them to his own system. This means that, if caught, he would be liable to prosecution not only under the Computer Misuse Act 1990, as amended by the Police and Justice Act 2006, but also under the Data Protection Act 1998. In deciding whether an offence under the Act has taken place, it must be borne in mind that the initial intent has to be proved. Proving that intent is the main obstacle to overcome in bringing such cases to court.
Three Physical, Software, Electronic or Managerial Solutions for Twitter
Twitter can employ a number of security solutions in order to reduce the security risks the company encountered in 2009. Morley & Parker (2009) note that security risks can be reduced by carefully controlling access to Twitter's facilities and computer network so that only authorized individuals are granted access.
Access Control Systems
One important security precaution is controlling access to facilities, computer networks, company databases, individual web site accounts and other assets. Morley & Parker (2009) say that to protect against unauthorized access, the company should secure its network by changing the router or access point settings to enable one of the encryption standards and to assign a network key or password that must be supplied in order to join the company's secured network.
The company can also hide the name of its network by turning off the SSID broadcast feature. Morley & Parker (2009) say that while hiding the network name will not deter serious hackers, it may reduce the number of neighbours connecting to the network. Access control of this kind means that a user who wants to connect to the corporate network must either select or type in the network's SSID, depending on whether or not the SSID is being broadcast, and then enter the network key assigned to that network (Morley & Parker, 2009). It should be remembered, however, that Croll never touched Twitter's own network: every step of his attack was a legitimate-looking login or password reset against a public web service, so wireless controls would not have stopped him, and access control at the level of individual accounts, such as the password rules discussed below, matters more for this case.
Use of Firewalls and Encryption
A firewall is a security system that essentially creates a wall between a computer or a network and the internet in order to protect against unauthorized access. Morley & Parker (2009) say that in Twitter's case a firewall will enable the administrator to inspect all incoming and outgoing traffic and allow only authorized traffic to pass through. Since the PCs used by Twitter are directly connected to the internet, the company should use a firewall so that those PCs are relatively safe from hackers probing them from outside (Morley & Parker, 2009). A firewall only sees traffic that crosses Twitter's own network boundary, though; an attacker who logs into a cloud mail service with a valid password, as Croll did, never crosses it, so the firewall is a defence against a different class of attack than the one Twitter actually suffered.
Twitter should use encryption, especially for its memos, email attachments and other private and confidential corporate data. Encryption scrambles data as it passes along communication lines or over the air so that, even if it is intercepted, it makes no sense to the hacker (Doyle, 2000). According to Morley & Parker (2009), Twitter should use the private key (symmetric) encryption built into programs such as Microsoft Office, the WinZip file compression utility and Adobe Acrobat to encrypt documents created in those programs. Once a document is encrypted, the password assigned to the file must be entered to open the original or any copy of it, including copies sent as attachments to employees' emails (Morley & Parker, 2009). The caveat is that this protection is only as good as the password and where it is kept: a password stored in the same mailbox as the document, or reused from an account the attacker already controls, adds nothing.
The company should use public key encryption to send its email messages. Morley & Parker (2009) say that once a file or email message has been encrypted with the recipient's public key, only the recipient's private key can decrypt the message or its contents. It should be noted that the stronger the encryption, the more difficult it is to crack.
Use of Strong Passwords
Twitter should enforce a rule that every employee uses strong passwords of at least eight characters containing at least one number or symbol. Rossberg & Redler (2005) say that employees should not make it easy for attackers to crack passwords. Critical passwords should be changed regularly and should combine numbers with upper- and lowercase letters. Just as importantly, a password should never be shared between a corporate account and personal web services, since, as described above, the credentials taken from a personal Gmail account also opened the corporate Google Apps account.
Screen Potential New Hires Carefully
Twitter should carefully investigate the background of all potential employees. Morley & Parker (2009) say that Twitter should ensure that new recruits have no criminal record and are not currently charged with a crime. Twitter should note that a significant number of security breaches are the responsibility of insiders. The company should also educate its employees so that they do not expose the company's information.
In conclusion, it should be noted that by allowing its employees to send such confidential information through a cloud email system, Twitter undermined the security of that data, which could then be taken by the simplest of means. Twitter should recognize that there is no single solution to the problem of protecting its data and private information against hackers and their malicious deeds, and that it is never possible to be 100% hacker proof. The company and its employees should therefore implement sufficient layers of protection to prevent and defend against most attackers. It pays to employ the solutions above, and it pays for employers to be cautious about their employees.