The Business Web 2.0
As CEO of business-based social networking site WeCanDo.BIZ, read my take on the role Web 2.0 technologies can play helping businesses to grow.
Friday 17 July 2009, 10:50 AM
Does TwitterGate point towards bigger Cloud security issues?
I write this as the former managing director of an information security company, long-time hosted-applications user and founder of a Web 2.0 company -- and I have to say, the biggest threat to online security is ignorance and laziness!
First off, let’s be clear, it was not Twitter the Application that was hacked in this affair, but Twitter the Staff -- it was actually Williams’ Google Apps password that was compromised, giving access to the documents now in circulation. Twitter staff got targeted because they are high profile and the hacker knew the press would be interested in the story.
How did this happen? Simple: Williams’ password was guessed. Or to put it another way, he simply didn’t set a strong enough password and has now paid the price.
There are very obvious benefits to using web based services, not least of all in their convenience and availability. Because they are web based, and so available to any member of the public, they are at greater risk than an application or data store on a stand-alone server in a locked office that you need to walk over to in order to use; but that isn’t very convenient. Broadly speaking, the risks of attack are offset by the convenience of the services -- there is risk, but it’s worth taking for the upside.
But whether you use Cloud based applications or on-premise, it pays to follow these basic rules on password security:
1. NEVER write your passwords down — make them easy to remember but personal to you so you don’t need to write them down
2. Use a password system no one could ever guess. Here’s a suggestion: take the first letters of a sentence you can easily remember, e.g. Ian Watches Formula 1 Every Other Sunday would become IWF1EOS — who is ever going to guess that as a password? Factor in that the sentence could be about ANY aspect of your life and it becomes harder still for anyone to guess
3. Never use the same password on more than one website — introduce just the smallest change between them, inspired by something about the site or service, e.g. add BA at the start or end for your online Barclays account, HO for Hotmail, WE for your WeCanDo.BIZ login etc.
4. If you are asked to set a password reminder question, make it the most obscure option offered (things like your date of birth or mother’s maiden name may not be hard to find out) — make it something very few people, if any at all, know about you. You might even want to lie about the answer, but if you do, make the answer memorable!
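The acronym scheme from rule 2 and the per-site tags from rule 3, worked through as an added example (this is not code from the post or from WeCanDo.BIZ), with a length and entropy check added so the resulting passwords can be measured before adopting them; the `entropy_upper_bound_bits` estimator and the `meets_policy` thresholds are my assumptions, not the author's.

```python
import math
import re

# The post's own example sentence for rule 2 (sample input, taken from the text).
SAMPLE_SENTENCE = "Ian Watches Formula 1 Every Other Sunday"
# The post's own site tags for rule 3.
SITE_TAGS = {"barclays": "BA", "hotmail": "HO", "wecando": "WE"}


def acronym_password(sentence: str) -> str:
    """Rule 2: first character of each word, so a digit in the sentence
    survives as a digit ("Formula 1" contributes "F" and "1")."""
    return "".join(word[0] for word in sentence.split())


def site_variant(base: str, tag: str, at_end: bool = False) -> str:
    """Rule 3: the same base with a short site-specific tag at the start or end."""
    return base + tag if at_end else tag + base


def entropy_upper_bound_bits(password: str) -> float:
    """Rough strength estimate (assumption, not from the post):
    log2(alphabet_size ** length) over the character classes that appear.
    It is an UPPER bound: a guesser who knows the acronym scheme does far
    better than brute force over the whole alphabet."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10),
               (r"[^A-Za-z0-9]", 33)]  # 33 printable ASCII symbols incl. space
    alphabet = sum(size for pat, size in classes if re.search(pat, password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def meets_policy(password: str, min_len: int = 12, min_bits: float = 60.0) -> bool:
    """Hypothetical policy check: minimum length and minimum entropy bound,
    so a seven-character acronym is flagged before it is adopted."""
    return len(password) >= min_len and entropy_upper_bound_bits(password) >= min_bits


def variants_are_distinct(base: str, tags: dict) -> bool:
    """Rule 3 sanity check: every site must end up with a different password."""
    variants = {site: site_variant(base, tag) for site, tag in tags.items()}
    return len(set(variants.values())) == len(variants)


if __name__ == "__main__":
    base = acronym_password(SAMPLE_SENTENCE)  # "IWF1EOS"
    print(f"distinct per site: {variants_are_distinct(base, SITE_TAGS)}")
    for site, tag in SITE_TAGS.items():
        pw = site_variant(base, tag)
        verdict = "ok" if meets_policy(pw) else "too short/weak under the 12-char policy"
        print(f"{site:9} {pw:12} <= {entropy_upper_bound_bits(pw):5.1f} bits  {verdict}")
```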
Your comments and questions welcomed, just post below.
Ian Hendry
CEO, WeCanDo.BIZ
http://www.wecando.biz