People

Control issues: How Twitter is forcing companies to rethink security and access

For a few hours last week, Twitter lost control of its platform. While the outcome could have been much worse, it's a wake-up call for anyone managing information security and employee access to data.

An iPhone with the Twitter logo on the screen.

As more and more companies move critical applications to cloud services and use third-party enterprise software tools, modern identity management software has become a very important part of the tech department's toolkit.

Photo: Sara Kurfeß on Unsplash
Twitter's harrowing security incident last week is a good reminder that many companies need to reassess the internal controls governing access to their tools and data, because it's never been harder to stop the bad guys at the perimeter.

For administrators at a big, very visible company like Twitter, it's not if your network defenses will be penetrated; it's when. It took Twitter several hours to regain control of its systems Wednesday after a small group of hackers were able to obtain the login credentials of a Twitter staffer and commandeer its account tools.

Twitter's experience was an extreme one, and while we don't know exactly how much information was compromised, the outcome could have been much, much worse. But it's clear that steps taken to improve controls in the aftermath of two other high-profile incidents — a 2010 settlement with the Federal Trade Commission over account access issues and the 2018 indictment of two employees who were spying for the Saudi Arabian government — were not enough, and there are lessons for everyone in the aftermath.

In a blog post Monday, security expert Bruce Schneier called the Twitter incident a "class break," describing this category as "security vulnerabilities that break not just one system, but an entire class of systems." "Class breaks are endemic to computerized systems," he wrote, "and they're not something that we as users can defend against with better personal security."

As more and more companies move critical applications to cloud services and use third-party enterprise software tools, modern identity management software has become a very important part of the tech department's toolkit. This need has only accelerated in a pandemic, during which so many employees are working from their home networks and outside of the traditional defenses around corporate networks.

Software from companies like Okta allows workers to securely access the internal corporate applications they need to do their jobs with "single sign-on" technology, sort of like a password manager for work. Then, once workers pass that test, other tools are needed that grant certain people access only to specific data sets or controls, so that one breach doesn't open up the entire company to an attacker.

At Twitter, lots of employees have access to user accounts. Any attempt to provide customer service requires that, to some extent, but it's also clear that the company needs to consider additional controls, such as requiring two employees to sign off on proposed changes to prominent user accounts.

Companies also need to move past the idea that a user who has entered the proper login credentials is a valid user — the so-called "zero trust" approach. The central idea here is paranoia: No person or device should be automatically trusted outside or inside a network, and Google pioneered this line of thinking over the last decade with an internal service called BeyondCorp.

It's not clear what type of approach is in place at Twitter, but the company has been operating without a chief information security officer in 2020, according to The Wall Street Journal. That vacancy will likely be filled in short order, and like lots of companies re-evaluating their internal processes in the wake of this incident, one of that person's first jobs will be to rethink how Twitter manages identity and access to its systems.

 Tom Krazit

Tom Krazit ( @tomkrazit) is Protocol's enterprise editor, covering cloud computing and enterprise technology out of the Pacific Northwest. He has written and edited stories about the technology industry for almost two decades for publications such as IDG, CNET, paidContent, and GeekWire, and served as executive editor of Gigaom and Structure.

twitter hack security scam cloud
Protocol | Policy

5 things to know about FCC nominee Gigi Sohn

The veteran of some of the earliest tech policy fights is a longtime consumer champion and net-neutrality advocate.

Gigi Sohn, who President Joe Biden nominated to serve on the FCC, is a longtime net-neutrality advocate.

Photo: Alex Wong/Getty Images

President Joe Biden on Tuesday nominated Gigi Sohn to serve as a Federal Communications Commissioner, teeing up a Democratic majority at the agency that oversees broadband issues after months of delay.

Like Lina Khan, who Biden picked in June to head up the Federal Trade Commission, Sohn is a progressive favorite. And if confirmed, she'll take up a position in an agency trying to pull policy levers on net neutrality, privacy and broadband access even as Congress is stalled.

Keep Reading Show less
Ben Brody

Ben Brody (@ BenBrodyDC) is a senior reporter at Protocol focusing on how Congress, courts and agencies affect the online world we live in. He formerly covered tech policy and lobbying (including antitrust, Section 230 and privacy) at Bloomberg News, where he previously reported on the influence industry, government ethics and the 2016 presidential election. Before that, Ben covered business news at CNNMoney and AdAge, and all manner of stories in and around New York. He still loves appearing on the New York news radio he grew up with.

fcc policy
sponsored content
Sponsored Content

Four processes to keep you innovating through change

If you've ever tried to pick up a new fitness routine like running, chances are you may have fallen into the "motivation vs. habit" trap once or twice. You go for a run when the sun is shining, only to quickly fall off the wagon when the weather turns sour.

Similarly, for many businesses, 2020 acted as the storm cloud that disrupted their plans for innovation. With leaders busy grappling with the pandemic, innovation frequently got pushed to the backburner. In fact, according to McKinsey, the majority of organizations shifted their focus mainly to maintaining business continuity throughout the pandemic.

Keep Reading Show less
Gaurav Kataria
Group Product Manager, Trello at Atlassian
sponsored content sponsored
Protocol | Workplace

Adobe wants a more authentic NFT world

Adobe's Content Credentials feature will allow Creative Cloud subscribers to attach edit-tracking information to Photoshop files. The goal is to create a more trustworthy NFT market and digital landscape.

Adobe's Content Credentials will allow users to attach their identities to an image

Image: Adobe

Remember the viral, fake photo of Kurt Cobain and Biggie Smalls that duped and delighted the internet in 2017? Doctored images manipulate people and erode trust and we're not great at spotting them. The entire point of the emerging NFT art market is to create valuable and scarce digital files and when there isn't an easy way to check for an image's origin and edits, there's a problem. What if someone steals an NFT creator's image and pawns it off as their own? As a hub for all kinds of multimedia, Adobe feels a responsibility to combat misinformation and provide a safe space for NFT creators. That's why it's rolling out Content Credentials, a record that can be attached to a Photoshop file of a creator's identity and includes any edits they made.

Users can connect their social media addresses and crypto wallet addresses to images in Photoshop. This further proves the image creator's identity, but it's also helpful in determining the creators of NFTs. Adobe has partnered with NFT marketplaces KnownOrigin, OpenSea, Rarible and SuperRare in this effort. "Today there's not a way to know that the NFT you're buying was actually created by a true creator," said Adobe General Counsel Dana Rao. "We're allowing the creator to show their identity and attach it to the image."

Keep Reading Show less
Lizzy Lawrence

Lizzy Lawrence ( @LizzyLaw_) is a reporter at Protocol, covering tools and productivity in the workplace. She's a recent graduate of the University of Michigan, where she studied sociology and international studies. She served as editor in chief of The Michigan Daily, her school's independent newspaper. She's based in D.C., and can be reached at llawrence@protocol.com.

productivity workplace
dating apps
Protocol | China

Why another Chinese lesbian dating app just shut down

With neither political support nor a profitable business model, lesbian dating apps are finding it hard to survive in China.

Operating a dating app for LGBTQ+ communities in China is like walking a tightrope.

Photo: Nicolas Asfouri/AFP via Getty Images

When Lesdo, a Chinese dating app designed for lesbian women, announced it was closing down, it didn't come as a surprise to the LGBTQ+ community.

It's unclear what directly caused this decision. 2021 hasn't been kind to China's queer communities; WeChat has deactivated queer groups' public accounts and Beijing has pressured charity organizations not to work with queer activists.

Keep Reading Show less
Zeyi Yang
Zeyi Yang is a reporter with Protocol | China. Previously, he worked as a reporting fellow for the digital magazine Rest of World, covering the intersection of technology and culture in China and neighboring countries. He has also contributed to the South China Morning Post, Nikkei Asia, Columbia Journalism Review, among other publications. In his spare time, Zeyi co-founded a Mandarin podcast that tells LGBTQ stories in China. He has been playing Pokemon for 14 years and has a weird favorite pick.
censorship dating app lgbtq social media dating apps
wearables

The Oura Ring was a sleep-tracking hit. Can the next one be even more?

Oura wants to be a media company, an activity tracker and even a way to know you're sick before you feel sick.

Over the last few years, the Oura Ring has become one of the most recognizable wearables this side of the Apple Watch.

Photo: Oura

Oura CEO Harpreet Rai swears he didn't know Kim Kardashian was a fan. He was as surprised as anyone when she started posting screenshots from the Oura app to her Instagram story, and got into a sleep battle with fellow Oura user Gwyneth Paltrow. Or when Jennifer Aniston revealed that Jimmy Kimmel got her hooked on Oura … and how her ring fell off in a salad. "I am addicted to it," Aniston said, "and it's ruining my life" by shaming her about her lack of sleep. "I think we're definitely seeing traction outside of tech," Rai said. "Which is cool."

Over the last couple of years, Oura's ring (imaginatively named the Oura Ring) has become one of the most recognizable wearables this side of the Apple Watch. The company started with a Kickstarter campaign in 2015, but really started to find traction with its second-generation model in 2018. It's not exactly a mainstream device — Oura said it has sold more than 500,000 rings, up from 150,000 in March 2020 but still not exactly Apple Watch levels — but it has reached some of the most successful, influential and probably sleep-deprived people in the industry. Jack Dorsey is a professed fan, as is Marc Benioff.

Keep Reading Show less
David Pierce

David Pierce ( @pierce) is Protocol's editorial director. Prior to joining Protocol, he was a columnist at The Wall Street Journal, a senior writer with Wired, and deputy editor at The Verge. He owns all the phones.

wearables oura ring health tech
Latest Stories