You cannot be careful enough when you are Twitter.
Twitter has been in the news lately for all the wrong reasons. It has been the target of many DDoS attacks (other link), as well as exploits targeting its XSS vulnerabilities (other link).
Details of a more interesting attack on Twitter appeared in July this year.
So in case you have missed it, Twitter faced an attack which led to the compromise of several confidential documents. The details of this attack and how it was (supposedly) done are present here.
This attack shows some of the challenges related to securing enterprise information on the cloud. As more and more personal details of employees become available on the web, such attacks become really easy to execute.
Nevertheless, this particular attack is significant for a variety of reasons.
- The compromise of one personal Gmail account led to the compromise of so much confidential information.
- The attacked user and Twitter seemed to be completely unaware of the security failure.
- The ethics of disclosing stolen information.
While I was reading about the attack, it got me thinking about how one can prevent, or at least detect, such attacks. So I came up with some ideas which can help in at least detecting (and maybe preventing) these attacks on enterprise email accounts using Gmail or a similar service provider:
Warning: Immature ideas follow.
- Giving some form of audit information to system administrators. While Gmail is widely used, most users are not aware of its security features (features like the audit info in the footer, "always use https", etc.). All these features require that the user is informed and alert, which is a bit too much for an average user. It would be much better to have functionality where audit information can be examined by system administrators (or maybe the people in charge of managing access and security). This can simply be a mailing list (or lists) to which the daily access and audit log is sent. An alert system admin can then spot any records which do not seem right. But such a scheme can produce too much audit information in a moderately large organization, so we need some way to filter this information, which leads us to the next two points.
- Filtering/monitoring of audit information based on IP or the presence of a secret cookie. Hacking into a machine on a corporate network is usually not very easy. (I agree that this varies with the organization and the kind of security policies implemented, but most organizations have a firewall and some sort of IDS which makes it difficult.) Usually an attacker targeting an official account will be attacking from an external IP. This information can help us in creating filters for our audit information: we can assume that addresses inside the company are potentially safe, and those from, say, a different continent where the company has no business are potentially unsafe.
- Classification of information into categories denoting its importance and confidentiality. The idea is old yet very powerful. The auditing option for a document can be based on its category; for example, only those documents which are confidential may generate an audit alert if accessed from an external IP (or maybe when accessed between 12am and 5am, etc.).
There are two problems with this. First, it does not address mobile users using laptops, BlackBerrys, iPhones, etc. Second, an attacker will most likely be using a proxy for the attack.
One solution would be to have the devices used by employees carry a special cryptographic cookie which is calculated from the unique id of the device and some shared secret. (Implementation appears to be tricky; I can think of a browser plug-in for generating the secret cookie, but the problem will be with IMAP/POP access.) The other is to require auditing only for special documents which are really the most confidential. This brings us to the third point.
While all these policies can cause inconvenience through some unnecessary alerts, they can reduce the attack surface and help in the timely detection of any security failures.
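As an added illustration of the filtering ideas above (this is not code from the original post), here is a small Python sketch that applies the IP-based, classification-based and time-of-day rules to a constructed access log, and checks an HMAC-based device cookie derived from a device id and a shared secret. The corporate address range, the document classes, the log line format and the secret are all assumptions.

```python
import hmac, hashlib, ipaddress
from datetime import datetime

# Constructed sample access log (not real Gmail audit data): time, user, source IP, document.
SAMPLE_LOG = [
    "2009-07-20T14:02:11 alice 10.1.4.22 doc=q3-roadmap",
    "2009-07-20T03:17:45 alice 203.0.113.9 doc=board-minutes",
    "2009-07-20T09:40:02 bob 198.51.100.7 doc=lunch-menu",
    "2009-07-20T02:05:30 bob 10.1.9.3 doc=board-minutes",
]

# Assumed corporate ranges, document classification and shared secret (hypothetical values).
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
CLASSIFICATION = {"board-minutes": "confidential", "q3-roadmap": "internal", "lunch-menu": "public"}
DEVICE_SECRET = b"shared-secret-placeholder"  # would be provisioned to devices out of band

def device_token(device_id: str) -> str:
    """Cryptographic device cookie: HMAC-SHA256 of the device's unique id under the shared secret."""
    return hmac.new(DEVICE_SECRET, device_id.encode(), hashlib.sha256).hexdigest()

def valid_device_token(device_id: str, token: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the expected value."""
    return hmac.compare_digest(device_token(device_id), token)

def is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)

def alerts_for(log_lines, trusted_devices=None):
    """Return the entries an admin should look at: confidential documents reached from an
    external address without a valid device cookie, or any non-public document touched
    between 00:00 and 05:00. trusted_devices maps user -> (device_id, presented_token)."""
    trusted_devices = trusted_devices or {}
    alerts = []
    for line in log_lines:
        ts, user, ip, doc = line.split()
        doc = doc.split("=", 1)[1]
        level = CLASSIFICATION.get(doc, "confidential")  # unclassified documents treated as confidential
        off_hours = 0 <= datetime.fromisoformat(ts).hour < 5
        presented = trusted_devices.get(user)
        trusted = presented is not None and valid_device_token(*presented)
        if level == "confidential" and not is_corporate(ip) and not trusted:
            alerts.append((user, ip, doc, "confidential-from-external"))
        elif level != "public" and off_hours:
            alerts.append((user, ip, doc, "off-hours"))
    return alerts

if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_LOG):
        print(alert)
```

A valid device cookie only silences the external-IP rule; the off-hours rule still fires, which is the layering the classification idea is meant to give.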