Attacks/Breaches
3/15/2011
04:05 PM
50%
50%

Twitter Finalizes FTC Security Settlement

The microblogging company agrees to a biennial external audit of its security posture for the next 10 years.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches

The FTC announced on Friday that it's closed its security investigation into Twitter, after the social networking giant accepted a settlement first fielded in June 2010. The settlement stems from the FTC's charge that "Twitter deceived consumers and put their privacy at risk by failing to safeguard their personal information."

According to the FTC's settlement, Twitter must now establish and maintain "a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of nonpublic consumer information." For the next 10 years, Twitter's security program must also undergo an external audit every two years.

Meanwhile, for the next 20 years, Twitter is barred from making misleading statements about "the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers," said the FTC.

The settlement is the end result of the FTC's investigation into security breaches that occurred at Twitter between January and March of 2009, when hackers twice gained administrative control of the site. Despite Twitter's previous privacy policy, which assured users that "we employ administrative, physical, and electronic measures designed to protect your information from unauthorized access," attackers hacked into the site the first time by using a brute-force password hacking tool, and the second by simply guessing an administrator's password.

The breaches gave attackers access to non-public user information, tweets that users had designated as "private," and enabled attackers to generate fake tweets. Owners of the compromised accounts included then-President-elect Barack Obama and Fox News.

Of course, those aren't the only security incidents to have involved Twitter and hijacked accounts. "Twitter has experienced numerous high-profile security incidents, including Britney Spears and U.K. members of parliament selling Viagra. And there have been many incidents that have hit users who aren't celebrities," said Rob Rachwald, director of security for Imperva, via email.

"Such incidents indicate that security was very low on Twitter's priority list," he said. "But this is nothing new. Given a choice between growth and security, companies typically skimp on security."

The FTC's settlement with Twitter, however, now requires specific security program enhancements, including designating one or more employees to coordinate and remain accountable for its information security program. Twitter must also conduct a data security risk assessment, implement "reasonable safeguards" to mitigate identified risks, and ensure that any service providers with which it works also maintain appropriate data security safeguards.

Under the settlement, Twitter faces up to a $16,000 fine for every violation of its agreement. The private company has a market value recently estimated to be $8 billion to $10 billion.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1449
Published: 2014-12-25
The Maxthon Cloud Browser application before 4.1.6.2000 for Android allows remote attackers to spoof the address bar via crafted JavaScript code that uses the history API.

CVE-2014-2217
Published: 2014-12-25
Absolute path traversal vulnerability in the RadAsyncUpload control in the RadControls in Telerik UI for ASP.NET AJAX before Q3 2012 SP2 allows remote attackers to write to arbitrary files, and consequently execute arbitrary code, via a full pathname in the UploadID metadata value.

CVE-2014-3971
Published: 2014-12-25
The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate.

CVE-2014-7193
Published: 2014-12-25
The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive information, and potentially obtain the ability to spoof requests to non-CORS routes, via a crafted web site ...

CVE-2014-7300
Published: 2014-12-25
GNOME Shell 3.14.x before 3.14.1, when the Screen Lock feature is used, does not limit the aggregate memory consumption of all active PrtSc requests, which allows physically proximate attackers to execute arbitrary commands on an unattended workstation by making many PrtSc requests and leveraging a ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.