Attacks/Breaches
3/15/2011
04:05 PM
50%
50%

Twitter Finalizes FTC Security Settlement

The microblogging company agrees to a biennial external audit of its security posture for the next 10 years.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches

The FTC announced on Friday that it's closed its security investigation into Twitter, after the social networking giant accepted a settlement first fielded in June 2010. The settlement stems from the FTC's charge that "Twitter deceived consumers and put their privacy at risk by failing to safeguard their personal information."

According to the FTC's settlement, Twitter must now establish and maintain "a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of nonpublic consumer information." For the next 10 years, Twitter's security program must also undergo an external audit every two years.

Meanwhile, for the next 20 years, Twitter is barred from making misleading statements about "the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers," said the FTC.

The settlement is the end result of the FTC's investigation into security breaches that occurred at Twitter between January and March of 2009, when hackers twice gained administrative control of the site. Despite Twitter's previous privacy policy, which assured users that "we employ administrative, physical, and electronic measures designed to protect your information from unauthorized access," attackers hacked into the site the first time by using a brute-force password hacking tool, and the second by simply guessing an administrator's password.

The breaches gave attackers access to non-public user information, tweets that users had designated as "private," and enabled attackers to generate fake tweets. Owners of the compromised accounts included then-President-elect Barack Obama and Fox News.

Of course, those aren't the only security incidents to have involved Twitter and hijacked accounts. "Twitter has experienced numerous high-profile security incidents, including Britney Spears and U.K. members of parliament selling Viagra. And there have been many incidents that have hit users who aren't celebrities," said Rob Rachwald, director of security for Imperva, via email.

"Such incidents indicate that security was very low on Twitter's priority list," he said. "But this is nothing new. Given a choice between growth and security, companies typically skimp on security."

The FTC's settlement with Twitter, however, now requires specific security program enhancements, including designating one or more employees to coordinate and remain accountable for its information security program. Twitter must also conduct a data security risk assessment, implement "reasonable safeguards" to mitigate identified risks, and ensure that any service providers with which it works also maintain appropriate data security safeguards.

Under the settlement, Twitter faces up to a $16,000 fine for every violation of its agreement. The private company has a market value recently estimated to be $8 billion to $10 billion.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8551
Published: 2014-11-26
The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7 7.1 through SP4, 8.0 through SP2, and 8.1; and TIA Portal 13 before Update 6 allows remote attackers to execute arbitrary code via crafted packets.

CVE-2014-8552
Published: 2014-11-26
The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7 7.1 through SP4, 8.0 through SP2, and 8.1; and TIA Portal 13 before Update 6 allows remote attackers to read arbitrary files via crafted packets.

CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-3605
Published: 2014-11-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6407. Reason: This candidate is a reservation duplicate of CVE-2014-6407. Notes: All CVE users should reference CVE-2014-6407 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-6093
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.x before 7.0.0.2 CF29, 8.0.x through 8.0.0.1 CF14, and 8.5.x before 8.5.0 CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?