I’d noticed that Twitter was running slow yesterday only because by pure coincidence I had registered an account on the site the day before (for the purpose of tweeting about WhizzyDigital). Having tried to log on at a few different junctures during the day, it became obvious that there was something seriously wrong. Now the BBC reports that Twitter, Facebook and possibly Google (specifically Gmail and YouTube) were all victims of a concerted attack by unknown persons against a Georgian political activist known as Cyxymu. Other reports also claim that blogger and livejournal were also targets of a Distributed Denial of Service (DDOS) attack, an attack which effectively uses many hundreds, perhaps many thousands of individually compromised computers to request so much data from the target servers that they eventually just get overloaded and crawl to a standstill, or worse, simply crash under the strain.
Setting aside the possible reasons for the attack – which currently range from bored teenagers to a conspiracy by the Russian government – there are a number of lessons we can learn from this event, and a previous security breach at Twitter, but more on that later.
The first lesson is to take responsibility for the security of your computer, keep updating your own anti-virus and anti-malware software so that the risk of your computer being used to in a malicious DDOS attack, or worse, personal or corporate data stolen and used for illegal purposes, is reduced.
Secondly, if you have a web site yourself, ask yourself what would you do if it went down? Do you have a plan in place? It is very unlikely that you will be a victim of a DDOS attack on the scale ranged against Twitter, but what if your web site crashed? Do you have a backup? When did you last take that backup and how fast can it be restored? What would it cost your business if it couldn’t be restored? Many people fret about not being at the top of Google searches, but it doesn’t matter what position you come in the searches if your website has disappeared because your host was attacked and you have no way to restore your site.
Thirdly, already this year Twitter has already fallen prey to a hacking attack in which hundreds of internal Twitter documents were sent to a high-profile technology web site. Twitter had to respond in reassuring tones, highlighting that it was not an inherent security flaw, but that an e-mail account had been compromised because a password had been guessed:
Twitter user accounts nor were any user accounts compromised (except for a screenshot of one person’s account and we contacted that person and recommended changing their password). This was not a hack on the Twitter service, it was a personal attack followed by the theft of private company documents.
This as an acute lesson in having a company policy that requires strong passwords that are changed regularly. If your organisation is high profile and the personal details of your employees are public knowledge this can only increase the chances of success of a determined hacker with enough time to guess at passwords.
Finally, the cumulative media coverage of these two separate events is sure to place doubt in the minds of potential and existing Twitter users. Not to mention organisations like Dell that use Twitter as a marketing channel who have their own security concerns to think about. If using such a high-profile site like Twitter carries with it the risks of security breach or loss of business because Twitter cannot repel a DDOS attack (note that other named victims of the attack did not crash but managed to offer either a reduced service or no noticeable effect). If Twitter cannot deliver, perhaps there are services that can.
Of course, no one can plan for a concerted DDOS attack, and I’m being deliberately harsh, but stop for a moment and think about how the leadership of Twitter feels, and then think about how you would feel in the same situation.