Panel: What should Twitter do to protect personal data?

Security experts debate how one of the world's most popular social networks should step up its security game to better protect personal data.


SAN FRANCISCO -- Some recent high-profile hacks have many industry experts (and plenty of Internet users) hotly debating how Twitter should better protect personal data.

During a panel discussion on Thursday afternoon, a quartet of executives at growing enterprise security startups debated and offered their suggestions of what the microblogging service needs to do now.

See also: Two-factor authentication won't protect Twitter, Google: OneID

Estimating that there are more than a billion people on the Internet today, North Bridge Venture Partners partner and former Facebook exec Jonathan Heiliger noted that we've seen a rise of all kinds of cyber attacks, but the ones happening today are mostly on consumer sites as hackers leverage usernames and passwords.

"Part of the problem is that passwords are hopelessly useless," McClure said.

In regards to the recent Twitter breach in particular, Stuart McClure, CEO and president of data security company Cylance, said that "the mitigating control" is to create a complex password, but he admitted that's certainly not a solution.

"Part of the problem is that passwords are hopelessly useless," McClure quipped.

Also formerly the global chief technology officer at McAfee, McClure outlined that he thinks there are two core problems in security: lack of control around both exceptions and privacy.

When we talk about passwords, typically they have been used to share secrets, according to Steve Kirsch, founder and chief technology officer of digital identity management service OneID.

With a password, he continued, users are effectively sharing a "secret" via their passwords with the service in question.

For Kirsch, this is "what's at heart of the Twitter breach" because once you share secrets with someone and then develop a massive repository of secrets, they become a target.

"It's hard to engineer around human fallibility. We've been trying for thousands of years," quipped Bradley.

Kirsch declared that "the only way" to truly address this problem is to get rid of shared secrets and move to a system that doesn't involve them, adding that we have the technology today to be able to do that through asymmetric logins and authentication.
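To make the distinction Kirsch draws concrete, here is an added example (not code from the panel, OneID, or Twitter) contrasting the two login models. In the shared-secret model the service stores a salted hash of every password, so a leaked table can be attacked offline with nothing further from the service; in the asymmetric model the service stores only a public key and verifies a signature over a fresh random challenge, so the stored record is useless for logging in and a captured response cannot be replayed. The record types, function names and the use of SHA-256 in place of a slow password KDF are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Model 1: shared-secret login. The service must keep something derived from
// every user's password, so its credential table is a high-value target.
// (Constructed example: salted SHA-256 stands in for a slow password KDF.)
type passwordRecord struct {
	salt []byte
	hash []byte
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

func enrollPassword(password string) (passwordRecord, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return passwordRecord{}, err
	}
	return passwordRecord{salt: salt, hash: hashPassword(salt, password)}, nil
}

func checkPassword(rec passwordRecord, password string) bool {
	return subtle.ConstantTimeCompare(rec.hash, hashPassword(rec.salt, password)) == 1
}

// What a leaked password table gives an attacker: the stored record alone is
// enough to test candidate passwords offline, with no further contact with
// the service. This is the "repository of secrets becomes a target" problem.
func guessOffline(rec passwordRecord, candidates []string) (string, bool) {
	for _, c := range candidates {
		if checkPassword(rec, c) {
			return c, true
		}
	}
	return "", false
}

// Model 2: asymmetric challenge-response. The service stores only a public
// key; the private key never leaves the user's device.
type keyRecord struct {
	pub ed25519.PublicKey
}

func enrollKey() (keyRecord, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return keyRecord{}, nil, err
	}
	return keyRecord{pub: pub}, priv, nil
}

// The service issues a fresh random challenge for each login attempt ...
func newChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// ... the user's device signs it ...
func answerChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// ... and the service verifies using nothing but the stored public key.
func verifyChallenge(rec keyRecord, challenge, signature []byte) bool {
	return ed25519.Verify(rec.pub, challenge, signature)
}

// An attacker who has copied the service's key table holds only public keys.
// Simulate that by signing with a key the service never enrolled; the
// verifier must reject it.
func attemptForgery(rec keyRecord, challenge []byte) (bool, error) {
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	return verifyChallenge(rec, challenge, answerChallenge(otherPriv, challenge)), nil
}

func main() {
	rec, _ := enrollPassword("correct horse")
	found, ok := guessOffline(rec, []string{"password", "letmein", "correct horse"})
	fmt.Println("leaked password record cracked offline:", ok, found)

	kr, priv, _ := enrollKey()
	ch, _ := newChallenge()
	fmt.Println("genuine device answers challenge:", verifyChallenge(kr, ch, answerChallenge(priv, ch)))
	forged, _ := attemptForgery(kr, ch)
	fmt.Println("forged answer accepted with only the public key:", forged)
}
```

The point of the example is what each stored record is worth once the service is breached: the password record lets an attacker run guesses offline indefinitely, while the public key lets them verify signatures but never produce one, and because every challenge is fresh, a captured response does not help on the next login either.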

"They will always be able to break into Twitter," Kirsch warned. "Trying to secure your perimeter from an attack is like trying to keep ants out of your house. It's basically impossible. They're going to find a way."

"It's hard to engineer around human fallibility. We've been trying for thousands of years," said John Bradley, senior technical architect for the office of the CTO at Ping Identity, concurring that if hackers are determined enough, they'll find a way in.

The objective then, based on the panelists' comments, is to limit the number of mass breaches and attacks.

Rather than placing the blame on the end users, Kirsch said that it's more of a case of educating people at Twitter that this technology exists so that they can apply other authentication mechanisms.

Jon Callas, co-founder and chief technology officer at communications encryption provider Silent Circle, tried to offer some credit to Twitter, noting that only a small portion of the social network's user base was harmed in the last attack.

However, Callas still concurred with Kirsch's advice for Twitter, suggesting they "just need to go the extra 10 percent" to shore up security.

"Twitter can't solve it themselves. They have to go to a third party," Kirsch said, arguing that's the "only practical" strategy for preventing similar mass breaches in the future.

More from the 2013 RSA Conference on ZDNet: