When Twitter's DNS entries were hacked on Friday and the microblogging platform's homepage was defaced, replaced by a statement of responsibility from the so-called "Iranian Cyber Army," many users sensed that a pretty major shakedown was in the works. Once initial investigations revealed that the website's DNS settings had been hijacked, and Twitter's DNS provider, Dyn Inc., absolved itself of responsibility, stating that the records were changed by an authorized user, things really got interesting.

DNS records tell web browsers where a named computer actually is: they map a domain name such as twitter.com to the network address of the computer (or group of computers) that serves content for that name. The attackers did not break into Twitter.com itself and do not appear to have touched Twitter's servers. Instead, they compromised an email account, used it to reset a password (most likely through a password-recovery flow that assumes the email account has not been compromised), and used that password to log in to the DNS management settings. Once inside, repointing the twitter.com domain elsewhere was a simple task.
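Because the attackers never touched Twitter's servers, the first place the hijack becomes visible is in the DNS answers themselves. The script below is an added example (not from this post or from any DNS provider) showing how a zone owner can detect that drift: it compares what resolvers return against an approved baseline and rates a changed NS record as more severe than a changed A record, since a new nameserver hands over the whole zone. The domain, addresses (RFC 5737 documentation ranges) and the "hijacked" snapshot are constructed; the offline resolver is injected so the check runs without network, and `socket_resolver` shows the standard-library call that would replace it for live A records.

```python
"""Detect DNS drift: compare answers for a zone against an approved baseline.

Added example, not from the original post. Names, addresses and the
baseline are constructed; 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737
documentation ranges.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set

# Records signed off by the zone owner (constructed). A change to NS is a
# registrar/provider-level event and is treated as more severe than an
# A-record change, because it delegates the whole zone to someone else.
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "example.com": {
        "A": {"192.0.2.10", "192.0.2.11"},
        "NS": {"ns1.dns-provider.example", "ns2.dns-provider.example"},
    },
}

SEVERITY = {"NS": "critical", "A": "high", "MX": "high"}


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    added: FrozenSet[str]
    removed: FrozenSet[str]
    severity: str


Resolver = Callable[[str, str], Set[str]]


def socket_resolver(name: str, rtype: str) -> Set[str]:
    """Live resolver for A records only, using the standard library (needs network)."""
    if rtype != "A":
        raise NotImplementedError("stdlib socket resolves A records only; use a DNS library for NS/MX")
    _, _, addrs = socket.gethostbyname_ex(name)
    return set(addrs)


def make_fake_resolver(snapshot: Dict[str, Dict[str, Set[str]]]) -> Resolver:
    """Offline resolver backed by a constructed snapshot of answers."""
    def resolve(name: str, rtype: str) -> Set[str]:
        return set(snapshot.get(name, {}).get(rtype, set()))
    return resolve


def check_zone(name: str, baseline: Dict[str, Set[str]], resolve: Resolver) -> List[Finding]:
    """Return one Finding per record type whose observed answers differ from the baseline."""
    findings = []
    for rtype, expected in baseline.items():
        observed = resolve(name, rtype)
        added, removed = observed - expected, expected - observed
        if added or removed:
            findings.append(Finding(name, rtype, frozenset(added), frozenset(removed),
                                    SEVERITY.get(rtype, "medium")))
    # Report the most severe drift first
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f.severity])


def check_all(baseline=BASELINE, resolve: Resolver = socket_resolver) -> List[Finding]:
    out: List[Finding] = []
    for name, records in baseline.items():
        out.extend(check_zone(name, records, resolve))
    return out


# Constructed snapshot of a hijacked zone: the A records now point elsewhere
# while NS is unchanged, i.e. the edit was made inside the provider's panel.
HIJACKED_SNAPSHOT = {
    "example.com": {
        "A": {"198.51.100.7"},
        "NS": {"ns1.dns-provider.example", "ns2.dns-provider.example"},
    },
}

if __name__ == "__main__":
    for f in check_all(resolve=make_fake_resolver(HIJACKED_SNAPSHOT)):
        print(f"[{f.severity}] {f.name} {f.rtype}: added={sorted(f.added)} removed={sorted(f.removed)}")
```

Run this from a host outside the provider's control (a cron job on a separate network is enough), because a check that resolves through the same provider panel the attacker just changed will happily confirm the attacker's records as current.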

This isn't the first time Twitter has had major headaches stemming from email security. Earlier this year Twitter was hacked and hundreds of confidential documents were stolen from its Google Docs repository in a similar incident. At that time, pundits began to question the wisdom of treating email as the primary trusted channel, given that email is a relatively weak system. After this latest hack, critics are no doubt gearing up to lambast Google Docs in particular and cloud computing in general.

The problem in this latest case, as in the past, lies with password recovery systems. Countless password recovery systems simply ask users for the email address given at registration and then send a new password or a link to reset it; this implicitly assumes that email accounts are secure. Recovery systems that ask for a bit of personal information (such as your mother's maiden name) aren't much better, since most of that information is easily found by even a moderately dedicated attacker. Password recovery is a genuinely tricky problem: any sufficiently elaborate recovery system risks becoming unusable for less-savvy users, yet any simpler system is bound to be abused.

Introducing a human element is one option. Given the size and importance of Twitter's operations, one would expect it to have a relationship with its vendors in which major changes, such as edits to DNS settings, are confirmed and sanity-checked by an actual person on the vendor's side before being committed. Even this line of defense, however, is vulnerable to social engineering, the low-tech manipulation of people that seasoned security analysts rank among the most effective attack techniques.
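The two preceding paragraphs make one design point together: a recovery or change flow is only as strong as the channel it trusts, and a high-risk change should be held until it is confirmed over a channel the requester did not just authenticate with. The code below is an added example (not the post's or any vendor's code) of that pattern: a gate that stages DNS updates and password resets, sends a single-use confirmation token over a second channel, stores only the token's hash, expires it, and refuses replays. The channel names, the 15-minute lifetime and the DNS payload are assumptions chosen for illustration; the clock is injected so the expiry path can be exercised offline.

```python
"""Stage high-risk account changes and require an out-of-band, single-use,
expiring confirmation before they are applied.

Added example, not from the post or any vendor's code. Channel names,
the token lifetime and the DNS payload are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

TOKEN_TTL_SECONDS = 15 * 60  # assumption: confirmations expire after 15 minutes
HIGH_RISK_KINDS = {"dns_update", "password_reset", "contact_email_change"}


@dataclass
class PendingChange:
    request_id: str
    account: str
    kind: str
    payload: dict
    token_hash: str          # only the hash of the confirmation token is stored
    expires_at: float
    used: bool = False


class ChangeGate:
    """Holds requested changes until confirmed over a second channel.

    `deliver(account, channel, token)` is the caller's out-of-band sender
    (SMS, phone callback, account-manager ticket); `apply(change)` commits
    the change once confirmed. Both are injected so the gate itself never
    uses email, the channel the attacker is assumed to control.
    """

    def __init__(self, deliver: Callable[[str, str, str], None],
                 apply: Callable[[PendingChange], None],
                 clock: Callable[[], float] = time.time):
        self._deliver, self._apply, self._clock = deliver, apply, clock
        self._pending: Dict[str, PendingChange] = {}

    def request(self, account: str, kind: str, payload: dict, channel: str) -> str:
        if kind not in HIGH_RISK_KINDS:
            raise ValueError(f"{kind} does not go through the gate")
        if channel == "email":
            raise ValueError("confirmation channel must be independent of email")
        token = secrets.token_urlsafe(32)
        request_id = secrets.token_hex(8)
        self._pending[request_id] = PendingChange(
            request_id, account, kind, payload,
            hashlib.sha256(token.encode()).hexdigest(),
            self._clock() + TOKEN_TTL_SECONDS)
        self._deliver(account, channel, token)   # token leaves only via the 2nd channel
        return request_id

    def confirm(self, request_id: str, token: str) -> str:
        """Return 'applied', 'invalid', 'expired' or 'already_used'."""
        change = self._pending.get(request_id)
        if change is None:
            return "invalid"
        if change.used:
            return "already_used"
        if self._clock() > change.expires_at:
            self._pending.pop(request_id)
            return "expired"
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, change.token_hash):
            return "invalid"          # constant-time compare, no hint which byte differed
        change.used = True            # mark before applying so a replay cannot re-run it
        self._apply(change)
        return "applied"


def demo():
    """Walk a DNS change through the gate with a controllable clock (constructed data)."""
    now = [1_000_000.0]
    delivered: Dict[str, str] = {}                  # what the out-of-band channel received
    zone = {"example.com": {"A": ["192.0.2.10"]}}   # constructed zone state

    def deliver(account, channel, token):
        delivered[account] = token

    def apply(change):
        zone[change.payload["name"]][change.payload["rtype"]] = change.payload["values"]

    gate = ChangeGate(deliver, apply, clock=lambda: now[0])
    rid = gate.request("ops@example.com", "dns_update",
                       {"name": "example.com", "rtype": "A", "values": ["192.0.2.20"]},
                       channel="sms")
    results = [gate.confirm(rid, "not-the-token")]                     # wrong token: nothing applied
    results.append(gate.confirm(rid, delivered["ops@example.com"]))    # real token: applied
    results.append(gate.confirm(rid, delivered["ops@example.com"]))    # replay: rejected
    rid2 = gate.request("ops@example.com", "dns_update",
                        {"name": "example.com", "rtype": "A", "values": ["198.51.100.7"]},
                        channel="sms")
    now[0] += TOKEN_TTL_SECONDS + 1                                    # let the second token expire
    results.append(gate.confirm(rid2, delivered["ops@example.com"]))
    return results, zone["example.com"]["A"]


if __name__ == "__main__":
    print(demo())   # (['invalid', 'applied', 'already_used', 'expired'], ['192.0.2.20'])
```

The human confirmation the post suggests fits the same gate: the `deliver` callback can open a ticket for an account manager instead of sending an SMS, and `apply` is only ever reached through `confirm`. What the gate cannot do is make the second channel trustworthy; if the person on the phone can be talked into reading the token back, social engineering bypasses it exactly as the post warns.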

One thing we can say for sure is that this keeps happening to Twitter, yet rarely happens to other social networks such as Facebook; the folks at Twitter must be asking themselves what differs between their own security practices and those of other social networks. I know I certainly am.

Dec 21, 2009
