Archive for the ‘Twitter’ Category

When the AP Twitter stream was hacked a few weeks ago, leading to a massive drop in the equities market, I went off. I found the fact that the AP – a news organization staffed by intelligent people and with a long history of adapting to new media – could be hacked through a phishing attack unconscionable. It would be like Bank of America being hacked by a group of script kiddies. Sadly, this happens over and over. Why?

Thankfully the folks at the Onion had the foresight to explain what exactly happened when the “Syrian Electronic Army” “hacked” their Twitter stream. If you run your company’s social media account, read it. The takeaways are here:

1. Make sure that your users are educated, and that they are suspicious of all links that ask them to log in, regardless of the sender.

2. The email addresses for your Twitter accounts should be on a system that is isolated from your organization’s normal email. This will make your Twitter accounts virtually invulnerable to phishing (provided that you’re using unique, strong passwords for every account).

3. All Twitter activity should go through an app of some kind, such as HootSuite. Restricting password-based access to your accounts prevents a hacker from taking total ownership, which takes much longer to rectify.

4. If possible, have a way to reach out to all of your users outside of their organizational email. In the case of the Guardian hack, the SEA posted screenshots of multiple internal security emails, probably from a compromised email address that was overlooked.

I think the third suggestion is the most important – always change your Twitter password on a regular basis and, more important, never ever ever ever click on a link that suggests you should change your Twitter password via the browser. If you must change your Twitter password, either do it directly through Twitter or, barring that, email Twitter. If you’re the AP or the ACLU or the Boston Pony And Terrier Lovers Of America Club, I’m sure they’ll help out.

Twitter itself needs to offer dual-factor authentication or, at the very least, send you a text when someone changes your password. This is imperative. Twitter is now a medium for corporate communications, and for it to have the security of a web forum is unconscionable.

The person in charge of your Twitter feed should also have a completely separate email address, outside of your domain, and that person should have a process in place to check the URL of the password change page and then only change the password if everything is kosher. At the risk of raising the script kiddie comparison again, I would say that most “hackers” depend more on the stupidity of their marks and less on their technical skill. Don’t be stupid.
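The “check the URL of the password change page” step above is the kind of thing that benefits from being written down as a repeatable check rather than left to eyeballing. The script below is an added example, not code from the original post or from Twitter; the `ALLOWED_HOSTS` allowlist, the function names and the sample links are all constructed for illustration. It fails closed: a link is only considered safe when it uses https, names a domain on the allowlist (or a subdomain of it), and carries none of the tricks that make a hostile host look like a familiar one to a casual reader (text before an `@`, a bare IP address, punycode labels, an unexpected port).

```python
"""
Check a password-change link before anyone clicks it, along the lines of the
"check the URL of the password change page" process described above.
Added example, not code from the original post; the allowlist, function names
and sample URLs are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Hosts we are willing to enter a Twitter password on. Anything else,
# lookalikes included, fails closed. (Assumed allowlist for this example.)
ALLOWED_HOSTS = ("twitter.com",)


def _host_is_allowed(host: str, allowed: tuple) -> bool:
    """True only if host equals an allowed host or is a subdomain of one.
    'twitter.com.evil.example' is NOT a subdomain of 'twitter.com'."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def check_password_page(url: str, allowed=ALLOWED_HOSTS):
    """Return (ok, reason). ok is True only when every check passes."""
    parts = urlsplit(url.strip())

    if parts.scheme.lower() != "https":
        return False, "not https"

    # In 'https://twitter.com@evil.example/' the browser goes to evil.example;
    # the text before '@' is merely a username. Reject any userinfo outright.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo (text before '@') in URL"

    host = parts.hostname  # urlsplit already lower-cases it
    if not host:
        return False, "no hostname"
    host = host.rstrip(".")  # 'twitter.com.' is the same name as 'twitter.com'

    try:
        ipaddress.ip_address(host)
        return False, "bare IP address instead of a domain name"
    except ValueError:
        pass  # not an IP literal, carry on

    # Punycode / non-ASCII labels can render as lookalike letters in the bar.
    if any(label.startswith("xn--") or not label.isascii()
           for label in host.split(".")):
        return False, "internationalised/punycode hostname"

    try:
        if parts.port is not None and parts.port != 443:
            return False, "non-standard port %d" % parts.port
    except ValueError:
        return False, "invalid port"

    if not _host_is_allowed(host, allowed):
        return False, "host %r is not on the allowlist" % host

    return True, "ok"


# Constructed sample links: one legitimate URL, one legitimate subdomain, and
# the kinds of lookalikes a phishing mail typically carries.
SAMPLE_LINKS = [
    "https://twitter.com/settings/password",
    "https://mobile.twitter.com/settings/password",
    "http://twitter.com/settings/password",
    "https://twitter.com.account-verify.example/settings/password",
    "https://twitter.com@198.51.100.7/settings/password",
    "https://198.51.100.7/settings/password",
    "https://xn--twtter-uib.com/settings/password",
]


def triage(links=SAMPLE_LINKS):
    """Map each link to its verdict so a reviewer can see why it failed."""
    return {link: check_password_page(link) for link in links}


if __name__ == "__main__":
    for link, (ok, reason) in triage().items():
        print("%-6s %s  (%s)" % ("SAFE" if ok else "REJECT", link, reason))
```

The allowlist is deliberately exact-match-or-subdomain rather than a substring search: a substring check on “twitter.com” is exactly what the `twitter.com.account-verify.example` style of link is built to pass. Extend `ALLOWED_HOSTS` with whatever hosts your own process actually trusts, and treat any `REJECT` as a reason to go to the site by typing the address yourself rather than by following the link.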