Attacks/Breaches
5/2/2013
11:22 AM

Twitter To News Outlets: More Takeovers Ahead

Twitter memo warns of ongoing account takeover attempts, urges media businesses to prepare. Should Twitter be doing more?

Twitter this week warned news and media outlets to expect ongoing attempts to take over their Twitter accounts and offered detailed guidance for how businesses could improve their security posture.

"There have been several recent incidents of high-profile news and media Twitter handles being compromised. We believe that these attacks will continue, and that news and media organizations will continue to be high value targets to hackers," read a memo distributed this week by Twitter and reprinted by Buzzfeed.

Twitter's security outreach campaign comes in the wake of the Syrian Electronic Army this week compromising more than a dozen Twitter accounts maintained by the Guardian to decry its "lies and slander about Syria." That followed the hacktivist group last week compromising multiple Associated Press accounts and issuing a hoax tweet claiming that explosions at the White House had injured President Obama. The tweet led to a brief downturn in the stock market. The group's previous Twitter account compromises have affected Al-Jazeera English, BBC, CBS, France24, National Public Radio, Reuters and Sky News.

How does Twitter recommend that businesses at high risk of having their Twitter accounts compromised -- by a hacktivist group that's strongly aligned to Syrian President Bashar al-Assad, or anyone else with a grudge -- protect themselves?

For starters, it recommends employee training, pointing out that the recent account takeovers appear to be spear-phishing attacks targeting corporate email. Twitter therefore recommends that businesses promote awareness of these attacks among individual employees. In other words, train your employees to recognize fake emails.

Twitter also recommends that businesses set a randomly generated password at least 20 characters long, never distribute passwords via email, use password managers, change passwords regularly and make sure that every "authorized application" allowed to access a Twitter account is one they recognize. It also recommends tying the Twitter account's email address to an email system that uses two-factor authentication -- be it Gmail, Hotmail or a corporate email system -- to make it harder for attackers to use password resets to gain control of accounts.

Finally, Twitter also suggested that high-risk businesses consider setting aside one computer for tweeting and little else. "Don't use this computer to read email or surf the Web, to reduce the chances of malware infection," Twitter recommended. "This helps keep your Twitter password from being spread around."

Twitter's guidance to businesses aside, is there more that the company could do to protect its users? Notably, Twitter is reportedly beta-testing two-factor authentication for its site. But two-factor authentication won't protect Twitter users from having their credentials intercepted via malware or phishing attacks. That's why many security experts have been calling on Twitter to put more robust defenses in place for blocking account takeovers -- for example, by taking a page from Facebook and allowing users to register machines as "trusted," or requiring additional login credentials when someone tries to access an account from a new geographic region for the first time.
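The two defenses named above, trusted machines and a second factor on the first login from a new region, as an added login policy sketch (not Twitter's or Facebook's code; the event fields, device ids and region codes are constructed assumptions):

```python
# Added example (not Twitter's code): a login policy combining Facebook-style
# "trusted machines" with a step-up requirement the first time an account is
# used from a region it has never been seen in. Event fields, region codes and
# device ids below are constructed assumptions for illustration.
from dataclasses import dataclass, field

ALLOW, STEP_UP = "allow", "step_up"

@dataclass
class AccountState:
    trusted_devices: set = field(default_factory=set)  # device ids the owner registered
    seen_regions: set = field(default_factory=set)     # regions with a prior verified login

@dataclass
class LoginAttempt:
    device_id: str                  # cookie/fingerprint identifying the browser or machine
    region: str                     # region derived from IP geolocation (assumed ISO code)
    second_factor_ok: bool = False  # whether a second factor was presented and verified

def evaluate_login(state: AccountState, attempt: LoginAttempt) -> str:
    """Decide on an attempt whose password already checked out."""
    if attempt.device_id in state.trusted_devices:
        return ALLOW                                    # trusted machine: no step-up
    if attempt.region not in state.seen_regions and not attempt.second_factor_ok:
        return STEP_UP                                  # new region: demand a second factor
    state.seen_regions.add(attempt.region)              # learn a region only after a verified login
    return ALLOW

def trust_device(state: AccountState, attempt: LoginAttempt) -> None:
    """Register a machine as trusted, but only once it has passed a second factor."""
    if attempt.second_factor_ok:
        state.trusted_devices.add(attempt.device_id)

def run_scenario() -> list:
    """Replay a constructed sequence of attempts and return the decisions in order."""
    state = AccountState()
    attempts = [
        LoginAttempt("laptop-1", "US"),                         # first ever login: new region
        LoginAttempt("laptop-1", "US", second_factor_ok=True),  # second factor supplied
        LoginAttempt("phone-1", "US"),                          # known region, untrusted device
        LoginAttempt("unknown-1", "DE"),                        # phished password used from a new region
        LoginAttempt("laptop-1", "DE"),                         # owner travelling on the trusted laptop
    ]
    decisions = []
    for i, attempt in enumerate(attempts):
        decisions.append(evaluate_login(state, attempt))
        if i == 1:
            trust_device(state, attempt)                        # owner registers the laptop
    return decisions
```

A phished password alone is stopped at the fourth attempt, while the owner's registered laptop is not challenged again even from an unfamiliar region.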

Twitter may also need to begin encrypting the session tokens it issues. "Not all account hijacks are based on phishing and spear-phishing. Sometimes tweets are sent out because an unencrypted session is hijacked and while this may not be the case in this instance, it's sometimes convenient for service providers to assume that security breaches are the fault of the user," said David Harley, senior research fellow at security firm ESET, in a blog post.

"There are limits to what Twitter [or the user] can do about this issue," Harley added. "However, the risk can be reduced by browsing from VPN connections and/or accessing sites via SSL, but that's not always convenient. What might also help is not having a Twitter account running permanently in the background, but that may not be convenient for many Twitter users either."

PJS880
5/27/2013 | 8:38:34 PM
re: Twitter To News Outlets: More Takeovers Ahead
If you are not taking the security of your system seriously in this day and age then you are not reading the news and all the current breaches that are occurring. Most of the current attacks are due to uninformed employees who answer these phishing emails. I agree that with proper training an employee could spot a potentially dangerous email. Twitter's recommendation of using a single node in the office is not at all realistic. At the very least look at emails more cautiously because they are now aware of the threats that exist. This also touches on the extent that Twitter is liable for. If a user is careless with their credentials and lacks the knowledge to protect their own systems, then I do not believe that is Twitter's responsibility.

Paul Sprague

InformationWeek Contributor