8/8/2012
01:46 PM

5 Steps To Prevent Twitter Hacks

Twitter security is in the spotlight after high-profile account hijacks that hit Reuters and a tech journalist. Here are protective moves for individuals and enterprises.

Remember when kids used to knock over garbage cans for fun? Now, at least some of that energy appears to have been redirected online, toward the takeover of Twitter accounts.

For starters, on Friday a 19-year-old who goes by the handle "Phobia" hacked into journalist Mat Honan's Twitter account, after first gaining access to Honan's Amazon, Apple, and Google accounts, which he erased--together with Honan's iPhone, iPad, and MacBook Air--along the way.

Sunday, an attacker with more of a political bent hacked into the @ReutersTech Twitter feed, which has 17,000 followers, and began tweeting such messages as "White house spokesperson says financial and technical support given to #AlQaeda operatives in #Syria" and "Obama signs executive order banning any further investigation of 9/11." Security experts suspect that the Syrian Electronic Army--a self-described "virtual army" that enjoys at least tacit support from Syrian president Bashar al-Assad--was behind the takeover.

In the wake of those two high-profile Twitter account compromises--not to mention numerous past incidents involving other businesses--what can users of the online social network and microblogging service do to protect their accounts? Begin with these five steps.

1. Don't Tie Twitter To Webmail Accounts
Cloud services such as Twitter typically require an email address as the username. But one security misstep documented by Honan was that he used his Gmail address--which was publicly listed on other sites--as his Twitter username. Once attackers had gained access to his Gmail account, they asked Twitter to reset his password; the reset link was emailed to Gmail, so they could take over the Twitter account and change the password to one of their choosing.


As Honan noted: "My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter." To make online services such as Twitter harder for attackers to gain access to, use an email address that isn't hosted--or accessible--by a cloud service. If you must use a Gmail address, then employ Google's free two-factor authentication system.

2. Practice Proper Access Management
Accessing Honan's Twitter account gave attackers a bonus: they were also able to post to the Gizmodo Twitter feed, which has 416,000 followers. That capability came thanks to Honan having formerly been in control of Gizmodo's Twitter account. In other words, Gizmodo's information security department--per access management best practices--should have maintained an access control list that included Twitter, and deleted the link with Honan's Twitter account after he ceased working for the company.
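The daisy chain Honan describes (step 1) and the stale corporate link (step 2) can both be checked mechanically. As an added example that is not part of the original article, this Python sketch models account-recovery dependencies as a directed graph, computes the blast radius of compromising any one account, and shows the effect of re-pointing recovery at a dedicated mailbox; the account names and edges are constructed from the article's narrative, and `dedicated_recovery_mailbox` is a hypothetical placeholder.

```python
from collections import deque

# Constructed example: a directed graph of account-recovery dependencies modelled
# on the chain described in the article. An edge A -> B means that controlling A
# is enough to take over B (its password reset or recovery lands in / relies on A).
RECOVERY_EDGES = {
    "amazon": {"apple_id"},             # getting into Amazon let attackers into the Apple ID
    "apple_id": {"gmail"},              # Apple ID access helped them get into Gmail
    "gmail": {"twitter"},               # Gmail address was the Twitter username / reset address
    "twitter": {"gizmodo_twitter"},     # stale posting rights to a corporate account (step 2)
    "gizmodo_twitter": set(),
}

def blast_radius(edges, start):
    """Every account that falls once `start` is compromised (BFS transitive closure)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in seen and nxt != start:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def riskiest_entry_points(edges, high_value):
    """Rank accounts by how many high-value accounts their compromise exposes."""
    ranked = []
    for acct in edges:
        exposed = blast_radius(edges, acct) & set(high_value)
        if exposed:
            ranked.append((len(exposed), acct, sorted(exposed)))
    return sorted(ranked, key=lambda t: (-t[0], t[1]))

def break_chain(edges, acct, dedicated_mailbox):
    """Re-point `acct`'s recovery at a dedicated, non-daisy-chained mailbox (the article's advice)."""
    fixed = {k: set(v) for k, v in edges.items()}
    for src in fixed:
        fixed[src].discard(acct)
    fixed.setdefault(dedicated_mailbox, set()).add(acct)
    return fixed

if __name__ == "__main__":
    print("compromising amazon exposes:", sorted(blast_radius(RECOVERY_EDGES, "amazon")))
    for count, acct, exposed in riskiest_entry_points(RECOVERY_EDGES, ["twitter", "gizmodo_twitter"]):
        print(f"{acct}: {count} high-value account(s) reachable -> {exposed}")
    hardened = break_chain(RECOVERY_EDGES, "twitter", "dedicated_recovery_mailbox")
    print("after re-pointing twitter recovery, amazon exposes:", sorted(blast_radius(hardened, "amazon")))
```

Removing the stale `twitter -> gizmodo_twitter` edge from the model is the access-review step; the ranking shows which personal account is the cheapest way into the corporate feed before and after that cleanup.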

3. Use Unique Passwords
While it might sound basic, also ensure that all passwords for corporate Twitter accounts are unique, as well as complex. For example, following the Fox News Twitter account hack last year--attackers issued fake tweets claiming that President Obama had been killed--security experts guessed that either Fox News had been using an easy-to-guess password, or that the password had been reused elsewhere.

4. Keep Self-Hosted Web Software Updated
Collateral damage was a theme in the Honan hack, and the same is true in the case of Reuters. Notably, attackers also compromised a WordPress blog hosted by Reuters, posted a fake interview with a Syrian rebel army leader that remained online for about six hours, and issued a tweet with a link to the interview.

Attackers likely gained access to the Reuters WordPress blog by exploiting known, exploitable vulnerabilities. Mark Jaquith, a lead WordPress developer as well as a member of its security team, told The Wall Street Journal that Reuters was using version 3.1.1 instead of the current version 3.4.1, which has the most recent security patches. "If organizations ignore those notifications and stay on an outdated version, then they put themselves at risk of these sorts of breaches," said Jaquith.

5. Secure All Blogs Set To Auto-Tweet
Many WordPress accounts are also set to automatically issue a tweet whenever a new post goes live. In such cases, attackers would only need to access a business's WordPress blog to begin issuing tweets in the company's name.

With that in mind, how can software such as WordPress be kept up to date? In-application warnings alert administrators whenever there's an update, but signing up for emailed vendor updates--especially relating to security fixes--is also essential, according to Chester Wisniewski, a senior security advisor at Sophos Canada. Meanwhile, he said that any company that outsources its blog should review the outsourcer's updating policies to see how quickly the software, as well as any related add-ons or infrastructure, will be patched.

Comments
TS_Time
User Rank: Apprentice
9/3/2012 | 5:00:05 PM
re: 5 Steps To Prevent Twitter Hacks
And they will continue to be hacked and defrauded until they implement some form of 2FA (two-factor authentication) where you can telesign into your account.
Mack Knife
User Rank: Apprentice
8/8/2012 | 10:30:08 PM
re: 5 Steps To Prevent Twitter Hacks
You forgot the most important step:

Do not use Twitter. Is your personality really so shallow that you must twit your every move, thought or happening? More important, do you really think others really care that much about what you do?

Your friends have become nothing more than hash tags; people you really don't know anymore and are more likely to be a bot than a person anyway.

Can you honestly say that between twitter and facebook that you can add up all the links and come up with a real person? You shamelessly give away your profile that twitter and facebook sell for money while you get what in return? Access? Access to what?

Go outside, smile at the next person you walk past and say "hi". Unless they are like most twits and faces, completely self absorbed, they will usually smile back and return the "hi". In that instant you will have connected with another human being and accomplished more than all the days and nights you spend twitting, facing or booking.

What a day it will be when the tipping point is reached and everyone realizes that twitter and facebook are really nothing but vapor.