5 Steps To Prevent Twitter Hacks

Twitter security is in the spotlight after high-profile account hijacks that hit Reuters and a tech journalist. Here are protective moves for individuals and enterprises.

Remember when kids used to knock over garbage cans for fun? Now, at least some of that energy appears to have been redirected online, toward the takeover of Twitter accounts.

For starters, on Friday a 19-year-old who goes by the handle "Phobia" hacked into journalist Mat Honan's Twitter account, after first gaining access to Honan's Amazon, Apple, and Google accounts, which he erased--together with Honan's iPhone, iPad, and MacBook Air--along the way.

Sunday, an attacker with more of a political bent hacked into the @ReutersTech Twitter feed, which has 17,000 followers, and began tweeting such messages as "White house spokesperson says financial and technical support given to #AlQaeda operatives in #Syria" and "Obama signs executive order banning any further investigation of 9/11." Security experts suspect that the Syrian Electronic Army--a self-described "virtual army" that enjoys at least tacit support from Syrian president Bashar al-Assad--was behind the takeover.

In the wake of those two high-profile Twitter account compromises--not to mention numerous past incidents involving other businesses--what can users of the online social network and microblogging service do to protect their accounts? Begin with these five steps.

1. Don't Tie Twitter To Webmail Accounts
Cloud services such as Twitter typically require an email address for a username. One security misstep Honan documented was that he used his Gmail address--which was publicly listed on other sites--as his Twitter username. Once attackers gained access to his Gmail account, they asked Twitter to reset the password; the reset was emailed to Gmail, which let them take over the Twitter account and change the password to one of their choosing.


As Honan noted: "My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter." To make online services such as Twitter harder for attackers to gain access to, use an email address that isn't hosted--or accessible--by a cloud service. If you must use a Gmail address, then employ Google's free two-factor authentication system.
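To make the daisy-chain risk concrete, here is an added Python example (not from the article) that models which account can reset which and computes how far a single compromise spreads. The account names follow Honan's description, and the rule that two-factor authentication stops the chain at that account is an illustrative assumption.

```python
"""Recovery-chain audit: added example, not from the article."""
from collections import defaultdict

# Constructed map of "account -> account that can reset its password",
# following the chain Honan described (Amazon -> Apple ID -> Gmail -> Twitter).
RECOVERY = {
    "twitter": "gmail",
    "gmail": "apple_id",
    "apple_id": "amazon",
    "amazon": None,       # root: nothing in this map resets Amazon
}

def blast_radius(recovery, root, has_2fa=frozenset()):
    """Accounts an attacker reaches after taking over `root`.

    Assumption (illustrative): an account in `has_2fa` does not fall just
    because its recovery account fell, since the second factor is still missing.
    """
    dependents = defaultdict(set)       # account -> accounts it can reset
    for acct, via in recovery.items():
        if via is not None:
            dependents[via].add(acct)
    reached, stack = {root}, [root]
    while stack:
        for nxt in dependents[stack.pop()]:
            if nxt not in reached and nxt not in has_2fa:
                reached.add(nxt)
                stack.append(nxt)
    return reached

def chain_length(recovery, account):
    """Number of hops from `account` back to the root that ultimately guards it."""
    hops, seen = 0, set()
    while recovery.get(account) is not None:
        if account in seen:             # a cycle means no account guards the others
            return None
        seen.add(account)
        account, hops = recovery[account], hops + 1
    return hops

def report(recovery, has_2fa=frozenset()):
    """Per-account blast radius, largest first, so the riskiest root is obvious."""
    rows = [(len(blast_radius(recovery, a, has_2fa)), a) for a in recovery]
    return sorted(rows, reverse=True)

if __name__ == "__main__":
    for size, acct in report(RECOVERY):
        print(f"{acct:10s} compromise reaches {size} account(s)")
    print("with 2FA on gmail:", report(RECOVERY, has_2fa={"gmail"}))
```

Run against a real inventory of services and their recovery addresses, the report shows which single account (here Amazon) an attacker would target to unwind everything else.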

2. Practice Proper Access Management
Accessing Honan's Twitter account gave attackers a bonus: they were also able to post to the Gizmodo Twitter feed, which has 416,000 followers. That capability came thanks to Honan having formerly been in control of Gizmodo's Twitter account. In other words, Gizmodo's information security department--per access management best practices--should have maintained an access control list that included Twitter, and deleted the link with Honan's Twitter account after he ceased working for the company.

3. Use Unique Passwords
While it might sound basic, also ensure that all passwords for corporate Twitter accounts are unique, as well as complex. For example, following the Fox News Twitter account hack last year--attackers issued fake tweets claiming that President Obama had been killed--security experts guessed that either Fox News had been using an easy-to-guess password, or that the password had been reused elsewhere.

4. Keep Self-Hosted Web Software Updated
Collateral damage was a theme in the Honan hack, and the same is true in the case of Reuters. Notably, attackers also compromised a WordPress blog hosted by Reuters, posted a fake interview with a Syrian rebel army leader that remained online for about six hours, and issued a tweet with a link to the interview.

Attackers likely gained access to the Reuters WordPress blog by exploiting known vulnerabilities in an outdated version. Mark Jaquith, a lead WordPress developer as well as a member of its security team, told The Wall Street Journal that Reuters was using version 3.1.1 instead of the current version 3.4.1, which has the most recent security patches. "If organizations ignore those notifications and stay on an outdated version, then they put themselves at risk of these sorts of breaches," said Jaquith.

5. Secure All Blogs Set To Auto-Tweet
Many WordPress accounts are also set to automatically issue a tweet whenever a new post goes live. In such cases, attackers would only need to access a business' WordPress blog to begin issuing tweets in the company's name.

With that in mind, how can software such as WordPress be kept up to date? In-application warnings alert administrators whenever there's an update, but signing up for emailed vendor updates--especially relating to security fixes--is also essential, according to Chester Wisniewski, a senior security advisor at Sophos Canada. Meanwhile, he said that any company that outsources its blog should review the outsourcer's updating policies to see how quickly the software, as well as any related add-ons or infrastructure, will be patched.
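As an added example (not from the article or the WordPress project), the following Python script audits a WordPress install the way a defender would before relying on in-application update notices: it reads the `$wp_version` assignment from `wp-includes/version.php` and compares it against the version the article names as current. The `version.php` contents below are constructed to match the outdated install the article describes.

```python
"""WordPress version audit: added example, not from the article or WordPress."""
import re

# Constructed stand-in for wp-includes/version.php on a neglected install.
VERSION_PHP = """<?php
$wp_version = '3.1.1';
$wp_db_version = 17516;
"""

CURRENT = "3.4.1"  # version the article names as current at the time

def parse_version(s):
    """Split '3.4.1-beta1' into ((3, 4, 1), 'beta1'); '3.4' pads to (3, 4, 0)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z0-9.]+))?", s.strip())
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    return nums, m.group(2)

def version_key(s):
    """Sort key: a final release ranks above pre-releases of the same number."""
    nums, pre = parse_version(s)
    return nums + ((1, "") if pre is None else (0, pre))

def installed_version(version_php):
    """Pull the value assigned to $wp_version out of version.php text."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)

def audit(version_php, current=CURRENT):
    """Report the installed version and whether it lags the known-current one."""
    inst = installed_version(version_php)
    return {
        "installed": inst,
        "current": current,
        "outdated": version_key(inst) < version_key(current),
    }

if __name__ == "__main__":
    result = audit(VERSION_PHP)
    status = "OUTDATED" if result["outdated"] else "up to date"
    print(f"WordPress {result['installed']} ({status}; current is {result['current']})")
```

In practice the `current` value comes from the vendor's release announcements or mailing list, which is exactly the feed Wisniewski recommends subscribing to.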

User Rank: Apprentice
9/3/2012 | 5:00:05 PM
re: 5 Steps To Prevent Twitter Hacks
And they will continue to be hacked and defrauded until they implement some form of 2FA (two-factor authentication) where you can telesign into your account.
Mack Knife,
User Rank: Apprentice
8/8/2012 | 10:30:08 PM
re: 5 Steps To Prevent Twitter Hacks
You forgot the most important step:

Do not use Twitter. Is your personality really so shallow that you must twit your every move, thought or happening? More important, do you really think others really care that much about what you do?

Your friends have become nothing more than hash tags; people you really don't know anymore and are more likely to be a bot than a person anyway.

Can you honestly say that between twitter and facebook that you can add up all the links and come up with a real person? You shamelessly give away your profile that twitter and facebook sell for money while you get what in return? Access? Access to what?

Go outside, smile at the next person you walk past and say "hi". Unless they are like most twits and faces, completely self absorbed, they will usually smile back and return the "hi". In that instant you will have connected with another human being and accomplished more than all the days and nights you spend twitting, facing or booking.

What a day it will be when the tipping point is reached and everyone realizes that twitter and facebook are really nothing but vapor.