Vulnerabilities / Threats
01:46 PM
Connect Directly

5 Steps To Prevent Twitter Hacks

Twitter security is in the spotlight after high-profile account hijacks that hit Reuters and a tech journalist. Here are protective moves for individuals and enterprises.

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
Remember when kids used to knock over garbage cans for fun? Now, at least some of that energy appears to have been redirected online, toward the takeover of Twitter accounts.

For starters, a 19-year-old who goes by the handle "Phobia" Friday hacked into journalist Mat Honan's Twitter account, after first gaining access to Honan's Amazon, Apple, and Google accounts, which he erased--together with Honan's iPhone, iPad, and Macbook Air--along the way.

Sunday, an attacker with more of a political bent hacked into the @ReutersTech Twitter feed, which has 17,000 followers, and began tweeting such messages as "White house spokesperson says financial and technical support given to #AlQaeda operatives in #Syria" and "Obama signs executive order banning any further investigation of 9/11." Security experts suspect that the Syrian Electronic Army--a self-described "virtual army" that enjoys at least tacit support from Syrian president Bashar al-Assad--was behind the takeover.

In the wake of those two high-profile Twitter account compromises--not to mention numerous past incidents involving other businesses--what can users of the online social network and microblogging service do to protect their accounts? Begin with these five steps.

1. Don't Tie Twitter To Webmail Accounts
Cloud services such as Twitter typically require an email address for a username. But one security misstep documented by Honan was the fact that he used his Gmail address--which was publicly listed on other sites--as his Twitter username. Once attackers successfully gained access to his Gmail account, they told Twitter to reset the password, which was emailed to Gmail, which allowed them to compromise the Twitter account and change the password to one of their choosing.

[ Planning is key to keeping your business going when you're hit with an exploit. Zero-Day Attacks Can Impact Business Continuity. ]

As Honan noted: "My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter." To make online services such as Twitter harder for attackers to gain access to, use an email address that isn't hosted--or accessible--by a cloud service. If you must use a Gmail address, then employ Google's free two-factor authentication system.

2. Practice Proper Access Management
Accessing Honan's Twitter account gave attackers a bonus: they were also able to post to the Gizmodo Twitter feed, which has 416,000 followers. That capability came thanks to Honan having formerly been in control of Gizmodo's Twitter account. In other words, Gizmodo's information security department--per access management best practices--should have maintained an access control list that included Twitter, and deleted the link with Honan's Twitter account after he ceased working for the company.

3. Use Unique Passwords
While it might sound basic, also ensure that all passwords for corporate Twitter accounts are unique, as well as complex. For example, following the Fox News Twitter account hack last year--attackers issued fake tweets claiming that President Obama had been killed--security experts guessed that either Fox News had been using an easy-to-guess password, or that the password had been reused elsewhere.

4. Keep Self-Hosted Web Software Updated
Collateral damage was a theme in the Honan hack, and the same is true in the case of Reuters. Notably, attackers also compromised a WordPress blog hosted by Reuters, posted a fake interview with a Syrian rebel army leader that remained online for about six hours, and issued a tweet with a link to the interview.

Attackers likely gained access to the Reuters WordPress blog by exploiting known, exploitable vulnerabilities. Mark Jaquith, a lead WordPress developer as well as a member of its security team, told The Wall Street Journal that Reuters was using version 3.1.1 instead of the current version 3.4.1, which has the most recent security patches. "If organizations ignore those notifications and stay on an outdated version, then they put themselves at risk of these sorts of breaches," said Jaquith.

5. Secure All Blogs Set To Auto-Tweet
Many WordPress accounts are also set to automatically issue a tweet whenever a new post goes live. In such cases, attackers would only need to access a business' WordPress blog to begin issuing tweets in the company's name.

With that in mind, how can software such as WordPress be kept up to date? In-application warnings alert administrators whenever there's an update, but signing up for emailed vendor updates--especially relating to security fixes--is also essential, according to Chester Wisniewski, a senior security advisor at Sophos Canada. Meanwhile, he said that any company that outsources its blog should review the outsourcer's updating policies to see how quickly the software, as well as any related add-ons or infrastructure, will be patched.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/3/2012 | 5:00:05 PM
re: 5 Steps To Prevent Twitter Hacks
. And they will continue to be hacked and defrauded until they implement some form of 2FA (two-factor authentication) where you can telesign into your account.
Mack Knife
Mack Knife,
User Rank: Apprentice
8/8/2012 | 10:30:08 PM
re: 5 Steps To Prevent Twitter Hacks
You forgot the most important step:

Do not use Twitter. Is your personality really so shallow that you must twit your every move, thought or happening. More important, do you really think others really care that much about what you do?

Your friends have become nothing more than hash tags; people you really don't know anymore and are more likely to be a bot than a person anyway.

Can you honestly say that between twitter and facebook that you can add up all the links and come up with a real person? You shamelessly give away your profile that twitter and facebook sell for money while you get what in return? Access? Access to what?

Go outside, smile at the next person you walk past and say "hi". Unless they are like most twits and faces, completely self absorbed, they will usually smile back and return the "hi". In that instant you will have connected with another human being and accomplished more than all the days and nights you spend twitting, facing or booking.

What a day it will be when the tipping point is reached and everyone realizes that twitter and facebook are really nothing but vapor.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.