Twitter security is in the spotlight after high-profile account hijacks that hit Reuters and a tech journalist. Here are protective moves for individuals and enterprises.

Mathew J. Schwartz, Contributor

August 8, 2012

4 Min Read

11 Security Sights Seen Only At Black Hat

11 Security Sights Seen Only At Black Hat

11 Security Sights Seen Only At Black Hat (click image for larger view and for slideshow)

Remember when kids used to knock over garbage cans for fun? Now, at least some of that energy appears to have been redirected online, toward the takeover of Twitter accounts.

For starters, a 19-year-old who goes by the handle "Phobia" Friday hacked into journalist Mat Honan's Twitter account, after first gaining access to Honan's Amazon, Apple, and Google accounts, which he erased--together with Honan's iPhone, iPad, and Macbook Air--along the way.

Sunday, an attacker with more of a political bent hacked into the @ReutersTech Twitter feed, which has 17,000 followers, and began tweeting such messages as "White house spokesperson says financial and technical support given to #AlQaeda operatives in #Syria" and "Obama signs executive order banning any further investigation of 9/11." Security experts suspect that the Syrian Electronic Army--a self-described "virtual army" that enjoys at least tacit support from Syrian president Bashar al-Assad--was behind the takeover.

In the wake of those two high-profile Twitter account compromises--not to mention numerous past incidents involving other businesses--what can users of the online social network and microblogging service do to protect their accounts? Begin with these five steps.

1. Don't Tie Twitter To Webmail Accounts
Cloud services such as Twitter typically require an email address for a username. But one security misstep documented by Honan was the fact that he used his Gmail address--which was publicly listed on other sites--as his Twitter username. Once attackers successfully gained access to his Gmail account, they told Twitter to reset the password, which was emailed to Gmail, which allowed them to compromise the Twitter account and change the password to one of their choosing.

[ Planning is key to keeping your business going when you're hit with an exploit. Zero-Day Attacks Can Impact Business Continuity. ]

As Honan noted: "My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter." To make online services such as Twitter harder for attackers to gain access to, use an email address that isn't hosted--or accessible--by a cloud service. If you must use a Gmail address, then employ Google's free two-factor authentication system.

2. Practice Proper Access Management
Accessing Honan's Twitter account gave attackers a bonus: they were also able to post to the Gizmodo Twitter feed, which has 416,000 followers. That capability came thanks to Honan having formerly been in control of Gizmodo's Twitter account. In other words, Gizmodo's information security department--per access management best practices--should have maintained an access control list that included Twitter, and deleted the link with Honan's Twitter account after he ceased working for the company.

3. Use Unique Passwords
While it might sound basic, also ensure that all passwords for corporate Twitter accounts are unique, as well as complex. For example, following the Fox News Twitter account hack last year--attackers issued fake tweets claiming that President Obama had been killed--security experts guessed that either Fox News had been using an easy-to-guess password, or that the password had been reused elsewhere.

4. Keep Self-Hosted Web Software Updated
Collateral damage was a theme in the Honan hack, and the same is true in the case of Reuters. Notably, attackers also compromised a WordPress blog hosted by Reuters, posted a fake interview with a Syrian rebel army leader that remained online for about six hours, and issued a tweet with a link to the interview.

Attackers likely gained access to the Reuters WordPress blog by exploiting known, exploitable vulnerabilities. Mark Jaquith, a lead WordPress developer as well as a member of its security team, told The Wall Street Journal that Reuters was using version 3.1.1 instead of the current version 3.4.1, which has the most recent security patches. "If organizations ignore those notifications and stay on an outdated version, then they put themselves at risk of these sorts of breaches," said Jaquith.

5. Secure All Blogs Set To Auto-Tweet
Many WordPress accounts are also set to automatically issue a tweet whenever a new post goes live. In such cases, attackers would only need to access a business' WordPress blog to begin issuing tweets in the company's name.

With that in mind, how can software such as WordPress be kept up to date? In-application warnings alert administrators whenever there's an update, but signing up for emailed vendor updates--especially relating to security fixes--is also essential, according to Chester Wisniewski, a senior security advisor at Sophos Canada. Meanwhile, he said that any company that outsources its blog should review the outsourcer's updating policies to see how quickly the software, as well as any related add-ons or infrastructure, will be patched.

Read more about:


About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights