All the latest UK technology news, reviews and analysis


How to protect your Twitter account from hackers

10 May 2013
New Twitter logo

The use of social networking accounts by businesses for public relations and publicity is creating a fresh set of security headaches for users and service operators.

Recently, a spate of high-profile Twitter account hacks has put a focus on social networking security. News sites such as the Associated Press and The Onion have fallen prey to account thefts from phishing operations, while writer Candace Bushnell had her account breached by Guccifer, the same hacker who famously breached the account of former President George W Bush. In the case of Bushnell, the attack also led to a costly data breach as the first 50 pages of the Sex and the City author's new novel were leaked.

While Twitter is putting protection in place for individual users by adding measures such as two-factor authentication, such security precautions are less practical for corporate publicity accounts where multiple people share an account and require access independently.

The unique challenges posed by company accounts and the outbreak of attacks exploiting them is causing security experts to suggest a new approach to managing and securing accounts. Scott Hazdra, principal security consultant with Neohapsis, told V3 that in order to secure accounts where one person alone can't be responsible for access, measures have to be taken to mitigate risk.

Hazdra said that companies operating Twitter accounts designed to interact with the public should minimise the potential for a breach by keeping access to such accounts limited and by following best practices with passwords.

"They can keep the number of people who know the shared password and accounts to the bare minimum, don't involve people who post once a year. Figure out who the people are who are involved in the task and enable them," Hazdra said.

In addition, Hazdra noted that accounts that manage secured content, as in the case of Bushnell, should encrypt files before uploading to sharing sites and transmit keys to recipients via a secure medium such as a phone call.

For many firms, however, even the basic security practices are falling on deaf ears. Hazdra noted that the Bush and Bushnell attacks were likely performed by guessing recovery answers and passwords with publicly available information, while the AP and Onion attacks were apparently the result of a phishing operation. In such cases, even limiting the access of multiple users would be futile as the attacker would still be able to take over an account.

Hazdra added: "The battle cry to create strong passwords is still as relevant today as it was 10 years ago. The thing that is striking is still today phishing and guessing are attacks that succeed, some of the things we have been seeing for years still hold true."

Over the long haul, the service providers themselves may need to put business-specific protections in place. Hazdra suggests that companies such as Twitter could help to better protect corporate and publicity-oriented accounts by allowing varying levels of access and permissions.

In such a scenario, an administrator would be allowed to set up an account and set an email address for password recovery and reset. Such permissions would be limited to that administrator and other users would not have edit permissions. Lower-level users could then be added to an account and have permissions such as posting content or re-tweeting but would not be able to make the changes that would allow an attacker or malicious insider to hijack an account and prevent password recovery.

"Along with two-factor authentication social media sites should incorporate this notion of multiple levels of user access. That type of function would serve a lot of social media and broadcast sites well," Hazdra said.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Shaun Nichols
About

Shaun Nichols is the US correspondent for V3.co.uk. He has been with the company since 2006, originally joining as a news intern at the site's San Francisco offices.

More on Security
What do you think?
blog comments powered by Disqus
Poll

Windows 10 poll

What are your first impressions of Windows 10?
13%
3%
9%
4%
23%
4%
44%

Popular Threads

Powered by Disqus
V3 Sungard roundtable event - Cloud computing security reliability and scalability discussion

CIOs debate how to overhaul businesses for the digital era

V3 hosts roundtable with Sungard Availability Services

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv3may

Getting started with virtualisation

Virtualisation can help you reduce costs, improve application availability, and simplify IT
management. However, getting started can be challenging

ibmv3may

Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

Java Solution Architect

Java Solution Architect / Architecture / e-commerce...

Oracle DBA - Oracle EBS - London, Birmingham, Manchester

Oracle DBA - Oracle EBS/HYPERION/ESSBABSE/UNIX/LINUX...

Software Test Analyst

QA Analyst - Milton Keynes area Are you a versatile...

Oracle DBA - Oracle EBS/HYPERION/UNIX - London, North West

Oracle DBA - Oracle EBS/HYPERION/ESSBABSE/UNIX/LINUX...
To send to more than one email address, simply separate each address with a comma.