The recent spate of hacks on high-profile Twitter accounts has prompted calls from the social network and the wider security industry for organisations to bolster defences around their online profiles.
Several accounts belonging to the Guardian were compromised at the beginning of the week, leading to a slew of tweets from hackers claiming to be part of the prolific Syrian Electronic Army. Similar attacks have already struck groups such as the Associated Press, the BBC, Burger King and Jeep this year, forcing Twitter to send security advice to organisations using the social network.
“Help us protect you,” the company said in an email quoted by the BBC. “We’re working to make sure we have the most updated information on our partners’ accounts. Please send us a complete list of all accounts affiliated with your organisation, so that we can help keep them protected.”
Suggested measures included making sure passwords were more than 20 characters long and made up of random number and letter sequences. The site also advised having just “one computer to use for Twitter… This helps keep your Twitter password from being spread around.
“Don’t use this computer to read email or surf the web, to reduce the chances of malware infection,” it added.
With the practicality of using just one machine for Twitter being somewhat questionable – particularly for groups like AP and the BBC when journalists are tweeting breaking news on the move – security experts have said Twitter itself needs to introduce more sophisticated login restrictions.
“Attacks on Twitter accounts are growing, partly because there is no standard two-factor authentication in place within Twitter and partly because of the way that Twitter accounts work: everything is linked to the single email address, even when the account is shared across multiple people,” said Thomas Pedersen, CEO of OneLogin.
“One of the challenges for companies and their social media accounts is that they don’t support a standard like SAML [Security Assertion Markup Language] which uses digital certificates to sign the user into the application. But that doesn’t mean there aren’t easy ways to protect a company’s social media accounts,” Pedersen said, suggesting a wider deployment of Identity and Access Management (IAM) systems that provide an extra layer of protection between the user and the account.
“Cloud-based IAM are less vulnerable to phishing because end users never log directly into their company’s Twitter, Facebook or Linkedin account. Rather, they go through the IAM system first, which can include a second factor of authentication.”Leave a comment on this article