By Shaun Nichols | Courtesy www.v3.co.uk
The use of social networking accounts by businesses for public relations and publicity is creating a fresh set of security headaches for users and service operators.
Recently, a spate of high-profile Twitter account hacks has put a focus on social networking security. News sites such as the Associated Press and The Onion have fallen prey to account thefts from phishing operations, while writer Candace Bushnell had her account breached by Guccifer, the same hacker who famously breached the account of former President George W Bush. In the case of Bushnell, the attack also led to a costly data breach as the first 50 pages of the Sex and the City author's new novel were leaked.
While Twitter is putting protection in place for individual users by adding measures such as two-factor authentication, such security precautions are less practical for corporate publicity accounts where multiple people share an account and require access independently.
The unique challenges posed by company accounts and the outbreak of attacks exploiting them is causing security experts to suggest a new approach to managing and securing accounts. Scott Hazdra, principal security consultant with Neohapsis, told V3 that in order to secure accounts where one person alone can't be responsible for access, measures have to be taken to mitigate risk.
Hazdra said that companies operating Twitter accounts designed to interact with the public should minimise the potential for a breach by keeping access to such accounts limited and by following best practices with passwords.
"They can keep the number of people who know the shared password and accounts to the bare minimum, don't involve people who post once a year. Figure out who the people are who are involved in the task and enable them," Hazdra said.
In addition, Hazdra noted that accounts that manage secured content, as in the case of Bushnell, should encrypt files before uploading to sharing sites and transmit keys to recipients via a secure medium such as a phone call.
For many firms, however, even the basic security practices are falling on deaf ears. Hazdra noted that the Bush and Bushnell attacks were likely performed by guessing recovery answers and passwords with publicly available information, while the AP and Onion attacks were apparently the result of a phishing operation. In such cases, even limiting the access of multiple users would be futile as the attacker would still be able to take over an account.
Hazdra added: "The battle cry to create strong passwords is still as relevant today as it was 10 years ago. The thing that is striking is still today phishing and guessing are attacks that succeed, some of the things we have been seeing for years still hold true."
Over the long haul, the service providers themselves may need to put business-specific protections in place. Hazdra suggests that companies such as Twitter could help to better protect corporate and publicity-oriented accounts by allowing varying levels of access and permissions.
In such a scenario, an administrator would be allowed to set up an account and set an email address for password recovery and reset. Such permissions would be limited to that administrator and other users would not have edit permissions. Lower-level users could then be added to an account and have permissions such as posting content or re-tweeting but would not be able to make the changes that would allow an attacker or malicious insider to hijack an account and prevent password recovery.
"Along with two-factor authentication social media sites should incorporate this notion of multiple levels of user access. That type of function would serve a lot of social media and broadcast sites well," Hazdra said.