Embarrassing tweets, merchandising spam and deliberate lockouts are the usual consequences of a hacked Twitter account. An account is compromised when an unauthorized user has obtained (and perhaps changed) the username and password, or has gained access to an open Twitter session (for example through a phone or tablet with stored credentials). Indications of a hacked account are:
- Unexpected tweets or direct messages that you did not send
- Hijacking of the account, deactivation, or a changed username
- Access granted to new applications
- Unexpected following, unfollowing or blocking
A hacker may be a disgruntled friend, a prankster, someone who found your lost phone, or a professional motivated by financial or ideological gain. As one would imagine, hacking a Twitter account can be as simple as seizing the opportunity to use an unattended mobile device with an active Twitter session, phishing (a social engineering technique that talks the user into handing over his or her credentials), or plain guessing of a weak password. Most of us fail to follow security best practices, are unaware of them, or simply fall for a convincing con and give away our credentials.
A small subset of attacks is technically sophisticated enough to beat the defenses put up by security-conscious users. Such attacks are typically aimed at prominent individuals, media firms, companies and celebrities. Their objective is to propagate an ideology, to embarrass a firm, or to make money by sending spam to the large follower base of a celebrity account.
There are several ways Twitter accounts get hacked. Some attacks compromise the Twitter account directly; others do so indirectly, via the associated email account or third-party applications. The table below examines how we can defend against seven types of attack.
The key objective of the exercise is (a) to defeat non-skillful hackers, (b) to make it difficult for professional hackers to compromise the account, and (c) to reduce the impact of a compromise if one happens. We must also assume that, being fallible humans, we will not follow security best practices consistently.
| Attack | Description | Defense | Limitation |
|---|---|---|---|
| Guess your password | Your weak password (e.g. "twitter123") was easily guessed by a hacker. | Use Twitter two-factor authentication (2FA), i.e. an additional SMS code at login. This forces the hacker to also obtain access to your phone, or to intercept the 2FA SMS, in order to take control of the account, which is quite a challenge. Use a strong password. | Twitter's SMS 2FA is not offered through all mobile carriers. |
| Password reset | A hacker who had previously compromised the email account registered for your Twitter password resets simply requested a reset, received the reset link in that email account, and changed your Twitter password. | Use 2FA (additional authentication by SMS) and strong passwords on both your Twitter account and your email account. | Twitter's SMS 2FA is not offered through all mobile carriers. Not all email services offer 2FA. |
| Obtain access to your phone or tablet | The hacker gets hold of your device. Users normally stay logged in to Twitter and to their personal email on mobile devices, so the accounts can be used directly or their passwords reset. | Passcode-protect the device and set it to lock after ten failed attempts. For a higher level of security, have it erase its data after ten failed attempts; this is practical only if you back the device up regularly. Use a complex passcode, since simple ones are easily cracked with software; the inconvenience is worth it, and even a six-digit numeric code combined with the ten-attempt lockout will do. Reset your Twitter, email and other passwords if the device is lost or stolen. | Slight inconvenience when using the phone or tablet. |
| Phishing | You hand over your Twitter credentials in response to a con email claiming to come from Twitter or from your email provider's customer support team. | Be aware that you should never part with your credentials. No legitimate firm asks for them. | Relies on the user recognizing the con; a convincing fake still catches many users. |
| Trojan (malware) based attack | You install a Trojan on your desktop or phone that steals credentials and forwards them to the hacker. | Use antivirus software. Use 2FA. | It is difficult for users to recognize malicious apps and websites. SMS 2FA is not offered through all mobile carriers. |
| Exploitation of vulnerable Twitter APIs | Your password is stolen through the exploitation of a technical vulnerability in the Twitter service itself. | Twitter, on detecting such a breach, locks the affected accounts and sends password reset notifications. | Out of the user's hands; the defense depends on Twitter detecting the breach. |
| Exploit third-party applications | Access to your Twitter account is obtained via a third-party application that was granted rights to write to your Twitter feed. | Review the list of third-party applications on the Twitter account settings page (Applications tab) and revoke those you do not need. Use strong passwords for those applications. Change your Twitter password on detecting unintended posts made through them. Do not grant access to websites that promise more followers or to applications that post advertisements; some of these are malicious or prone to being hacked themselves. | Requires periodic manual review of the granted applications. |
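To make the first and third rows of the table concrete, the following is an added example (not code from the original post) of what "guessing" a weak password actually looks like, and how a failed-attempt lockout blunts it. A non-skillful attacker does not brute-force every string; he runs a short dictionary of common words with the usual suffixes, and "twitter123" sits a few dozen guesses in. The word list, suffix list, the sample passwords and the low PBKDF2 iteration count are all constructed for the demonstration; a real service would use far more iterations and a much longer dictionary would be used against it.

```python
"""Dictionary guessing against a weak Twitter-style password, plus the
'lock after N failed tries' defense.  Added example, not code from the
original post; word list, suffixes and iteration count are constructed."""
import hashlib
import hmac
import itertools
import math
import os
import string

# Constructed sample dictionary: the short list a non-skillful attacker tries first.
BASE_WORDS = ["password", "twitter", "letmein", "qwerty", "welcome", "iloveyou"]
SUFFIXES = ["", "1", "12", "123", "1234", "2013", "!", "123!"]
CASE_VARIANTS = 3  # as typed, Capitalized, UPPER


def candidates():
    """Yield word+suffix guesses with simple case mangling, common words first."""
    for word, suffix in itertools.product(BASE_WORDS, SUFFIXES):
        for variant in (word, word.capitalize(), word.upper()):
            yield variant + suffix


def make_verifier(password, iterations=2_000):
    """Return verify(guess) over a salted PBKDF2-SHA256 hash of the password.
    Iterations are kept low so the demo runs fast; real services use far more."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

    def verify(guess):
        trial = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iterations)
        return hmac.compare_digest(stored, trial)

    return verify


class LockoutGate:
    """Models the table's lockout defense: after max_failures wrong guesses,
    no further guess is even checked."""

    def __init__(self, max_failures=10):
        self.max_failures = max_failures
        self.failures = 0

    @property
    def locked(self):
        return self.failures >= self.max_failures

    def attempt(self, verify, guess):
        if self.locked:
            raise PermissionError("account locked after repeated failures")
        ok = verify(guess)
        if not ok:
            self.failures += 1
        return ok


def dictionary_attack(verify, gate=None):
    """Run the candidate list against verify(); return (password or None, guesses made)."""
    tries = 0
    for guess in candidates():
        if gate is not None and gate.locked:
            break
        tries += 1
        if gate.attempt(verify, guess) if gate else verify(guess):
            return guess, tries
    return None, tries


def guess_space_bits(password):
    """Rough log2 of the guesses an attacker needs.  A dictionary-pattern password
    is scored by the size of the pattern space, anything else by brute force over
    the character classes it uses."""
    lowered = password.lower()
    suffixes = {s.lower() for s in SUFFIXES}
    for word in BASE_WORDS:
        if lowered.startswith(word) and lowered[len(word):] in suffixes:
            return math.log2(len(BASE_WORDS) * len(SUFFIXES) * CASE_VARIANTS)
    charset = 0
    for group in (string.ascii_lowercase, string.ascii_uppercase,
                  string.digits, string.punctuation):
        if any(c in group for c in password):
            charset += len(group)
    return len(password) * math.log2(charset) if charset else 0.0


if __name__ == "__main__":
    for pw in ("twitter123", "Vq7#pL2mX9!rT4"):  # constructed sample passwords
        found, n = dictionary_attack(make_verifier(pw))
        print(f"{pw}: ~{guess_space_bits(pw):.0f} bits of guess space, "
              f"{'found after' if found else 'not found in'} {n} guesses")
    found, n = dictionary_attack(make_verifier("twitter123"), LockoutGate(10))
    print(f"with a 10-try lockout: found={found}, guesses checked={n}")
```

Two things are worth noting. The same lockout that protects the phone passcode in the table protects an online login only if the service enforces it server-side; the attacker controls the client. And 2FA is the stronger version of the same idea: even when the dictionary hits, the stolen password alone does not log the attacker in.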
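The phishing row says only "never part with your credentials", which is correct but leaves the user to spot the con. The following is an added example (not code from the original post) of the three checks a practitioner applies to the links in such an email: the destination's registrable domain is not Twitter's (brand names buried in a subdomain, or lookalike spellings, do not count), the visible link text names one site while the href goes to another, and a credential page is offered over plain http. The sample email is constructed, and LEGITIMATE_DOMAINS is a demo assumption rather than Twitter's real list of domains.

```python
"""Flag the tell-tale links in a phishing email.  Added example, not code from
the original post; the sample email is constructed and LEGITIMATE_DOMAINS is a
demo assumption."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

LEGITIMATE_DOMAINS = {"twitter.com"}  # assumption for the demo

# Visible text that looks like a URL or bare host, e.g. "https://twitter.com/settings"
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]|$)", re.IGNORECASE)

# Constructed phishing email in the style the table describes.
SAMPLE_EMAIL = """
<p>Your Twitter account has been suspended.  Verify it within 24 hours:</p>
<a href="http://twitter.com.account-verify.example/login">https://twitter.com/settings</a><br>
<a href="https://twiter-support.example/reset">Reset password</a><br>
<a href="https://twitter.com/settings/security">https://twitter.com/settings/security</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name.  Enough for .com-style names in this demo;
    a real checker would consult the public suffix list (co.uk and friends)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_links(html):
    """Return one finding per link, with the reasons it looks suspicious (empty if none)."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        reasons = []
        # 1. "twitter.com.account-verify.example" and "twiter-support.example" are
        #    not Twitter's domain, however familiar the first labels look.
        if registrable_domain(host) not in LEGITIMATE_DOMAINS:
            reasons.append(f"destination {host!r} is not a Twitter domain")
        # 2. The text the user sees claims one site while the href goes elsewhere.
        shown = HOSTLIKE.match(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append(f"shows {shown.group(1)!r} but goes to {host!r}")
        # 3. Login and reset pages are never served over plain http.
        if parts.scheme.lower() != "https":
            reasons.append("not https")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def suspicious_links(html):
    """Only the links that tripped at least one check."""
    return [f for f in audit_links(html) if f["reasons"]]


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL):
        verdict = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{verdict:10} {f['href']}")
        for reason in f["reasons"]:
            print(f"           - {reason}")
```

The second check is the one users most often miss: a mail client renders the anchor text, not the href, so "https://twitter.com/settings" on screen says nothing about where the click goes. Hovering over the link, or reading the real address bar after the page loads, is the manual equivalent of this check.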