Monday, June 10, 2013

Protect Twitter Accounts from Seven Types of Hacking Attacks


Sending embarrassing tweets, posting merchandising spam, or deliberate lockouts are the normal consequences of a hacked Twitter account. An account is compromised when an unauthorized user has been able to obtain (and perhaps change) the original username and password, or has gained access to an open Twitter session (for example via a phone or tablet with stored credentials). Indications of a hacked account are:
  • Unexpected tweets or unintended direct messages
  • Hijacking of the Twitter account, deactivation, or change of username
  • Access granted to new applications
  • Unexpected behavior such as following, unfollowing, and blocking
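As an added illustration (not part of the original post), the script below scans a small account activity export for the four indicators just listed. The pipe-separated log format, the constructed sample events, the set of recognised applications and the burst threshold are all assumptions made for this example; Twitter does not provide this format.

```python
"""Scan an account activity export for the compromise indicators listed above.

Added example; the pipe-separated log format, the sample events, the set of
recognised applications and the burst threshold are assumptions for this
example, not anything Twitter provides.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample activity export (not real data). One event per line,
# in chronological order: timestamp|event_type|source_app|detail
SAMPLE_LOG = """\
2013-06-10T08:00:00|tweet|Twitter for iPhone|Good morning everyone
2013-06-10T08:05:00|app_authorized|web|GetMoreFollowersNow
2013-06-10T08:06:00|username_changed|web|old=alice new=al1ce_deals
2013-06-10T08:07:00|direct_message|GetMoreFollowersNow|to=bob text=check out this deal
2013-06-10T08:07:05|follow|GetMoreFollowersNow|shop_one
2013-06-10T08:07:10|follow|GetMoreFollowersNow|shop_two
2013-06-10T08:07:15|unfollow|GetMoreFollowersNow|carol
2013-06-10T08:07:20|block|GetMoreFollowersNow|dave
2013-06-10T08:07:25|follow|GetMoreFollowersNow|shop_three
2013-06-10T09:30:00|tweet|Twitter for iPhone|Lunch plans?
"""

# Applications the account owner knowingly uses (assumed for the example).
KNOWN_APPS = {"Twitter for iPhone", "TweetDeck", "web"}
ACCOUNT_EVENTS = {"username_changed", "account_deactivated"}
SOCIAL_EVENTS = {"follow", "unfollow", "block"}
BURST_WINDOW = timedelta(minutes=5)   # sliding window for social actions
BURST_THRESHOLD = 5                   # this many actions in the window is a burst


def parse_log(text):
    """Turn the pipe-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, app, detail = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "type": kind,
                       "app": app, "detail": detail})
    return events


def find_indicators(events, known_apps=KNOWN_APPS):
    """Return (reason, event) pairs for the four indicators; events must be time-ordered."""
    findings = []
    recent_social = deque()       # timestamps of follow/unfollow/block events
    burst_reported = False
    for ev in events:
        if ev["type"] == "app_authorized" and ev["detail"] not in known_apps:
            findings.append(("access granted to a new application", ev))
        elif ev["type"] in ACCOUNT_EVENTS:
            findings.append(("username changed or account deactivated", ev))
        elif ev["type"] in {"tweet", "direct_message"} and ev["app"] not in known_apps:
            findings.append(("tweet or direct message from an unrecognised application", ev))
        elif ev["type"] in SOCIAL_EVENTS:
            recent_social.append(ev["ts"])
            # Drop actions that have fallen out of the sliding window.
            while ev["ts"] - recent_social[0] > BURST_WINDOW:
                recent_social.popleft()
            if len(recent_social) >= BURST_THRESHOLD and not burst_reported:
                findings.append(("burst of follow/unfollow/block activity", ev))
                burst_reported = True
    return findings


if __name__ == "__main__":
    for reason, ev in find_indicators(parse_log(SAMPLE_LOG)):
        print(f"{ev['ts'].isoformat()}  {reason}: {ev['type']} {ev['detail']}")
```

On the constructed sample this reports the new application, the username change, the direct message sent through that application, and the burst of follow/unfollow/block actions. The allowlist of known applications is what makes the third check work; without a record of which apps the owner actually uses, an unexpected post cannot be told apart from a legitimate one.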

A hacker may be a disgruntled friend, a prankster, someone who found your lost phone, or a professional hacker motivated by financial or ideological gain. As one would imagine, hacking a Twitter account may be as simple as seizing the opportunity to use an unattended mobile device with an active Twitter session, using phishing (a social engineering technique) to convince a user to part with his or her credentials, or simply guessing a weak password. Most of us fail to follow security best practices, are unaware of security, or simply fall victim to a convincing con scheme and give away our credentials.

A small subset of hacking attacks is technically sophisticated and can beat even the defenses put up by security conscious users. Typically, such attacks are targeted against prominent individuals, media firms, companies and celebrities. The objective of these attacks is to propagate an ideology, to embarrass a firm, or to make money by sending spam to the large follower base of a celebrity Twitter account.

There are several ways Twitter accounts can be hacked. Some attacks compromise the Twitter account directly; others do so indirectly, via associated email and third party accounts. In the table below, we examine how we can defend against seven types of attack.

The key objective of our exercise is (a) to defeat the attempts of unskilled hackers, (b) to make it difficult for professional hackers to compromise our account, and (c) to reduce the impact of a compromise if it does happen. We must also assume that, being fallible humans, we cannot be relied on to follow security best practices.

Attack / Description / Defense / Limitation

Attack: Guess Your Password
Description: Your weak password was easily guessed by a hacker, e.g. twitter123.
Defense:
  • Use Twitter two-factor authentication (2FA), i.e. additional authentication using SMS. This forces a hacker to obtain access to your phone as well, or to intercept the Twitter 2FA SMS, in order to take control of your account, which poses quite a challenge.
  • Use strong passwords.
Limitation: Twitter's 2FA service is not offered by all mobile companies.

Attack: Password Resets
Description: Your password was changed by a hacker who previously compromised the email account registered for Twitter password resets. The hacker simply requested a Twitter password reset, received the reset link in the compromised email account, and then changed the Twitter password.
Defense (for both your Twitter and email accounts):
  • Use 2FA (additional authentication using SMS).
  • Use strong passwords.
Limitation:
  • Twitter's 2FA service is not offered through all mobile companies.
  • Not all email services offer 2FA.

Attack: Obtain Access to Your Cell Phone or Tablet
Description: The hacker obtains access to your cell phone. Normally, users remain logged on to Twitter, as well as to their personal email account, on mobile devices. The accounts can then be easily used or their passwords reset.
Defense:
  • Password protect your cell phone, and set the phone to lock out after ten failed tries. For a higher level of security, one can set the phone to erase its data after ten failed attempts; this works when you take a regular backup of the cell phone data.
  • Use complex passwords, as simple passwords can be easily cracked with software. This is an inconvenience which is worth the effort. Even a complex six-digit numeric code, with a ten-attempt lockout, will do.
  • Reset your Twitter, email and other passwords if your phone has been lost or stolen.
Limitation: Slight inconvenience when using the phone or tablet.

Attack: Phishing
Description: You part with your Twitter credentials in response to a con mail claiming to come from either Twitter's or your email provider's customer support team.
Defense: Be aware that you should never part with your credentials. No firm asks for these credentials.

Attack: Trojan (Malware) Based Attack
Description: You download a Trojan onto your desktop or phone which steals credentials and forwards them to the hackers.
Defense:
  • Use antivirus software.
  • Use 2FA.
Limitation:
  • It is difficult for users to recognize malicious apps and websites.
  • The 2FA service is not offered through all mobile companies.

Attack: Exploitation of Vulnerable Twitter APIs
Description: Your password is stolen through the exploitation of a technical vulnerability in the Twitter service.
Defense: Twitter, on detecting such breaches, locks the affected accounts and sends a password reset notification.

Attack: Exploit Third Party Applications
Description: Access to your Twitter account is obtained via third party applications that have been given rights to write to your Twitter feed.
Defense:
  • Review the list of third party applications in the Twitter account settings page (Applications tab) and revoke those that should not have access.
  • Use strong passwords for these applications.
  • Change the Twitter password on detection of unintended posts made through these applications.
  • Do not grant access to websites which promise more followers or to applications which post advertisements. Some of these may be malicious or prone to being hacked themselves.
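The "Use strong passwords" advice recurs in several of the rows above, with twitter123 as the example of a password that is easily guessed. The following added example (not from the original post) shows the checks a simple password policy could apply to explain why such a password is weak. The tiny common-password list is a constructed stand-in for the large breach wordlists real checkers use, and the twelve-character minimum is an assumption for this example.

```python
"""Explain why a password like twitter123 is guessable.

Added example, not from the original post. The common-password list is a
tiny constructed stand-in for the large breach wordlists real checkers use,
and the length threshold is an assumption for this example.
"""
import re

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome"}
# Undo the usual symbol-for-letter substitutions so "tw1tter" still matches "twitter".
LEET_MAP = str.maketrans("4310$@", "aeiosa")
MIN_LENGTH = 12


def weak_password_reasons(password, service="twitter", username=None):
    """Return the reasons a password is easy to guess; an empty list means none were found."""
    lowered = password.lower()
    leet = lowered.translate(LEET_MAP)
    stem = re.sub(r"\d+$", "", lowered)          # "twitter123" -> "twitter"
    candidates = {lowered, leet, stem, stem.translate(LEET_MAP)}
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if service.lower() in lowered or service.lower() in leet:
        reasons.append("contains the service name")
    if username and (username.lower() in lowered or username.lower() in leet):
        reasons.append("contains the username")
    if candidates & COMMON_PASSWORDS:
        reasons.append("a common password, possibly with trailing digits")
    if re.fullmatch(r"[a-z]+\d{1,4}", lowered):
        reasons.append("a single word followed by a few digits")
    if len(set(password)) < 6:
        reasons.append("too few distinct characters")
    return reasons


def is_strong(password, **kwargs):
    """True when none of the guessability checks fire."""
    return not weak_password_reasons(password, **kwargs)


if __name__ == "__main__":
    for pw in ("twitter123", "P@ssw0rd1", "correct horse battery staple"):
        print(pw, "->", weak_password_reasons(pw) or "no weaknesses found")
```

The checks are deliberately independent of each other, so a password gets every reason that applies rather than just the first; twitter123 is reported as short, as containing the service name, and as a word followed by digits, which is exactly the pattern that makes it a first guess.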
 
 

 
