Recently, we have seen a rash of high-profile takeover attacks on Twitter accounts. These Twitter attacks are targeting Western news organizations, but some organizations outside of the news realm (e.g., Burger King) have also come under attack.
Most of the takeovers are a result of classic social engineering and involve no actual malware. While this in no way takes away from malware being the most insidious of attack vectors, it does mean social engineering is alive and well.
Let’s walk through the steps of how social engineering attacks are able to takeover Twitter accounts:
- An attacker sends victims an email with a link. These emails do not contain malware.
- In the case the AP and BBC, the link’s landing page was a fake intranet portal page. In the BBC’s incident, the page was a close enough copy of their corporate intranet portal to fool employees.
- The fake page requests credentials. While we do not have the actual details of what was requested, it likely resembled the standard dialogue box presented when linking Twitter to a third-party application or service.
- Once fooled, a user enters their Twitter username and password credentials.
- The attacker uses the stolen credentials to log in to Twitter via the Web on a traditional PC.
- Since no second-factor authentication is required for Twitter, the attacker has the only credential needed: username/password.
This seriously begs the question, “What is Twitter doing about protecting its users?”
According to Mat Honan of Wired, “Twitter has a working two-step security solution undergoing internal testing before incrementally rolling it out to users, something it hopes to begin doing shortly.”
And as an Entrust product manager said in a post last week on the Associated Press Twitter account compromise, these Twitter IDs are extremely important and require authentication on par with online banking.
According to the BBC, Twitter sent emails to news organizations with some tips for staying secure.
“Advice included making sure passwords were more than 20 characters long and made up of random strings of letters and numbers.”
- Longer passwords only slow down the attackers if they’re forced to use a brute-force attack or decrypt/un-hash the password.
- Through various means (e.g., rainbow tables), once an attacker possesses either the encrypted or hashed password, getting the plaintext version is simple. The length and complexity of the password have little bearing here.
- If the attacker has a key-logger on the target machine, the password could be 100 characters and they will still obtain the password. Again, the length or complexity of the password has little bearing.
“The social network also advised having just ‘one computer to use for Twitter. This helps keep your Twitter password from being spread around,’ the site added.”
- Key-logging malware can still infect the machine.
- Most organizations have users with multiple social media assets. In this standard scenario, credentials are in numerous places. With the blurring of professional and personal lines in the social realm, this suggestion is impractical.
“Don’t use this computer to read email or surf the Web, to reduce the chances of malware infection.”
- As any security-conscious social media manager would say, this is impractical. Social media managers use a myriad of devices as part of their job. And, unfortunately, they don’t commonly get a device just for Twitter. Though, maybe, I should pitch that idea to IT.
- You have to be able to connect to the Web outside the Twitter website. Any responsible marketer will read the article he or she is tweeting about.
While showing some initiative, Twitter still missed the mark —for security as well as marketing and news usage of social networking. Many other social media and Web-based email clients have implemented a form of second-factor authentication or identity verification.
In my opinion, the fact that Twitter hasn’t done the same is somewhat irresponsible. I understand the user experience angle and the need to balance security and usability. However, organizations can deploy measures that are transparent to users the majority of the time. And it’s typically only noticed when something abnormal occurs and the user is presented with a security challenge.
All accounts — whether for basic users, politicians, news organizations or corporate social media managers — would greatly benefit from a form of second-factor authentication such as mobile application-based one-time passcodes (OTP). These applications — Google Authenticator of Entrust IdentityGuard Mobile, for example — generate soft tokens on the device and are not sent via the insecure SMS channel, which is another alternative, though not as advisable.
That said, these attacks are proving that not all accounts are created equal. For high-profile accounts — the BBC, Associated Press or the White House, for example —there is a need for more and stronger security measures.
To be clear, even a higher level of authentication may not stop something like an advanced session-riding attack. To get to that level of authentication, organizations need more advanced identity-assurance capabilities where each tweet is approved individually in an out-of-band, uninfected desktop channel.
This is highly unlikely to ever be the case as it is inhibitive to the standard Twitter experience. Each one of us has something at stake in cyberspace. And as we are seeing with recent lawsuits between victims and banks, both service providers and consumers have a responsibility to better protect digital identities.