Twitter warns news organisations over hacking amid Syrian attacks
News organisations including the BBC have been warned by Twitter to tighten security in the wake of several high-profile hacks.
The Guardian became the latest publication to be hit by a group calling itself the Syrian Electronic Army.
A previous attack on the Associated Press caused stocks to dip.
Security experts have said Twitter itself needs to take more action to ensure its users are protected.
An email sent by Twitter to news organisations on Monday urged them to take a close look at their internal measures for dealing with social media.
Advice included making sure passwords were more than 20 characters long and made up of random strings of letters and numbers.
The social network also advised having just "one computer to use for Twitter".
"This helps keep your Twitter password from being spread around," the site added.
"Don't use this computer to read email or surf the web, to reduce the chances of malware infection."
Security researcher Rik Ferguson, from TrendMicro, told the BBC this particular piece of advice was somewhat unworkable.
"The point of Twitter is that it's instant, and you can react instantly.
"If you have to run back to the office to get to a particular computer to use Twitter, that's obviously going to impact upon its use."
Souped-up security
Twitter also encouraged organisations to have a closer relationship with the site to ensure account details are kept up to date.
"Help us protect you," the company said.
"We're working to make sure we have the most updated information on our partners' accounts.
"Please send us a complete list of all accounts affiliated with your organisation, so that we can help keep them protected."
Beyond advice to external organisations, there is increasing pressure on Twitter to bolster its own security.
Specifically, there have been calls from security professionals for two-factor authentication.
This would require two steps: the entry of a password as well as another action.
On Facebook, for example, two-factor authentication is triggered when users try to log in in an unexpected way, such as from a computer in a different country.
A report in technology magazine Wired last week suggested Twitter had begun trialling two-factor technology - but this is yet to be confirmed by the company.
Mr Ferguson noted that as Twitter remained a free service supported by advertising, two-factor authentication could prove costly.
He suggested one way to raise funds for enhanced security would be to charge major users to become "verified" - a status currently given to accounts which Twitter has checked are genuine.
"One thing Twitter should be looking at now is for any account which is verified to have a two-factor log-in process," he told the BBC.
"If you make a nominal fee for verifying accounts - they can make sure that the accounts are protected from not only malware-based attacks, but also that staff are more protected from phishing."
White House blast
The Syrian Electronic Army's typical tactics to date have included sending "phishing" emails to glean log-in information from unsuspecting victims.
Once access to an account had been gained, the SEA would then begin to post tweets - in some cases mimicking the style of the victim.
[Image caption: The BBC's Weather account was among those successfully hacked]
This technique was most damaging in the case of the Associated Press. When the news agency's main account - @AP - was breached, the SEA posted that US president Barack Obama had been injured in a blast at the White House.
It was of course false, and swiftly corrected by other organisations - and later by AP itself - but not before $136bn (£88bn) was temporarily wiped off the New York Stock Exchange.
US financial authorities are to investigate the incident to "make sure that nothing nefarious in markets took place", according to the New York Post.
Meanwhile, the SEA - which appears to support the Assad regime - has vowed to continue its attacks on media organisations.
An anonymous user believed to be working for the group told Vice magazine: "They already started suspending us from the internet by closing our accounts, our pages and suspending our domain names, but they failed and they will keep failing.
"We will not stop or despair. If they close a Twitter account, we will open a new one; if they close a Facebook page, we will create another one; if they suspend our domain names, we will buy new ones."