3 Ways a Twitter Hack Can Hurt You

As Twitter investigates how several high-profile accounts were attacked, security expert Graham Cluley points to the potential risks to all users when a system is compromised.


READER FEEDBACK
Russell de Pina
Thu, 2009-01-08 16:00

The question this article avoids asking is if the POTUS cannot have a Blackberry or use his own email account, what -- in the name of God's green earth is he doing on Twitter?!?

George Moraetes, CISM, CGEIT
Thu, 2009-01-08 16:53

It is obvious that most of these social networking sites such as myspace, twitter and LinkedIn seldom force users to use strong password policies or change them at least every 90 days. I have a vast network on LinkedIn yet I take appropriate precautions to safeguard my account.

To readers who happen to have accounts on these sites I suggest:

1.) Place strong passwords on your social networking accounts. Don’t use passwords that can be easily figured out, such as birth dates, or the last four digits of your social security number.

2.) Many people post their credentials, leaving them on their desks, stuck on monitors, in their wallets, etc. Avoid doing this.

3.) Don't give personal information over the phone, in the mail, or on the Internet to someone who contacts you, unless you are absolutely sure you know and trust them. When in doubt, take a number and call them back. Use common sense.

4.) Don’t give out your social security number to anyone that wants it, be careful with job sites that redirect you to a malicious one. Be sure that your number is absolutely necessary and will be protected before you give it out to anyone.

5.) Shred any personal papers that you are throwing away, including charge receipts, credit applications or offers, insurance forms, physicians’ statements, expired charge cards and cancelled checks.

6.) Keep your PC virus protection, malware and spyware applications up to date. You want to block not just the viruses that damage your files, but also those that can hijack information.

7.) Don’t load financial information or other sensitive personal data on your laptop, unless you use a strong password and disk encryption.

8.) Don’t respond to any email that asks for “account information.” These are often scammers that are fishing for information. Even if one seems legitimate, call the financial institution directly to see if that information is truly being requested by them before giving it out.

9.) If you are disposing of a computer, make sure to use a special utility program to erase the entire hard drive. Use a low-level format or degaussing, and for the scrupulous it would be wise to just take a hammer and destroy the drive.

Winston lawrence
Thu, 2009-01-08 16:58

The article did not quite make its case. If you wander the internet without a clue then you have a problem. Using the same password on Twitter that you use somewhere else is clueless. Running a web browser without anti-phishing features enabled (which would have stopped the earlier twitter hacks cold) is clueless. Running a network connected system without malware and anti-virus features enabled is clueless. So this article could have been written for any web-site or service that requires authentication.
@DigitalBeat on Twitter DigitalBeat.com

Ionut Ionescu
Thu, 2009-01-08 21:00

I have a feeling that the article is skirting around the main two issues here: 1. There is no inherent privacy on the internet (especially on social networking sites) and 2. security breaches (like car accidents) happen, it's how you deal with them that matters. I would have expected a bit more of an in-depth analysis from Mr. Cluley, just saying that the perpetrators could induce people to 'bad sites' by using a fake 'new Obama speech' does not really add anything new to how phishing generally works. Things that could have been addressed in this article could be: what should the average internet user learn from this, how should they protect themselves better, what duty of care do companies like Twitter have towards their clients, etc.

Pascal SOSSOU, CGEIT, CISM, NSTISSI
Fri, 2009-01-09 13:48

The paradigm shift expected in data security will make incidents such as these elementary, no matter how much they appear to be serious today.

Pascal

E.J.H.
Wed, 2009-01-14 00:43

1. This was not a hack, a brute force password cracker was used to guess a password and it happened to be an employee's account. No whiz bang technical magic there.
2. The fault is on the user. One site, one password, and the threat is diminished.

We need to focus more on information security at a grass roots level and stop trying to leave everything up to a technical solution.

Ms. Goodman's points are echoed on ifiwereabadguy.com. The compromise is over, now what happens and are we even looking at it?

To the question of Obama having a twitter account, it was used during the campaign and is obviously not used by him but by his people.

c_lowe
Wed, 2009-02-18 16:18

The interesting challenge for individuals with twitter, et al, is that you are 1) providing data about yourself, your job, your communities of interest, and 2) Twitter (et al) encourages creating trust relationships based on what are now "shared secrets" -- and you have little control over who you are sharing those secrets with. Social networking tools that ignore the problem of internet anonymity make it that much harder for users to recognize and defend against targeted social engineering attacks. This creates an attack space that is not a technology / toolset challenge, and is much harder for an organization to defend against.
