Many of us have lots of accounts on various networking sites, but how much attention do we pay to password security?
If you haven’t heard, someone managed to compromise the Associated Press’ Twitter account today. Not only was the account compromised, but the attackers put out a fake tweet claiming that there had been explosions at the White House and that President Obama was injured.
A funny prank? Maybe. But tweets like this have a real-world effect. For instance, the stock market plunged 140 points after the initial reports, rebounding only when people realized it wasn’t true.
It’s not clear how the AP Twitter password was compromised. There are many possibilities, ranging from classic social engineering to compromised machines inside AP running password sniffers.
</grReplace_placeholder>
<gr_replace lines="5" cat="clarify" orig="The lesson here">
The lesson here is that we’re all targets, even ‘soft’-seeming targets like social media accounts. Practice safe computing:
The lesson here is that we’re all targets, even ‘soft’ seeming targets like social media accounts. Practice safe computing.
1. Use strong passwords.
2. Don’t reuse passwords across accounts.
3. Don’t share accounts or passwords with other people.
4. Keep anti-virus software updated.
5. Don’t click on links in emails.
6. Disable Java in web browsers unless it’s explicitly needed.
Twitter isn’t the only social networking site under attack. Information has recently come out about ongoing attacks against WordPress blogs aimed at building a powerful botnet. Since most WordPress blogs are hosted on machines with large network pipes, such a botnet could cause serious problems if used for malicious attacks against individuals, businesses, government or infrastructure.
Secure those passwords, folks.
I’d add: 7. DON’T use your Facebook account to authenticate you to other sites.
Once your Facebook account is compromised, every account on every site you allow to authenticate you via Facebook is also compromised. The same goes for any other social networking site whose API allows other sites to authenticate you against them.
Check to see if your Twitter password is secure here: http://www.ismytwitterpasswordsecure.com/
AP are reporting this as spear phishing, in which case anti-virus software has roughly 0% chance of catching the specially designed and targeted attack vector.
I tend to put “spear phishing” in the category of classic social engineering attacks. But, honestly, if you’re going to give out a password to someone, there isn’t much that anyone can do to help you protect yourself.