TechWeb

HootSuite Fights Social Media Account Takeovers

May 30, 2013 (05:05 AM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=240155692


[Image: The Syrian Electronic Army: 9 Things We Know]

Social media management system provider HootSuite announced on Thursday a range of services meant to bolster security for businesses that use Twitter, Facebook, LinkedIn and other social media outlets.

HootSuite Security Services is billed as a way to proactively address unauthorized social media activity by malicious insiders or external attackers. The service includes alerts for suspicious Twitter account activity, an audit of social media accounts used by the business, as well as training -- and simulations -- for responding to social media account takeovers.

The Twitter security alert feature, for example, will monitor for any attempt to post to the social network that doesn't come from either the HootSuite dashboard or an approved HootSuite iPhone app, then send warnings -- including the contents, sender and publishing source of the post -- to a preset list of users. The company said it can also implement a customized, emergency escalation plan, which may involve locking down all social media accounts if suspicious activity continues.
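As an added illustration of the alerting logic described above (this is example code, not HootSuite's own implementation), the script below checks a batch of posts against an allowlist of approved publishing clients and raises an escalation for any account that keeps receiving out-of-band posts. It assumes each post record carries a `source` field naming the client that published it and that the approved client names, the sample posts and the lockdown threshold are all constructed for the example.

```python
"""Flag posts that were not published through an approved client.

Added example, not HootSuite code. Assumes each post record carries a
`source` field naming the publishing client; the client names, accounts
and posts below are constructed sample data.
"""
from collections import Counter

# Constructed sample timeline records for two business accounts.
SAMPLE_POSTS = [
    {"id": 1, "account": "@acme_news", "user": "editor1",
     "source": "HootSuite", "text": "Morning briefing is live."},
    {"id": 2, "account": "@acme_news", "user": "editor2",
     "source": "HootSuite for iPhone", "text": "Photo from the conference floor."},
    {"id": 3, "account": "@acme_news", "user": "editor1",
     "source": "Twitter Web Client", "text": "Breaking: major incident downtown"},
    {"id": 4, "account": "@acme_news", "user": "unknown",
     "source": "Twitter Web Client", "text": "Markets in turmoil, details soon"},
    {"id": 5, "account": "@acme_support", "user": "unknown",
     "source": "Twitter for Android", "text": "Click here to claim your prize"},
    {"id": 6, "account": "@acme_news", "user": "editor3",
     "source": "HootSuite", "text": "Correction to earlier story."},
]

# Assumed allowlist: the dashboard and the approved mobile app.
APPROVED_SOURCES = {"HootSuite", "HootSuite for iPhone"}


def find_unapproved_posts(posts, approved_sources):
    """Return one alert per post whose publishing client is not approved.

    Each alert carries the contents, sender and publishing source so the
    preset recipients can judge at a glance whether the post is expected.
    """
    alerts = []
    for post in posts:
        if post["source"] not in approved_sources:
            alerts.append({
                "post_id": post["id"],
                "account": post["account"],
                "sender": post["user"],
                "source": post["source"],
                "contents": post["text"],
            })
    return alerts


def accounts_to_lock(alerts, lockdown_threshold=2):
    """Return accounts whose unapproved-post count reached the threshold.

    Models the escalation step: a single stray post warrants a warning, but
    continued out-of-band posting triggers a lockdown of the account.
    """
    per_account = Counter(alert["account"] for alert in alerts)
    return sorted(acct for acct, n in per_account.items() if n >= lockdown_threshold)


def format_alert(alert):
    """Render an alert as a one-line message for the notification list."""
    return (f"[{alert['account']}] post {alert['post_id']} by {alert['sender']} "
            f"via {alert['source']}: {alert['contents']!r}")


if __name__ == "__main__":
    found = find_unapproved_posts(SAMPLE_POSTS, APPROVED_SOURCES)
    for alert in found:
        print(format_alert(alert))
    for acct in accounts_to_lock(found):
        print(f"ESCALATE: lock down {acct}")
```

Running the block prints one warning per unapproved post and an escalation line for `@acme_news`, which received two posts from an unapproved client; `@acme_support` gets a warning only.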

HootSuite's services also include a "social asset audit" that studies how the business is currently using social media, then helps businesses secure access to those accounts by moving them, as required, onto HootSuite, which functions as an intermediary security tool between social networks and business users.

According to a research report -- cited by HootSuite -- from analyst Jeremiah Owyang at Altimeter Group, "76% of social media crises could have been diminished, or altogether prevented, had companies been prepared internally with the right training, processes, roles and software."

Today, many businesses rely on social media channels for disseminating information. But as the ongoing Twitter account takeover campaign conducted by the Syrian Electronic Army against news and media outlets has demonstrated, social networks may have a security model that's not equal to the task.

In particular, it's difficult for a large group of users to securely share access to multiple Twitter accounts without making those accounts easy for attackers to compromise. One exploit vector is to launch a phishing attack against employees, trick them into installing malware and then recover a list of social media passwords from their hard drives. Because Twitter -- unlike Facebook -- doesn't monitor for unusual access patterns, such as a user attempting to log into their Twitter account from Syria for the first time, attackers then have carte blanche access to the account.
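The access-pattern check the paragraph above says Twitter lacked can be sketched in a few lines. The block below is an added example, not code from Twitter, Facebook or HootSuite: it walks a stream of login events and flags each account's first login from a country it has never used before, after a short per-account baseline so a brand-new account is not flagged on first use. The event records, country codes and IP addresses are constructed sample data, and the country is assumed to have been resolved from the client IP before the events reach this check.

```python
"""Flag logins from a country never seen before for a given account.

Added example, not code from any social network. Assumes login events
already carry the country resolved from the client IP; all events below
are constructed sample data.
"""
from collections import defaultdict

# Constructed sample login events, in time order.
SAMPLE_LOGINS = [
    {"ts": "2013-05-28T08:01:00Z", "account": "@acme_news", "country": "US", "ip": "198.51.100.10"},
    {"ts": "2013-05-28T09:15:00Z", "account": "@acme_news", "country": "US", "ip": "198.51.100.12"},
    {"ts": "2013-05-28T10:30:00Z", "account": "@acme_news", "country": "GB", "ip": "203.0.113.5"},
    {"ts": "2013-05-29T02:45:00Z", "account": "@acme_news", "country": "SY", "ip": "192.0.2.77"},
    {"ts": "2013-05-29T03:00:00Z", "account": "@acme_news", "country": "SY", "ip": "192.0.2.77"},
    {"ts": "2013-05-29T08:00:00Z", "account": "@acme_support", "country": "US", "ip": "198.51.100.20"},
]


def first_seen_location_logins(events, baseline=1):
    """Return the events that are an account's first login from a new country.

    The first `baseline` logins of each account only seed its set of known
    countries; after that, any login from an unseen country is flagged once,
    and later logins from the same country are treated as known.
    """
    known_countries = defaultdict(set)
    logins_seen = defaultdict(int)
    flagged = []
    for event in events:
        account = event["account"]
        logins_seen[account] += 1
        if event["country"] not in known_countries[account]:
            if logins_seen[account] > baseline:
                flagged.append(event)
            known_countries[account].add(event["country"])
    return flagged


def describe(event):
    """One-line summary suitable for an alert feed."""
    return (f"{event['ts']} {event['account']}: first login from "
            f"{event['country']} ({event['ip']})")


if __name__ == "__main__":
    for event in first_seen_location_logins(SAMPLE_LOGINS):
        print(describe(event))
```

With the default baseline the sample stream produces two alerts for `@acme_news` (the first GB login and the first SY login); the repeat SY login is not re-flagged, and `@acme_support` is silent because its only login seeds its baseline. A real deployment would pair this with a trusted-country list so expected travel does not page the team, but the first-time check alone is what the paragraph says was missing.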

That's been one attack technique practiced by the Syrian Electronic Army, which successfully exploited more than a dozen Associated Press Twitter feeds in one go, using them to broadcast a hoax tweet that shaved 145 points off the Dow Jones index. The AP was just one in a long list of news and media outlets successfully targeted by the group, which has included everyone from the BBC and Reuters to National Public Radio and satire site the Onion.

What might those sites have done differently to avoid account takeovers? For starters, none seemed to have a social media account takeover response plan at the ready.

After the Syrian Electronic Army seized control of multiple Onion Twitter feeds, the satire site published a postmortem recommending -- among other controls -- that businesses adopt an intermediary social media monitoring tool to make it more difficult for attackers to compromise large numbers of a business's Twitter accounts at once.

Arguably, securing Twitter for business use requires add-ons. While Twitter recently rolled out two-step verification for accounts, it's designed for one-to-one -- one person to one account -- access, rather than the one-to-many model required by businesses that maintain multiple accounts, and must otherwise share passwords between employees.