Companies that use social networks have to take every available precaution to secure their Twitter accounts. There’s nothing like a pirated site to deliver a hefty blow to a company’s image.
In fact, as soon as an attacker tweets under a company’s Twitter handle, the company’s followers will take the information they receive at face value. In July 2011, Fox News announced the death of Barack Obama.
In September 2011, it was NBC News that announced an attack on New York.
The two events are allegedly linked to the cyberactivist groups LulzSec and/or Anonymous. I think it’s very hard to say: we never really know who is responsible because it’s so fashionable to claim membership in these groups.
Let’s be honest: when I look at some of the security practices in the world of corporate social media, the events at Fox News and NBC News are hardly surprising.
In general, social media team members often make mistakes like:
- overly simple passwords (like "company name + year")
- rarely changing passwords (or once a year, see the rule below)
- too many people know the passwords
- passwords left unchanged when someone leaves the team
- low level of awareness regarding social engineering attacks
- belief that “those things only happen to other people” and that “they’re unlucky, we’re lucky”
- Twitter accounts that are not set up for Secure Sockets Layer (SSL) by default
- connecting to Twitter accounts from unsecured hotspots, which can be attacked with Firesheep
In short, the classics. Some people will recognize their own habits on this list: it’s up to them to wake up and do what’s necessary. Needless to say, “I didn’t know” is not an acceptable response :-).
Just imagine for a second the kind of mess that would be caused by a fake message from the official Orange Twitter announcing: “For the next two hours, Orange stores are giving away free €5 and €10 prepaid recharge cards. Come and get ‘em!”
Within Orange Group security management, I am in charge of security and ensures the inclusion of security in the life cycle of products and services. I am passionate about IT security and enjoy sharing this passion through videos, presentations and articles. Directness, optimism and cheerfulness are my daily-engines. If you have questions, ideas, proposals: you know where to find me! :-)