Twitter has some solid, expensive advice to keep your account secure: Have a computer for tweeting and nothing else.
Granted, that advice was primarily aimed at news organizations. But following that advice would make it a more expensive social network to use than even App.net.
Twitter sent a memo to a number of newsrooms and journalists Monday regarding best practices for keeping accounts secure. It comes in the wake of recent account hacks with the likes of the Associated Press (and the subsequent stock market dip), The Guardian, CBS News, and the BBC all falling victim to the Syrian Electronic Army (SEA).
Twitter doesn’t want any more of these hacks going down, but believes “that these attacks will continue, and that news and media organizations will continue to be high value targets to hackers.” So, it wants news outlets to stuff their social media managers into bomb shelters.
In the memo, posted in full on BuzzFeed, Twitter warns reporters to be aware of the kinds of attacks the SEA has successfully used in recent months. The “spear phishing” attacks target journalists within an organization by appearing to be from colleagues. Hackers target individuals by personalizing the spoof emails in an effort to make them seem more legitimate.
In lieu of a more robust login system, though Twitter is reportedly working on one, the company offered some advice on how to lock down accounts. Until it releases that two-factor authentication, it seems the company is sending its comms team to panic stations, urging likely targets to batten down the hatches. Here’s a breakdown of Twitter’s advice.
Designate one computer to use for Twitter. This helps keep your Twitter password from being spread around. Don’t use this computer to read email or surf the web, to reduce the chances of malware infection.
In other words, Twitter suggests the person running Twitter accounts for a news organization be shut away from the rest of the Internet. Don’t click links on Twitter (useful advice for those who retweet a lot and want to verify information). Don’t move away from your corner. Don’t give your readers links to your news stories. Actually, there might be an ulterior motive there: By stopping news organizations from posting links, there’s nothing to click through to, and so people will keep their attention on their timelines. We know your game, Twitter.
Talk with your security team about ensuring that your corporate email system is as safe as possible. A third-party provider that allows for two-factor authentication might be a safer solution.
Keep your email accounts secure. Twitter uses email for password resets and official communication. If your email provider supports two-factor authentication, enable it. Change your e-mail passwords, and use a password different from your Twitter account password.
Change your Twitter account passwords. Never send passwords via e-mail, even internally. Ensure that passwords are strong- at least 20 characters long. Use either randomly generated passwords (like “LauH6maicaza1Neez3zi”) or a random string of words (like “hewn clothstitles yachts refine”).
Or, in plain English: “Guys, it’s not us, it’s you.”
Minimize the number of people that have access. Even if you use a third-party platform to avoid sharing the actual Twitter account password, each of these people is a possible avenue for phishing or other compromise.
This isn’t Netflix. Sharing accounts is totally wrong, and you should have one insane robot that operates your organization’s Twitter feed 24-7.
Build a plan. Create a formal incident response plan. If you suspect your organization is being targeted by a phishing campaign or has been compromised by a phishing attack, enact the plan.
In other words: “We’re not going to tell you exactly what to do. Just be ready to do it.”
There’s a lot of useful information in the memo to go along with the slightly over-the-top method of one computer to rule all a company’s Twitter accounts. Let Twitter know about all the accounts linked to an organization to help it keep a watchful eye. Keep your mogwai away from water. Get in touch with Twitter as soon as there’s a suspected hack. Use a password manager.
All right, one of those may not be from Twitter’s memo, but all are important pieces of advice.
Heaven forbid you use your Twitter machine for anything other than posting tweets, however. That tactic is about as helpful as tying your home down with a piece of string when a tornado’s coming.
Illustration by Fernando Alfonso III