The SEA said it seized control of several FT Twitter accounts and blog posts under the descriptive headline, “Hacked by Syrian Electronic Army.”
According to the New York Times, faux postings included the Kilroy-esque “Syrian Electronic Army Was Here,” and a link for a disturbing YouTube video of an execution.
The hacked messages have been removed and the feed restored to FT’s control, but in the wake of an offensive that has successfully hit, among others, the New York Times, al-Jazeera, the Guardian, the Washington Post, the AP and even the Onion, media companies may have to ask themselves how to prevent becoming the next victim.
Twitter put out some security tips in the midst of the SEA activity, but others are making recommendations too. One of the challenges for companies and their social media accounts is that they don't support a standard like SAML, which uses digital certificates to sign the user into the application. But, most of the Twitter hacks on high-profile media could have been avoided with an inexpensive password vaulting or cloud-based identity and access management (IAM) solution, according to Thomas Pederson, CEO of OneLogin.
"Attacks on Twitter accounts are growing, partly because there is no standard two-factor authentication in place within Twitter and partly because of the way that Twitter accounts work: everything is linked to the single email address, even when the account is shared across multiple people,” he said, in an email to Infosecurity.
He added, “This gets more complex when you have social media accounts being managed by third parties as well. In effect, you have multiple individuals, all with the right to enter that account, but it only takes one person being fooled in order to gain access.”
A cloud-based single sign-on system is less vulnerable to phishing because end users never log directly into their company's Twitter, Facebook or LinkedIn account. Rather, they go through the IAM system first, which can include a second factor of authentication.
“Password vaulting is often combined with an IAM system and is a way of adding an additional layer of protection for apps like Twitter that use form-based authentication,” Pederson said. “Password vaulting stores the passwords securely server-side and injects them into an application’s login page during sign-on. The bottom line is that there's no reason why a social media manager should ever know his password to Twitter or be able to share it with his colleagues."