As you may have heard by now, The Onion recently became the latest in a string of large news organizations to have its Twitter account hijacked by the Syrian Electronic Army. They regained control fairly quickly, but in a surprising twist, they also published a blog post detailing exactly how their security was breached. By revealing the specifics of the attack and the techniques the attackers used, The Onion is doing the rest of us a favor: it shows what actually works against a newsroom, and therefore what we need to defend our own social media accounts against.
What is really surprising, however, is just how low-tech the SEA's techniques were. As technology has advanced, so have the strategies hackers use to take advantage of people, but the attack on The Onion shows that the old ways still work if employees aren't careful. All the SEA did was send a simple phishing email, and all it took was one or two employees entering their passwords on the attackers' page for the hackers to take control of the Twitter account.
In the wake of this event, it seems wise to review (if you're of the 'internet generation') or really learn (if you didn't grow up with computers) the basics of online security, especially since, through social media, your company can reach thousands of people. Getting hacked lowers the trust customers place in you, and that, of course, is bad for business. The Onion posted its own steps for protecting yourself from being hacked. Here they are, with some commentary from me:
“Make sure that your users are educated, and that they are suspicious of all links that ask them to log in, regardless of the sender.”
The internet, and thus internet business, moves at lightning speed, so it's easy to get overwhelmed by all the things you need to do and all the websites you need to visit to do them. It's important to remain vigilant and not hand your log-in details to whatever page asks for them. A rule we follow is: if a link lands you on a login page, don't type anything into it. Open a new tab, get to the site yourself (type the address or use a bookmark), log in there, and then reload the linked page. If a legitimate page needed you to be logged in, it will now work; if it still demands a password, you are almost certainly looking at a phishing page. The same goes for checking the address bar: a login page whose address is not the site you think you are on, no matter how familiar it looks, is the attack.
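The "open the real site yourself" rule can also be expressed as a check on the links in a message before anyone clicks: does the visible text point where the link really goes, and does any login link actually land on a domain the organization trusts? The following is an added example, not code from The Onion's post or from this blog; the trusted domains and the sample email are constructed for illustration (the `attacker.example` host is hypothetical). It is a heuristic to support the habit above, not a replacement for it.

```python
"""Flag suspicious login links in an HTML e-mail (added example, constructed data)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts at which this hypothetical organization legitimately logs in.
TRUSTED_LOGIN_DOMAINS = {"twitter.com", "accounts.google.com", "mail.example-news.com"}

# Words that suggest a link will ask for credentials.
LOGIN_WORDS = ("login", "signin", "sign-in", "verify", "password", "account")

# Constructed sample message: the first link shows a real-looking Twitter URL
# but actually points at a lookalike host under attacker.example.
SAMPLE_EMAIL = """<p>Please review this story before it goes live:</p>
<a href="http://twitter.com.attacker.example/login">https://twitter.com/login</a>
<p>Otherwise <a href="https://accounts.google.com/ServiceLogin">sign in here</a>.</p>
<a href="https://www.example-news.com/2013/05/story">https://www.example-news.com/2013/05/story</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_trusted_host(host):
    """True only if host IS a trusted domain or a genuine subdomain of one.

    'twitter.com.attacker.example' fails: it merely starts with twitter.com,
    and the registered domain is attacker.example.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LOGIN_DOMAINS)


def check_links(html):
    """Return (reason, href) findings for every link that looks like phishing."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        # If the visible text is itself a URL, its host must match the real target.
        shown = host_of(text) if text.startswith(("http://", "https://")) else ""
        if shown and shown != target:
            findings.append(("display_mismatch", href))
        # Any link that will ask for credentials must land on a host we trust.
        if any(w in href.lower() for w in LOGIN_WORDS) and not is_trusted_host(target):
            findings.append(("untrusted_login_link", href))
    return findings


if __name__ == "__main__":
    for reason, href in check_links(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

Run against the sample, only the lookalike link is reported, twice: once because its visible text and real destination disagree, and once because it is a login link on an untrusted host. The suffix check in `is_trusted_host` is the important detail: a hostname that begins with a trusted name is worthless as evidence, since attackers register exactly such names.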
“The email addresses for your social media should be on a system that is isolated from your organization’s normal email. This will make your social media accounts virtually invulnerable to phishing (providing that you’re using unique, strong passwords for every account).”
Get really serious about using unique passwords: a password reused between your email and your Twitter account means one phished login opens both. Personal information is easy to remember, but your birthday or your pet's name is exactly what an attacker guesses first. One memorability trick is to "code" a favorite quote or song lyric by replacing letters with numbers or by taking the first letter of each word; the famous Shakespeare quote "To be, or not to be, that is the question" becomes something like "2b0rn0t2btisq". Choose something far less well known, though, and understand what this buys you: the quotes people pick and the usual letter-for-number swaps are already in the wordlists attackers feed their cracking tools, so the trick makes a password easier to remember, not meaningfully harder to guess. If you want your password to be genuinely strong, have a random password generator create it and, if you must memorize it, build a mnemonic around the result rather than the other way round. Better still, use a password manager such as LastPass or 1Password: it generates and stores a different random password for every account, and the only one you have to remember is the manager's own, which can be long.
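To make the comparison concrete, here is an added example (mine, not from The Onion's post) that generates passwords the way a password manager does, using Python's `secrets` module, and puts numbers on the strength of each approach. The entropy figures follow from the size of the choice space, and the quote-recipe estimate assumes (hypothetically) that an attacker tries a list of well-known quotes combined with a handful of standard encoding recipes; the tiny word list is constructed for the demo, a real passphrase list has thousands of entries.

```python
"""Random password generation and strength estimates (added example, constructed data)."""
import math
import secrets
import string

# Constructed word list for the passphrase demo. A real list (e.g. Diceware)
# has 7776 words; the estimate below uses that size.
WORDS = ["anchor", "basil", "copper", "dune", "ember", "fjord", "garnet", "harbor",
         "iris", "juniper", "kestrel", "lantern", "meadow", "nimbus", "orchid", "pumice"]

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(choices_per_symbol, symbols):
    """Bits of entropy for `symbols` independent uniform picks from `choices_per_symbol`."""
    return symbols * math.log2(choices_per_symbol)


def random_password(length=16, alphabet=PRINTABLE):
    """A password of uniformly random symbols, as a password manager would generate."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words=5, wordlist=WORDS, sep="-"):
    """A passphrase of uniformly random words; memorable, and strong with a large list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def quote_recipe_bits(num_quotes, num_recipes):
    """Upper bound on the strength of a 'coded quote' password.

    The encoding is deterministic, so an attacker who guesses the quote and the
    recipe reproduces the password exactly; strength is bounded by how many
    quote/recipe pairs they must try, not by the length of the output.
    """
    return math.log2(num_quotes * num_recipes)


if __name__ == "__main__":
    print(random_password(), round(entropy_bits(len(PRINTABLE), 16), 1), "bits")
    print(random_passphrase(), round(entropy_bits(7776, 5), 1), "bits with a 7776-word list")
    print("coded famous quote:", round(quote_recipe_bits(100_000, 8), 1), "bits at most")
```

Sixteen random printable characters give roughly 105 bits; five words from a 7776-word list give about 65 bits and are far easier to type from memory; a "coded" quote drawn from even a generous 100,000 well-known lines with eight encoding recipes tops out near 20 bits, which is within reach of an offline cracking run. That gap is why the generator-plus-manager approach wins.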
“All social media activity should go through an app of some kind, such as HootSuite. Restricting password-based access to your accounts prevents a hacker from taking total ownership, which takes much longer to rectify.”
Using a social media management system puts another layer between the hackers and the account itself. Day-to-day posting goes through the app, so the Twitter password is known to only one or two people and is never typed into the routine workflows where a phishing page can catch it. If a staff member's app login is phished, you revoke that one user's access in the app and move on; the attacker never learns the account password, and it is the account password that lets them change the email address, lock you out, and turn a nuisance into the days-long recovery The Onion warns about.
“If possible, have a way to reach out to all of your users outside of their organizational email. In the case of the Guardian hack, the SEA posted screenshots of multiple internal security emails, probably from a compromised email address that was overlooked.”