HootSuite Fights Social Media Account Takeovers

HootSuite Security Services audits social assets, monitors for unusual Twitter account activity and offers crisis plans in the event of account takeovers.

Social media management system provider HootSuite announced on Thursday a range of services meant to bolster security for businesses that use Twitter, Facebook, LinkedIn and other social media outlets.

HootSuite Security Services is billed as a way to proactively address unauthorized social media activity by malicious insiders or external attackers. The service includes alerts for suspicious Twitter account activity, an audit of social media accounts used by the business, as well as training -- and simulations -- for responding to social media account takeovers.

The Twitter security alert feature, for example, will monitor for any attempt to post to the social network that doesn't come from either the HootSuite dashboard or an approved HootSuite iPhone app, then send warnings -- including the contents, sender and publishing source of the post -- to a preset list of users. The company said it can also implement a customized, emergency escalation plan, which may involve locking down all social media accounts if suspicious activity continues.
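The alerting rule described above can be sketched as a source allowlist check. This is an added example, not HootSuite's code: the record fields, approved source names, recipient addresses and the lockdown threshold are all assumptions made for illustration.

```python
# Assumption: publishing sources the business has approved (illustrative names).
APPROVED_SOURCES = {"HootSuite", "HootSuite for iPhone"}
# Assumption: the preset list of users who receive warnings.
ALERT_RECIPIENTS = ["social-lead@example.com", "security@example.com"]
# Assumption: how many unapproved posts count as activity that "continues".
LOCKDOWN_THRESHOLD = 2


def review_posts(posts, approved=APPROVED_SOURCES, threshold=LOCKDOWN_THRESHOLD):
    """Check post records in order; return (alerts, lockdown).

    Each alert carries the contents, sender and publishing source of a post
    that did not come from an approved source. lockdown becomes True once
    the number of such posts reaches the threshold.
    """
    alerts = []
    for post in posts:
        source = (post.get("source") or "").strip()
        if source in approved:
            continue
        # A missing or empty source is treated as unapproved (fail closed).
        alerts.append({
            "recipients": list(ALERT_RECIPIENTS),
            "sender": post["sender"],
            "contents": post["text"],
            "source": source or "<unknown>",
        })
    return alerts, len(alerts) >= threshold


# Constructed sample records, not real posts.
SAMPLE_POSTS = [
    {"sender": "@example_news", "text": "Morning headlines", "source": "HootSuite"},
    {"sender": "@example_news", "text": "Unexpected post", "source": "Web client"},
    {"sender": "@example_sport", "text": "Another unexpected post", "source": None},
    {"sender": "@example_sport", "text": "Match report", "source": "HootSuite for iPhone"},
]

if __name__ == "__main__":
    found, lockdown = review_posts(SAMPLE_POSTS)
    for alert in found:
        print(alert["sender"], "|", alert["source"], "|", alert["contents"])
    print("lock down all accounts:", lockdown)
```
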

HootSuite's services also include a "social asset audit" that studies how the business is currently using social media, then helps businesses secure access to those accounts by moving them, as required, onto HootSuite, which functions as an intermediary security tool between social networks and business users.


According to a research report -- cited by HootSuite -- from analyst Jeremiah Owyang at Altimeter Group, "76% of social media crises could have been diminished, or altogether prevented, had companies been prepared internally with the right training, processes, roles and software."

Today, many businesses rely on social media channels for disseminating information. But as the ongoing Twitter account takeover campaign conducted by the Syrian Electronic Army against news and media outlets has demonstrated, social networks may have a security model that's not equal to the task.

In particular, it's difficult for a large group of users to securely share access to multiple Twitter accounts without making those accounts easy for attackers to compromise. One exploit vector is to launch a phishing attack against employees, trick them into installing malware and then recover a list of social media passwords from their hard drives. Because Twitter -- unlike Facebook -- doesn't monitor for unusual access patterns, such as a user attempting to log into their Twitter account from Syria for the first time, attackers then have carte blanche access to the account.

That's been one attack technique practiced by the Syrian Electronic Army, which successfully exploited more than a dozen Associated Press Twitter feeds in one go, using them to broadcast a hoax tweet that shaved 145 points off of the Dow Jones index. The AP was just one in a long list of news and media outlets successfully targeted by the group, which has included everyone from the BBC and Reuters to National Public Radio and satire site the Onion.

What might those sites have done differently to avoid account takeovers? For starters, none seemed to have a social media account takeover response plan at the ready.

After the Syrian Electronic Army seized control of multiple Onion Twitter feeds, the satire site published a postmortem recommending -- among other controls -- that businesses adopt an intermediary social media monitoring tool to make it more difficult for attackers to compromise large numbers of a business's Twitter accounts at once.

Arguably, securing Twitter for business use requires add-ons. While Twitter recently rolled out two-step verification for accounts, it's designed for one-to-one -- one person to one account -- access, rather than the one-to-many model required by businesses that maintain multiple accounts, and must otherwise share passwords between employees.

Comments
Cara Latham,
User Rank: Apprentice
5/31/2013 | 12:46:16 PM
re: HootSuite Fights Social Media Account Takeovers
This is a good step for HootSuite, which already provides a useful set of training tools to help businesses effectively manage multiple social accounts for their brands. That HootSuite is taking additional steps to protect its clients' accounts, monitor for suspicious activity, and the best part -- provide training for responding to account takeovers -- makes it an extremely valuable tool to businesses today.