Burger King sold to McDonald's! Jeep sold to Cadillac! With a few swift strokes of the hacker's keyboard, jaw-dropping messages can be broadcast on Twitter, setting off a chain of rumors and reaction that can leave a company sifting through the ashes of its reputation.
After the two high-profile companies were hacked earlier this week -- and two others, MTV and BET, fake-hacked themselves as a publicity stunt -- there's a renewed focus on social media security. And it's not just major brands that need to be concerned.
For most people, the real danger isn't that a hacker will post something embarrassing, but that he will use your social media feed to dupe others.
"Most of the reason people want to take over Twitter accounts is spam advertising, for things like online pharmacies," said Seth Schoen, senior staff technologist at the Electronic Frontier Foundation. "For a run-of-the-mill Twitter account compromise, someone might hope to tweet a few spam links to one of these online pharmacies that's paying a commission to the spammer for the number of people who visit the site."
But other hackers go after Twitter feeds with much more malice, Schoen warned. Once a hacker has access to one of your accounts, he can send a message to your friends suggesting they install software. The software, Schoen said, can be malicious, such as a key logger that records everything you type.
"And one thing you can do with that is get someone's password for Gmail or Twitter or Facebook, because they type it in and the key logger records that," Schoen said.
And once a hacker has your Twitter password, there's a good chance they've got your password to a number of sites, notes Schoen, who says password reuse is a subtle but very real security issue.
"Someone breaks into a more obscure site, not necessarily Facebook or Google or Microsoft, but maybe an e-commerce site, or a doctor's office or a web forum," Schoen said. "And maybe they're using out-of-date software or it wasn't configured properly, there's some kind of vulnerability, and someone was able to compromise that site. The problem is the attacker then gets a database of usernames and passwords… then goes to Twitter and Gmail and Facebook, and tries those same names and passwords there."
Schoen has protected himself from such attacks for more than 6 years by using a password manager, a piece of software that remembers more than 100 passwords for him. In fact, it even generates the passwords and enters them when he wants to log onto a website--Schoen himself doesn't know his passwords, except for the one to his password manager.
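To make the two points above concrete, here is an added example (not code from the article or from any real password manager) of what such a tool does for you: it draws a unique, random password per site, and it can show which accounts would fall to the reuse attack Schoen describes if one site's database leaked. The vault contents are constructed sample data.

```python
import secrets
import string

# Character classes a "strong password" is expected to mix.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length=20):
    """Random password from the OS CSPRNG, guaranteed to contain every class."""
    if length < 4:
        raise ValueError("need room for one character of each class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
                and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def find_reuse(vault):
    """Map each password used on more than one site to the sites sharing it."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def exposed_by_breach(vault, breached_site):
    """If breached_site's password leaked, which other accounts accept it?"""
    leaked = vault[breached_site]
    return sorted(site for site, pw in vault.items()
                  if pw == leaked and site != breached_site)


# Constructed sample vault: one password typed by hand and reused on three sites,
# plus one site whose password a manager generated.
SAMPLE_VAULT = {
    "forum.example": "Summer2013!",
    "shop.example": "Summer2013!",
    "webmail.example": "Summer2013!",
    "bank.example": generate_password(24),
}
```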
"It's quite likely that some of those sites may have been compromised during that time. So it's a nice thought for me that none of those passwords are going to work on any of those other sites."
Schoen's password manager is installed locally on his computer, which means he can only access certain sites from that single machine, though there are password managers that are web-based. While he confesses to being "paranoid," he's amazed by people who use computers other than their own.
"The thing that makes me especially anxious, since I know about key loggers, is thinking about machines that I don’t really control," Schoen said. "If I were visiting a relative's home, I would actually not want to log into my email from a relative's PC."
Even more vulnerable than a friend's computer is one you might encounter at an Internet café, where the security is only as strong as the least tech-savvy customer who came before you.
"That situation is one of the reasons that Google created that two-step authentication, which is that your password alone is not sufficient to get into your account on a new machine," notes Schoen.
Google lets users opt for two-step authentication, which requires you to enter both your password and then a six-digit passcode that's been sent to your mobile device any time you try to access your account from a new machine or browser. Schoen suspects the folks at Twitter are contemplating a two-step log-in process.
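The server side of the two-step process just described, as an added example that is not Google's or Twitter's code: a six-digit code is issued only for a device the account has not seen before, stored only as a hash, accepted once, and rejected once it expires or after too many wrong guesses. The five-minute lifetime and five-attempt limit are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumption: a code stays valid for five minutes
MAX_ATTEMPTS = 5         # assumption: discard the challenge after five wrong guesses


class SecondStep:
    """Second login step: one-time six-digit code, required only on unknown devices."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}    # (user, device) -> {"digest", "expires", "attempts"}
        self.trusted = set()  # (user, device) pairs that already passed the step

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def needs_code(self, user, device):
        return (user, device) not in self.trusted

    def issue_code(self, user, device):
        """Create a challenge; the returned code is what would be sent to the phone."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[(user, device)] = {
            "digest": self._digest(code),   # never keep the code itself
            "expires": self.clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify_code(self, user, device, submitted):
        """True exactly once for the right code; stale, wrong or overused codes fail."""
        challenge = self.pending.get((user, device))
        if challenge is None or self.clock() > challenge["expires"]:
            self.pending.pop((user, device), None)
            return False
        challenge["attempts"] += 1
        if challenge["attempts"] > MAX_ATTEMPTS:
            del self.pending[(user, device)]
            return False
        if not hmac.compare_digest(challenge["digest"], self._digest(submitted)):
            return False
        del self.pending[(user, device)]   # single use
        self.trusted.add((user, device))   # this machine no longer needs a code
        return True
```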
"I think in Google's case it's been very helpful, it's a major security advantage relative to other web mail providers that don't offer that," Schoen said.
Computer users should also try to keep their own devices safe, and probably the most significant step there is being cautious about the software you install. In general, whether you're confronted with questionable tweets, dubious pop-ups or strange computers, Schoen says one of the best tools for protecting yourself "is a lot of skepticism."
Four keys to cyber-security
- Use strong passwords -- a mix of letters, numbers, symbols and upper- and lower-case characters -- and don't reuse passwords for multiple sites. You can use a password manager to make this more manageable.
- Use two-step authentication whenever possible. Many password-protected services now support this, including Google and Facebook.
- Check the approved applications in your social accounts on a regular basis. Remove anything you don't use on a regular basis.
- Be skeptical of any links you receive -- if it looks suspicious, don't click on it.