Onion's Twitter Gets Hacked; Still No Two-Factor Authentication
The greatest faux-news site on the Internet has just gone where many real news sites have gone before: Syria.
The Syrian Electronic Army (SEA) are a group of pro-Syria hackers who, according to Slate, have cracked the Twitter accounts of some of the biggest names in journalism, including the BBC, NPR, CBS, "60 Minutes", Reuters News, and the Associated Press. The AP hack, of course, resulted in a fake tweet about an explosion at the White House that triggered a brief stock market panic.
Today’s Twitter hack of the Onion’s account likely won’t have such severe consequences. After all, no one takes The Onion seriously. Well, no one except the Chinese. However, many of the Twitter followers in this cased likely didn’t notice the hack, as the fake Tweets were all sarcastic anti-Israel or pro-Syria tweets (though after the first couple, it got a bit obvious).
Still, this begs the question: how does this continue to happen?
Spear-Phishing
You’re probably familiar with the concept of phishing. A site sends you a fake email, usually in the form of a security warning, and asks you to enter your username and password. As awareness of phishing email scams spread, hackers had to take it one step further.
According to Slate, the AP hack originated from an email that appeared to be from an actual AP staffer, had the subject line “News”, and had a link that appeared to go to the Washington Post’s WordViews blog. Apparently, it didn’t. That email was sent out to many, many AP employees. Someone clicked the link. Chaos ensued.
We don’t know if that’s exactly what happed with The Onion, but it’s a fair guess. These new forms of phishing, that utilize personalized information and fake senders with familiar names, are a lot easier to fall for when one is rushing through a busy news (or faux-news) day.
Two-Factor Authentication
We’re still waiting on the obvious solution. We recently discussed two-factor authentication and how it can help you keep your email and cloud storage accounts secure. Google, Microsoft, DropBox, and many other popular services all offer it.
Twitter doesn’t. That’s why, in our humble opinion, Twitter is so frequently hacked. Whether the hackers use phishing or brute force tactics to obtain your password, the problem is that there is no second layer of security.
With Google’s two-factor authentication, after you enter your password on an unfamiliar computer or device, it either texts you a numeric code or you can use a smartphone app to get one. This requires access to your phone — something nearly all hackers lack. Plus, if you are logging in from the same computer repeatedly, such as the office PC, you can choose to “remember” that computer so that two-factor only annoys those on unfamiliar devices.
It’s been long-rumored that Twitter has this feature in the pipeline. It can’t come soon enough.
Related Resources:
- WordPress Sites Targeted by Hackers; Strong Password Myths (FindLaw’s Technologist)
- Samsung’s ‘Knox’ Smartphone Security Delayed; Worth the Wait? (FindLaw’s Technologist)
- King and Spalding Does Right IT Thing, Blocks Personal Email (FindLaw’s Technologist)