CERT-In Advisory
CIAD-2016-0075
Securing Twitter Accounts
Original Issue Date: December 12, 2016
Description
Twitter is one of the most popular social media networks in use today. It is used not only by private users, but also by journalists,
musicians and actors who want to promote their work, and by companies and brands who want to grow and nurture their community. It is also
widely used as a tool for spreading news.
Threats and Best Practices for Twitter Users
1. Disclosure of sensitive information
Attackers disclose account information of Twitter users as part of hacktivist campaigns and for other reasons. It has been observed that
attackers upload email contents, database dumps and other sensitive information through Twitter handles.
To enhance Twitter account security, the following steps must be taken:
i. Strong, Account-Specific Passwords
Create a strong password that includes symbols, capital letters and lower-case letters. Use a mix of different types of
characters to make the password harder to crack. You should also create an equally strong and unique password for the email address
associated with your Twitter account. Keep your password in a safe place. Consider using password management software to store all of your
login information securely.
ii. Use login verification
Login verification is an extra layer of security for your account. Instead of relying on a password only, login verification
introduces a second check to help make sure that you, and only you, can access your Twitter account. Only people who have access to both
your password and your mobile phone will be able to log in to your account. Two-factor authentication can compensate for shortcomings such as
weak passwords and reuse of the same password across multiple accounts.
To set up Login verification from your browser, follow these steps:
- Log in to your Twitter account.
- Click on your user photo from the top right corner of the screen.
- Go to Settings from the drop down menu.
- Click on Security and Privacy from the left menu.
- Activate and set up Login verification.
iii. Do not post private information and do not disclose your location
By default, Twitter is a public network and anyone will be able to follow you and see what you tweet. Keep in mind that the key
word here is "public": every little thing that you tweet will be available online, for anyone who wants to see it.
If you want to have some degree of control over who is following you, you can make your account private by activating the option "Protect
my Tweets". Also keep your tweets' location disabled, as this kind of data can also be used by cyber criminals.
To protect your tweets, follow these steps:
- Log in to your Twitter account.
- Click on your user photo from the top right corner of the screen.
- Go to Settings from the drop down menu.
- Click on Security and Privacy from the left menu.
- Go to Tweet privacy and check "Protect my Tweets" option.
To disable the tweet location, follow these (almost identical) steps:
- Log in to your Twitter account.
- Click on your user photo from the top right corner of the screen.
- Go to Settings from the drop down menu.
- Click on Security and Privacy from the left menu.
- Go to Tweet location and disable the "Add a location to my Tweets" option.
- From here you can also delete the previously stored Tweets location information.
iv. New login email alerts
When you log in to your Twitter account from a new device for the first time, Twitter will send you a notification via email as an
extra layer of security for your account. Login email alerts are only sent following new logins through Twitter for iOS and Android,
twitter.com, and mobile web.
Through these emails, you can verify that it was you who logged in from the device. If you did not log in from the device, you
should follow the steps in the notification email to secure your account, starting by changing your Twitter password immediately. Please
note that the location listed in the notification email is an approximate location derived from the IP address you used to access Twitter,
and it may be different from your physical location.
v. Email address update alerts
Any time the email address associated with your Twitter account is changed, Twitter will send an email notification to the
previously used email address on your account. In the event your account is compromised, these alerts will help you take steps to regain
control of your account.
vi. Select third-party applications with care
There are many third-party applications built on the Twitter platform by external developers that you can use with your Twitter
account(s). However, you should be cautious before giving third-party applications access to your account. If you wish to grant a
third-party application access to your account, Twitter recommends that you only do so using Twitter's OAuth method. OAuth is a secure
connection method that does not require you to give your Twitter username and password to the third party. You should be particularly
cautious when you are asked to give your username and password to an application or website, as third-party applications do not need
your username and password to be granted access to your account via OAuth.
2. Man-in-the-middle attack and Phishing
Sophisticated threats like Man-in-the-Browser or Man-in-the-Middle attacks intercept online transactions by reading account-related
information from the web browser while the user is typing their credentials.
Email phishing attempts are still extremely effective. Cyber criminals specialize in creating email forms, websites and other
elements that look exactly like the ones used by Twitter. Phishing attacks can also be carried out via private messages or replies, from
persons who want to obtain your Twitter credentials or any other personal information. Twitter will never ask you to provide your password
via email, Direct Message, or reply. Twitter will never ask you to download something or sign in to a non-Twitter website.
Never open an attachment or install any software from an email that claims to be from Twitter. If you suspect your account has been phished
or hacked, you may reset your password to prevent the hacker from misusing your account.
For prevention against phishing attacks, the URL of the web page should be verified by establishing the authenticity of the
website through validation of its digital certificate. To do so, go to File > Properties > Certificates or double-click on the padlock symbol at
the upper right or bottom corner of the browser window. Emails or text messages asking the user to confirm or provide personal information
should be ignored.
Consider using a Virtual Private Network (VPN): using a VPN means that you hide your IP address, encrypt your connection and access
web locations in a private environment. This method keeps your sensitive data protected from identity theft or phishing attempts.
3. Malware Attacks
Malware attacks through Twitter or smart devices have threatened the safety of users. An attacker can inject malware and collect
details for misuse. Many Twitter users post links using URL shorteners, like bit.ly or TinyURL, to create unique, shortened links that
are easier to share in Tweets. However, URL shorteners can obscure the end domain, making it difficult to tell where the link goes.
Make sure you keep all your software, including the core operating system and antivirus, up to date. Use caution when clicking on links. Be
sure to also scan your computer regularly for viruses, spyware and adware. Be careful what you download or click on Twitter or other
social networking sites.
Clicking on shortened URLs, such as those from bit.ly or TinyURL, is a risky practice. Shortened URL services put you at risk of
being redirected to a malicious site that can infect your system with malware. Some shortened URL services, such as TinyURL and bit.ly,
allow you to preview the link before it is clicked. This is an excellent feature to take advantage of to prevent visiting an unwanted
website. Just as with spam email messages, links within Twitter messages, shortened or not, can easily prompt the download of a malicious
file or redirect you to a dangerous website. To prevent the spread of malware via malicious Twitter messages, avoid
retweeting (RT) them. If you are using a public computer, make sure you sign out of Twitter when you are done.
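The link preview the advisory recommends can be automated. The added example below (not from the advisory or from Twitter) resolves a shortened link hop by hop using HEAD requests only, so no page body is ever downloaded, and reports the end domain before anyone clicks. The short.example and hop.example URLs and the redirect table are constructed for the demonstration; `http_head_location` is the live lookup that the offline stand-in replaces.

```python
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional
# Constructed sample of redirect responses (short URL -> Location header value);
# not real shortener data. Note the relative Location on the second hop.
CONSTRUCTED_REDIRECTS = {
    "https://short.example/abc": "https://hop.example/r?x=1",
    "https://hop.example/r?x=1": "/landing",
    "https://hop.example/landing": "https://www.twitter.com/safety",
    "https://www.twitter.com/safety": None,  # 200: final destination
    "https://short.example/l1": "https://short.example/l2",
    "https://short.example/l2": "https://short.example/l1",  # redirect loop
}

def constructed_lookup(url: str) -> Optional[str]:
    """Offline stand-in for a HEAD request: returns the Location header or None."""
    return CONSTRUCTED_REDIRECTS.get(url)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop is inspected here."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_head_location(url: str, timeout: float = 5.0) -> Optional[str]:
    """Live lookup (needs network): HEAD the URL, return a 3xx Location or None."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout):
            return None  # 2xx: this is the final page
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        raise

def expand_short_url(url: str, lookup: Callable[[str], Optional[str]] = constructed_lookup,
                     max_hops: int = 10) -> dict:
    """Walk the redirect chain without fetching any page body. Returns the hops,
    the final URL and host, and a status: 'ok', 'loop' or 'too_many_hops'."""
    chain = [url]
    for _ in range(max_hops):
        location = lookup(chain[-1])
        if location is None:  # no redirect: this hop is the destination
            host = urllib.parse.urlsplit(chain[-1]).hostname
            return {"chain": chain, "final": chain[-1], "host": host, "status": "ok"}
        nxt = urllib.parse.urljoin(chain[-1], location)  # resolves relative Location
        if nxt in chain:
            return {"chain": chain, "final": None, "host": None, "status": "loop"}
        chain.append(nxt)
    return {"chain": chain, "final": None, "host": None, "status": "too_many_hops"}
```

Pass `lookup=http_head_location` to run it against a real shortened link; the hop limit and loop check keep a hostile redirect chain from running forever.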
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India