{"id":6405,"date":"2017-01-27T04:30:53","date_gmt":"2017-01-27T12:30:53","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/27\/news-242\/"},"modified":"2017-01-27T04:30:53","modified_gmt":"2017-01-27T12:30:53","slug":"news-242","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/27\/news-242\/","title":{"rendered":"Trump administration is giving us a good lesson on Twitter security"},"content":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt0.staticworld.net\/images\/article\/2017\/01\/img_20170126_110036_01-100706004-large.3x2.jpg\"\/><\/p>\n<p> Several recent incidents involving U.S. President Donald Trump&#8217;s administration can teach users something about IT security &#8212; particularly about Twitter and what not to do with it. <\/p>\n<p> It turns out that several White House-related Twitter accounts &#8212; including the president&#8217;s official account, @POTUS &#8212; until recently were revealing sensitive information that hackers might be able to exploit. <\/p>\n<p> The problem revolves around the service\u2019s password reset function. If the account holder doesn&#8217;t take certain steps to secure it, Twitter exposes information that anyone with the right skills can use to uncover what email address &#8212; in redacted form &#8212; was used to secure a Twitter account. <\/p>\n<p> A hacker who goes by the name WauchulaGhost <a href=\"http:\/\/money.cnn.com\/2017\/01\/24\/technology\/trump-white-house-twitter-security\/\" target=\"_blank\">noticed<\/a> the problem and began tweeting about it. He found that the @POTUS account was secured to a Gmail address that, although partially redacted, could be guessed as belonging to a Trump aide in charge of social media. <\/p>\n<p> The hacker found the same issue with the Twitter accounts for the vice president, the first lady and Trump\u2019s press secretary, all of which were also secured with Gmail addresses. 
<\/p>\n<p> \u201cIt\u2019s not hard to figure the emails out from there,\u201d WauchulaGhost <a href=\"https:\/\/twitter.com\/WauchulaGhost\/status\/823742959581560832\" target=\"_blank\">tweeted<\/a>. \u201cOnce the email is exposed, there is a chance it can be compromised.\u201d <\/p>\n<p> Exposing your email address to the public may seem harmless. But for government officials or business executives, it can be asking for trouble. <\/p>\n<p> That\u2019s what happened in last year\u2019s election. An aide to presidential candidate Hillary Clinton was <a href=\"https:\/\/www.nytimes.com\/2016\/12\/20\/insider\/how-we-identified-the-dnc-hacks-patient-zero.html\" target=\"_blank\">hacked<\/a> by suspected Russian cyberspies through a phishing attack sent to his Gmail address. His emails were eventually stolen and leaked to the public. <\/p>\n<p> A hack can be even more devastating if it affects a high-profile Twitter account. But anyone can be a target of such attacks, said Felix Odigie, CEO of Inspired eLearning, a company that specializes in security awareness training. <\/p>\n<p> \u201cPeople don\u2019t really believe these threat actors are real, or they don\u2019t believe it\u2019s going to happen to them,\u201d he said. \u201cBut it\u2019s probably only a matter of time before you get hit at some point.\u201d <\/p>\n<p> To prevent exposing your email address over Twitter, you can go into your account\u2019s security settings and click \u201cRequire personal information to reset my password.\u201d That\u2019ll force anyone trying to reset your password to enter the correct email address or phone number to continue. <\/p>\n<p> Securing a presidential Twitter account with a Gmail address highlights another problem: Why are White House officials using third-party email providers? 
<\/p>\n<p> In last year\u2019s election, government IT security became a hot-button issue over Clinton\u2019s use of a <a href=\"http:\/\/www.computerworld.com\/article\/3091771\/technology-law-regulation\/fbi-faults-clintons-personal-email-system-but-doesnt-recommend-prosecution.html\" target=\"_blank\">private email server<\/a>. Critics feared it left her digital correspondence vulnerable to hacks. <\/p>\n<p> Now the Trump administration has received some flak for securing presidential Twitter accounts to Gmail addresses. \u201cIt seems like bad form,\u201d said Jake Williams, founder of security provider Rendition InfoSec. \u201cIt should really be a .gov address.\u201d <\/p>\n<p> \u201cIn that way, if there\u2019s ever an attempt to enter the account, it\u2019ll be monitored by their own information security people, as opposed to possibly nobody with Gmail,\u201d he said. <\/p>\n<p> That same advice can apply to any business. It&#8217;s better to rely on corporate IT infrastructure, which can be more tightly controlled, than on common third-party email providers, Williams said. <\/p>\n<p> He also suggests that people secure their Twitter accounts with two-factor authentication. This requires the user to enter both a password and a one-time code sent to their mobile phone or generated by an authenticator app. <\/p>\n<p> \u201cIf the attacker ever gets a hold of your password, they still won\u2019t be able to access your account,\u201d Williams said. <\/p>\n<p> Twitter users can access this option by going to security settings and checking \u201cverify login requests.\u201d <\/p>\n<p> Earlier this week, the Trump administration found itself involved in another Twitter-related incident. 
The account for Badlands National Park in South Dakota tweeted a series of facts that seemed to <a href=\"http:\/\/www.computerworld.com\/article\/3161719\/internet\/controversial-park-service-tweets-arose-from-old-twitter-passwords.html\" target=\"_blank\">challenge<\/a> Trump\u2019s assertion that climate change is a hoax. <\/p>\n<p> The White House said an \u201cunauthorized user\u201d had used an old password from the National Park Service\u2019s San Francisco office to access the account. <\/p>\n<p> Williams suspects the Trump administration had changed the password to the park\u2019s Twitter account but failed to revoke the OAuth token, which can grant access independently of the password. <\/p>\n<p> Third-party applications can use OAuth tokens to connect to a Twitter account without the risk of handling sensitive password information. \u201cSomeone probably realized they were still hooked into the account, and decided to take it for a run,\u201d Williams said. <\/p>\n<p> The controversial tweets from the park\u2019s account were quickly deleted, but the mishaps with the Trump administration\u2019s Twitter accounts haven\u2019t stopped. <\/p>\n<p> On Thursday, White House Press Secretary Sean Spicer was found tweeting and then deleting what appeared to be a password, although it\u2019s still unclear what really happened. <\/p>\n<p> Williams advises that White House officials use an <a href=\"https:\/\/twitter.com\/tweetdeck\/status\/597826666153398272\" target=\"_blank\">option<\/a> on TweetDeck, a Twitter dashboard, that asks the user to confirm the contents of a tweet before posting it. <\/p>\n<p> \u201cIt&#8217;s saved me from sending something erroneously more than once,\u201d he said. 
<\/p>\n<p><a href=\"http:\/\/www.computerworld.com\/article\/3161763\/security\/trump-administration-is-giving-us-a-good-lesson-on-twitter-security.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt0.staticworld.net\/images\/article\/2017\/01\/img_20170126_110036_01-100706004-large.3x2.jpg\"\/><\/p>\n<article>\n<section class=\"page\">\n<p> Several recent incidents involving U.S. President Donald Trump&#8217;s administration can teach users something about IT security &#8212; particularly about Twitter and what not to do with it.<\/p>\n<p> It turns out that several White House-related Twitter accounts &#8212; including the president&#8217;s official account, @POTUS &#8212; until recently were revealing sensitive information that hackers might be able to exploit.<\/p>\n<p> The problem revolves around the service\u2019s password reset function. 
If the account holder doesn&#8217;t take certain steps to secure it, Twitter exposes information that anyone with the right skills can use to uncover what email address &#8212; in redacted form &#8212; was used to secure a Twitter account.<\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11067,714,1932],"class_list":["post-6405","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-government-it","tag-security","tag-social-media"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6405","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6405"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6405\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6405"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6405"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6405"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}