May 01, 2013

Social Media Security Best Practices

In today's Whiteboard Wednesday, John Schimelpfenig talks about social media security best practices. With the recent AP and LivingSocial hacks in April, we thought this would be a timely topic.

Watch this video to learn why these high profile attacks took place and what you can do to prevent your social accounts from being compromised.

Video Transcript

Hi. My name is John Schimelpfenig. I'm the Federal Account Manager here at Rapid7. Today I'm here to talk to you about some social media security best practices. With the events that occurred last week, both with the Associated Press and with Living Social, we figured this was a good time to jump on and talk about some best practices regarding your social media experience.

First and foremost, last week there was the AP Twitter hack. As many of you may have noticed, this had a couple of different ramifications, both causing some panic around the general public as well as in the financial markets. Some simple things about the tweet that we noticed right off the bat as being inauthentic were simple formatting issues. It was never written in the AP style.

If you also look up here, we highlighted a couple of things. "Breaking," which is part of their style, would always be capitalized. Only the first letter was. If you look at the next two words, two explosions with the "E" being capitalized is not proper grammar. Lastly Barack Obama, who should be categorized as President Barack Obama, was not listed correctly, thus giving the tweet some feeling that it wasn't right.

Those of you who understand the AP style would have picked up on this right away. Many of you out there, much like myself, would have looked at the tweet and felt a little twinge of panic, as we saw in the stock market. The stock market fell about 143 points within minutes of the tweet going live. Now, the Associated Press was able to delete the tweet and highlight that it had actually been hacked, but that didn't quell the ramifications that were already taking place within the market.

Then towards the end of the week we had the Living Social hack in which 50 million customer accounts were compromised. You may have noticed, if you're a Living Social customer, that when logging onto the site this week, you're automatically prompted to re-enter a new password. This is simply because everything was compromised all at once.

We have a couple of steps to go through here. One is noticing that some sites out there are now starting to use two-factor authentication. This is something that we highly advocate here at Rapid7 and encourage more sites to get into. Sites such as Google are already using this. Two-factor authentication is more in-depth than just your user ID and your password. At this point, we're using your user ID and the password, but we're also going to use a token which is unique to you and certifies that you are who you say you are.

Okay. I want to go over some additional tips for you in order to secure your social media presence online, whether or not two-factor authentication is in place. One simple one is to create passwords that are tough for hackers to crack. Basically, don't reuse your passwords across multiple sites. Otherwise that's easy access to basically your entire life that's present online.

Secondly, use long passwords, 12 characters or more, when allowed to. Combining common phrases or elongated words makes it very hard for hackers to get in.

Thirdly, avoid words associated with the site or directly with yourself. If somebody's actually already on your Facebook and going after everything, they know a lot about you and could associate your characteristics with a potential password that you may use online.

Lastly, avoid common words, such as "password" or "12345", etc. These are very easy, and these are the first things that these folks go to before anything else.

A second tip for you guys out there is to look for social engineering attacks. Basically, to start off, check the address that this came from. Does it make sense? Is this an authentic address to you? Have you never seen it before? You know, if there are a couple of scenarios there where you're not sure whether this is right or not, then instead of clicking on the link, simply never click on it. If you do click on that link, you could be in trouble without knowing where you're going.

First and foremost, open up a browser. Type in what you think that address would be. If it doesn't work at that point or directs you to a different site, you know something's wrong. Another point is to simply drag your cursor over that hyperlink. Watch the bottom left-hand corner of the screen. If that address that pops up is consistent with the address in the email, then you can verify that as being authentic or being something that you don't want to go to in the first place.

Lastly, when in doubt, forward this off to your IT or info tech manager for further verification. They're the ones who, at the end of the day, will be able to come back and give you the thumbs up or tell you to delete it and get rid of it immediately.

We here at Rapid7 are committed to making sure that everybody, from corporations through to the personal space, is secure. We're here every day, going out there and fighting the good fight for you guys. I appreciate the time that you've given us today. We look forward to meeting you on another Whiteboard Wednesday.
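The four password tips in the transcript (no reuse across sites, 12 or more characters, no words tied to the site or to you, no common words) can be checked mechanically. The checker below is an added example written for this page, not Rapid7's code or anything from the video; the common-password list and the sample vault are constructed for illustration, and a real deployment would load a breach-derived list instead.

```python
"""Password checks modelled on the four rules given in the transcript."""
import re

# Constructed list of weak passwords for this example; a real deployment
# would load a much larger breach-derived list.
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "letmein"}

MIN_LENGTH = 12  # "12 characters or more"


def related_words(site_name, user_facts=()):
    """Lowercase tokens (3+ chars) derived from the site name and facts about the user."""
    words = set()
    for text in [site_name, *user_facts]:
        for token in re.split(r"[^a-z0-9]+", text.lower()):
            if len(token) >= 3:
                words.add(token)
    return sorted(words)


def check_password(password, site_name, user_facts=()):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # "avoid common words": flag any weak password appearing inside the candidate,
    # so "MyPassword2013" is caught as well as "password" on its own
    for weak in sorted(COMMON_PASSWORDS):
        if weak in lowered:
            problems.append(f"contains common password '{weak}'")

    # "avoid words associated with the site or directly with yourself"
    for word in related_words(site_name, user_facts):
        if word in lowered:
            problems.append(f"contains '{word}', which is tied to the site or to you")

    return problems


def find_reused(vault):
    """Given {site: password}, return groups of sites that share a password.

    Reuse cannot be judged from one password alone; this needs the whole
    vault, which is why a password manager is the practical way to enforce it.
    """
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


if __name__ == "__main__":
    # Constructed sample data
    print(check_password("password", "facebook"))
    print(check_password("john-likes-tea-2013", "twitter", ["John Schimelpfenig"]))
    print(check_password("correct-horse-battery", "example"))
    print(find_reused({"a.example": "pw1", "b.example": "pw1", "c.example": "pw2"}))
```

The substring match for common words is deliberately strict: a password that merely wraps "password" in digits gains little against a cracker whose wordlist starts with exactly those words.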
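The "drag your cursor over the hyperlink" check in the transcript compares the address shown in the email with the address the link actually points to. The script below automates that comparison over an HTML email body; it is an added example for this page, not Rapid7's code or anything from the video. The email body is constructed, the domains are placeholders, and the site-equality rule (last two DNS labels) is a simplification that does not consult the public suffix list, so two-level registries such as co.uk would need a proper suffix check.

```python
"""Flag links whose visible address differs from the real href, as a person hovering would."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style email body used as sample input
SAMPLE_EMAIL = """
<p>Your account needs verification. Visit
<a href="http://login.bank.example.evil.test/verify">https://www.bank.example/verify</a>
or <a href="https://www.bank.example/help">our help page</a>.</p>
<p>Unsubscribe: <a href="https://news.bank.example/u">news.bank.example</a></p>
"""

# Visible text that reads like a URL or bare domain (anything else, e.g. "Click here", is skipped)
LOOKS_LIKE_ADDRESS = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data  # text inside nested tags is kept too

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def hostname(text):
    """Lowercased hostname of a URL or bare domain, or None if there is none."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    return host.lower() if host else None


def same_site(host_a, host_b):
    """True when both hosts share their last two labels (simplified; no public suffix list)."""
    return host_a.rsplit(".", 2)[-2:] == host_b.rsplit(".", 2)[-2:]


def find_mismatched_links(html_body):
    """Return (shown_address, real_href) pairs where the displayed address is not the destination."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        shown = text.strip()
        if not LOOKS_LIKE_ADDRESS.match(shown):
            continue
        shown_host, real_host = hostname(shown), hostname(href)
        if shown_host and real_host and not same_site(shown_host, real_host):
            findings.append((shown, href))
    return findings


if __name__ == "__main__":
    for shown, real in find_mismatched_links(SAMPLE_EMAIL):
        print(f"displayed {shown!r} but points to {real!r}")
```

Only links whose visible text is itself an address are compared, since that is the case where a reader is being told one destination and sent to another; a link labelled "our help page" carries no address to contradict.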
