CBS affiliates see Twitter accounts hijacked; Password security in focus

The episodes add to a long list of media outlets and big companies that have been compromised in recent months.

Two-factor authentication is in the spotlight again after the Twitter accounts for three CBS brands -- 60 Minutes, 48 Hours and a Denver news affiliate -- were hijacked and later suspended this weekend.

So why don't more people use two-factor authentication, a more demanding method of accessing an account than a password-only process? The answer: Laziness or friction, depending on how you want to think of it.

In enterprises, two-factor relies on hardware tokens that generate passcodes that are valid for just moments and must be entered along with the usual password. Consumer Web services such as Google or Facebook will send a one-time unique passcode to a user's mobile device, either as a text message or, in Apple's case, to an iPhone or iPad via the Find My iPhone app's notification feature. Without that code, you can't log in.

The hackers in the CBS case appear to have political motivations, tweeting things like "The American people must stop their government, before the whole world is destroyed," as well as claims that "the Syrian army fights for all humanity" and a suggestion that the Boston bombers are professionals under U.S. government protection.

The latest incidents aren't isolated.

In recent months hackers also took over the Twitter accounts of Burger King, Jeep and MTV. Yet a simple thing could make a hacker's job much more difficult -- two-factor authentication.

Even though Twitter itself has been rumored to be working on offering its users two-factor authentication, you're still going to see incidents like the ones currently plaguing CBS. That's because even the tiniest bit of friction is enough to deter people from using extra security.

Think of it this way -- everybody knows (or should know) that you should never use the same password for more than one account. In addition, all these unique passwords need to be long, include special characters and be completely random so that a bad guy can't guess them.

Something like 472vY!5@0ndw33k3nd might be a good example. Of course, that can be hard for the user to remember, and it isn't a good idea to write down passwords because you could lose them and they could end up in the wrong hands.

You can use a password manager such as LastPass to store all the dozens of impossible-to-memorize passwords it takes to keep all your accounts safe, but even then, it takes work. Every time you want to log in to Mint, or your email, or your bank or Twitter or anywhere, it involves taking the extra five seconds to retrieve your password -- which you'd think would be time well spent, but when you multiply that five seconds by all of the many accounts you need to access in a day, it can feel like a lot of extra steps for what may seem like a phantom threat that may never materialize.

Two-factor authentication is the same kind of thing.

Want to log in to Dropbox? Ideally, you'll dig up that unique password from your password manager, then you'll pick up your phone and wait to receive a code via text or an app. It's a really smart thing to do if you want to keep your stuff safe.

Yet for too many people, it's just too much work, and for that reason you're going to keep seeing accounts like the ones involving CBS get hacked.

At the very least, anyone who's too lazy to use two-factor authentication needs to get a handle on how to create a strong password.

And remember to never ever do something such as log in to a website using a password you use on another site. That's one way employees of companies such as CBS give up the keys to the kingdom.

Check out How to create a strong password in wake of Twitter hack episode.

For even more password creation tips, check out Password Management: Idiot-Proof Tips.
