Twitter warns news organisations over hacking amid Syrian attacks By Dave Lee

Technology reporter, BBC News Published duration 30 April 2013

image caption The Syrian Electronic Army regularly links to material supporting the Syrian president

News organisations including the BBC have been warned by Twitter to tighten security in the wake of several high-profile hacks.

The Guardian became the latest publication to be hit by a group calling itself the Syrian Electronic Army.

A previous attack on the Associated Press caused stocks to dip.

Security experts have said Twitter itself needs to take more action to ensure its users are protected.

An email sent by Twitter to news organisations on Monday urged them to take a close look at their internal measures for dealing with social media.

Advice included making sure passwords were more than 20 characters long and made up of random strings of letters and numbers.

The social network also advised having just "one computer to use for Twitter".

"This helps keep your Twitter password from being spread around," the site added.

"Don't use this computer to read email or surf the web, to reduce the chances of malware infection."

Security researcher Rik Ferguson, from TrendMicro, told the BBC this particular piece of advice was somewhat unworkable.

"The point of Twitter is that it's instant, and you can react instantly.

"If you have to run back to the office to get to a particular computer to use Twitter, that's obviously going to impact upon its use."

Souped-up security

Twitter also encouraged organisations to have a closer relationship with the site to ensure account details are kept up to date.

"Help us protect you," the company said. "We're working to make sure we have the most updated information on our partners' accounts.

media caption Dr Herb Lin, a cyber security expert, says media agencies are likely to make security changes to their Twitter account

"Please send us a complete list of all accounts affiliated with your organisation, so that we can help keep them protected."

Beyond advice to external organisations, there is increasing pressure on Twitter to bolster its own security.

Specifically, there have been calls from security professionals for two-factor authentication.

This would require two steps, the entry of a password as well as another action.

On Facebook, for example, two-factor authentication is triggered when users try to log in in an unexpected way, such as from a computer in a different country.

report in technology magazine Wired last week suggested Twitter had begun trialling two-factor technology - but this is yet to be confirmed by the company.

Mr Ferguson noted that as Twitter remained a free service supported by advertising, two-factor authentication could prove costly.

He suggested one way to raise funds for enhanced security would be to charge major users to become "verified" - a status currently given to accounts which Twitter has checked are genuine.

"One thing Twitter should be looking at now is for any account which is verified to have a two factor log-in process," he told the BBC.

"If you make a nominal fee for verifying accounts - they can make sure that the accounts are protected from not only malware-based attacks, but also that staff are more protected from phishing."

White House blast

The Syrian Electronic Army's typical tactics to date have included sending "phishing" emails to glean log-in information from unsuspecting victims.

Once access to an account had been gained, the SEA would then begin to post tweets - in some cases mimicking the style of the victim.

image caption The BBC's Weather account was among those successfully hacked

This technique was most damaging in the case of the Associated Press. When the news agency's main account - @AP - was breached, the SEA posted that US president Barack Obama had been injured in a blast at the White House.

It was of course false, and swiftly corrected by other organisations - and later by AP itself - but not before $136bn (£88bn) was temporarily wiped off the New York Stock Exchange.

US financial authorities are to investigate the incident to "make sure that nothing nefarious in markets took place", according to the New York Post.

Meanwhile, the SEA - which appears to support the Assad regime - has vowed to continue its attacks on media organisations.

An anonymous user believed to be working for the group told Vice magazine : "They already started suspending us from the internet by closing our accounts, our pages and suspending our domain names, but they failed and they will keep failing.

"We will not stop or despair. If they close a Twitter account, we will open a new one; if they close a Facebook page, we will create another one; if they suspend our domain names, we will buy new ones."