Well, as we approach the end of the week, on possibly the first warm Friday here in Chi town that I can remember, I was thinking of what to write about in today’s blog. I kept thinking and thinking, and I finally decided to write something about social media. Yes, this is a tool that most of us use to communicate with others, make new friends, find jobs, share videos and pictures, and even make voice calls without having to use Skype.
As a small business owner, I primarily use Facebook and Twitter as my main vehicles to get my stuff out there, especially my blog postings. But, rather than blasting out content to each individual site, I use a separate social media management tool called Sprout Social. Through one interface, I am able to send out links and other forms of content to these two sites.
I do also use LinkedIn, but as we all know, that is more of a professional networking site, so I sort of have to be careful as to how much I blast out there. Believe it or not, LinkedIn has certain character limits and even limits on how many posts you can blast there. If you exceed this limit too many times, they can actually block your account.
And of course, these social media sites are not without their own scandals as well. The most recent one we know of, of course, is Facebook, and how its third party vendor stole end user information and data. Of course there was also the drama surrounding Zuckerberg’s appearance in Congress, his stock purchase, net worth, blah, blah, blah.
But I do have to admit that one social media site that has escaped a fair amount of drama in the headlines is Twitter. Even with hosting Trump’s account, it still remains relatively unscathed. This, in my view, is truly commendable. But this is not to say that they are immune to some bad headlines in the news here and there.
Such is the chain of events this morning. Apparently, the third party vendor to which Twitter outsources its password management and storage system (they are known as “Global Password Day”) found a bug in its database system. Once they discovered this, they immediately advised all Twitter users to change their passwords, and perhaps even make them longer and more complex (thus making them harder to remember).
According to Twitter CTO Parag Agrawal: “We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone . . . out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password.” (SOURCE: https://www.scmagazine.com/twitter-urges-users-to-change-passwords-after-finding-bug-in-password-storage-system/article/763431/).
So at least the good news is that there was no immediate security threat, and it has been contained. Global Password Day jumped on this incident quickly and immediately patched the bug. But this incident only underscores two major problems: 1) the threat of an insider job; 2) storing passwords in just one place.
I have written about the first one in two previous blogs. But just imagine, if you will, that this security issue at Global Password Day went unresolved, and a rogue employee or even a contractor could simply log into this database, which contains all of these usernames and passwords, and steal them to launch ID theft attacks. Consider: “The breach of data from the Office of Personnel Management (OPM), for example, started with the cyberattackers using stolen credentials to pose as a legitimate employee of an OPM contractor performing background investigations, Keypoint Government Solution . . .” (SOURCE: https://www.scmagazine.com/twitter-urges-users-to-change-passwords-after-finding-bug-in-password-storage-system/article/763431/).
With regards to the second issue, it makes it as clear as day not to store all of the passwords in one database; rather, they should be spread out across multiple ones, so that if one database gets breached, not all passwords will be affected. But quite surprisingly, many businesses and corporations still do this (such as the vendor that Twitter outsourced their password management to), either out of ignorance or because of cost issues.
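The post’s concern is what an insider or intruder gets when they copy the password database. A complementary control, shown here as an added example that is not from the post or from Twitter’s vendor, is to never store the password itself: each record holds a random per-user salt and a slow scrypt digest, so two users with the same password get different records and a copied table does not directly yield anyone’s password. The scrypt parameters and the record format are illustrative assumptions.

```python
import hashlib
import hmac
import os
from base64 import b64decode, b64encode
from typing import Optional

# Illustrative cost parameters (assumption, not any real service's settings).
# Memory use is 128 * r * n bytes = 16 MiB, which fits hashlib's default limit.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$<salt>$<digest>' for storage.

    A fresh random salt per user means identical passwords never collide
    in the table, so a stolen copy cannot be attacked with one shared table.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                            dklen=DIGEST_BYTES)
    return "scrypt$%s$%s" % (b64encode(salt).decode(), b64encode(digest).decode())


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False  # malformed or unknown scheme: never accept
    salt, expected = b64decode(parts[1]), b64decode(parts[2])
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                               dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def looks_like_plaintext(record: str) -> bool:
    """Cheap audit check over a user table: a record without the scheme and
    salt prefix was not produced by hash_password and deserves a look."""
    return not record.startswith("scrypt$") or record.count("$") != 2


if __name__ == "__main__":
    # Constructed sample users; two of them chose the same password.
    users = {"alice": "correct horse battery", "bob": "correct horse battery"}
    table = {u: hash_password(p) for u, p in users.items()}
    print("distinct records:", table["alice"] != table["bob"])
    print("alice verifies:", verify_password("correct horse battery", table["alice"]))
    print("plaintext rows:", [u for u, r in table.items() if looks_like_plaintext(r)])
```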
Finally, Twitter recommended that you use what is known as “Two Factor Authentication”, or “2FA” for short. With this, you not only use your password to log in, but also another layer of protection, such as a Challenge/Answer thing (I utterly hate those). Of course, one could also use biometrics, but these social media sites have yet to adopt this technology.
Even more surprising, although Twitter recommends the 2FA approach, they don’t require it (which seems kind of stupid to me, in my professional opinion). So in the meantime, of course, we just don’t use Twitter as our main social media site; and every couple of months, keep changing that password. Don’t use the same one for all of your social media accounts.
I know this all sounds like a huge pain in the a$$, but consider the use of a password manager. It will create all of these crazy passwords for you, and will even let you log in instantly to your social media sites from it.