Twitter is tightening security after 250,000 of its 250 million members were hacked last week.

The social network has plans to launch two-factor authentication in a bid to strengthen log-on security, according to a Feb. 4 report by The Guardian.

Twitter reset passwords for all affected users last week and encouraged its members to ensure they are “following good password hygiene, on Twitter and elsewhere on the Internet.”

Twitter director of information security Bob Lord, in a blog post, said an investigation is underway.

“We detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data,” Lord said in a Feb. 1 blog post. “We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information — usernames, e-mail addresses, session tokens and encrypted/salted versions of passwords — for approximately 250,000 users.”

Lord said all affected users have received an e-mail from Twitter to inform them the social network has reset passwords and revoked session tokens for all breached accounts.  Users were told to create a new password to access their accounts.

Lord also recommended users follow Department of Homeland Security advice about use of Java software. The U.S. Computer Emergency Readiness Team, which falls under the umbrella of Homeland Security, says all versions of the Java browser plug-in should be avoided.

“All versions of Java 7 before Update 13 are affected,” reads the US-CERT website. “Web browsers using the Java 7 plug-in are at high risk. Multiple vulnerabilities in Java 7 could allow an attacker to execute arbitrary code on a vulnerable system. Reports indicate that at least one of these vulnerabilities is being actively exploited.”

Although Lord did not say the hacking incident was tied to Java security issues, he stressed the attack “was not the work of amateurs.”

“We do not believe it was an isolated incident,” Lord said. “The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.”

Due to the sophisticated nature of the attack, Twitter is now advertising for a full-time software engineer to focus on product security.

The job requires the candidate to “design and develop user-facing security features, such as multi-factor authentication and fraudulent login detection.”

Although Twitter has not responded to requests for comment on the job posting or its obvious plans for two-factor authentication, one security official has called the idea “splendid.”

“I’m looking forward to it. It’s something that we’ve wanted for some time,” Graham Cluley, senior technology consultant at Sophos, told The Guardian. “We’ve often said we would be prepared to pay for it — Twitter could monetize it by offering it to corporations and branded accounts. It would be pretty attractive.”

Twitter added Secure Sockets Layer (SSL) connectivity to its site and third-party apps in August of 2011 to guarantee its members’ information could not be acquired by means of open Wi-Fi networks. That move, however, still does not protect Twitter users who unintentionally give their passwords to hackers.

Post from: SiteProNews: Webmaster News & Resources

Twitter to Launch Two-Factor Authentication After Hacking Incident

View post:

Tags: , , , , , , , , , , , , , , , , , , ,