Renewed calls for social media security amid fear of false alarms
Back in January, the Hawaii state government mistakenly issued a false alert to residents that a ballistic missile was on its way. Days later, Japan did the same.
Both messages were automatically sent out to smartphone users via social media as well as by other means.
While the alerts were quickly corrected, they caused widespread panic in the meantime – and it's not hard to imagine just how much disruption could have been caused had the mistake not been rectified.
The Hawaii incident was caused by an employee failing to realise that the alert was simply a drill and using the real-world alert code instead of the test missile alert. Similarly, according to the Japanese government, the alert system had been ‘incorrectly operated’.
But what if it had been accessed by hackers?
In a recent report, IBM warns that many emergency alert systems can easily be hacked or manipulated – with potentially severe consequences.
In particular, the researchers say, it's comparatively easy to hack smart sensors to report incorrect water level or wind speed data, for example, which could possibly trigger an evacuation.
Meanwhile, earlier this year, security firm Bastille uncovered a vulnerability in warning sirens made by ATI Systems, which are used widely across the US.
Astonishingly, the radio protocol used to issue alarms lacked any kind of encryption, meaning that attackers simply had to send out their own activation message.
And with many governments using social media to disseminate alerts, this is conceivably another attack vector.
“Government and corporate social media accounts are an attractive target for cybercriminals and hackers looking to make a splash,” Mark Nunnikhoven, vice president of Cloud Research at security firm Trend Micro, told The Daily Swig.
“It’s a high-profile hack that usually doesn’t take much effort.”
Preventing panic
The issues of protecting government social media accounts are exactly the same as those for corporates, Nunnikhoven said.
First, organizations should make sure that multi-factor authentication – available on all major social media networks – is enabled.
“Enabling this will require a username, password, and one-time code to access your social media account,” he said. “It’s a minor inconvenience when logging in, but a huge boost to your account security.”
Organizations should also pay attention to the account recovery process, making sure that the recovery email is accessible by two people and controlled by the organisation, rather than an individual.
Finally, it's a good idea to regularly review the third-party applications that have access to social media accounts.
At the same time, according to Sven Dummer, director at customer identity and access management company Janrain, it makes sense to make sure that there's more than one channel of communication, particularly in the case of vital emergency messages.
“If a social media network is compromised — like just happened to both Facebook and Google, which own 94% of the social login market — there is potential risk that attackers get access to other sites that use social login,” he told The Daily Swig.
“Governments must never rely on one platform only, and they need to be able to immediately shut down their channels and social login features for networks that have been compromised.”
He added: “The awareness for threats and vulnerabilities that stem from social media is probably still low among companies and governments, but the recent incidents at Facebook and Google hopefully will change that.”