In last year’s election, government IT security became a hot-button issue over Clinton’s use of a private email server. Critics feared it left her digital correspondence vulnerable to hacks.
Now the Trump administration has received some flak for securing presidential Twitter accounts to Gmail addresses. “It seems like bad form,” said Jake Williams, founder of security provider Rendition InfoSec. “It should really be a .gov address.”
“In that way, if there’s ever an attempt to enter the account, It’ll be monitored by their own information security people, as opposed to possibly nobody with Gmail,” he said.
That same advice can apply to any business. It's better to rely on corporate IT infrastructure, which can be more tightly controlled, than on common third-party email providers, Williams said.
He also suggests that people secure their Twitter accounts with two-factor authentication. This requires the user to enter both a password and a one-time special code sent to their mobile phone or generated over an authenticator app.
“If the attacker ever gets a hold of your password, they still won’t be able to access your account,” Williams said.
Twitter users can access this option by going to security settings and checking “verify login requests.”
Be careful with OAuth tokens
Earlier this week, the Trump administration found itself involved in another Twitter-related incident. The account for Badlands National Park in South Dakota tweeted a series of facts that seemed to challenge Trump’s assertion that climate change is a hoax.
The White House said an “unauthorized user” had used an old password from the National Park Service’s San Francisco office to access the account.
Williams suspects the Trump administration had changed the password to the park’s Twitter account but failed to revoke the OAuth token, which can also grant access.
Third-party applications can use OAuth tokens to connect to a Twitter account without the risk of handling sensitive password information. “Someone probably realized they were still hooked into the account, and decided to take it for a run,” Williams said.
The controversial tweets from the park’s account were quickly deleted, but the mishaps with the Trump administration Twitter haven’t stopped.
On Thursday, White House Press Secretary Sean Spicer was found tweeting and then deleting what appeared to be a password, although it’s still unclear what really happened.
Williams advises that White House officials use an option on TweetDeck, a Twitter dashboard, that asks the user to confirm the contents of a tweet before posting it.
“It's saved me from sending something erroneously more than once,” he said.
Sign up for CIO Asia eNewsletters.