Posted: 5 Min ReadElection Security

Why Good Campaign Security Must Start with Secure Social Media

Candidates have discovered social media as a great way to reach voters. It’s also a great way for malicious hackers to wreak havoc

Social media now plays an increasingly large role in the election cycle as it enables candidates to engage more directly with more voters. It started with Barack Obama’s 2008 campaign, which used Twitter and Facebook to mobilize supporters and helped raise around $500 million digitally in 2008. His 2012 campaign did even better when about $690 million came in thanks to electronic fundraising. More recently, Donald Trump’s election made effective use of social media to build support for his nomination and then promote his candidacy in the 2016 presidential race against Hillary Clinton.

All the more reason why campaigns - local, state and national - need to keep a close eye to prevent malicious attackers from taking control through various hijack and impersonation attacks. Hijacking and/or the theft of your personal information to log into your social media account is easier than you might think.

Case in point. I recently took a flight where the bag carried by the man standing in line in front of me had his business card as an ID tag. In plain sight, I was able to gather enough passive information to launch a highly targeted campaign against him.  From a quick glance at his luggage tag, I learned he worked for a government contractor and the tag revealed his name, phone and email, and told me he was the director of supply chain management.  By looking at the patches and trinkets on his backpack, I was able to make an educated guess about which branch of the military he supported. I could have copied down his details and he wouldn’t have had the first clue.  With that information in hand, I could have started a campaign to gain access to his email, social media or other accounts.

It's little things like an ID tag that can lead to the total exploitation of the unsuspecting person’s email and other social media platforms. All the more reason why candidates for office need to take the time to put effective controls in place to protect their online presence against people and groups trying to steal access to their accounts. As the midterm elections approach, here are some basic security measures one can take to lower their exploitation potential and minimize their risks.

Use Unique Email Addresses for Social Media Accounts

When you’re setting up your social media accounts, use an email address that you only use for administering the social media account.  For example, I could use for my Twitter account and only for that account.  This is a way for you to double-check that any email related to your social media account that comes to your normal email address is either spam or some sort of phishing attack.  The man whose business card was in plain view at the airport, for example, should never use that email address for his social media accounts.  It’s known to anyone who sees him in an airport. By utilizing the above technique, one can assume that any email coming to their main email account with regards to a social media site is not valid or should be treated as suspicious.

2FA or Bust

If you don't have two-factor authentication (2FA), you’re taking an unnecessary gamble. Without this secondary line of defense, a malicious attacker can hijack your account and send out messages in your name or on behalf of the campaign. Further, now that they have the keys to the kingdom, they can also modify your account information, including your username.  If at any time you do find it necessary to perform a password reset, 2FA will protect against phony reset requests. When using 2FA, it is best to use an application that has numbers that are always changing instead of text messages.  Many of these applications use push to alert you via phone to allow the login. Text message 2FA should be used as a last resort due to the fact that they can be intercepted.

Use a Social Media Management Platform

The benefit of a social media management platform is that allows you to choose a password, and then adds other accounts so you're not sharing passwords from each account. A social media platform, like Hootsuite, supports 2FA and your staff will never have direct access to the campaign’s Twitter or Facebook or LinkedIn feeds. It allows you to add or pull account permissions and it never exposes the candidate’s password to the social media team. What’s more, it gives you the digital equivalent of a paper trail. Let’s say that a disgruntled employee or volunteer uses your account to tweet out something nasty or otherwise objectionable. You can nip any looming controversy in the bud simply by looking into Hootsuite to identify the culprit who issued the offending tweet. And did I mention that it’s easy to use and free to install? Now, you have no excuses left to say no.

Brian Varner Speaks to Election Security

Name a Trusted Delegate for Social Accounts

A trusted delegate can recover the account if it’s ever hijacked. And for social media platforms that don’t support trusted delegates – just create a DL for your social email account so any reset emails go to a list and not just one person or account. Going this route also alleviates the hassle of having to get either Facebook or Twitter involved in resolving the problem. Your social network isn’t going to know immediately what’s happening. All it sees is Hootsuite logging in. Otherwise, if for some reason, someone gets your Twitter account and they change your password, you’ll spend an inordinate amount of time on the phone reaching someone at Twitter, or Facebook to intercede on your behalf.

Be Careful Where You Click

Email notifications can be a great way to stay informed of what is going on in your social media platforms.  However, they are also a prime choice of attackers to launch phishing attacks. If an email pops up, saying something like, “Brian Varner hasn’t posted in a while, click here to see what’s new!”, do yourself a big favor and please ignore it. Do not I repeat, do not click on any link in an email like that.  The sender maybe on a phishing expedition so leave them empty-handed. If you want to see if I’ve posted or anyone else, go directly to the social media platform and look at the account. 

And if you want to update any of your social platforms, it’s best you go directly to the sites and use the app to administer social media content.  Spear phishing through email is common and is a simple and effective way to gain access to your accounts.  But it’s also become increasingly prevalent through social media. If a voter reaches out to you on social, don't click on any links they send in the popular messaging applications. Instead, reach back out to them and get some kind of conversation going to get them to prove that they're not trying to hack you.

Security's not easy.  But sweating the small stuff now can help your campaign avoid having to deal with some big - and potentially nasty - stuff down the road.

Learn More About Election Security

You might also enjoy
Election Security4 Min Read

Election Security: A Discussion With Hugh Thompson, Symantec CTO

Symantec launches a new blog for the biggest stories on Election Security

About the Author

Brian Varner

Special Projects Researcher, Cyber Security Services

Brian Varner is a researcher on the Cyber Security Services team, leading the CyberWar Games and emerging technologies development team. Prior to Symantec, he worked at the National Security Agency as a tactical analyst.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.