2/21/2013
08:52 AM

BK Hack Triggers Twitter Password Smackdown

"Operation Whopper" takeover of Burger King and Jeep Twitter accounts, and spoof hacks by MTV and BET, trigger Twitter's "friendly reminder" to use strong passwords.

Whopper alert: The king had sold out to the clown.

"We just got sold to McDonalds! Look for McDonalds in a hood near you," read a tweet -- since deleted -- that was posted to the official Burger King Twitter page, which was also changed to sport a McDonald's logo.

In fact, the merger between "BK" and McDonald's turned out to be nothing more than a bit of online lulz, as part of what an unidentified group of hackers provocatively dubbed "OpMadCow" and "OpWhopper." The same group hacked into the official Twitter account for Chrysler division Jeep, issuing this tweet: "The official Twitter handle for Jeep -- Just Empty Every Pocket, Sold To Cadillac."

The hacking of the Burger King and Jeep accounts led Twitter's director of information security, Bob Lord, to issue "a friendly reminder about password security" in a blog post Tuesday, thus suggesting that the Twitter accounts were hijacked thanks to users' poor password hygiene practices.

Lord said to beware suspicious links, not share usernames and passwords with others, keep operating systems and antivirus patched and up to date, and pick strong passwords. "Your password should be at least 10 characters that include upper and lower case characters, numbers and symbols. You should always use a unique password for each website you use; that way, if one account gets compromised, the rest are safe," he said.
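The quoted guidance, as an added Python audit (not Twitter's own code): it reports which of the stated composition rules a password fails and flags passwords shared across sites, using a constructed account list for a hypothetical social-media team.

```python
import hashlib
import re
from typing import Dict, List

# Rules as quoted from Twitter's advice: at least 10 characters that include
# upper- and lower-case letters, numbers and symbols. Composition rules are a
# floor, not a measure of strength, so this checker only enforces the floor.
MIN_LENGTH = 10

RULES = [
    ("no upper-case letter", re.compile(r"[A-Z]")),
    ("no lower-case letter", re.compile(r"[a-z]")),
    ("no digit", re.compile(r"[0-9]")),
    ("no symbol", re.compile(r"[^A-Za-z0-9]")),
]


def policy_failures(password: str) -> List[str]:
    """Return the rules the password violates; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for label, pattern in RULES:
        if not pattern.search(password):
            failures.append(label)
    return failures


def reused_passwords(accounts: Dict[str, str]) -> List[List[str]]:
    """Group sites that share a password (the 'unique password per site' rule).

    Passwords are compared by SHA-256 digest so the report never has to hold
    plaintext; each returned group lists the sites sharing one password.
    """
    by_digest: Dict[str, List[str]] = {}
    for site, password in accounts.items():
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest.setdefault(digest, []).append(site)
    return sorted(sorted(sites) for sites in by_digest.values() if len(sites) > 1)


# Constructed sample: site -> password for a hypothetical brand account team.
SAMPLE_ACCOUNTS = {
    "twitter": "Wh0pper!2013",
    "facebook": "Wh0pper!2013",   # reused from twitter
    "email": "burgerking",        # 10 chars but no upper-case, digit or symbol
}

if __name__ == "__main__":
    for site, pw in SAMPLE_ACCOUNTS.items():
        print(site, policy_failures(pw) or "passes composition rules")
    print("reused across:", reused_passwords(SAMPLE_ACCOUNTS))
```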

But the account hijackings, and Lord's anodyne security response, raise the question of whether Twitter's own information security model is strong enough to secure corporate accounts. Chrysler, for its part, regained control of the Jeep account roughly 80 minutes later. "Hacking: Definitely not a #Jeep thing. We're back in the driver's seat!" read a Jeep tweet.

Meanwhile, in a metaphysical pop culture turn, the Burger King and Jeep account hacks led MTV and BET -- both owned by Viacom -- to swap the corporate logos on their respective Twitter account pages and claim that they too had been hacked. "We totally Catfish-ed you guys. Thanks for playing!" read a tweet from MTV, referring to its own Catfish TV show, in which participants learn whether people they've met online are telling the truth about their identity.

When asked whether the fake hijacking might have violated Twitter's terms of service, a spokeswoman replied via email, "We don't comment on individual accounts." But she also pointed to Twitter's terms of service and rules, which on the subject of impersonation state: "You may not impersonate others through the Twitter service in a manner that does or is intended to mislead, confuse or deceive others."

Publicity stunts aside, who was behind the real hacks? That remains unclear, although whoever was responsible referenced Chicago rap while giving shout-outs to the Defonic Team Screen Name Club (DFNCTSC), who hacked Paris Hilton's T-Mobile Sidekick in 2005. But when asked if that group was behind the BK account takeover, the gang controlling the Twitter feed replied, "nope #lulzsec foo[l]," referring to the Anonymous spin-off known as LulzSec.

Suspicion also fell on YourAnonNews, which reported the Jeep breach, but it's denied any responsibility for the account takeover. "Dear media, re: @Jeep. #BlameAnonymous," read a tweet from YourAnonNews.

These are far from the first-ever Twitter account takeovers, which have previously affected everyone from Fox News and Israeli government officials to journalist Mat Honan, who was "life hacked" as part of one hacker's successful quest to seize control of Honan's Twitter feed.

The Burger King account takeover hardly counts as a national security matter, especially in a week when new evidence has further suggested that China is fielding APT groups; Apple, Facebook and Twitter appeared to have been compromised by the same group of attackers; and the White House issued a new strategy against online criminals who target trade secrets.

But Twitter's password advice begs the question of when the social network might improve the security options it offers users. Why not start by moving beyond mere passwords to catch up with Google and Dropbox and finally offer two-factor authentication? The company's moves in that direction were recently suggested when a Twitter job listing for a software engineer listed multi-factor authentication skills as a requirement.

When asked about Twitter's two-factor authentication plans, however, a Twitter spokeswoman said via email Thursday: "We don't have anything specific to share on this."

Comments
PJS880,
User Rank: Ninja
2/22/2013 | 9:15:36 PM
re: BK Hack Triggers Twitter Password Smackdown
I do have to say that reading this article and the others pertaining to the BK Twitter breach is quite amusing. The irony is they fully brought this upon themselves by lacking security and simple practices such as changing defaults. I think that the recent breaches answer the question of whether Twitter's security is capable of handling corporate accounts. The proof, as they say, is in the pudding.

Paul Sprague
InformationWeek Contributor