Attacks/Breaches
2/21/2013
08:52 AM
Connect Directly
RSS
E-Mail
50%
50%

BK Hack Triggers Twitter Password Smackdown

"Operation Whopper" takeover of Burger King and Jeep Twitter accounts, and spoof hacks by MTV and BET, trigger Twitter's "friendly reminder" to use strong passwords.

Whopper alert: The king had sold out to the clown.

"We just got sold to McDonalds! Look for McDonalds in a hood near you," read a tweet -- since deleted -- that was posted to the official Burger King Twitter page, which was also changed to sport a McDonald's logo.

In fact, the merger between "BK" and McDonald's turned out to be nothing more than a bit of online lulz, as part of what an unidentified group of hackers provocatively dubbed "OpMadCow" and "OpWhopper." The same group hacked into the official Twitter account for Chrysler division Jeep, issuing this tweet: "The official Twitter handle for Jeep -- Just Empty Every Pocket, Sold To Cadillac."

The hacking of the Burger King and Jeep accounts led Twitter's director of information security, Bob Lord, to issue "a friendly reminder about password security" in a blog post Tuesday, thus suggesting that the Twitter accounts were hijacked thanks to users' poor password hygiene practices.

Lord said to beware suspicious links, not share usernames and passwords with others, keep operating systems and antivirus patched and up to date, and pick strong passwords. "Your password should be at least 10 characters that include upper and lower case characters, numbers and symbols. You should always use a unique password for each website you use; that way, if one account gets compromised, the rest are safe," he said.

[ Attend Interop Las Vegas, May 6-10, and get the most thorough training on Apple Deployment at the NEW Mac & iOS IT Conference. Use Priority Code DIPR02 by March 2 to save up to $500. ]

But the account hijackings, and Lord's anodyne security response, raise the question of whether Twitter's own information security model is strong enough to secure corporate accounts. Chrysler, for its part, regained control of the Jeep account roughly 80 minutes later. "Hacking: Definitely not a #Jeep thing. We're back in the driver's seat!" read a Jeep tweet.

Meanwhile, in a metaphysical pop culture turn, the Burger King and Jeep account hacks led MTV and BET -- both owned by Viacom -- to swap the corporate logos on their respective Twitter account pages and claim that they too had been hacked. "We totally Catfish-ed you guys. Thanks for playing!" read a tweet from MTV, referring to its own Catfish TV show, in which participants learn whether people they've met online are telling the truth about their identity.

When asked whether the fake hijacking might have violated Twitter's terms of service, a spokeswoman replied via email, "We don't comment on individual accounts." But she also pointed to Twitter's terms of service and rules, which on the subject of impersonation state: "You may not impersonate others through the Twitter service in a manner that does or is intended to mislead, confuse or deceive others."

Publicity stunts aside, who was behind the real hacks? That remains unclear, although whoever was responsible referenced Chicago rap while giving shout-outs to the Defonic Team Screen Name Club (DFNCTSC), who hacked Paris Hilton's T-Mobile Sidekick in 2005. But when asked if that group was behind the BK account takeover, the gang controlling the Twitter feed replied, "nope #lulzsec foo[l]," referring to the Anonymous spin-off known as LulzSec.

Suspicion also fell on YourAnonNews, which reported the Jeep breach, but it's denied any responsibility for the account takeover. "Dear media, re: @Jeep. #BlameAnonymous," read a tweet from YourAnonNews.

These are far from the first-ever Twitter account takeovers, which have previously affected everyone from Fox News and Israeli government officials to journalist Mat Honan, who was "life hacked" as part of one hacker's successful quest to seize control of Honan's Twitter feed.

The Burger King account takeover hardly counts as a national security matter, especially in a week when new evidence has further suggested that China is fielding APT groups; Apple, Facebook and Twitter appeared to have been compromised by the same group of attackers; and the White House issued a new strategy against online criminals who target trade secrets.

But Twitter's password advice begs the question of when the social network might improve the security options it offers users. Why not start by moving beyond mere passwords to catch up with Google and Dropbox and finally offer two-factor authentication? The company's moves in that direction were recently suggested when a Twitter job listing for a software engineer listed multi-factor authentication skills as a requirement.

When asked about Twitter's two-factor authentication plans, however, a Twitter spokeswoman said via email Thursday: "We don't have anything specific to share on this."

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
2/22/2013 | 9:15:36 PM
re: BK Hack Triggers Twitter Password Smackdown
I do have to say upon reading this article and the others pertaining to the BK Twitter breach is quite amusing. The irony is they fully brought this upon themselves by lack security and simple practices as changing defaults. I think hat the recent breaches answer the question if Twitter GÇ˙s security is capable of handling corporate accounts. The proof as they say is in the pudding.

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.