Attacks/Breaches
2/21/2013
08:52 AM
50%
50%

BK Hack Triggers Twitter Password Smackdown

"Operation Whopper" takeover of Burger King and Jeep Twitter accounts, and spoof hacks by MTV and BET, trigger Twitter's "friendly reminder" to use strong passwords.

Whopper alert: The king had sold out to the clown.

"We just got sold to McDonalds! Look for McDonalds in a hood near you," read a tweet -- since deleted -- that was posted to the official Burger King Twitter page, which was also changed to sport a McDonald's logo.

In fact, the merger between "BK" and McDonald's turned out to be nothing more than a bit of online lulz, as part of what an unidentified group of hackers provocatively dubbed "OpMadCow" and "OpWhopper." The same group hacked into the official Twitter account for Chrysler division Jeep, issuing this tweet: "The official Twitter handle for Jeep -- Just Empty Every Pocket, Sold To Cadillac."

The hacking of the Burger King and Jeep accounts led Twitter's director of information security, Bob Lord, to issue "a friendly reminder about password security" in a blog post Tuesday, thus suggesting that the Twitter accounts were hijacked thanks to users' poor password hygiene practices.

Lord said to beware suspicious links, not share usernames and passwords with others, keep operating systems and antivirus patched and up to date, and pick strong passwords. "Your password should be at least 10 characters that include upper and lower case characters, numbers and symbols. You should always use a unique password for each website you use; that way, if one account gets compromised, the rest are safe," he said.

[ Attend Interop Las Vegas, May 6-10, and get the most thorough training on Apple Deployment at the NEW Mac & iOS IT Conference. Use Priority Code DIPR02 by March 2 to save up to $500. ]

But the account hijackings, and Lord's anodyne security response, raise the question of whether Twitter's own information security model is strong enough to secure corporate accounts. Chrysler, for its part, regained control of the Jeep account roughly 80 minutes later. "Hacking: Definitely not a #Jeep thing. We're back in the driver's seat!" read a Jeep tweet.

Meanwhile, in a metaphysical pop culture turn, the Burger King and Jeep account hacks led MTV and BET -- both owned by Viacom -- to swap the corporate logos on their respective Twitter account pages and claim that they too had been hacked. "We totally Catfish-ed you guys. Thanks for playing!" read a tweet from MTV, referring to its own Catfish TV show, in which participants learn whether people they've met online are telling the truth about their identity.

When asked whether the fake hijacking might have violated Twitter's terms of service, a spokeswoman replied via email, "We don't comment on individual accounts." But she also pointed to Twitter's terms of service and rules, which on the subject of impersonation state: "You may not impersonate others through the Twitter service in a manner that does or is intended to mislead, confuse or deceive others."

Publicity stunts aside, who was behind the real hacks? That remains unclear, although whoever was responsible referenced Chicago rap while giving shout-outs to the Defonic Team Screen Name Club (DFNCTSC), who hacked Paris Hilton's T-Mobile Sidekick in 2005. But when asked if that group was behind the BK account takeover, the gang controlling the Twitter feed replied, "nope #lulzsec foo[l]," referring to the Anonymous spin-off known as LulzSec.

Suspicion also fell on YourAnonNews, which reported the Jeep breach, but it's denied any responsibility for the account takeover. "Dear media, re: @Jeep. #BlameAnonymous," read a tweet from YourAnonNews.

These are far from the first-ever Twitter account takeovers, which have previously affected everyone from Fox News and Israeli government officials to journalist Mat Honan, who was "life hacked" as part of one hacker's successful quest to seize control of Honan's Twitter feed.

The Burger King account takeover hardly counts as a national security matter, especially in a week when new evidence has further suggested that China is fielding APT groups; Apple, Facebook and Twitter appeared to have been compromised by the same group of attackers; and the White House issued a new strategy against online criminals who target trade secrets.

But Twitter's password advice begs the question of when the social network might improve the security options it offers users. Why not start by moving beyond mere passwords to catch up with Google and Dropbox and finally offer two-factor authentication? The company's moves in that direction were recently suggested when a Twitter job listing for a software engineer listed multi-factor authentication skills as a requirement.

When asked about Twitter's two-factor authentication plans, however, a Twitter spokeswoman said via email Thursday: "We don't have anything specific to share on this."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
2/22/2013 | 9:15:36 PM
re: BK Hack Triggers Twitter Password Smackdown
I do have to say upon reading this article and the others pertaining to the BK Twitter breach is quite amusing. The irony is they fully brought this upon themselves by lack security and simple practices as changing defaults. I think hat the recent breaches answer the question if Twitter Gs security is capable of handling corporate accounts. The proof as they say is in the pudding.

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-3605
Published: 2014-11-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6407. Reason: This candidate is a reservation duplicate of CVE-2014-6407. Notes: All CVE users should reference CVE-2014-6407 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-6093
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.x before 7.0.0.2 CF29, 8.0.x through 8.0.0.1 CF14, and 8.5.x before 8.5.0 CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6196
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM Web Experience Factory (WEF) 6.1.5 through 8.5.0.1, as used in WebSphere Dashboard Framework (WDF) and Lotus Widget Factory (LWF), allows remote attackers to inject arbitrary web script or HTML by leveraging a Dojo builder error in an unspecified WebSp...

CVE-2014-7247
Published: 2014-11-25
Unspecified vulnerability in JustSystems Ichitaro 2008 through 2011; Ichitaro Government 6, 7, 2008, 2009, and 2010; Ichitaro Pro; Ichitaro Pro 2; Ichitaro 2011 Sou; Ichitaro 2012 Shou; Ichitaro 2013 Gen; and Ichitaro 2014 Tetsu allows remote attackers to execute arbitrary code via a crafted file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?