Attacks/Breaches
2/21/2013
08:52 AM
50%
50%

BK Hack Triggers Twitter Password Smackdown

"Operation Whopper" takeover of Burger King and Jeep Twitter accounts, and spoof hacks by MTV and BET, trigger Twitter's "friendly reminder" to use strong passwords.

Whopper alert: The king had sold out to the clown.

"We just got sold to McDonalds! Look for McDonalds in a hood near you," read a tweet -- since deleted -- that was posted to the official Burger King Twitter page, which was also changed to sport a McDonald's logo.

In fact, the merger between "BK" and McDonald's turned out to be nothing more than a bit of online lulz, as part of what an unidentified group of hackers provocatively dubbed "OpMadCow" and "OpWhopper." The same group hacked into the official Twitter account for Chrysler division Jeep, issuing this tweet: "The official Twitter handle for Jeep -- Just Empty Every Pocket, Sold To Cadillac."

The hacking of the Burger King and Jeep accounts led Twitter's director of information security, Bob Lord, to issue "a friendly reminder about password security" in a blog post Tuesday, thus suggesting that the Twitter accounts were hijacked thanks to users' poor password hygiene practices.

Lord said to beware suspicious links, not share usernames and passwords with others, keep operating systems and antivirus patched and up to date, and pick strong passwords. "Your password should be at least 10 characters that include upper and lower case characters, numbers and symbols. You should always use a unique password for each website you use; that way, if one account gets compromised, the rest are safe," he said.

[ Attend Interop Las Vegas, May 6-10, and get the most thorough training on Apple Deployment at the NEW Mac & iOS IT Conference. Use Priority Code DIPR02 by March 2 to save up to $500. ]

But the account hijackings, and Lord's anodyne security response, raise the question of whether Twitter's own information security model is strong enough to secure corporate accounts. Chrysler, for its part, regained control of the Jeep account roughly 80 minutes later. "Hacking: Definitely not a #Jeep thing. We're back in the driver's seat!" read a Jeep tweet.

Meanwhile, in a metaphysical pop culture turn, the Burger King and Jeep account hacks led MTV and BET -- both owned by Viacom -- to swap the corporate logos on their respective Twitter account pages and claim that they too had been hacked. "We totally Catfish-ed you guys. Thanks for playing!" read a tweet from MTV, referring to its own Catfish TV show, in which participants learn whether people they've met online are telling the truth about their identity.

When asked whether the fake hijacking might have violated Twitter's terms of service, a spokeswoman replied via email, "We don't comment on individual accounts." But she also pointed to Twitter's terms of service and rules, which on the subject of impersonation state: "You may not impersonate others through the Twitter service in a manner that does or is intended to mislead, confuse or deceive others."

Publicity stunts aside, who was behind the real hacks? That remains unclear, although whoever was responsible referenced Chicago rap while giving shout-outs to the Defonic Team Screen Name Club (DFNCTSC), who hacked Paris Hilton's T-Mobile Sidekick in 2005. But when asked if that group was behind the BK account takeover, the gang controlling the Twitter feed replied, "nope #lulzsec foo[l]," referring to the Anonymous spin-off known as LulzSec.

Suspicion also fell on YourAnonNews, which reported the Jeep breach, but it's denied any responsibility for the account takeover. "Dear media, re: @Jeep. #BlameAnonymous," read a tweet from YourAnonNews.

These are far from the first-ever Twitter account takeovers, which have previously affected everyone from Fox News and Israeli government officials to journalist Mat Honan, who was "life hacked" as part of one hacker's successful quest to seize control of Honan's Twitter feed.

The Burger King account takeover hardly counts as a national security matter, especially in a week when new evidence has further suggested that China is fielding APT groups; Apple, Facebook and Twitter appeared to have been compromised by the same group of attackers; and the White House issued a new strategy against online criminals who target trade secrets.

But Twitter's password advice begs the question of when the social network might improve the security options it offers users. Why not start by moving beyond mere passwords to catch up with Google and Dropbox and finally offer two-factor authentication? The company's moves in that direction were recently suggested when a Twitter job listing for a software engineer listed multi-factor authentication skills as a requirement.

When asked about Twitter's two-factor authentication plans, however, a Twitter spokeswoman said via email Thursday: "We don't have anything specific to share on this."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
2/22/2013 | 9:15:36 PM
re: BK Hack Triggers Twitter Password Smackdown
I do have to say upon reading this article and the others pertaining to the BK Twitter breach is quite amusing. The irony is they fully brought this upon themselves by lack security and simple practices as changing defaults. I think hat the recent breaches answer the question if Twitter Gs security is capable of handling corporate accounts. The proof as they say is in the pudding.

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "I've seen worse.  Last week Tim had a dragon."
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.