Attacks/Breaches

2/21/2013
08:52 AM

BK Hack Triggers Twitter Password Smackdown

"Operation Whopper" takeover of Burger King and Jeep Twitter accounts, and spoof hacks by MTV and BET, trigger Twitter's "friendly reminder" to use strong passwords.

Whopper alert: The king had sold out to the clown.

"We just got sold to McDonalds! Look for McDonalds in a hood near you," read a tweet -- since deleted -- that was posted to the official Burger King Twitter page, which was also changed to sport a McDonald's logo.

In fact, the merger between "BK" and McDonald's turned out to be nothing more than a bit of online lulz, as part of what an unidentified group of hackers provocatively dubbed "OpMadCow" and "OpWhopper." The same group hacked into the official Twitter account for Chrysler division Jeep, issuing this tweet: "The official Twitter handle for Jeep -- Just Empty Every Pocket, Sold To Cadillac."

The hacking of the Burger King and Jeep accounts led Twitter's director of information security, Bob Lord, to issue "a friendly reminder about password security" in a blog post Tuesday, thus suggesting that the Twitter accounts were hijacked thanks to users' poor password hygiene practices.

Lord said to beware suspicious links, not share usernames and passwords with others, keep operating systems and antivirus patched and up to date, and pick strong passwords. "Your password should be at least 10 characters that include upper and lower case characters, numbers and symbols. You should always use a unique password for each website you use; that way, if one account gets compromised, the rest are safe," he said.


But the account hijackings, and Lord's anodyne security response, raise the question of whether Twitter's own information security model is strong enough to secure corporate accounts. Chrysler, for its part, regained control of the Jeep account roughly 80 minutes later. "Hacking: Definitely not a #Jeep thing. We're back in the driver's seat!" read a Jeep tweet.

Meanwhile, in a metaphysical pop culture turn, the Burger King and Jeep account hacks led MTV and BET -- both owned by Viacom -- to swap the corporate logos on their respective Twitter account pages and claim that they too had been hacked. "We totally Catfish-ed you guys. Thanks for playing!" read a tweet from MTV, referring to its own Catfish TV show, in which participants learn whether people they've met online are telling the truth about their identity.

When asked whether the fake hijacking might have violated Twitter's terms of service, a spokeswoman replied via email, "We don't comment on individual accounts." But she also pointed to Twitter's terms of service and rules, which on the subject of impersonation state: "You may not impersonate others through the Twitter service in a manner that does or is intended to mislead, confuse or deceive others."

Publicity stunts aside, who was behind the real hacks? That remains unclear, although whoever was responsible referenced Chicago rap while giving shout-outs to the Defonic Team Screen Name Club (DFNCTSC), who hacked Paris Hilton's T-Mobile Sidekick in 2005. But when asked if that group was behind the BK account takeover, the gang controlling the Twitter feed replied, "nope #lulzsec foo[l]," referring to the Anonymous spin-off known as LulzSec.

Suspicion also fell on YourAnonNews, which reported the Jeep breach, but it's denied any responsibility for the account takeover. "Dear media, re: @Jeep. #BlameAnonymous," read a tweet from YourAnonNews.

These are far from the first-ever Twitter account takeovers, which have previously affected everyone from Fox News and Israeli government officials to journalist Mat Honan, who was "life hacked" as part of one hacker's successful quest to seize control of Honan's Twitter feed.

The Burger King account takeover hardly counts as a national security matter, especially in a week when new evidence has further suggested that China is fielding APT groups; Apple, Facebook and Twitter appeared to have been compromised by the same group of attackers; and the White House issued a new strategy against online criminals who target trade secrets.

But Twitter's password advice begs the question of when the social network might improve the security options it offers users. Why not start by moving beyond mere passwords to catch up with Google and Dropbox and finally offer two-factor authentication? The company's moves in that direction were recently suggested when a Twitter job listing for a software engineer listed multi-factor authentication skills as a requirement.

When asked about Twitter's two-factor authentication plans, however, a Twitter spokeswoman said via email Thursday: "We don't have anything specific to share on this."

Comments
PJS880,
User Rank: Ninja
2/22/2013 | 9:15:36 PM
re: BK Hack Triggers Twitter Password Smackdown
I do have to say upon reading this article and the others pertaining to the BK Twitter breach is quite amusing. The irony is they fully brought this upon themselves by lack security and simple practices as changing defaults. I think that the recent breaches answer the question if Twitter's security is capable of handling corporate accounts. The proof as they say is in the pudding.

Paul Sprague
InformationWeek Contributor