Attacks/Breaches
4/24/2013 09:27 AM

Twitter Preps Two Factor Authentication After AP Hoax

Security move follows a rash of high-profile account takeovers, including a hoax tweet from the Associated Press' account about White House explosions.

"Breaking: Two Explosions in the White House and Barack Obama is injured."

So claimed a tweet from The Associated Press account, which counts 1.9 million followers, posted at 1:07:50 p.m. Eastern time Tuesday. Just minutes later, however, new tweets issued from other AP accounts began to deny that report.

But the news still seemed to trigger a downturn in the Dow Jones Industrial Average, and the hoax tweet "briefly erased $200 billion of value" from U.S. stock markets on Tuesday, reported The Wall Street Journal. It said the downturn had been triggered, at least in part, by automated trading systems that use "so-called algorithms that automatically buy and sell shares after scanning news feeds." Those algorithms reportedly reacted to the fake news by waiting to buy new stocks.

In a Tuesday press briefing, White House spokesman Jay Carney confirmed that there had been no explosions, and that the president was safe. "I was just with him," he said. The FBI is reportedly investigating the hoax tweet and related Twitter account takeovers.

Following the hoax tweet, the AP Tuesday self-reported that "The AP has disabled its other Twitter accounts following the attack."

Tuesday evening, a hacktivist group known as the Syrian Electronic Army claimed credit for the AP account takeovers. "Ops! @AP get owned by Syrian Electronic Army! #SEA #Syria #ByeByeObama" read a tweet posted to the group's @Official_SEA6 Twitter account. The group also claimed credit via its syrianelectronicarmy.com website for takeovers of the @AP and @AP_Mobile accounts.

Interestingly, numerous AP accounts remained suspended as of early Wednesday morning. "It's a bit surprising that 12 hours after the hack, the Twitter account @AP is still suspended," said Mikko Hypponen, chief research officer at F-Secure, via Twitter. But later Wednesday morning, the @AP account was again live.

Other still-suspended accounts included @AP_Mobile, @AP_Fashion, @AP_Images, @AP_NFL, @AP_Country, @AP_Travel and @APStylebook. The delay in AP resuming control of those accounts suggests the news agency is still attempting to identify how attackers seized the accounts, or else remediate all machines that may have been compromised by attackers.

The AP has yet to disclose how the attackers compromised its Twitter accounts, but released a statement saying that "the attack on AP's Twitter account and the AP Mobile Twitter account was preceded by phishing attempts on AP's corporate network." It didn't specify if those phishing attacks used malware attached to emails, emails with links to websites that could launch drive-by attacks that attempted to exploit browser vulnerabilities, or both.

But AP spokesman Paul Colford told The New York Times that all of these phishing attacks had been blocked.

In the wake of the White House bomb hoax, Wired reported Tuesday that Twitter is now testing a two-factor authentication system internally and plans to roll it out incrementally to users. The publication cited no source for that information, and said it had learned of no timeline for when such a rollout might begin.

"Until Twitter implements that, you can continue to expect to see high-profile accounts be hijacked with some regularity," said Christopher Budd, threat communications manager at Trend Micro, in a blog post.

A Twitter spokeswoman didn't immediately respond to a request for comment, emailed outside normal business hours, about either the AP account takeovers or reports that the company is beta-testing a two-factor authentication system.

Twitter in February advertised a job for an engineer with expertise in "multifactor authentication and fraudulent login detection," following a watering hole attack that compromised up to 250,000 users' accounts.

Why did the Syrian Electronic Army issue the fake tweet? According to the group's website, its mission includes redressing "the campaigns led by the Arab media and Western on our Republic by broadcasting fabricated news about what is happening in Syria." The group is widely seen as being sympathetic to the regime of Syrian president Bashar al-Assad.

The White House bomb tweet hoax follows the group's takeover in recent days of multiple CBS Twitter accounts, including 60 Minutes, and posting tweets with links to websites that launched drive-by attacks. The group this week also seized multiple accounts relating to worldwide soccer governing body FIFA. Those takeovers followed the group recently taking control of the National Public Radio Twitter feed as well as multiple BBC Twitter accounts.

As of Wednesday morning, the Syrian Electronic Army account @Official_SEA6 had been suspended by Twitter, but the group appeared to have registered @Official_SEA7, which remained active, although had no posts.

What lessons can be learned from the latest Twitter corporate account takeovers? "If you manage a Twitter handle, this underscores the importance of using a strong password, running up-to-date security software, not clicking on links, and being very, very cautious when working with Twitter credentials," said Trend Micro's Budd.

Also beware reusing passwords, which is a widespread practice. According to a study released Tuesday by British communications regulator Ofcom, a survey of 1,805 people over the age of 15 found that 55% "use the same password for most, if not all, websites."

Comments
Drew Conry-Murray, 4/24/2013 | 11:35:31 PM
re: Twitter Preps Two Factor Authentication After AP Hoax
The attack is a testament to Twitter's influence, but it's also interesting to see how correctly the social sphere course-corrected.

Drew Conry-Murray
Editor, Network Computing