Endpoint //

Authentication

1/13/2015
04:10 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

US CENTCOM Twitter Hijack 'Purely' Vandalism

Though not a real data breach, nor attributable to ISIS, the incident serves as a reminder to security professionals about the risks of sharing account credentials.

The Twitter account of US Central Command (US CENTCOM) was briefly hijacked Monday afternoon, by a group claiming to be aligned with the terrorist organization ISIS, and apparently disclosing confidential US military documents. Since then, the Twitter account was suspended, the "leaked" documents have proven to be publicly available information, and the perpetrators do not appear to represent ISIS.

Not a terribly serious incident then, but it does serve as a reminder to security professionals about the risks of sharing account credentials.

Monday, the CENTCOM account's profile image was changed to read "Cyber Califate" and "i love you isis," and the account began issuing threatening messages to the US military, such as "AMERICAN SOLDIERS, WE ARE COMING, WATCH YOUR BACK. ISIS," and a link to a Pastebin account that purported to be full of confidential documents.

The perpetrators of the US CENTCOM attack appear to be the same ones that compromised the website and Twitter account of WBOC TV and the Twitter account of the Albuquerque Journal last week.

US CENTCOM released a statement stating, "CENTCOM's operational military networks were not compromised and there was no operational impact to US Central Command. CENTCOM will restore service to its Twitter and YouTube accounts as quickly as possible. We are viewing this purely as a case of cybervandalism."

An official also told The Wall Street Journal that the Twitter account was registered under a staff member's personal email address.

"Much of this appears to be simply scare tactics," says Ian Amit, vice-president of ZeroFox. "All of the 'leaked' documents are in fact public domain, repackaged to look like a real data breach. These actors are trying to make themselves look more legitimate by threatening soldiers' wives and claiming to have mobile access. In truth, they likely only stole a password, either through a phishing scam or a brute-force attack."

Amit says the perpetrators probably aren't representatives of ISIS, but rather ISIS sympathizers. He says they might be using these low-difficulty, high-profile attacks to gather support for the cause and recruit followers over the Internet -- vandalizing media outlets and government agencies to grab the most attention.

"It does seem like cyber mischief more than cyber warfare," says Amit. "We're not facing a really sophisticated adversary."

Social networks are still vulnerable, easy places for hackers to lift credentials. The solution for single-user accounts is to employ two-factor authentication. However second factors like biometrics or physical tokens don't work for things that need to be shared by multiple individuals -- like an organization's official social networking account.

In those cases, Amit suggests using a social network publishing platform. For instance, every user could have his or her own HootSuite account, and each of them could access the shared Twitter account from there. Monitoring of the social network activity could then detect when someone was using a different platform to issue or edit tweets.

Other security experts agree that social networks and shared accounts are common vulnerabilities.

"Twitter, YouTube, and other social media are low-hanging fruit in terms of credential theft and phishing," says Jon Oberheide, co-founder and chief technology officer at Duo Security, "as we've seen over the years with the Syrian Electronic Army, LulzSec, and other high-profile hacking groups. Social media accounts are often jointly managed with multiple people sharing a single username and password. And they often fail to opt into two-factor authentication mechanisms for the same reason. Two-factor is meant to uniquely identify users, and it's inherently designed to avoid credential sharing, so jointly managed accounts often disable it."

“The reality is that the Twitter account password has been shared among multiple people if not dozens," says Tom Kemp, CEO of Centrify, "and in all likelihood, the password associated with the account is weak and memorable. The toxic combination of multiple people sharing the password, and the password itself being both easily guessed and easily stolen makes it highly likely that incidents like this will occur in the future. "

Kemp further suggests that organizations use a role-based access control mechanism that enables provisioning and de-provisioning.   

In this particular incident there was no actual data breach or network compromise, yet the risk remains if a password for an insecure social network is reused on more critical services. 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Some Guy
50%
50%
Some Guy,
User Rank: Strategist
1/14/2015 | 12:11:35 PM
Nobody thinks Facebook or YouTube are Locked Down
Nobody thinks that Facebook or YouTube are locked down tight. The fact that mainstream media UNQUESTIONINGLY accepted and then reported the DoD had been hacked is only compounded by security professionals repeating the lie. There was no more sophistication in this vandalism than a fourth grader could do. Ooooh, the wannabes spray painted CENTCOM's public billboard.
mtanenbaum801
50%
50%
mtanenbaum801,
User Rank: Apprentice
1/14/2015 | 9:51:19 AM
Centcom Twitter attack
The underlying problem is weak authentication on the social media platforms.  Yes, Hootsuite or a product like that can eliminate password sharing, but if the social media account, as reported, was tied to someone's personal email, you still have an attack vector.

The message here is that while Twitter is not used to launch missles or send troops into harm's way, the P.R. value of the attack is still high, so social media will continue to be a target.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/14/2015 | 9:15:26 AM
Re: Weak security practices
I agree. @gonzSTL The lapse may not elevate to the level of "attack" but it sure is an embarassment. 
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
1/14/2015 | 8:51:30 AM
Weak security practices
"We are viewing this purely as a case of cybervandalism." Maybe so, but the most disturbing aspect of this fiasco is that people in critical organizations are likely guilty of weak security practices. To extend that idea even further, do these same people have access to sensitive information? It isn't a stretch to believe that they are just as lax when it comes to actual work practices. One would think that with all the publicity of high profile breaches and the growing attack landscape, critical organizations would be more likely to enforce rigid security to protect themselves. It is particularly disheartening to see even minor breaches in organizations that we would like to think are locked down tightly. It is easy enough to simply classify this as "cybervandalism" and not an actual breach, but in reality, security protocol was breached, and this is a big embarrassment to the organization. Let's get real – this is the military we are talking about – US Central Command!
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.