1/13/2015
04:10 PM

US CENTCOM Twitter Hijack 'Purely' Vandalism

Though not a real data breach, nor attributable to ISIS, the incident serves as a reminder to security professionals about the risks of sharing account credentials.

The Twitter account of US Central Command (US CENTCOM) was briefly hijacked Monday afternoon by a group that claimed to be aligned with the terrorist organization ISIS and appeared to be disclosing confidential US military documents. Since then, the Twitter account has been suspended, the "leaked" documents have proven to be publicly available information, and the perpetrators do not appear to represent ISIS.

Not a terribly serious incident then, but it does serve as a reminder to security professionals about the risks of sharing account credentials.

Monday, the CENTCOM account's profile image was changed to read "Cyber Califate" and "i love you isis," and the account began issuing threatening messages to the US military, such as "AMERICAN SOLDIERS, WE ARE COMING, WATCH YOUR BACK. ISIS," and a link to a Pastebin account that purported to be full of confidential documents.

The perpetrators of the US CENTCOM attack appear to be the same ones that compromised the website and Twitter account of WBOC TV and the Twitter account of the Albuquerque Journal last week.

US CENTCOM released a statement stating, "CENTCOM's operational military networks were not compromised and there was no operational impact to US Central Command. CENTCOM will restore service to its Twitter and YouTube accounts as quickly as possible. We are viewing this purely as a case of cybervandalism."

An official also told The Wall Street Journal that the Twitter account was registered under a staff member's personal email address.

"Much of this appears to be simply scare tactics," says Ian Amit, vice-president of ZeroFox. "All of the 'leaked' documents are in fact public domain, repackaged to look like a real data breach. These actors are trying to make themselves look more legitimate by threatening soldiers' wives and claiming to have mobile access. In truth, they likely only stole a password, either through a phishing scam or a brute-force attack."

Amit says the perpetrators probably aren't representatives of ISIS, but rather ISIS sympathizers. He says they might be using these low-difficulty, high-profile attacks to gather support for the cause and recruit followers over the Internet -- vandalizing media outlets and government agencies to grab the most attention.

"It does seem like cyber mischief more than cyber warfare," says Amit. "We're not facing a really sophisticated adversary."

Social networks are still vulnerable, easy places for hackers to lift credentials. The solution for single-user accounts is to employ two-factor authentication. However, second factors like biometrics or physical tokens don't work for things that need to be shared by multiple individuals -- like an organization's official social networking account.

In those cases, Amit suggests using a social network publishing platform. For instance, every user could have his or her own HootSuite account, and each of them could access the shared Twitter account from there. Monitoring of the social network activity could then detect when someone was using a different platform to issue or edit tweets.

Other security experts agree that social networks and shared accounts are common vulnerabilities.

"Twitter, YouTube, and other social media are low-hanging fruit in terms of credential theft and phishing," says Jon Oberheide, co-founder and chief technology officer at Duo Security, "as we've seen over the years with the Syrian Electronic Army, LulzSec, and other high-profile hacking groups. Social media accounts are often jointly managed with multiple people sharing a single username and password. And they often fail to opt into two-factor authentication mechanisms for the same reason. Two-factor is meant to uniquely identify users, and it's inherently designed to avoid credential sharing, so jointly managed accounts often disable it."

"The reality is that the Twitter account password has been shared among multiple people if not dozens," says Tom Kemp, CEO of Centrify, "and in all likelihood, the password associated with the account is weak and memorable. The toxic combination of multiple people sharing the password, and the password itself being both easily guessed and easily stolen makes it highly likely that incidents like this will occur in the future."

Kemp further suggests that organizations use a role-based access control mechanism that enables provisioning and de-provisioning.   
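The monitoring Amit describes, extended to the provisioning point Kemp raises, can be sketched as follows. This is an added example, not code from the article or from any vendor: it flags posts that did not come through the approved publishing platform or cannot be tied to a currently provisioned user. The tweet records and their `source` layout, the audit-log export, the roster and all names are constructed assumptions.

```python
import html
import re

APPROVED_CLIENT = "Hootsuite"      # assumption: the one approved publishing platform
ACTIVE_USERS = {"alice", "bob"}    # hypothetical roster of currently provisioned staff

# Constructed tweets from the shared account; "source" names the posting client.
TWEETS = [
    {"id": "1001", "source": '<a href="https://example.invalid/a" rel="nofollow">Hootsuite</a>'},
    {"id": "1002", "source": '<a href="https://example.invalid/b" rel="nofollow">Twitter Web Client</a>'},
    {"id": "1003", "source": '<a href="https://example.invalid/a" rel="nofollow">Hootsuite</a>'},
    {"id": "1004", "source": '<a href="https://example.invalid/a" rel="nofollow">Hootsuite</a>'},
    {"id": "1005", "source": ""},
]

# Constructed publishing-platform audit log: which individual sent which tweet.
AUDIT_LOG = [
    {"tweet_id": "1001", "user": "alice"},
    {"tweet_id": "1003", "user": "carol"},   # carol has been de-provisioned
]

def client_name(source):
    """Strip markup from a source value and return the bare client label."""
    return html.unescape(re.sub(r"<[^>]*>", "", source or "")).strip()

def review_posts(tweets, audit_log, approved=APPROVED_CLIENT, active=ACTIVE_USERS):
    """Return (tweet_id, reason) for every post that cannot be tied to an
    active individual working through the approved platform."""
    sender = {e["tweet_id"]: e["user"] for e in audit_log}
    findings = []
    for t in tweets:
        name = client_name(t.get("source"))
        if name != approved:
            # A missing source fails closed instead of passing silently.
            findings.append((t["id"], f"posted via {name or 'unknown client'}"))
        elif t["id"] not in sender:
            findings.append((t["id"], "no audit entry for this post"))
        elif sender[t["id"]] not in active:
            findings.append((t["id"], f"sent by de-provisioned user {sender[t['id']]}"))
    return findings

if __name__ == "__main__":
    for tweet_id, reason in review_posts(TWEETS, AUDIT_LOG):
        print(tweet_id, reason)
```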

In this particular incident there was no actual data breach or network compromise, yet the risk remains if a password for an insecure social network is reused on more critical services. 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Some Guy
User Rank: Strategist
1/14/2015 | 12:11:35 PM
Nobody thinks Facebook or YouTube are Locked Down
Nobody thinks that Facebook or YouTube are locked down tight. The fact that mainstream media UNQUESTIONINGLY accepted and then reported the DoD had been hacked is only compounded by security professionals repeating the lie. There was no more sophistication in this vandalism than a fourth grader could do. Ooooh, the wannabes spray painted CENTCOM's public billboard.
mtanenbaum801
User Rank: Apprentice
1/14/2015 | 9:51:19 AM
Centcom Twitter attack
The underlying problem is weak authentication on the social media platforms.  Yes, Hootsuite or a product like that can eliminate password sharing, but if the social media account, as reported, was tied to someone's personal email, you still have an attack vector.

The message here is that while Twitter is not used to launch missiles or send troops into harm's way, the P.R. value of the attack is still high, so social media will continue to be a target.
Marilyn Cohodas
User Rank: Strategist
1/14/2015 | 9:15:26 AM
Re: Weak security practices
I agree. @gonzSTL The lapse may not elevate to the level of "attack" but it sure is an embarrassment.
GonzSTL
User Rank: Ninja
1/14/2015 | 8:51:30 AM
Weak security practices
"We are viewing this purely as a case of cybervandalism." Maybe so, but the most disturbing aspect of this fiasco is that people in critical organizations are likely guilty of weak security practices. To extend that idea even further, do these same people have access to sensitive information? It isn't a stretch to believe that they are just as lax when it comes to actual work practices. One would think that with all the publicity of high profile breaches and the growing attack landscape, critical organizations would be more likely to enforce rigid security to protect themselves. It is particularly disheartening to see even minor breaches in organizations that we would like to think are locked down tightly. It is easy enough to simply classify this as "cybervandalism" and not an actual breach, but in reality, security protocol was breached, and this is a big embarrassment to the organization. Let's get real – this is the military we are talking about – US Central Command!