

AP Twitter Hack: Lessons Learned

The bad news: beefing up password info won't save businesses from Twitter account takeover attacks.

Would you trust an email that says: "Please read the following article, it's very important: www.washinqtonpost.com/blogs/worldviews/wp/2013/04/23/"?

So went a phishing email reportedly sent to multiple employees at the Associated Press, less than an hour before the company's Twitter feed was taken over and used to issue multiple tweets, including a hoax report that President Obama had been injured by explosions at the White House. Cue a temporary stock market tumble.

Sharp-eyed email recipients who weren't distracted might have noticed that Washington was misspelled in the link. But every other indicator suggested it was from a fellow AP staffer, down to the sender's email address, and the name and mobile phone number listed at the bottom of the email.
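The "washinqtonpost" trick in the email above is a one-character lookalike of a real domain, which is exactly the kind of thing a mail gateway or SOC script can flag mechanically even when a busy reader cannot. The following is an added example, not code from the article or from AP or Twitter: it extracts link hostnames from an email body and reports any whose registered domain is within a small edit distance of a constructed list of protected domains. The protected-domain list and the sample email body are assumptions made for the demonstration; the edit-distance threshold of 2 is a tuning choice, not a standard.

```python
import re

# Constructed list of domains this organisation wants to protect against lookalikes.
# Any real deployment would use its own brand list; this one is an assumption for the example.
TRUSTED_DOMAINS = ["washingtonpost.com", "twitter.com", "ap.org"]

# Matches bare or schemed URLs; group 1 is the hostname, the optional path is discarded.
URL_RE = re.compile(
    r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/[^\s\"'<>]*)?", re.IGNORECASE
)


def registered_domain(host):
    """Reduce 'www.example.com' to 'example.com'.

    Simplification: only the last two labels are kept, so multi-label public
    suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (trusted_domain, distance) when `host` is a near miss of a trusted
    domain, or None when it is an exact match or clearly unrelated."""
    dom = registered_domain(host)
    best = None
    for t in trusted:
        if dom == t:
            return None  # the genuine domain is never a lookalike
        d = edit_distance(dom, t)
        if d <= max_distance and (best is None or d < best[1]):
            best = (t, d)
    return best


def scan_email_body(body, trusted=TRUSTED_DOMAINS):
    """Return (host, impersonated_domain, distance) for each suspicious link in `body`."""
    findings = []
    for m in URL_RE.finditer(body):
        host = m.group(1)
        hit = lookalike_of(host, trusted)
        if hit:
            findings.append((host, hit[0], hit[1]))
    return findings


# Constructed sample body echoing the phishing text quoted in the article.
SAMPLE_EMAIL = (
    "Please read the following article, it's very important: "
    "www.washinqtonpost.com/blogs/worldviews/wp/2013/04/23/"
)

if __name__ == "__main__":
    for host, target, dist in scan_email_body(SAMPLE_EMAIL):
        print(f"suspicious link {host}: {dist} edit(s) from {target}")
```

The check is deliberately narrow: it only catches domains that sit close to one you have listed, so it complements rather than replaces URL reputation feeds, and a legitimate but unlisted domain that happens to resemble a brand will also be flagged for review.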

[ How is Twitter protecting itself against attacks? Twitter Preps Two Factor Authentication After AP Hoax. ]

Reporter Mike Baker at AP said via Twitter that the phishing email had been "impressively disguised." That gets to the heart of why it's so difficult to block spear-phishing attacks, which have taken down the likes of security firm RSA and media giant The New York Times: They're incredibly cheap and easy to develop and launch, and attackers only need one recipient to click a link and follow through to potentially compromise first one PC, and then an entire network.

The follow-through in this case was to a phishing website -- most likely built to resemble an actual Washington Post blog page -- that asked the user to enter a username and password. It might even have purported to let the user sign in with Twitter credentials. If the user shared those credentials, they would be passed on to attackers, who could then log in as that person to any website on which the target had reused the same password.

How can businesses prevent an AP-style Twitter account hijacking? The short answer is that it's very difficult for users to spot every phishing attempt, and also difficult to adequately protect Twitter accounts against hijackings, whether you're an individual or a business. For starters, that's because only a username and password are required to log into a Twitter account, and the username is already publicly known, because it's a user's Twitter handle.

"The username is an issue," said Sean Sullivan, security advisor at F-Secure Labs, speaking by phone. "Consider your online banking. My bank issued me a unique customer number and I don't share that with anybody. So both the username and the password are secret. But with social media/networking sites, half of the secrecy is gone."

Another issue is a lack of administrator accounts. Currently, a single Twitter account such as @AP has only a single password. Accordingly, whoever needs to have access to the account must be told the password, and the more copies of the password that proliferate, the greater the likelihood that the password will be recorded in multiple places, which makes it a target for data-exfiltration malware.

Twitter is reportedly testing a two-factor authentication system for users, but this will be no security panacea, especially for business users. "Two-factor systems are great for me as an individual, but for accounts that have 10 users, maybe because they're working on shifts around the clock, like AP, it just doesn't scale," Sullivan said.

Furthermore, two-factor systems can be defeated via password-reset systems, at least some of the time. That's because if a user loses the smartphone to which a one-time code gets sent via SMS, or that contains their authentication app, they need to have another way to get into their account. Accordingly, many users add a backup email account in Twitter, to which a one-time password can be sent via Twitter's password-reset screen.

If so, then an attacker who first compromises that email account can then simply request to reset a password for the linked account, and he will receive a working one-time password to the email account he's compromised. In addition, Twitter allows people to search for people's Twitter usernames based on their email address, thus giving would-be attackers a tool for sniffing out which email is likely tied to a target's account.

"So they enable you to search for accounts with an email address, but then they consider it to be personal information for a password challenge. That's just circular," said Sullivan. "That may have been fine when this was personal accounts for fun, five years ago. But it really doesn't scale for AP feeds that Wall Street algorithms are tuned to monitor."

Ramon S,
User Rank: Apprentice
4/27/2013 | 12:40:17 PM
re: AP Twitter Hack: Lessons Learned
Best advice is to close Twitter accounts.
User Rank: Apprentice
4/26/2013 | 7:05:43 PM
re: AP Twitter Hack: Lessons Learned
I think this comes back to a risk analysis of phishing and identifying that it may be pertinent to purchase the range of misspelled sites to block this sort of attack from that perspective
User Rank: Apprentice
4/26/2013 | 4:40:25 PM
re: AP Twitter Hack: Lessons Learned
Correct, but there are other controls that can be put in place. Tools like password vaults (CyberArk or Dell/Quest TPAM) can be put in place to automatically create longer and more complex passwords, which will be automatically managed in a one time use fashion. Users can access the vault, check out the password to access their social media of choice, and when the user checks the password back into the vault, the tool will automatically go out and change the password.
Additional tools such as Nexgate can be put in place as another control. It will allow for a single portal to access all the important social media sites, detect rogue/fake corporate accounts (which can be just as dangerous as having your corporate account taken over), establish roles for users such as authors and reviewers, and even prevent account takeovers. Eliminating the ability for people to actually know the credentials for the social media sites is one of the biggest controls, coupled with segregating user access into a portal as the sole means of access allows you to decouple the authentication processes. Users have separate credentials to the portal, which can implement and support SAML or even multi-factor auth. This helps reduce the concerns about users utilizing corporate and personal devices, some of which may have the credential cached or compromised via malware or other methods.
User Rank: Apprentice
4/26/2013 | 11:03:11 AM
re: AP Twitter Hack: Lessons Learned
Hi Jay. As the importance of Twitter grows, it's incumbent on the company -- irrespective of any add-on, paid services -- to make it more difficult for attackers to take over accounts.

Hootsuite or not, all Twitter accounts have a single username (which is the publicly known Twitter handle) and a single password. That password may get handed off to a social media monitoring system which then functions as a single sign-on service. But this bolt-on security won't magically block a log-in from a bad actor, if they steal or guess the right password.

Takeovers of AP, BBC, Burger King, Jeep and Reuters accounts further suggest that current approaches aren't sufficiently secure.

What Twitter lacks, compared to a service like Facebook or Gmail, isn't just its own, built-in two-factor authentication, or admin controls, but also defenses that detect unusual access: For example, is the Twitter account log-in request coming from Syria, when all other requests have only come from the United States?

It's time for Twitter to step up its security game.
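The "log-in request coming from Syria when all other requests have only come from the United States" check in the comment above is a simple baseline-and-deviation rule that any service, or any organisation monitoring its own service logs, can implement. The following is an added example, not code from the article, from Twitter or from any commenter: it replays constructed login events for a fictional account and raises an alert when a login arrives from a country absent from that account's earlier history, and a second alert when two logins from different countries arrive within a short window. The account name, the event list, the three-login baseline and the four-hour window are all assumptions for the demonstration; the time-gap rule is a crude stand-in for a true impossible-travel check, which would use distance between geolocated IPs rather than a fixed gap.

```python
from datetime import datetime, timedelta

# Constructed sample login events for a fictional account: (account, UTC time, source country).
# Not real AP or Twitter data.
SAMPLE_EVENTS = [
    ("@newswire", "2013-04-22T09:00:00", "US"),
    ("@newswire", "2013-04-22T17:30:00", "US"),
    ("@newswire", "2013-04-23T02:10:00", "US"),
    ("@newswire", "2013-04-23T16:45:00", "SY"),
    ("@newswire", "2013-04-23T17:05:00", "US"),
]


def parse_events(events):
    """Convert ISO-8601 timestamps to datetime objects so gaps can be computed."""
    return [(acct, datetime.fromisoformat(ts), cc) for acct, ts, cc in events]


def detect_anomalous_logins(events, baseline_logins=3, max_travel_gap=timedelta(hours=4)):
    """Return (account, time, country, reason) alerts.

    'new-country': the country has never appeared in this account's history,
    and the history is long enough (baseline_logins) to make that meaningful.
    'rapid-country-change': the previous login for the account came from a
    different country less than max_travel_gap earlier."""
    history = {}  # account -> list of (time, country), in time order
    alerts = []
    for acct, t, cc in sorted(parse_events(events), key=lambda e: e[1]):
        seen = history.setdefault(acct, [])
        known = {c for _, c in seen}
        if len(seen) >= baseline_logins and cc not in known:
            alerts.append((acct, t.isoformat(), cc, "new-country"))
        if seen:
            last_t, last_cc = seen[-1]
            if last_cc != cc and t - last_t <= max_travel_gap:
                alerts.append((acct, t.isoformat(), cc, "rapid-country-change"))
        seen.append((t, cc))
    return alerts


if __name__ == "__main__":
    for acct, when, cc, reason in detect_anomalous_logins(SAMPLE_EVENTS):
        print(f"{when} {acct} login from {cc}: {reason}")
```

On the sample data the Syrian login is flagged as a new country, and the US login twenty minutes later is flagged as a rapid country change; the first three US logins build the baseline and raise nothing. In practice the alert would feed a step-up challenge or a review queue rather than an outright block, since staff do travel and VPN exit points move.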