The Twitter account of US Central Command (US CENTCOM) was briefly hijacked Monday afternoon, by a group claiming to be aligned with the terrorist organization ISIS, and apparently disclosing confidential US military documents. Since then, the Twitter account was suspended, the "leaked" documents have proven to be publicly available information, and the perpetrators do not appear to represent ISIS.
Not a terribly serious incident then, but it does serve as a reminder to security professionals about the risks of sharing account credentials.
Monday, the CENTCOM account's profile image was changed to read "Cyber Califate" and "i love you isis," and the account began issuing threatening messages to the US military, such as "AMERICAN SOLDIERS, WE ARE COMING, WATCH YOUR BACK. ISIS," and a link to a Pastebin account that purported to be full of confidential documents.
The perpetrators of the US CENTCOM attack appear to be the same ones that compromised the website and Twitter account of WBOC TV and the Twitter account of the Albuquerque Journal last week.
US CENTCOM released a statement stating, "CENTCOM's operational military networks were not compromised and there was no operational impact to US Central Command. CENTCOM will restore service to its Twitter and YouTube accounts as quickly as possible. We are viewing this purely as a case of cybervandalism."
An official also told The Wall Street Journal that the Twitter account was registered under a staff member's personal email address.
"Much of this appears to be simply scare tactics," says Ian Amit, vice-president of ZeroFox. "All of the 'leaked' documents are in fact public domain, repackaged to look like a real data breach. These actors are trying to make themselves look more legitimate by threatening soldiers' wives and claiming to have mobile access. In truth, they likely only stole a password, either through a phishing scam or a brute-force attack."
Amit says the perpetrators probably aren't representatives of ISIS, but rather ISIS sympathizers. He says they might be using these low-difficulty, high-profile attacks to gather support for the cause and recruit followers over the Internet -- vandalizing media outlets and government agencies to grab the most attention.
"It does seem like cyber mischief more than cyber warfare," says Amit. "We're not facing a really sophisticated adversary."
Social networks are still vulnerable, easy places for hackers to lift credentials. The solution for single-user accounts is to employ two-factor authentication. However second factors like biometrics or physical tokens don't work for things that need to be shared by multiple individuals -- like an organization's official social networking account.
In those cases, Amit suggests using a social network publishing platform. For instance, every user could have his or her own HootSuite account, and each of them could access the shared Twitter account from there. Monitoring of the social network activity could then detect when someone was using a different platform to issue or edit tweets.
Other security experts agree that social networks and shared accounts are common vulnerabilities.
"Twitter, YouTube, and other social media are low-hanging fruit in terms of credential theft and phishing," says Jon Oberheide, co-founder and chief technology officer at Duo Security, "as we've seen over the years with the Syrian Electronic Army, LulzSec, and other high-profile hacking groups. Social media accounts are often jointly managed with multiple people sharing a single username and password. And they often fail to opt into two-factor authentication mechanisms for the same reason. Two-factor is meant to uniquely identify users, and it's inherently designed to avoid credential sharing, so jointly managed accounts often disable it."
“The reality is that the Twitter account password has been shared among multiple people if not dozens," says Tom Kemp, CEO of Centrify, "and in all likelihood, the password associated with the account is weak and memorable. The toxic combination of multiple people sharing the password, and the password itself being both easily guessed and easily stolen makes it highly likely that incidents like this will occur in the future. "
Kemp further suggests that organizations use a role-based access control mechanism that enables provisioning and de-provisioning.
In this particular incident there was no actual data breach or network compromise, yet the risk remains if a password for an insecure social network is reused on more critical services.