Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Authentication

1/13/2015
04:10 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

US CENTCOM Twitter Hijack 'Purely' Vandalism

Though not a real data breach, nor attributable to ISIS, the incident serves as a reminder to security professionals about the risks of sharing account credentials.

The Twitter account of US Central Command (US CENTCOM) was briefly hijacked Monday afternoon, by a group claiming to be aligned with the terrorist organization ISIS, and apparently disclosing confidential US military documents. Since then, the Twitter account was suspended, the "leaked" documents have proven to be publicly available information, and the perpetrators do not appear to represent ISIS.

Not a terribly serious incident then, but it does serve as a reminder to security professionals about the risks of sharing account credentials.

Monday, the CENTCOM account's profile image was changed to read "Cyber Califate" and "i love you isis," and the account began issuing threatening messages to the US military, such as "AMERICAN SOLDIERS, WE ARE COMING, WATCH YOUR BACK. ISIS," and a link to a Pastebin account that purported to be full of confidential documents.

The perpetrators of the US CENTCOM attack appear to be the same ones that compromised the website and Twitter account of WBOC TV and the Twitter account of the Albuquerque Journal last week.

US CENTCOM released a statement stating, "CENTCOM's operational military networks were not compromised and there was no operational impact to US Central Command. CENTCOM will restore service to its Twitter and YouTube accounts as quickly as possible. We are viewing this purely as a case of cybervandalism."

An official also told The Wall Street Journal that the Twitter account was registered under a staff member's personal email address.

"Much of this appears to be simply scare tactics," says Ian Amit, vice-president of ZeroFox. "All of the 'leaked' documents are in fact public domain, repackaged to look like a real data breach. These actors are trying to make themselves look more legitimate by threatening soldiers' wives and claiming to have mobile access. In truth, they likely only stole a password, either through a phishing scam or a brute-force attack."

Amit says the perpetrators probably aren't representatives of ISIS, but rather ISIS sympathizers. He says they might be using these low-difficulty, high-profile attacks to gather support for the cause and recruit followers over the Internet -- vandalizing media outlets and government agencies to grab the most attention.

"It does seem like cyber mischief more than cyber warfare," says Amit. "We're not facing a really sophisticated adversary."

Social networks are still vulnerable, easy places for hackers to lift credentials. The solution for single-user accounts is to employ two-factor authentication. However second factors like biometrics or physical tokens don't work for things that need to be shared by multiple individuals -- like an organization's official social networking account.

In those cases, Amit suggests using a social network publishing platform. For instance, every user could have his or her own HootSuite account, and each of them could access the shared Twitter account from there. Monitoring of the social network activity could then detect when someone was using a different platform to issue or edit tweets.

Other security experts agree that social networks and shared accounts are common vulnerabilities.

"Twitter, YouTube, and other social media are low-hanging fruit in terms of credential theft and phishing," says Jon Oberheide, co-founder and chief technology officer at Duo Security, "as we've seen over the years with the Syrian Electronic Army, LulzSec, and other high-profile hacking groups. Social media accounts are often jointly managed with multiple people sharing a single username and password. And they often fail to opt into two-factor authentication mechanisms for the same reason. Two-factor is meant to uniquely identify users, and it's inherently designed to avoid credential sharing, so jointly managed accounts often disable it."

“The reality is that the Twitter account password has been shared among multiple people if not dozens," says Tom Kemp, CEO of Centrify, "and in all likelihood, the password associated with the account is weak and memorable. The toxic combination of multiple people sharing the password, and the password itself being both easily guessed and easily stolen makes it highly likely that incidents like this will occur in the future. "

Kemp further suggests that organizations use a role-based access control mechanism that enables provisioning and de-provisioning.   

In this particular incident there was no actual data breach or network compromise, yet the risk remains if a password for an insecure social network is reused on more critical services. 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Some Guy
50%
50%
Some Guy,
User Rank: Moderator
1/14/2015 | 12:11:35 PM
Nobody thinks Facebook or YouTube are Locked Down
Nobody thinks that Facebook or YouTube are locked down tight. The fact that mainstream media UNQUESTIONINGLY accepted and then reported the DoD had been hacked is only compounded by security professionals repeating the lie. There was no more sophistication in this vandalism than a fourth grader could do. Ooooh, the wannabes spray painted CENTCOM's public billboard.
mtanenbaum801
50%
50%
mtanenbaum801,
User Rank: Apprentice
1/14/2015 | 9:51:19 AM
Centcom Twitter attack
The underlying problem is weak authentication on the social media platforms.  Yes, Hootsuite or a product like that can eliminate password sharing, but if the social media account, as reported, was tied to someone's personal email, you still have an attack vector.

The message here is that while Twitter is not used to launch missles or send troops into harm's way, the P.R. value of the attack is still high, so social media will continue to be a target.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/14/2015 | 9:15:26 AM
Re: Weak security practices
I agree. @gonzSTL The lapse may not elevate to the level of "attack" but it sure is an embarassment. 
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
1/14/2015 | 8:51:30 AM
Weak security practices
"We are viewing this purely as a case of cybervandalism." Maybe so, but the most disturbing aspect of this fiasco is that people in critical organizations are likely guilty of weak security practices. To extend that idea even further, do these same people have access to sensitive information? It isn't a stretch to believe that they are just as lax when it comes to actual work practices. One would think that with all the publicity of high profile breaches and the growing attack landscape, critical organizations would be more likely to enforce rigid security to protect themselves. It is particularly disheartening to see even minor breaches in organizations that we would like to think are locked down tightly. It is easy enough to simply classify this as "cybervandalism" and not an actual breach, but in reality, security protocol was breached, and this is a big embarrassment to the organization. Let's get real – this is the military we are talking about – US Central Command!
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
CVE-2019-13569
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.