Dark Reading is part of the Informa Tech Division of Informa PLC

1/13/2015
04:10 PM

US CENTCOM Twitter Hijack 'Purely' Vandalism

Though not a real data breach, nor attributable to ISIS, the incident serves as a reminder to security professionals about the risks of sharing account credentials.

The Twitter account of US Central Command (US CENTCOM) was briefly hijacked Monday afternoon by a group claiming to be aligned with the terrorist organization ISIS and apparently disclosing confidential US military documents. Since then, the Twitter account has been suspended, the "leaked" documents have proven to be publicly available information, and the perpetrators do not appear to represent ISIS.

Not a terribly serious incident then, but it does serve as a reminder to security professionals about the risks of sharing account credentials.

Monday, the CENTCOM account's profile image was changed to read "Cyber Califate" and "i love you isis," and the account began issuing threatening messages to the US military, such as "AMERICAN SOLDIERS, WE ARE COMING, WATCH YOUR BACK. ISIS," and a link to a Pastebin account that purported to be full of confidential documents.

The perpetrators of the US CENTCOM attack appear to be the same ones that compromised the website and Twitter account of WBOC TV and the Twitter account of the Albuquerque Journal last week.

US CENTCOM released a statement stating, "CENTCOM's operational military networks were not compromised and there was no operational impact to US Central Command. CENTCOM will restore service to its Twitter and YouTube accounts as quickly as possible. We are viewing this purely as a case of cybervandalism."

An official also told The Wall Street Journal that the Twitter account was registered under a staff member's personal email address.

"Much of this appears to be simply scare tactics," says Ian Amit, vice-president of ZeroFox. "All of the 'leaked' documents are in fact public domain, repackaged to look like a real data breach. These actors are trying to make themselves look more legitimate by threatening soldiers' wives and claiming to have mobile access. In truth, they likely only stole a password, either through a phishing scam or a brute-force attack."

Amit says the perpetrators probably aren't representatives of ISIS, but rather ISIS sympathizers. He says they might be using these low-difficulty, high-profile attacks to gather support for the cause and recruit followers over the Internet -- vandalizing media outlets and government agencies to grab the most attention.

"It does seem like cyber mischief more than cyber warfare," says Amit. "We're not facing a really sophisticated adversary."

Social networks are still vulnerable, easy places for hackers to lift credentials. The solution for single-user accounts is to employ two-factor authentication. However, second factors like biometrics or physical tokens don't work for things that need to be shared by multiple individuals -- like an organization's official social networking account.

In those cases, Amit suggests using a social network publishing platform. For instance, every user could have his or her own HootSuite account, and each of them could access the shared Twitter account from there. Monitoring of the social network activity could then detect when someone was using a different platform to issue or edit tweets.

Other security experts agree that social networks and shared accounts are common vulnerabilities.

"Twitter, YouTube, and other social media are low-hanging fruit in terms of credential theft and phishing," says Jon Oberheide, co-founder and chief technology officer at Duo Security, "as we've seen over the years with the Syrian Electronic Army, LulzSec, and other high-profile hacking groups. Social media accounts are often jointly managed with multiple people sharing a single username and password. And they often fail to opt into two-factor authentication mechanisms for the same reason. Two-factor is meant to uniquely identify users, and it's inherently designed to avoid credential sharing, so jointly managed accounts often disable it."

"The reality is that the Twitter account password has been shared among multiple people if not dozens," says Tom Kemp, CEO of Centrify, "and in all likelihood, the password associated with the account is weak and memorable. The toxic combination of multiple people sharing the password, and the password itself being both easily guessed and easily stolen makes it highly likely that incidents like this will occur in the future."

Kemp further suggests that organizations use a role-based access control mechanism that enables provisioning and de-provisioning.
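As an added illustration (not code from the article or from any of the vendors quoted in it), the Python sketch below models the two controls described above: Amit's suggestion of per-user access to the shared account through a publishing platform, with monitoring that flags posts or profile edits made from some other client, and Kemp's suggestion of role-based provisioning and de-provisioning. The platform name, user names, roles and activity records are all constructed for the example; the `source` field stands in for the client-application name that networks such as Twitter attach to each post.

```python
"""
Added example, not part of the original article: a minimal model of a
jointly managed social media account where

1. each staff member has their own identity and role on a publishing
   platform (the account password itself is never handed out), and
2. the account's activity feed is audited so that anything that did not
   come through the sanctioned platform, or that an actor's role does not
   permit, is reported.

All names and records below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed name of the sanctioned publishing platform.
APPROVED_SOURCE = "ExamplePublisher"

# Constructed role model: which actions each role may perform.
ROLE_PERMISSIONS = {
    "publisher": {"post"},
    "editor": {"post", "edit_profile"},
    "viewer": set(),
}


@dataclass
class SharedAccount:
    """A shared account reached only through per-user delegations."""
    handle: str
    delegations: Dict[str, str] = field(default_factory=dict)  # user -> role

    def provision(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.delegations[user] = role

    def deprovision(self, user: str) -> None:
        # Offboarding removes one user's delegation only; nobody else's
        # access changes and no shared password has to be rotated.
        self.delegations.pop(user, None)

    def authorize(self, user: Optional[str], action: str) -> bool:
        role = self.delegations.get(user) if user is not None else None
        return role is not None and action in ROLE_PERMISSIONS[role]


@dataclass
class Activity:
    """One entry from the account's activity feed (constructed)."""
    ts: datetime
    actor: Optional[str]   # platform user behind the action, None if unknown
    action: str            # "post" or "edit_profile"
    source: str            # client application reported by the network
    detail: str


def audit(account: SharedAccount, activities: List[Activity]) -> List[Tuple[Activity, str]]:
    """Return (activity, reason) pairs for everything that needs attention."""
    findings = []
    for a in activities:
        if a.source != APPROVED_SOURCE:
            # Anything published outside the platform bypassed per-user
            # accountability, which is what a stolen password looks like.
            findings.append((a, f"activity from unapproved client {a.source!r}"))
        elif not account.authorize(a.actor, a.action):
            findings.append((a, f"{a.actor!r} not authorized for {a.action!r}"))
    return findings


def run_example() -> List[Tuple[Activity, str]]:
    """Build a constructed account and feed, then audit it."""
    account = SharedAccount("@example_org")
    account.provision("alice", "publisher")
    account.provision("bob", "editor")
    account.provision("carol", "viewer")

    t0 = datetime(2015, 1, 12, 15, 0)
    feed = [
        Activity(t0, "alice", "post", APPROVED_SOURCE, "Scheduled announcement"),
        Activity(t0 + timedelta(minutes=5), "bob", "edit_profile", APPROVED_SOURCE, "Bio updated"),
        Activity(t0 + timedelta(minutes=30), None, "edit_profile", "Mobile Web Client", "Profile image changed"),
        Activity(t0 + timedelta(minutes=31), None, "post", "Mobile Web Client", "Unexpected message"),
        Activity(t0 + timedelta(minutes=40), "carol", "post", APPROVED_SOURCE, "Post attempt by a viewer"),
    ]
    return audit(account, feed)


if __name__ == "__main__":
    for activity, reason in run_example():
        print(f"{activity.ts:%Y-%m-%d %H:%M}  {activity.detail!r}: {reason}")
```

In this model the two off-platform entries are reported regardless of what they say, because the question the monitor answers is not "is this tweet hostile" but "did this come through the path we control". Running `deprovision` for a departing user closes only that user's delegation, which is the property Kemp's provisioning suggestion buys over a password passed around by hand.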

In this particular incident there was no actual data breach or network compromise, yet the risk remains if a password for an insecure social network is reused on more critical services.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments

Some Guy, User Rank: Moderator
1/14/2015 | 12:11:35 PM
Nobody thinks Facebook or YouTube are Locked Down
Nobody thinks that Facebook or YouTube are locked down tight. The fact that mainstream media UNQUESTIONINGLY accepted and then reported the DoD had been hacked is only compounded by security professionals repeating the lie. There was no more sophistication in this vandalism than a fourth grader could do. Ooooh, the wannabes spray painted CENTCOM's public billboard.

mtanenbaum801, User Rank: Apprentice
1/14/2015 | 9:51:19 AM
Centcom Twitter attack
The underlying problem is weak authentication on the social media platforms. Yes, Hootsuite or a product like that can eliminate password sharing, but if the social media account, as reported, was tied to someone's personal email, you still have an attack vector.

The message here is that while Twitter is not used to launch missiles or send troops into harm's way, the P.R. value of the attack is still high, so social media will continue to be a target.

Marilyn Cohodas, User Rank: Strategist
1/14/2015 | 9:15:26 AM
Re: Weak security practices
I agree. @gonzSTL The lapse may not elevate to the level of "attack" but it sure is an embarrassment.

GonzSTL, User Rank: Ninja
1/14/2015 | 8:51:30 AM
Weak security practices
"We are viewing this purely as a case of cybervandalism." Maybe so, but the most disturbing aspect of this fiasco is that people in critical organizations are likely guilty of weak security practices. To extend that idea even further, do these same people have access to sensitive information? It isn't a stretch to believe that they are just as lax when it comes to actual work practices. One would think that with all the publicity of high profile breaches and the growing attack landscape, critical organizations would be more likely to enforce rigid security to protect themselves. It is particularly disheartening to see even minor breaches in organizations that we would like to think are locked down tightly. It is easy enough to simply classify this as "cybervandalism" and not an actual breach, but in reality, security protocol was breached, and this is a big embarrassment to the organization. Let's get real – this is the military we are talking about – US Central Command!