AP Twitter Hack: Lessons Learned

Published: 22/11/2024   Category: security




The bad news: beefing up passwords won't save businesses from Twitter account takeover attacks.



Would you trust an email that says: "Please read the following article, it's very important: www.washinqtonpost.com/blogs/worldviews/wp/2013/04/23/"?

So went a phishing email reportedly sent to multiple employees at the Associated Press, less than an hour before the company's Twitter feed was taken over and used to issue multiple tweets, including a hoax report that President Obama had been injured by explosions at the White House. Cue a temporary stock market tumble.

Sharp-eyed email recipients who weren't distracted might have noticed that "Washington" was misspelled in the link. But every other indicator suggested it was from a fellow AP staffer, down to the sender's email address, and the name and mobile phone number listed at the bottom of the email.
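The misspelled domain is the one signal in that email a machine could have caught. The following is an added example, not code from the article or from AP: it extracts the host from a link and flags it when it sits within a small edit distance of a domain on a trusted allowlist (the allowlist and the link are constructed for this example).

```python
from urllib.parse import urlparse

# Constructed sample: the link quoted in the AP phishing email, plus a
# hypothetical allowlist of domains a newsroom actually trusts.
PHISH_LINK = "www.washinqtonpost.com/blogs/worldviews/wp/2013/04/23/"
TRUSTED_DOMAINS = ["washingtonpost.com", "nytimes.com", "ap.org", "twitter.com"]


def registrable_domain(url: str) -> str:
    """Return the host of a URL, lower-cased and without a leading 'www.'."""
    if "://" not in url:            # bare links like the one in the email
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (host, trusted_domain) when the host is a near-miss of a trusted
    domain; None for exact matches and for hosts that resemble nothing."""
    host = registrable_domain(url)
    if not host or host in trusted:
        return None
    best = min(trusted, key=lambda d: edit_distance(host, d))
    if edit_distance(host, best) <= max_distance:
        return host, best
    return None


if __name__ == "__main__":
    for link in (PHISH_LINK, "https://www.washingtonpost.com/", "example.org"):
        print(link, "->", lookalike_of(link))
```

A mail gateway or link-rewriting proxy would run this check against the newsroom's own allowlist and quarantine or annotate the message rather than rely on the recipient spotting the missing "g".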
[ How is Twitter protecting itself against attacks? Twitter Preps Two Factor Authentication After AP Hoax. ]
Reporter Mike Baker at AP said via Twitter that the phishing email had been "impressively disguised."

That gets to the heart of why it's so difficult to block spear-phishing attacks, which have taken down the likes of security firm RSA and media giant The New York Times: they're incredibly cheap and easy to develop and launch, and attackers only need one recipient to click a link and follow through to potentially compromise first one PC, and then an entire network.

The follow-through in this case was to a phishing website -- most likely built to resemble an actual Washington Post blog page -- that asked the user to enter their username and password. It might even have purported to let them use their Twitter credentials to log in. If the user shared their credentials, that data would be passed on to attackers, who would then be able to log in as that person to any website for which the target had reused the same password.
How can businesses prevent an AP-style Twitter account hijacking? The short answer is that it's very difficult for users to spot every phishing attempt, and also difficult to adequately protect Twitter accounts against hijackings, whether you're an individual or a business. For starters, that's because only a username and password are required to log into a Twitter account, and the username is already publicly known, because it's the user's Twitter handle.

"The username is an issue," said Sean Sullivan, security advisor at F-Secure Labs, speaking by phone. "Consider your online banking. My bank issued me a unique customer number and I don't share that with anybody. So both the username and the password are secret. But with social media/networking sites, half of the secrecy is gone."
Another issue is a lack of administrator accounts. Currently, a single Twitter account such as @AP has only a single password. Accordingly, whoever needs to have access to the account must be told the password, and the more copies of the password that proliferate, the greater the likelihood that the password will be recorded in multiple places, which makes it a target for data-exfiltration malware.
Twitter is reportedly testing a two-factor authentication system for users, but this will be no security panacea, especially for business users. "Two-factor systems are great for me as an individual, but for accounts that have 10 users, maybe because they're working on shifts around the clock, like AP, it just doesn't scale," Sullivan said.

Furthermore, two-factor systems can be defeated via password-reset systems, at least some of the time. That's because if a user loses the smartphone to which a one-time code gets sent via SMS, or which contains their authentication app, they need another way to get into their account. Accordingly, many users add a backup email account in Twitter, to which a one-time password can be sent via Twitter's password-reset screen.

If so, then an attacker who first compromises that email account can simply request a password reset for the linked Twitter account, and a working one-time password will arrive at the email account he's compromised. In addition, Twitter allows people to search for Twitter usernames by email address, giving would-be attackers a tool for sniffing out which email is likely tied to a target's account.

"So they enable you to search for accounts with an email address, but then they consider it to be personal information for a password challenge. That's just circular," said Sullivan. "That may have been fine when this was personal accounts for fun, five years ago. But it really doesn't scale for AP feeds that Wall Street algorithms are tuned to monitor."
