AP Twitter hack prompts fresh look at cybersecurity needs

Two-step identity verification and analysis of user trends could prevent future attacks, experts say

Getting hacked on Twitter is fast becoming a rite of passage for big corporations, but Tuesday's attack on the Associated Press could be a tipping point and shows that social networks must do more to keep their users safe, security experts said.

Wider use of two-factor authentication, which can involve an access code being sent to a user on a second device such as a smartphone, is one possible solution. Such a mechanism could be introduced selectively, some experts said, for high profile accounts such as celebrities and large corporations.

"Twitter needs to get on board and make two-factor authentication available ... as fast as possible," said Andrew Storms, director of security operations at nCircle Security.

The AP's Twitter account was hacked Tuesday morning, resulting in a bogus tweet reporting that there were "two explosions in the White House and Barack Obama is injured." A group calling itself the Syrian Electronic Army claimed responsibility, via their own Twitter account.

The tweet was only visible for a matter of minutes, but the Dow Jones industrial average took a nose dive immediately after it was posted before recovering several minutes later. Unlike some previous hacking incidents, "this one had a real-world impact on the markets," noted Steve Brunetto , director of product management at EdgeWave, a social media and email security company.

The AP joins a list of companies that have recently been hacked on Twitter. Three CBS brands -- 60 Minutes, 48 Hours and a Denver news affiliate -- were hijacked this past weekend. The New York Times, The Wall Street Journal and The Washington Post have also been hacked in recent months. In February, Twitter announced the site itself had been breached.

The Twitter accounts of Burger King and the Jeep car company have also been compromised. After those incidents, Twitter urged users to be smarter with their passwords and in how they use the site.

Twitter has remained largely quiet following Tuesday's AP attack. "We don't comment on individual accounts for privacy and security reasons," a spokesman said. But now may be the perfect time for the social network to employ stronger safeguards to prevent future account breaches, some experts said.

"Twitter needs to move faster in stepping up its cybersecurity efforts," EdgeWave's Brunetto said.

Mark Risher, CEO at Impermium, an Internet security firm based in Redwood City, California, said he thinks Twitter already takes security seriously, but Tuesday's attack does "elevate" concerns, he said.

One strategy would be for Twitter to implement a two-step authentication system. In one common implementation, when users log into the site from their laptop, Twitter would send them a passcode to a second device, such as their mobile phone. They would then need to enter that code as well as their login and password to access the site.

Calls for Twitter to adopt such a system resurfaces whenever the site is hacked, but the AP attack could become a tipping point, said nCircle's Storms.

If Twitter doesn't want to mandate two-factor authentication for all accounts, the company could require it only for accounts that pass a certain number of followers, he suggested.

Two-step verification could be offered to big brands and other prominent accounts, agreed Jon Oberheide, cofounder and chief technology officer at Duo Security, which develops authentication software.

But accounts that employ two-step authentication may still be susceptible if those who use the accounts are subjected to an email phishing attack, said Impermium's Risher. "The hacker could fake a log-in page asking you for the code you just received," he said.

Alternatively, a phishing attack could be used to install a keystroke logger on a user's computer, recording their login and password the next time they enter it.

As an alternative, Twitter and other social networks should look more closely at how users interact with their services and watch for signals that might indicate unauthorized activity, said Risher, whose company develops algorithms to identify such activity. It might look at how users engage with content and how often they tweet and are retweeted, for example.

Twitter could also employ a risk-based authentication method, by asking users personal identification questions when they log in from an unfamiliar computer, for example.

Users could do more to safeguard their own social media accounts, however. Using stronger passwords, changing them frequently and protecting Wi-Fi networks with passwords are all recommended practices. Having a weak password may have played a role in the AP's account breach. The Syrian Electronic Army tweeted the alleged password "APm@rketing" later this afternoon.

But the onus should be on the social media sites to ensure the security of their users' accounts, Risher said. "It should be like an 80/20 split," he said, adding, "the lion's share of the work should be done by the sites."

Apple, Facebook and Google are among the companies that already offer two-step authentication as an option for users.

Twitter is a big target for breaches because of its immediacy, Obenhaim said. One of Twitter's primary purposes is to disseminate information in near real time, for example, while company pages on Facebook are often less active.

Other ideas that have been floated to keep accounts and identifies safe online include the use of "physical" passwords, which could take the form of a piece of jewelry. In a research paper released in January, Google said the current strategies, including the two-step verification system, are insufficient.

The stakes are high when it comes to cybersecurity, as Tuesday's stock market tumble showed. "Brand or character defamation is no longer the only outcome," said nCircle's Storms.

Posting fictitious tweets about outrageous behavior by employees at Burger King is one thing, but tweeting that the president has been injured following an explosion at the White House "can have a serious impact" more broadly, Duo's Oberheide noted.

Such hacks are also more significant since the U.S. Securities and Exchange Commission said it would allow public companies to disclose material corporate information on social media sites.

The SEC declined to comment Tuesday on the AP's and other recent Twitter hacks.

Zach Miners covers social networking, search and general technology news for IDG News Service. Follow Zach on Twitter at @zachminers. Zach's e-mail address is zach_miners@idg.com

Join the CSO newsletter!

Error: Please check your email address.

Tags Internet-based applications and servicesdata breachAccess control and authenticationsocial networkingtwitterdata protectionsocial mediainternetFacebookAppleGooglesecurity

More about Andrew Corporation (Australia)AppleBurger KingCBS CorporationDow JonesEdgeWaveFacebookGoogleIDGnCircleSECSecurities and Exchange CommissionWall Street

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Zach Miners

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place