It Can Happen to Anybody

Recent reporting from the Associated Press is that the @AP Twitter account was ‘hacked’, and the perpetrator released (‘tweeted’) an untrue and scandalous news bulletin claiming that US President Obama had been injured in an explosion at the White House.

The known effects of the tweet included a massive (but temporary) negative financial impact on the Stock Exchange, plus possible reputational impact for the Associated Press, and certainly for Twitter. The reputational impact will have some form of financial consequence for both the Associated Press and Twitter, as investigations are carried out and security architectures and procedures are re-evaluated. Had the White House not responded so swiftly to refute the claims, the whole mess could have turned political.

The hacking deed was reportedly carried out by members of the “Syrian Electronic Army”, but we want to provide some background on why this incident actually happened and give some best-practice ideas on how the Associated Press, and you, could prevent it from happening in the future. It’s worth noting that the same perpetrators are targeting other similar organisations in order to promote their cause – the latest victim was Sky News last week.

It’s unlikely that the Associated Press had never carried out its own information risk assessment prior to this incident, but the fact that such a damaging incident was allowed to happen suggests that the risk assessment may need to focus more on its use of social media.

If the Associated Press’ Chief Information Security Officer (CISO) were to conduct another risk assessment, he/she should ensure some of the following are considered:

Assets

The thing of most value to the Associated Press’ Chief Editor is probably the organisation’s reputation for providing factual news stories of the most strategic nature to the citizens of the US and its wider global audience.

It would probably be difficult for even the Chief Editor to put a monetary value on his/her organisation’s reputation, but it is likely that it is the Associated Press’ “crown jewels”.

Threats

The Associated Press is likely to face a number of threats: individuals or groups on hand and ready (or easily primed) to assist a politically extreme influencing authority by carrying out malicious harm in order to soil the organisation’s brand.

In this particular case it was reported that members of the “Syrian Electronic Army” committed the breach by hacking into one of the Associated Press’ authorised Twitter accounts. It is unlikely that this attack was aimed specifically at the Associated Press; rather, the Associated Press was used as a vehicle to undermine US politics or, possibly more importantly for the perpetrators, as their own PR stunt. This suggests that press organisations such as the Associated Press must not only take precautions against malicious attacks on the organisation itself, but must also protect themselves against any individual or group that has a hatred of, or even just a disagreement with, the stories they release. Or even just a mischievous but capable attacker with a penchant for writing, changing, or making the headlines.

Vulnerabilities

A Need for Speed

One vulnerability the Associated Press is forced to live with, in the competitive market in which it thrives, is the fast pace of work needed to get information into the public domain and in front of as large an audience as possible, and in turn to meet the needs and expectations of its customers. The key requirement to be amongst the first to publish its bulletins in order to maintain its readership, combined with the medium it chooses to deliver them (Twitter), was in this case its stumbling block.

Inappropriate Ease of Access

The use of Twitter and other social media platforms has grown organically from a tool of convenience for individual users, to a communications platform that is of key importance to individuals and organisations; from you, me, the Associated Press and even Barack Obama. As the use of this technology has scaled, people continue to demand easy access from consumer devices or simple web interfaces so that they can reach the greatest audience quickly as events happen.

Unfortunately, this ease of access, often via only single-factor authentication (a single password), is also its greatest weakness. ‘Hacking’ and phishing tools are all too easy to buy today, bringing the compromise of sometimes the most vital corporate and personal communications, belonging to you, me, the Associated Press, or Barack Obama himself, within easy reach of those with only a moderate level of motivation. For example, a simple password-cracking application, easy to find and buy, could be an easy avenue of attack, although it is more likely that this particular incident stemmed from a more sophisticated, premeditated social engineering and phishing attack.

Distinguished User-base

Of course, the sheer fact that Twitter has such a distinguished user base, some of whom have been the target of attack before, encourages ‘Followers’, allowing releases from the most-followed accounts to circulate at a rapid pace and providing the best effect for the perpetrator.

Inadequate Service Level Agreement

The service level agreement between Twitter and any account holder (no matter how important) does not give any assurance that the account is impervious to the threat of hacking. It’s still a commoditised platform that anyone can use, for free, to communicate almost anything to a wider audience.

Risk

If we needed reminding of the risk: there is a risk that hacktivists, influenced by a foreign political/extremist group, could pose as an authorised user of an Associated Press Twitter account in order to publish a news bulletin of political and market influence, resulting in an impact on the Associated Press’ reputation of potentially catastrophic proportions.

Remember, it wasn’t the confidentiality (or secrecy) of information which was affected in this incident; it was its integrity. In fact, unless the Associated Press were running investigations for the eventual release of an epic story, it is presumed that the requirement to keep the majority of its information (news) secret would usually span less than a 24-hour period.

A positive move by Twitter…?

Since this particular attack took place, Twitter was initially quick to respond, saying that it was looking into ways of improving its security. More recently, and as a result of the @AP hack, Twitter announced the implementation of an optional two-step authentication technique, which requires the account holder to be in possession of a time-sensitive verification code in order to log in to an account. This is very good news for the likes of Barack Obama and David Cameron (if they do actually publish their own tweets).

The remedy Twitter has adopted will not, however, be seen by every organisation as a positive move. The fact that only a single mobile phone number may be registered for a single account, such as @AP, is likely to restrict use of the same account by multiple users. It is likely that some organisations, although adopting the new two-step authentication method, will implement workarounds in which received verification codes are auto-forwarded to multiple users (by text or email), meaning that over time, after the first unreported loss of a mobile phone for example, codes will be susceptible to compromise.

Best Practice

This move by Twitter has been a long time coming, but unless its strategy is accepted by users with reputations to uphold, the change will be of no value to them.

The measures Twitter has implemented should be used as Twitter has prescribed and, by way of clearly written information security policies and user instructions, the use of group accounts should, wherever possible, be ruled out. Where there is no option but to employ group accounts, there must be tight policy-led controls, including monitoring, in place to administer their use. Methods of communicating verification codes only to those who need them at each particular moment should be introduced. The receipt of a verification code should be acknowledged immediately, and the code deleted from disk and memory using the most secure methods available. Where IT equipment is used to share verification codes, its loss or theft should be reported immediately through an appropriate and formal incident reporting chain.
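The two properties that make a forwarded or leaked verification code worthless to a second party, as discussed above and in the best-practice paragraph, are a short lifetime and single use: once the legitimate holder has used the code (or its time window has closed), a copy sitting in a forwarded text or email can no longer log anyone in. The following is an added example, constructed for this article and not Twitter’s implementation, of a server-side issuer/verifier that enforces both properties; the two-minute lifetime and the injectable clock are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120  # assumption: a code is only honoured for two minutes


class VerificationCodeService:
    """Issues short-lived, single-use second-step codes bound to one login attempt."""

    def __init__(self, secret: bytes, ttl: int = CODE_TTL_SECONDS, clock=time.time):
        self._secret = secret          # server-side key; only HMACs of codes are stored
        self._ttl = ttl
        self._clock = clock            # injectable so expiry can be tested deterministically
        self._pending = {}             # attempt_id -> (code_hmac, issued_at)

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._secret, code.encode(), hashlib.sha256).digest()

    def issue(self, attempt_id: str) -> str:
        """Create a six-digit code for this login attempt; send it to the registered phone."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[attempt_id] = (self._digest(code), self._clock())
        return code

    def verify(self, attempt_id: str, code: str) -> bool:
        """Accept the code at most once, and only within its lifetime.

        The pending entry is removed before the comparison, so whoever presents
        the code second (e.g. from a forwarded copy) is refused, and a wrong guess
        forces a fresh code rather than allowing repeated attempts.
        """
        entry = self._pending.pop(attempt_id, None)
        if entry is None:
            return False
        expected, issued_at = entry
        if self._clock() - issued_at > self._ttl:
            return False
        return hmac.compare_digest(expected, self._digest(code))


def demo():
    """Constructed scenario: owner logs in, a forwarded copy is replayed, a code goes stale."""
    clock = [1_000_000.0]
    svc = VerificationCodeService(b"constructed-secret", clock=lambda: clock[0])
    code = svc.issue("login-1")
    first_use = svc.verify("login-1", code)       # legitimate holder: accepted
    replay = svc.verify("login-1", code)          # forwarded copy used afterwards: refused
    stale = svc.issue("login-2")
    clock[0] += CODE_TTL_SECONDS + 1              # holder waits too long
    expired = svc.verify("login-2", stale)        # refused even though the code is right
    return first_use, replay, expired
```

Binding the code to a specific login attempt, rather than to the account as a whole, also means a code issued for one person’s login cannot be redeemed against another concurrent attempt on the same group account.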

Where weak passwords have previously been used, these should be changed immediately and replaced with robust passwords that can be committed to the account holder’s memory. Again, where group accounts are unavoidable, the password should be passed on under control, deleted once committed to memory, and never written down.

Organisations should investigate carefully the operational requirement for their employees to perform social media activities at all using company IT. Perhaps, as in the case of the Associated Press, social media (Twitter) is a business enabler and must be used to satisfy a customer base. This may be so, but there must be a social media strategy and policies in place to regulate how social media may be used in an acceptable manner, and what the aims and goals of its use are.

An information governance structure must be in place in any organisation with data or a reputation to protect. Policies and instructions may not be taken seriously, or possibly even ignored, if they are not supported by those with authority within the organisation.

Where these best practices go unheeded, news of continued Twitter account hacking will no doubt become public knowledge in the near to medium term, although at that point Twitter will not be so forthcoming in shouldering any of the blame.

If you have concerns about the financial, reputational or political impacts a security breach could have on your organisation, why not give us a call to see how we can help you to make your processes as secure as you need them to be.