Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Twitter Security in Crosshairs After AP Account Hijack

SAN FRANCISCO – A hijacked Associated Press Twitter account that rattled markets with false word of an attack on the White House put the security of social media in the crosshairs Wednesday.

SAN FRANCISCO – A hijacked Associated Press Twitter account that rattled markets with false word of an attack on the White House put the security of social media in the crosshairs Wednesday.

The stock market rebounded from the nosedive triggered Tuesday by the bogus tweet and the AP posted a message on Twitter that its account “which was suspended after being hacked, has been secured and is back up.”

The AP Twitter page indicated more than 1.8 million followers as of early evening in San Francisco, where the one-to-many messaging service has its headquarters.

What remained were questions as to whether security was tight enough on Twitter and other popular social networks in an age when people increasingly turn to posts from friends or strangers for reliable news and information.

Twitter was firm that evaluating and improving defenses at the service remains an ongoing priority and that the hijacking of the AP account didn’t prompt any immediate moves to toughen security.

AP’s Twitter account appeared to have been breached after hackers tricked someone into revealing a password with a deceptive email message in what is referred to as a “phishing” attack.

Some online reports contended that Twitter was considering “two-factor authentication” that would require users to either know something or do something aside from just type in passwords to access accounts.

“When you look at the problem in mass, the most critical thing we see is people just have horrendous passwords and use them all over the web,” said Mark Risher, chief and founder of Impermium, an Internet security firm.

Advertisement. Scroll to continue reading.

While incorporating a second step such as sending a confirmation code in a message to an email account or mobile phone associated with a user’s account is a big improvement, even that defense is flawed, he said.

Risher was ‘spam czar’ at Yahoo! Mail before leaving the Internet pioneer and launching Impermium in 2010. His team includes Sameer Bhalotra, a former senior director of cybersecurity for the White House.

Phishing attacks are becoming increasingly sophisticated and convincing, sometimes with information harvested from social networks used to make pitches more personal and believable to specific targets, according to Risher.

A person conned into giving hackers a password could just as easily be asked for a second bit of information needed to get into an account, he reasoned.

“You really can’t just expect users to never get duped, because they always will,” Risher said. “Service providers should never be satisfied with a password.”

Adding multiple layers of security to get into accounts treads on the ease of using online services, forcing social networks to risk aggravating members.

“There is a trade-off between convenience and safety,” he said. “It is like putting five deadlock bolts on the door. It would make you more secure but it really would be a hassle if you wanted to pop out to the corner store.”

Impermium and other companies specialize in ways to spot “bad guys” who use stolen passwords to get into accounts.

Signs watched for include whether an account is being accessed from a smartphone other than one typically used or if the visitor appeared to be trying to cover their tracks.

Last month, Twitter arranged with major web email service providers Google, Yahoo! and AOL to reject emails claiming to be from Twitter if they didn’t have a special protocol that acts as a “handshake” of authenticity.

The intent was to block phishing email messages from even reaching targets. Twitter maintained that it has a variety of ideas about hardening security but would not disclose details.

“The answer is the service providers,” Risher said. “Just like in the real world where a bank doesn’t say that once you make it past the door you can do whatever you want.”

Written By

AFP 2023

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.