
Passwords, Malware and the AP-Twitter Hack

Two weeks ago, hackers were able to compromise the password of the Associated Press Twitter account, allowing the hackers to send out fictitious tweets to all of the @AP followers. These tweets falsely reported that a bomb had exploded at the White House and that the President was injured, which sent financial markets into a brief but startling tailspin. Once the market recovered, I was left marveling at the power of a single compromised social media password. If nothing else, the AP Twitter hack re-exposes one of the persistent challenges to security – the large-scale overdependence on passwords as the sole method of identifying a user and granting permissions.

Passwords are the ultimate goal for many hacking operations regardless of their sophistication. The latest Verizon Data Breach Investigation Report (DBIR) showed just how broad the problem is, reporting that 76% of all breaches were tied to weak or stolen credentials. Weak passwords were also the target of a large-scale attack against WordPress accounts, where remote attackers recruited more than 90,000 servers to brute-force the passwords of WordPress admin accounts.

However, it’s important that we address the reality that strong passwords can’t be the only answer. While Twitter scrambles to add support for two-factor authentication, it reached out to journalists to provide some advice to keep them secure in the interim. Some of that advice was good, but some of it struck me as actively wrong. In particular, Twitter recommended that journalists use strong, randomly generated passwords and store those passwords in the web browser’s password manager.

To me, this is rather troubling advice. Malware is highly skilled at finding, decrypting and stealing passwords stored on a victim’s machine, particularly the browser. In our latest analysis (PDF) of undetected malware, we observed that stealing passwords from the web-browser was the #1 most common hacking and data theft behavior observed in malware. This is precisely why banking and financial sites prevent customers from automatically filling passwords into their sites. Furthermore, banking trojans like Zeus and Andromeda will hide in browsers for the purpose of capturing users’ logins.

The thing to remember here is that if the browser can see the password and put it into a form, then malware can see it (and steal it) as well. In short, Twitter is telling people to move to a password that is difficult for you to remember and then store it in the place that malware is the most adept at stealing it.

Secondly, it shouldn’t require extremely strong passwords to prevent a brute-force attack on a password in the first place – it should simply require not using an obvious password such as ‘password123’. Any running web-based application should be able to recognize a string of failed login attempts and lock out the user or account. Strong passwords are most valuable for protecting hashed passwords in the event that the database of user passwords ever gets stolen. The more complex the password, the more guesses are required to determine the real password from the hashed value. But the big difference here is that this cracking happens on data that is already stolen. The attacker has the database and can try millions of combinations indefinitely until he finds the right one. Conversely, an attacker should never be able to try millions of password combinations on a running application. The application should see several failures and lock down.
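The distinction above, online guessing that the application can cut off versus offline cracking of a stolen hash database, is easy to show in code. The following is an added example written for this column, not Twitter's or WordPress's login logic: a small login service that stores only salted PBKDF2 hashes (so a stolen database still has to be cracked guess by guess) and locks an account after a fixed number of consecutive failures, so an online attacker gets only a handful of attempts. The threshold, lockout window and usernames are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 5           # consecutive failures before the account locks (assumed)
LOCKOUT_SECONDS = 15 * 60  # how long the lock lasts (assumed)
PBKDF2_ROUNDS = 100_000    # slow hash: every offline guess costs this much work


def hash_password(password, salt=None):
    """Return (salt, digest); the plain password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginService:
    def __init__(self):
        self.users = {}                  # username -> (salt, digest)
        self.failures = defaultdict(int)  # consecutive failed attempts per user
        self.locked_until = {}            # username -> unix time the lock expires

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password, now=None):
        now = time.time() if now is None else now
        if self.locked_until.get(username, 0) > now:
            return "locked"               # refuse without even checking the password
        record = self.users.get(username)
        if record is None:
            return "failed"               # same answer as a wrong password: no user enumeration
        salt, digest = record
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            self.failures[username] = 0   # success resets the counter
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username] = 0
        return "failed"


def simulate_guessing(service, username, guesses, now=0.0):
    """Count how many guesses the running application actually evaluates before locking."""
    evaluated = 0
    for guess in guesses:                 # constructed guess list supplied by the caller
        if service.login(username, guess, now) == "locked":
            break
        evaluated += 1
    return evaluated
```

With the assumed threshold, a list of a thousand guesses still yields only five evaluated attempts before the account is locked, which is the ceiling an online attacker should face regardless of how strong the password is.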

And this is a problem that in no way is limited simply to journalists using Twitter. State, local and federal government are adopting social media and Twitter to communicate with the public. Universities have adopted Twitter as one of the methods for communicating with students in an emergency. And even if the focus remains purely financial, most public companies use Twitter as well. It’s easy to conceive that a well-timed hack could have a market moving effect that criminals could take advantage of.

All of which simply underscores the importance of social media applications adding capabilities to make themselves more secure. By all accounts, Twitter is rapidly developing support for two-factor authentication, and once it’s available it will be a welcome enhancement that enterprises should take advantage of. However, in the interim, it’s probably not the best idea to simply put more of our eggs in the browser if we are concerned about the security of a web application.
