The Critics’ View – CentCom Social Media Hack


What do the experts have to say about how the US can better protect itself online?

This week saw a worrying cyberattack on social media accounts linked to the US military, which apparently came under fire from hackers claiming to support the terrorist Islamic State militant group.

The @CENTCOM Twitter account, representing the command that oversees operations in the Middle East, was reportedly hacked and defaced with messages (see below) praising Islamic State for around 30 minutes.

Messages included the apparent posting of names and addresses of US military figures and their families, with Central Command’s YouTube account also targeted.

The attack gained worldwide attention, particularly as it occurred hours before President Obama was due to announce new proposals aimed at bolstering American cybersecurity after high-profile hacking incidents including those against Sony Pictures Entertainment.

But what do security experts around the world think of the attack, and President Obama’s new proposals?

Trey Ford, global security strategist, Rapid7

“Attackers appear to have seized control of the @CENTCOM Twitter account – and while strong ‘multi-factor’ login controls exist, it is normal for shared PR accounts like this to lack that additional layer of security, making them an easier target. The account has now been suspended, indicating this compromise was real and US Centcom is now taking back control.

The account compromised was timed with the release of a couple of sensitive documents on Pastebin, which appears to have been designed to intimidate US soldiers. One thing to note: the Sony document dumps were laced with malware, and I expect these files may also be part of a targeted malware campaign targeting military analysts and their families.”

Barry Scott, CTO, EMEA at Centrify

“The reality is that Twitter account passwords are typically shared among many people, and in all likelihood will be weak, memorable, easy to guess and written down somewhere making them easy to steal. This toxic combination of multiple people sharing the password, and the password itself being easily guessed or easily stolen makes it highly likely that incidents like this will occur.

Organisations using social media platforms must use solutions that ensure social media passwords are never distributed, and include role-based access control to ensure quick provisioning and de-provisioning of who is allowed or denied access. Identity-as-a-service solutions allow users to post from an account without knowing the password of the account and in addition, multi-factor authentication can also verify the user before allowing them to post on behalf of the organisation.”

Graham Cluley, We Live Security

“None of this would have allowed the hackers to gain access to the Twitter and YouTube accounts though if two factor authentication (2FA) had been enabled.

Twitter’s 2FA (known as login verification) requires users to not only give a username and password to connect to the site, but also requires users to enter a one-time password which is either sent to them in an SMS message to their mobile phone, or via a smartphone app like Google Authenticator.

The principle is that even if a hacker comes to learn your password, chances are that they don’t have access to your mobile phone and so will still not be able to access your account.

YouTube, like other Google services, also has two-factor authentication (although they call it two-step verification) which works in a similar way.

Frankly, you’re playing a dangerous game if you run social media accounts and aren’t using some form of 2FA to protect them – especially if the accounts represent an organisation or brand where reputational damage is possible.”
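The login verification the quote describes pairs the account password with a one-time code derived from a secret that only the server and the enrolled phone share. The block below is an added example, not code from the article or from Graham Cluley, showing the server side of that check: the RFC 4226/6238 HOTP/TOTP algorithm that apps such as Google Authenticator implement, plus a login routine that refuses a password on its own and consumes each code once. The password "centcom2015" and the base32 secret are constructed sample values.

```python
"""Password + TOTP login check (added example; RFC 4226 / RFC 6238)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30   # RFC 6238 default step in seconds
DIGITS = 6       # code length used by common authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, at_time // step)


class TwoFactorLogin:
    """Server side of a login that needs the password AND a fresh device code.

    A shared or leaked password is not enough on its own: the caller must
    also present the code the enrolled device generates for this time step.
    """

    def __init__(self, password: str, secret: bytes) -> None:
        self._password = password     # in production this would be a salted hash
        self._secret = secret
        self._last_counter = -1       # highest counter already accepted

    @classmethod
    def from_base32(cls, password: str, base32_secret: str) -> "TwoFactorLogin":
        """Enrol from the base32 string an authenticator app would scan."""
        return cls(password, base64.b32decode(base32_secret))

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._password, password)

    def check_code(self, code: str, at_time: int, window: int = 1) -> bool:
        """Accept the code for the current step or +/- `window` steps (clock
        skew), but never a counter at or below one already used (replay)."""
        current = at_time // TIME_STEP
        for counter in range(current - window, current + window + 1):
            if counter <= self._last_counter:
                continue
            if hmac.compare_digest(hotp(self._secret, counter), code):
                self._last_counter = counter
                return True
        return False

    def login(self, password: str, code: str, at_time: Optional[int] = None) -> bool:
        """Both factors must pass; the code is only consumed after the password."""
        if at_time is None:
            at_time = int(time.time())
        if not self.check_password(password):
            return False
        return self.check_code(code, at_time)


if __name__ == "__main__":
    # Constructed demo: a weak shared password and a sample secret.
    secret = base64.b32decode("JBSWY3DPEHPK3PXP")
    account = TwoFactorLogin("centcom2015", secret)
    now = int(time.time())
    print("password alone:", account.login("centcom2015", "000000", now))      # False
    code = totp(secret, now)
    print("password + device code:", account.login("centcom2015", code, now))  # True
    print("same code replayed:", account.login("centcom2015", code, now))      # False
```

The one-step window tolerates a phone clock that drifts by up to 30 seconds; the stored `_last_counter` means a code captured in transit cannot be presented a second time, even within that window.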

TK Keanini, CTO, Lancope

“This is a good step in the right direction but a baby step nonetheless.  The EU data breach proposal is much more complete as they have not only more timely reporting, but also meaningful penalties that are painful enough to change the behaviour of organisations.   The US desperately needed a national policy as the state by state made no sense.  As this proposal evolves we also need to call out details on encryption like they do in the EU proposal because data protection is best done via cryptography and we need to drive better habits in that realm.”

David Howorth, VP EMEA, Alert Logic

“The EU should take stock of the US and their breach notification laws, and learn from them. Bringing breach notification laws into Europe is a welcome move, but as 24/72 hours is such a short timeframe, it has the ability to scaremonger consumers and provide inaccurate information.

A breach ‘doesn’t just happen’ – there is a reconnaissance period where hackers try to infiltrate the network and check for weak links in the infrastructure to get a back-door in.  This can happen months before the attack is launched.  Then there is an attack phase, and post compromise phase.

Most companies who use threat detection and continuous monitoring tools, such as network intrusion detection, web application firewalls, log management or SIEM (either as standalone for their IT teams to support or as a managed service) have, via rich security content and security rules, events collected from failed logins, changes to admin permissions etc that can help them stay on top of vulnerabilities before they are exploited.  However, many companies don’t have the skills or teams in place to be able to analyse and understand what caused a breach AND fix it within 24 hours.

Some technologies will also take a breach out of scope – e.g. encryption – and so whilst consumers have the right to know their data has been compromised, they need solid facts around what happened, how it happened, what has been done to rectify it / stop it happening in the future and general consumer guidance on next steps (changing logins, passwords, credit cards etc).

This is just not possible in 24 hours.  Target, Sony, and many other high profile breaches just wouldn’t have had enough time to conduct a thorough investigation, forensics, remediation plan and guidance to their consumers within 24 hours.

In the case of the US, 30 days notification is the maximum amount of time that a company has to do their analysis, remediation and notification – companies obviously should strive to release this information as quickly as they have a solid update to give to their customers within this time frame.”
