Security pro on Twitter hacks: "No patch for human error"
For a few seconds on Tuesday, followers of the Associated Press' Twitter account were scrambling to verify a tweet that claimed there were two explosions at the White House and that President Obama was injured.
The president was not injured and there were no explosions at the White House.
At the top of the daily White House press briefing a short time later, AP chief White House correspondent Julie Pace was given the floor and said that the news organization's Twitter account was hacked and that it was being looked into. White House press secretary Jay Carney confirmed to reporters that the president was fine.
The false tweet had far-reaching effects. The Dow Jones Industrial Average took a brief, sharp dive. And the government is not taking the breach lightly. According to Bloomberg, Secret Service spokesman Ed Donovan said the agency is aware of the incident, will monitor it and will follow-up appropriately.
The AP isn't the only recent high-profile target of Twitter hackers. Previously, the Twitter accounts of the International Federation of Association Football (FIFA) and BBC Weather were both hacked. Over the weekend, CBS News confirmed that its "60 Minutes" and "48 Hours" Twitter accounts were compromised.
A hacking group going by the name of the Syrian Electric Army has claimed that they are responsible for the breaches. Typically, the hackers spread political messages and misinformation.
"People are gunning for the media because that's a great way to spread a message," Sophos senior security advisor Chester Wisniewski told CBSNews.com.
Wisniewski believes that the AP hack highlights a serious problem: Twitter's lack of two-step authentication. Verified accounts -- those belonging to famous people or organizations to which Twitter adds a check mark because of the volume of parody accounts -- are particularly in need of this. As we saw from Tuesday's event, just one tweet can affect global financial markets.
Hacking news organizations and high-profile accounts isn't new. Earlier this year, The New York Times, The Wall Street Journal, Twitter, Facebook and Apple all said their security was breached by hackers. Security experts said then that it was nothing new and will likely continue.
"Basically the main difference in these strings of cyberattacks isn't the volume or frequency of the attacks but the fact that they're being publicly disclosed by the companies," Kurt Baumgartner, senior security researcher at Kaspersky Lab, told CBSNews.com in February.
Aside from Twitter adding two-step authentication, Wisniewski thinks that having proper attribution is also important. In the case of corporate accounts, there could be several people holding the password for one account.
Sophos previously reported in a blog post that Twitter might start to implement a two-step authentication, based on information gleaned from job listings posted in February. According to Wired, Twitter has finished developing the feature and is getting ready to roll it out to a select amount of users.
Even if Twitter offers this feature, security experts say that often times in these cases it comes down to human error. The AP originally reported that a "phishing email may have compromised their Twitter account.
In many of these cases, hackers use a method called spear phishing, which are messages personalized to make the victim trust that the email is authentic. Hackers use the information from one target to access a high-value target's computer. Personalized emails create a level of believability that puts people's guards down.
"In the case of Facebook and Apple, in addition to the high value systems the attackers were after, the attacks connecting these infected websites infected unintended individual consumer computers/workstations," Baumgartner said. Having access to individual accounts adds credibility to a spear phishing email by using personal data that may be obtained.
"The consumer is then used as a pawn since the spear phish is sent in their name, which increases the likelihood that the high-value target will open the email. The spear phish maintains malware inside it which enables the attackers to compromise the computer and gain access to the high-value target's computer and network. In other words, all of the folks visiting these sites may provide some unexpected value to the attackers," Baumgartner said.
- Are cyberattacks a sign of things to come?
- New York Times: Chinese hackers attacked our computers for months
- Chinese cyberattacks prompt U.S. to beef up Pentagon security
"It comes back to the same old advice -- whether it was phishing or malware -- the only way you can be safe from that is never click a link and never enter a password. Only way to be safe is to always be suspicious," Wisniewski says.
Although companies may release security patches or offer additional authentication measures, people should still be skeptical of suspicious emails or behavior.
"There's no patch for human error," Wisniewski says.
