As Its Influence Grows, Twitter Becomes A Hacking Target

Apr 24, 2013
Originally published on April 25, 2013 1:57 pm

In recent weeks, the Associated Press, NPR and the BBC have all had their Twitter accounts hijacked. Hacks of high-profile accounts have real-world consequences, and the security at Twitter is coming under increased scrutiny.

As the social media platform has become an essential news and communication platform globally, it has also become a honey pot for hackers. It's so deliciously attractive, they can't seem to resist.

"I think more than something about Twitter's security is the fact it's so desirable as a platform because you get this instant, real-time access to a very, very large audience," says Mark Risher, founder and CEO of Impermium, which specializes in protecting social media accounts.

"It's very tempting," he says. "It's almost irresistible to these remote hackers who are able to operate really anywhere in the world and just continue these deliberate, concerted efforts to break into specific accounts."

A successful hack of the right Twitter account can make news — such as when the AP's account was used to send a false message that sent the stock market into a brief nosedive Tuesday.

The Syrian Electronic Army claimed responsibility for the AP Twitter hack, in which a bogus tweet said there had been explosions at the White House. Last week, the same group hacked into several of NPR's accounts.

The attack against AP began with a cleverly disguised email to staffers that included a malicious link.

"Phishing messages have become much more convincing, much more realistic than those old Nigerian oil minister who wants to give you $25 million," Risher says. "And maybe most importantly they're coming from reputable channels, or at least look like they do."

If hackers compromise a computer and either steal a Twitter password or trick someone into giving that password up, they're in. That's all it takes. And Scott Behrens, senior security consultant at Neohapsis Labs, says it's not just media companies that need to be concerned.

"Imagine if an attacker compromised a Twitter feed for, say, a medical company and tweeted something about a new drug or a partnership. That could cause once again turmoil in the stock market," Behrens says.

Some simple steps could make attacks like these more difficult.

"There may be some room for Twitter to improve by adding additional technologies around logging in, such as two-factor authentication," Behrens says.

With two-factor authentication, a hacker who logs in from an unknown location would need more than a stolen password. He or she would also need a one-time code sent by Twitter — delivered to a cellphone or a secure email address — before getting in.

This approach isn't foolproof, but Twitter has hired engineers to begin rolling it out.

Still, Behrens says the primary responsibility for keeping social media accounts secure rests with the people and institutions that use them. And many need better passwords, better practices and better defenses against hackers.

Copyright 2013 NPR. To see more, visit http://www.npr.org/.

Transcript

AUDIE CORNISH, HOST:

From NPR News, this is ALL THINGS CONSIDERED. I'm Audie Cornish.

ROBERT SIEGEL, HOST:

And I'm Robert Siegel.

In recent weeks, NPR, the Associated Press, the BBC and Al-Jazeera have all had their Twitter accounts hijacked. Twitter has become a widely used communications platform. Last week, for instance, the Boston Police Department relied on its account to send updates to the world, so hacks of high-profile accounts have real world consequences. And as NPR's Steve Henn reports, security at Twitter is facing serious scrutiny.

STEVE HENN, BYLINE: Twitter has become a honey pot for hackers. It's so deliciously attractive, they can't seem to resist.

MARK RISHER: I think more than something about Twitter's security is the fact that it's so desirable as a platform because you get this instant, real-time access to a very, very large audience.

HENN: Mark Risher is the founder and CEO of Impermium. Risher's firm specializes in protecting social media accounts.

RISHER: It's very tempting. It's almost irresistible to these remote hackers who are able to operate from really anywhere in the world and just continue these deliberate, concerted efforts to break into specific accounts.

HENN: A successful hack on the right Twitter account can make news. Here's Bloomberg TV yesterday.

(SOUNDBITE OF BLOOMBERG TV BROADCAST)

UNIDENTIFIED MAN: AP's White House correspondent says their Twitter account was hacked. But the markets fell about 150 points for the Dow Jones Industrials in just seconds.

HENN: The Syrian Electronic Army claimed responsibility for the hack and posted a bogus message saying there had been an attack on the White House. Last week, the same group hacked into several of NPR's own accounts. The AP attacks began with a cleverly disguised email to staffers that included a malicious link.

RISHER: Phishing messages have become much more convincing and much more realistic than those old, you know, Nigerian oil minister who wants to give you $25 million dollars and maybe, most importantly, they're coming from reputable channels or at least...

HENN: ...look like they do. If hackers compromise a computer and either steal a Twitter password or trick someone into giving that password up, that's it. They're in. That's all it takes. And Scott Behrens at Neohapsis Labs says it's not just media companies that need to be concerned.

SCOTT BEHRENS: Imagine if an attacker compromised a Twitter feed for, say, a medical company and tweeted something about a new drug or a partnership. That could cause, once again, turmoil in the stock market.

HENN: There are some simple steps that could make attacks like these more difficult.

BEHRENS: There may be some room for Twitter to improve by adding additional technologies around logging in such as two-factor authentication.

HENN: If you are using two-factor ID, hackers who log in from an unknown location don't just need a stolen password. The hackers also need a one-time code sent by Twitter to, say, a cellphone or a secure e-mail address before they can get in. This approach isn't foolproof, but Twitter has hired engineers to begin rolling it out. Still, Scott Behrens says the primary responsibility for keeping social media accounts secure rests with the people and institutions that use them. And many need better passwords, better practices and better defenses against hackers. Steve Henn, NPR News, Silicon Valley.

Transcript provided by NPR, Copyright NPR.