Ways AP Could Have Avoided Its Twitter Hack

A single tweet with a phony bit of news sent the stock market into a brief dive Tuesday, pushing the Dow Jones Industrial Average down more than 140 points in the three minutes from 1:07 to 1:10 p.m. ET. When the “news” — that two bombs had exploded in the White House, injuring the president — was debunked, the market regained its footing.


Of course, phony information blasts out through Twitter all the time. The difference here is that the tweet came from a reliable source — @AP, the account of the Associated Press. A group called the Syrian Electronic Army claims to be behind it.

Although USA Today called the hack “trivial,” I think Charles McColgan, the CTO of security provider TeleSign, is closer to the truth: “This compromise had the largest financial impact of any Twitter attack to date,” he said in an email to me.

What exactly happened? It seems that several AP employees were spear-phished: they opened bogus emails, malware was installed on their computers, and that gave the SEA a foothold on the internal AP network.

Down This Road Before

This isn’t the first time we’ve heard from the SEA. In the past, it’s broken into the Twitter and Web accounts of Al Jazeera, BBC, Reuters, CBS News, NPR and the Qatar Foundation. Not only has the group been at odds with these news organizations, it’s got a beef with Twitter as well: The SEA’s had at least five previous accounts shut down as a result of its exploits.

Twitter and other social networks are targets of opportunity right now, because their reach is so broad and so immediately felt. “Nothing today is better than compromising a social target,” James Foster, the CEO of security vendor Riskive, told me in an email. “Social platforms are the new ‘sexy hacker target.’ This won’t change anytime soon.”

Simple Countermeasures

One hopes that this latest assault will push Twitter to adopt stronger security practices, such as offering two-factor authentication for all of its accounts, something Wired reports is in the works. “Google and Microsoft are now starting to offer this option since they have begun to fully embrace the fact that a user name and password simply aren’t sufficient to protect online accounts,” McColgan notes.

However, some analysts, such as Aaron Higbee from the PhishMe blog, feel that two-factor authentication wouldn’t have helped AP avoid this most recent attack. There is a real argument for that view: malware already running on an employee’s machine can ride along on a session the legitimate user has just authenticated, second factor and all. It’s hard to say whether he’s right about this case, but certainly Twitter needs to get in front of these attacks and improve its security. Higbee’s conclusion is certainly accurate: “As long as users fall for these tactics, adversaries will develop tactics to trick users into leading them around technical security layers.”

While two-factor authentication and similar mechanisms won’t stop every attack, they can be a big help, especially since employees are continually tempted to open spurious emails and inadvertently download malware. In the meantime, keep emphasizing to your users the importance of being extra vigilant when reading their email. You might also put in place the following measures, particularly if you’re a highly visible organization like the AP:

  • Limit the total number of people who can post to your corporate Twitter account, and keep that list written down so you can check against it.
  • Implement a firewall rule that blocks browser access to Twitter’s website from your internal network, so the only route to the account is the dedicated posting tool. (The AP used a separate program, not the website, to post its tweets.)
  • Log all Twitter access and periodically review the entries to confirm that the two measures above are actually being enforced.
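The third measure is only useful if somebody actually reads the logs with the first two in mind. The script below is an added example, not code from the article or from the AP: it runs the review over a handful of constructed proxy-log lines, flagging any browser access to Twitter's website from the internal network (the firewall rule is not working), any API post by a user outside the approved list (the access limit is not working), and any post from an approved user that did not come through the dedicated posting tool (a sign the account credentials may be in use elsewhere). The log format, the internal address range, the approved user names and the posting tool's user-agent string are all assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed log format (constructed for this example; adjust to your proxy):
#   <timestamp> <client-ip> <user> <method> <url> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) '
    r'(?P<url>\S+) "(?P<ua>[^"]*)"$'
)

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate range
WEB_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com"}
API_HOSTS = {"api.twitter.com"}

# Measure 1: the short list of people allowed to post, and the dedicated
# posting tool they are expected to use (both names are constructed).
APPROVED_POSTERS = {"social-desk", "newsroom-editor"}
APPROVED_AGENT = "NewsPoster/1.0"

# Constructed sample log: one clean post, a browser login to the website,
# a post by someone not on the list, and an approved user posting from
# an unexpected client.
SAMPLE_LOG = """\
2013-04-23T13:02:11Z 10.1.4.22 social-desk POST https://api.twitter.com/1.1/statuses/update.json "NewsPoster/1.0"
2013-04-23T13:04:50Z 10.1.9.7 jdoe GET https://twitter.com/ "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"
2013-04-23T13:05:02Z 10.1.9.7 jdoe POST https://twitter.com/sessions "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"
2013-04-23T13:06:30Z 10.1.4.40 intern POST https://api.twitter.com/1.1/statuses/update.json "NewsPoster/1.0"
2013-04-23T13:07:15Z 10.1.4.22 social-desk POST https://api.twitter.com/1.1/statuses/update.json "python-requests/1.2"
2013-04-23T13:08:00Z 10.1.5.3 jdoe GET https://www.example.com/ "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def review(log_text):
    """Return (findings, posters).

    findings: list of (timestamp, user, reason, detail) tuples, one per
              entry that violates one of the measures.
    posters:  count of API posts per user, for comparison against the
              approved list during the periodic review.
    """
    findings = []
    posters = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["host"]:
            continue
        host = rec["host"]
        if host not in WEB_HOSTS and host not in API_HOSTS:
            continue  # not Twitter traffic, out of scope
        try:
            internal = ipaddress.ip_address(rec["ip"]) in INTERNAL_NET
        except ValueError:
            internal = False
        # Measure 2: the website should be unreachable from inside.
        if host in WEB_HOSTS and internal:
            findings.append((rec["ts"], rec["user"], "web-ui-access", rec["url"]))
            continue
        if host in API_HOSTS:
            posters[rec["user"]] = posters.get(rec["user"], 0) + 1
            # Measure 1: only the approved people may post.
            if rec["user"] not in APPROVED_POSTERS:
                findings.append((rec["ts"], rec["user"], "unapproved-poster", rec["url"]))
            # Approved user, but not via the dedicated tool: worth a look.
            elif rec["ua"] != APPROVED_AGENT:
                findings.append((rec["ts"], rec["user"], "unexpected-client", rec["ua"]))
    return findings, posters


if __name__ == "__main__":
    found, counts = review(SAMPLE_LOG)
    for ts, user, reason, detail in found:
        print(f"{ts} {user:14} {reason:18} {detail}")
    print("API posts per user:", counts)
```

Run against the sample, the review reports the two browser hits on twitter.com, the post by the unapproved user and the approved user's post from a non-standard client, and leaves the clean post and the unrelated web traffic alone. The point of the per-user count is the same as the list itself: if a name shows up there that nobody on the social desk recognises, the access limit has slipped.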

There’s nothing earth-shattering about those steps, but we all know sometimes the most obvious approach can be the most effective.