Fox hackers exploit slow Twitter response
- 07 July, 2011 08:59
The recent hijacking and misuse of a Fox News Twitter account by unknown attackers highlights some of the risks enterprises face when using social networking and related services.
Over a period of five and a half hours on Monday morning someone using a hijacked Fox News Twitter account posted a series of false tweets grimly proclaiming that President barack Obama had been the assassinated.
The incident is currently under investigation by the U.S. Secret Service.
According to a source close to the matter, the network informed Twitter that its account had been hijacked as soon as false tweets were discovered on Monday morning.
Administrators could not get into the account because the password had been changed and the hackers disabled the "change password" function. The sources said that Fox personnel could only wait and watch hackers use the account in the five and a half hours it took for Twitter to respond.
At that point, Twitter suspended the account and returned control to Fox personnel, who immediately deleted tweets posted by the hijackers.
"The network was not in control of the account once it was hacked and Twitter was unreachable until late morning eastern time yesterday," said Jeff Misenti, vice president and general manager of Fox News Digital, in a statement on Monday. "The tweets were taken down as soon as Twitter gave back control of the account to the network."
Misenti said he has asked Twitter to investigate how the incident occurred and to come up with a plan to prevent similar unauthorized access.
Twitter did not respond to a request for comment on the incident.
The Fox incident is just the latest Twitter account to be hijacked by hackers. Earlier this week, in fact, a U.K Twitter account of PayPal was taken over and was used to send angry tweets against the service.
In the PayPal case , it took more than two hours for the tweets to be removed. It's not immediately clear whether PayPal was slow in notifying Twitter or the latter's response was slow.
PayPal officials could not be reached for comment on the incident.
The Fox and PayPal incidents are but two examples of the risks that the use of social services like Twitter can pose to companies, said Rich Mogull an analyst at Securosis.
"If you are large enough, talk to your provider ahead of time to understand how to report a problem, and who to report it to," Mogull suggested.
"Make contact, get a name, and establish a validation process to prove you are the owner of the account in an incident," he added. "The last thing you want to be doing is hanging around for a help desk person to see your request in the queue."
Companies using social media for business purposes also need to restrict access to the accounts, he said.
Chester Wisniewski, a senior security advisor at Sophos, said accounts are more easily hijacked when companies have weak password policies.
Though it's not yet clear what happened in the case of Fox News, Twitter hackers generally take advantage of easy-to-guess passwords, reused passwords or passwords that are shared among many people, he said.
Wisniewski also stressed that social networks like Twitter have an obligation to help ensure its accounts are secure. Even though the service is free and Twitter makes no guarantees about security, it should offer verified Twitter account holders some way to quickly address security problems, he said.
Twitter needs to consider offering some sort of back-channel mechanism for verified account holders to report problems.
The micro blogging service might also want to consider offering verified account holders such as Fox News a way to lock the email address associated with their Twitter account so as to prevent unauthorized users from changing it, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan , or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com .
Read more about security in Computerworld's Security Topic Center.