NetSPI Information Security Consulting
NetSPI Blog

Posts Tagged ‘Twitter’

Hacking Twitter for Fun (and Profit?)

Friday, September 16th, 2011

Just last week, on the eve of the tenth anniversary of the 9/11 attacks, NBC News’ Twitter account was hacked by a group calling itself The Script Kiddies. Posing as NBC News, The Script Kiddies falsely tweeted that an airliner had been hijacked and flown into the Ground Zero site in New York City. This is the second such attack perpetrated by The Script Kiddies, the first being a July 4 hack of the Fox News Twitter account claiming that President Obama had been assassinated. In both cases, the spurious posts were quickly removed by Twitter and the news agencies.

Traditionally, hackers have chosen their targets in order to either profit financially or make a political statement (never mind the advanced persistent threats represented by nation states and powerful criminal organizations); recent publicized attacks demonstrate this. Fame and reputation have always been motivators for hackers but, in recent years, business-savvy blackhats seem to have outnumbered the jesters of the digital underground by a wide margin. Twitter hacks are hardly uncommon and generally seem to be done more for amusement than for any truly nefarious purpose, but they mostly slip by unnoticed aside from a handful of celebrity victims and entertainment reporters. As far as I can tell, the NBC and Fox attacks are no different in terms of motivation, but the side effects are much more serious. Cyber terrorism has been a buzz topic for some time now and, while false news reports may rank relatively low on the impact scale, it is probably only a matter of time before this sort of event occurs specifically in order to incite panic in the general population. That would be a real paradigm shift but I don’t know that we’re there yet. These attacks appear to serve no obvious purpose beyond self-promotion.


Social Media and Corporate Guidance

Tuesday, August 11th, 2009

One of the common themes I took away from the 2009 Blackhat Briefings was the inherent security risk associated with using social media and networking sites. (These concerns have also received some coverage in trade publications; see, for example, a recent Computerworld article: http://tinyurl.com/mc7yb8)

Social media applications are not just a personal computing trend; they have also become integrated into our corporate cultures. Many organizations are using these sites for corporate marketing, file sharing, communications, and recruiting. In the past, the corporate policy of most organizations was not to post resumes online, not to use your corporate email account as your username to access a website, and not to post pictures from the company holiday party on a website (at least the potentially incriminating ones). Now, corporations are eager to get the word out about how great it is to work there, to connect with employees, to find out what events they will be attending, and even to post opinionated blog entries such as this one. While these applications can open great new doors, they need some associated corporate guidance.

I say guidance because a more explicit security policy regarding usage of Twitter, LinkedIn, or Facebook is likely to be unenforceable. Employees may refrain from using corporate accounts for these applications, but if they like them, they will find ways to use them. Here are some basic guidance points that you may consider in your next security-awareness email.

  1. When using social media sites, be sure to use different passwords for different sites, and never use your corporate password. These sites have varying password reset controls; don’t let a breach of one account impact all your accounts.
  2. Remember, in the case of company documents, if it’s not meant for the company’s public website, it probably isn’t meant to be shared on someone else’s, even if they told you it is secure. Watch out for sites like Google Docs or yammer.com that create a perception of privacy and security. Let your security team determine acceptable sites.
  3. There are a couple of key items that you should never post publicly, such as your birth date, social security number, or employee ID. If the site requires such data, consider making something up or ensuring it’s not displayed in a public profile.
  4. There are certain items that companies don’t technically classify as confidential, yet keeping them secret and off the social networking sites is a good thing. These could include rumors, planned purchases, technology used, and projects you’re working on. Posting your job history may be OK, but for current activities, just keep it generic.