Don't Just Blame Twitter: How the AP Could Have Kept From Getting Hacked

Yes, Twitter needs two-step verification. But the newswire wasn't helpless, either.

Brian Fung
April 23, 2013

If you try to view the Associated Press' Twitter account right now -- Tuesday afternoon -- you'll find that it's been suspended. That's because a short while ago, the news wire was hacked -- allegedly by the Syrian Electronic Army -- and the account sent out a bit of fake news suggesting that two bombs had gone off in the White House and that President Obama was injured in the twin blasts.

Here in Washington, everything is proceeding normally. On Wall Street, however, it's a different story. The "news" sent markets tumbling 1 percent "in a matter of seconds." (They quickly recovered.)

 

Preventing the AP's Twitter credentials from falling into rogue hands would have been simple if the service offered what's called two-step verification or two-factor authentication, where, in order to log in, users have to enter a secret code sent to them by a different means, say a text message, in addition to their standard username and password. As my colleague Christopher Mims alludes, it's crazy that Google, Dropbox and Microsoft all offer the feature but some of the Web's most widely used services, such as Twitter and Evernote, still don't. If you're looking for a complete list of services that do let you enable two-step verification, Lifehacker's got a comprehensive one.
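To make the mechanism concrete, here is a sketch of the server side of a two-step login, added as an illustration and not taken from Twitter or any service named in this article. The account, function names, five-minute lifetime and three-guess limit are all assumptions; the point is that a stolen password alone only triggers a code on the owner's phone and never yields a session.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300       # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 3     # wrong guesses allowed per code (assumed value)
_SALT = b"constructed-salt"
# Constructed sample account; a real service uses a per-user salt and a slow hash.
USERS = {"newsdesk": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
PENDING = {}         # username -> [code, expires_at, attempts_left]


def check_password(user, password):
    stored = USERS.get(user)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return stored is not None and hmac.compare_digest(stored, candidate)


def start_login(user, password, send_code, now=None):
    """Step 1: a correct password only triggers a code on a second channel."""
    now = time.time() if now is None else now
    if not check_password(user, password):
        return False
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[user] = [code, now + CODE_TTL, MAX_ATTEMPTS]
    send_code(user, code)  # e.g. a text message to the enrolled phone
    return True


def finish_login(user, code, now=None):
    """Step 2: grant a session only for a fresh, unused, matching code."""
    now = time.time() if now is None else now
    entry = PENDING.get(user)
    if entry is None:
        return False
    expected, expires_at, _ = entry
    if now > expires_at:
        del PENDING[user]          # expired codes are discarded
        return False
    if hmac.compare_digest(expected.encode(), code.encode()):
        del PENDING[user]          # single use: a replayed code fails
        return True
    entry[2] -= 1
    if entry[2] <= 0:
        del PENDING[user]          # too many guesses: start over from step 1
    return False
```
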

But even if the AP's Twitter creds were locked down tight, that still leaves the matter of how the hackers got access to the AP's data in the first place. The AP's Mike Baker reported that just before the Twitter hack took place, employees at the news organization received what appeared to be an "impressively disguised" phishing attack. If that's true, then somebody at the AP was duped into clicking a link or opening an attachment that contained a nasty piece of malware letting the hackers in. And that's problematic in itself -- even if the bad guys couldn't get from there into the company Twitter account, they could have broken into other emails, finding reporters' names and potentially their sources.

The AP's brush with the Internet underbelly highlights the importance of not just social-media password security, but the company's operational security writ large. Phishing attacks are among the most common types of cyber intrusions precisely because all you need to do is trick one person out of a company of tens or hundreds of thousands into making a couple wrong steps. Seeing as few as three fraudulent emails is usually enough to get someone to click when they shouldn't, according to Verizon's just-released data breach investigations report.

How do you defend against that kind of threat? One way is to run exercises on unsuspecting employees. It sounds silly to liken cyberdefense to civil defense drills, but that's exactly what one prominent defense contractor has been doing to its workers on purpose -- over and over again. Twitter needs to step up the way it protects users, and especially organizations that are in the public eye. But neither was the AP exactly helpless in this situation.
