A group claiming to be part of ISIS hacked the US Central Command Twitter profile today in an act of "cyber terrorism". While the attackers were in control of this account they made threats and posted documents with "sensitive military information".
There are a few very important things to note:
- The information posted, in many cases, was already released. Often it was previously available to the public if you knew how to request it or where to look.
- Hacking a Twitter account is hardly a feat available to only the most "1337" of hackers. (He says while double checking his two-factor auth for his Twitter accounts.)
- Twitter is not a DoD network or system. It's Twitter; let's not make this out to be a break-in at the National Archives.
- United States Central Command is located in Tampa, FL. Tampa was recently named the most hacked city in the United States. Coincidence? Probably, but these stories right next to each other provide some humor.
There are, however, a few serious concerns, and they aren't items I see making the rounds in news posts.
- I would hope that US Central Command would realize their Twitter account was at least as hackable as these celebrities.
- I've heard no confirmation of two-factor authentication being used, which is available to anyone with a phone and a Twitter account for free.
- Why do these accounts exist in the first place? Is there a public outcry for tweets from Central Command about their goings-on? #InternationalMilitaryCollaboration #WhereMyAlliesAt
- How did they do it? We may never really know. Password resets are tied to email accounts with wildly varying reset processes and security questions. A breach of the email account used for password reset is as good as a breach of the targeted system. Let this story of account access spiraling out of control serve as a cautionary tale.
What I would bet on is this:
- Somewhere the person in charge of this account is at a table having a terrible, horrible, no good, very bad day.
- The person on the other side of the table is ordering someone in DoD telecom to issue a Blackberry that stays locked in a safe at CentCom. This Blackberry will be used just for two-factor Twitter authentication.
- A team of very serious people is combing through a mountain of log files to determine the source of the unauthorized account access.
In the end... this is a prank. There is egg and that egg is located on someone's face. There is no real danger beyond the shame of a major military organization having their Twitter "pwned".
What can you do to secure your Twitter feed?
- Set a secure password and store it somewhere safe.
- Set up two-factor authentication for Twitter.
- Only log in on trusted devices and networks. Avoid "Free WiFi" when possible.
- NEVER log in on computers in hotel business centers or Internet kiosks in public areas. These systems are prone to have malware designed to steal your passwords.
- Never use the same password across different accounts. Once one account is compromised, they all are. Your Twitter account may be two-factor, but are all the websites where you use that password enabled for two-factor authentication?
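
An added example, not part of the original post: a small audit of your own account inventory that follows the two paths described above, a reused password and a password-reset e-mail chain. The account names, field names and the takeover model are assumptions made for illustration.

```python
# Constructed inventory of hypothetical accounts. "pw" is only a label
# meaning "same password as"; never store the passwords themselves here.
INVENTORY = {
    "work-email":     {"reset_via": None,             "pw": "A", "two_factor": True},
    "personal-email": {"reset_via": None,             "pw": "B", "two_factor": False},
    "twitter":        {"reset_via": "personal-email", "pw": "C", "two_factor": True},
    "forum":          {"reset_via": "personal-email", "pw": "B", "two_factor": False},
    "bank":           {"reset_via": "work-email",     "pw": "D", "two_factor": True},
}


def blast_radius(inventory, first_breach):
    """Return every account that falls once `first_breach` is compromised.

    Assumed model: the first breach leaks that account's password, which
    opens every account reusing it unless two-factor is on; control of a
    reset mailbox opens every account that resets through it.
    """
    leaked_pw = inventory[first_breach]["pw"]
    fallen = {first_breach}
    changed = True
    while changed:  # repeat until no further account falls
        changed = False
        for name, acct in inventory.items():
            if name in fallen:
                continue
            via_reset = acct["reset_via"] in fallen
            via_reuse = acct["pw"] == leaked_pw and not acct["two_factor"]
            if via_reset or via_reuse:
                fallen.add(name)
                changed = True
    return fallen


def audit(inventory):
    """Map each account to the other accounts its breach would expose."""
    return {name: sorted(blast_radius(inventory, name) - {name})
            for name in inventory}


if __name__ == "__main__":
    for name, exposed in audit(INVENTORY).items():
        print(f"{name:15} -> {', '.join(exposed) or 'nothing else'}")
```

In this constructed inventory the low-value forum account is the weak point: its password is reused on the personal mailbox, and that mailbox resets the two-factor Twitter account.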
Remember, reputation is just as important as information. Protect your accounts even if the information stored on them is low value. Someone could use that access against you and harm your reputation. Just ask @centcom.