Curious point about CNN’s Twitter account compromise

Tonight as I was kicking back in my seat reading reams of documentation, my flight winged its way to my destination. Little did I realize that on the ground far below was yet another case of the Syrian Electronic Army (SEA) compromising a prominent Twitter account. This time, the victim was none other than CNN. 

Oops.

The SEA is rather adept at tricking staffers for various outfits to fall for phishing attacks. So, here is a little more about them.

From the Akamai Blog via Bill Brenner (yes, I work there too),

Also during the second quarter, the Syrian Electronic Army (SEA) claimed responsibility for several attacks against news and media companies. The attacks all exploited tried-and-true spear-phishing tactics where internal email accounts were compromised and used to collect credentials and gain access to Twitter feeds, RSS feeds and other sensitive information. The attacks were designed to spread propaganda about the regime of Syrian President Bashar al-Assad, and they have indeed attracted plenty of media attention in recent months. 

Yes indeed. But, it is kind of curious that they stop there. They haven’t, at least publicly, admitted to anything more than committing the digital equivalent of throwing toilet paper on someone’s house.

My fellow blogger, Steve Ragan, has this to say on CSO:

While they mainly stick to spreading propaganda these days, it’s important to remember that the SEA isn’t above compromising information. In July 2013, the SEA went after Truecaller.com and compromised a user database. Truecaller confirmed the breach, and noted that Phishing was the root cause.

So this evenings debacle for CNN is another exercise in embarrassment. The SEA was able to compromise CNN’s Hootsuite account which the media giant use to manage their social media accounts.

I mused on social media that they probably neglected to have two factor authentication enabled. And for this, I was met by Jack Daniel’s apt response,

@gattaca @SteveD3 @CNN There is no viable 2FA for shared accounts, is there?

— Jack Daniel (@jack_daniel) January 24, 2014

Damn.

I know that Twitter has that ability for a single user account. After some spelunking through the tubes of the Internet I was rather surprised to find that this support does not presently exist. There are options like using third party products. Sadly, there aren’t many options as a result of Twitter’s walled garden approach to their API.

This passage comes to us from the DuoSecurity blog:

We’ve already seen Twitter roll-out an updated version of their two-factor authentication platform that supports a “push” method and public-key cryptography. This is a great step for usability but customers still aren’t as flexible as they may wish for shared accounts. Ideally, Twitter and other social media networks will continue to add functionality that enables flexible authentication for multiple users and then apply strong authentication to those features.

Hmm. If you build usable security, they will come. Why is there not the option for two factor authentication using group accounts yet? 

Anyone…?

(Image used under CC from LeeLeFever)