December 22, 2024

The Caucus: Hacked A.P. Twitter Feed Jars Markets

Hackers hijacked the Twitter account for The Associated Press on Tuesday and sent out an erroneous message reporting explosions at the White House that injured President Obama.

Within minutes, Jay Carney, Mr. Obama’s press secretary, confirmed that the president was unharmed, and Julie Pace, the chief White House correspondent for The A.P., announced at a White House briefing that the account had been hacked.

Twitter suspended the account but by then the post had already moved markets. The Dow Jones industrial average abruptly plummeted more than 150 points, then surged back after it became clear there had been no incident.

A group calling itself the Syrian Electronic Army claimed responsibility for the attack. The group’s Twitter account is linked to the Web site Syrianelectronicarmy.com, an Arabic language Web site that broadcasts what the group says are its latest computer attacks. Even as the Twitter accounts for @AP and @AP_Mobile were suspended Tuesday afternoon, the Syrian Electronic Army was posting.

The A.P.’s account was the sixth prominent Twitter account to be hacked in recent months. On Saturday, three CBS-affiliated Twitter accounts were hacked and used to post suspicious links.

Hackers, saying they were part of the Syrian Electronic Army, claimed responsibility for hacking several NPR Twitter accounts last week as well as BBC Twitter accounts last month.

The episodes raise questions about the security of social media passwords and the ease of access to brand-name accounts. Logging on to Twitter requires the same process for a company as for a consumer — just a user name and one password.

Security experts say Twitter could do more. The company has yet to offer its users two-factor authentication, a service that texts a second login PIN to users’ mobile phones, to keep attackers from hijacking their accounts with a single, stolen password.

Microsoft rolled out two-factor authentication last week. Apple added it in March. Both Google and Facebook have offered the service for years.

“It’s a very established baseline,” said Mark Risher, co-founder of Imperium, a Silicon Valley start-up that aims to help social networks. “But there are costs, and user friction is introduced. You could put four deadbolts on your front door, but it’s going to be a pain every time you go to the drugstore. That said, why not offer it? I don’t have a good answer for that.”

Officials at Twitter did not return requests for comment. In the past, the company has said that security is something it does not take lightly. Twitter has automatic and manual controls to help identify malicious content on the site, and last year Twitter sued those responsible for five of the most-used spamming tools on the site.

But preventing hacking and identifying fake accounts continues to be more art than science. Security researchers estimate that as many as 20 million Twitter accounts on the platform are fakes, and real accounts continue to be catnip for hackers.

Security experts also say it is not clear whether two-factor authentication would have prevented the attack on The A.P.’s account. Paul Colford, a spokesman for The A.P., said the hacking incident was preceded by a “phishing” attempt on The A.P.’s corporate e-mail network. Employees had been sent e-mails with malicious links or attachments that, once clicked, would give an attacker a foothold.

“In the case of a phishing message, two-factor authentication would not eliminate the problem,” Mr. Risher said. “There are ways to circumvent this. I could create a fake Web page for Twitter and ask you to enter your user credentials.”

Mr. Colford said the phishing attempt had been blocked, raising the question of how hackers had grabbed credentials for the account.


This post has been revised to reflect the following correction:

Correction: April 23, 2013

An earlier version of this story incorrectly attributed a statement about a phishing attempt on The A.P.’s corporate e-mail system to a spokeswoman for the news organization. That person, an employee of The A.P., was not authorized to speak for the organization.

Article source: http://thecaucus.blogs.nytimes.com/2013/04/23/hacked-a-p-twitter-feed-sends-erroneous-message-about-explosions-at-white-house/?partner=rss&emc=rss