The embarrassing hijack of the United States Central Command Twitter and YouTube accounts on Monday by supporters of the Islamic State highlights a small but ever-present risk for government organisations.
But given the generally limited consequences of having a social media account taken over or a website defaced for, at most, a few hours, that risk is far outweighed by the massive benefits of social media.
The hack may have been a propaganda win for a high-profile enemy, but officials have been quick to hose down security fears. In a calm and measured response, CENTCOM reassured the public its sensitive military networks had not been compromised and that the incident had no operational impact.
Government 2.0 consultant Craig Thomler, who runs Delib Australia, says there are limitations to how secure you can make a Twitter, YouTube or Facebook account. “If somebody really wants to get into your account on these things, they’re going to be able to do it,” he told The Mandarin. “People are going to hack these services from time to time.”
As an illustration, a person or group called “AnonGhost” managed to deface up to nine Australian government websites last November, according to its boast, and at the time of writing one — the Boardlinks website — still displayed the message “Hacked by AnonGhost & Hamzah Uygun”. The same message was also posted on the Corangamite Catchment Authority page, and the Navy’s International Fleet Review website was also targeted.
CENTCOM hasn’t elaborated on how the attack happened, or whether its social media team had applied the highest possible security to the accounts, but reasonably strong security features and guides to using them are available from most major social media services, including Facebook, Twitter and Google.
All offer two-factor authentication, which requires both a password and a log-in code. In the case of Twitter the code is texted to a mobile phone, and for Facebook it is generated within the mobile app.
“While two-factor security is lovely for individuals, it’s a bit harder for organisations,” Thomler pointed out. “Whose phone number do you use? There’s not necessarily one person always running the account. The best way is to use a tool that lets you individually assign different users, but that doesn’t increase the security on your actual accounts, obviously.”
How the hackers can attack
So, while it isn’t possible to beef up the security, it is helpful to understand the methods attackers and vandals use. First up is brute force, basically just guessing a password over and over using a program to automate the process.
“The second way is they can do some kind of social engineering, where they basically find out who runs the account and they get some sort of key logger or some other malware onto one of their systems that they access the account through, and they record their password that way,” explained Thomler. “Or they find out personal information about them — things like kids’ names, birth dates, wedding anniversaries — and see if any of them are used as passwords.”
Social engineering in the information security context is basically a way of tricking people into revealing information about themselves or others, sometimes through impersonation or phishing emails, and it’s “the number one way” criminals get access to accounts, says Thomler.
“The other thing is they’ll find the weakest link,” he said. “What is the easiest account to hack? And that may be where the server has the least security. So for example with Twitter or YouTube, if one of those services actually didn’t have as strong security and you could break in there, you then might be able to use the information from that inside that account to access a whole bunch of other accounts.”
In the CENTCOM attack, it’s likely one of the two compromised accounts was accessed first, which made it much easier to get into the other. “So it’s a bit of a cascading effect,” explained Thomler. “You have to try to make sure you place the dominoes far enough apart so that if one goes down, the others don’t go down.”
We’re back! CENTCOM temporarily suspended its Twitter account after an act of cybervandalism. Read more: http://t.co/hiwvSp3uWt
— U.S. Central Command (@CENTCOM) January 13, 2015
And while social media sites may offer higher security features like biometric authentication in future — possibly at a cost — more security usually means less convenience.
“It’s always going to be a trade-off,” said Thomler. “Ultimately, the gain outweighs the risk. The security of the accounts is important, insofar as how somebody can use the account for their own purpose. A lot of government accounts are at very low risk of being hacked because there’s no value in somebody doing it; Central Command is a high-value target.
“I actually think it’s worse for an organisation to abandon a social media account, because if they abandon a social media account it can then be taken over by someone legitimately, and then they can legitimately use it to challenge the organisation or to post negative messages, or even to spam and defraud people.
“I’ve seen that with a few federal government and state government accounts. Either they amalgamated or changed the name of the department and the department didn’t simply change the name of its account, but it actually shut it down and started a new one.
“The free account name is then up for grabs — and anybody can grab it.”