Don't Just Blame Twitter: How the AP Could Have Kept From Getting Hacked

Brian Fung
National Journal

If you try to view the Associated Press' Twitter account right now--Tuesday afternoon--you'll find that it has been suspended. That's because a short while ago the news wire was hacked — allegedly by the Syrian Electronic Army — and the account sent out a bit of fake news suggesting that two bombs had gone off in the White House and that President Obama had been injured in the twin blasts.

That is a bogus @ap tweet.

— AP CorpComm (@AP_CorpComm) April 23, 2013

Here in Washington, everything is proceeding normally. On Wall Street, however, it's a different story. The "news" sent markets tumbling 1 percent "in a matter of seconds." (They quickly recovered.)

Preventing the AP's Twitter credentials from falling into rogue hands would have been simple if the service offered what's called two-step verification or two-factor authentication, where, in order to log in, users must enter a secret code sent to them by a different means, say a text message, in addition to their standard username and password. As my colleague Christopher Mims notes, it's crazy that Google, Dropbox and Microsoft all offer the feature but some of the Web's most widely used services, such as Twitter and Evernote, still don't. If you're looking for a complete list of services that do let you enable two-step verification, Lifehacker has a comprehensive one.
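To make concrete what the second step actually buys a defender, here is an added example of the server side of such a login flow. It is illustrative code written for this article, not Twitter's, the AP's, or any vendor's implementation, and it assumes an in-memory user store, a constructed sample account, and a hypothetical `send_code` stub standing in for the text-message or app channel. The point it demonstrates is that a stolen password alone (the phishing outcome described below) is not enough: the one-time code is bound to a single login attempt, expires, is consumed on first use, and is withdrawn after a few wrong guesses.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed sample user store: passwords are kept as salted PBKDF2 hashes,
# never in clear. Keys are usernames; values are (salt, hash).
_PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
    return salt, digest


USERS = {"ap_newsdesk": hash_password("correct horse battery staple")}  # constructed account

# Pending second-step challenges, one per login attempt, keyed by an opaque
# attempt id so the code is tied to the session that began the login.
PENDING = {}
CODE_TTL_SECONDS = 300
MAX_CODE_ATTEMPTS = 3


def send_code(username: str, code: str) -> None:
    """Hypothetical out-of-band delivery (SMS, authenticator app, etc.).
    A real deployment would hand the code to the messaging provider here."""
    return None


def begin_login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Step 1: verify the password. On success, issue a single-use code,
    deliver it out of band and return an attempt id. Returns None on failure."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        # Hash anyway so response time does not reveal whether the user exists.
        hash_password(password, b"\x00" * 16)
        return None
    salt, stored = record
    _, candidate = hash_password(password, salt)
    if not hmac.compare_digest(candidate, stored):
        return None
    attempt_id = secrets.token_urlsafe(16)
    code = f"{secrets.randbelow(10**6):06d}"  # six random digits, CSPRNG-backed
    PENDING[attempt_id] = {
        "user": username,
        "code": code,
        "expires": now + CODE_TTL_SECONDS,
        "tries": 0,
    }
    send_code(username, code)
    return attempt_id


def finish_login(attempt_id: str, code: str, now: Optional[float] = None) -> bool:
    """Step 2: check the code. The challenge is consumed on success, on expiry,
    and after too many wrong guesses, so an intercepted code cannot be replayed."""
    now = time.time() if now is None else now
    challenge = PENDING.get(attempt_id)
    if challenge is None:
        return False
    if now > challenge["expires"]:
        del PENDING[attempt_id]
        return False
    challenge["tries"] += 1
    if not hmac.compare_digest(challenge["code"], code):
        if challenge["tries"] >= MAX_CODE_ATTEMPTS:
            del PENDING[attempt_id]
        return False
    del PENDING[attempt_id]
    return True


if __name__ == "__main__":
    aid = begin_login("ap_newsdesk", "correct horse battery staple")
    print("password accepted, code issued:", aid is not None)
    print("login without the code succeeds:", finish_login(aid, "not the code"))
```

Two design choices matter here. Comparisons use `hmac.compare_digest` so that neither the password check nor the code check leaks information through timing, and every failure path (wrong code, expiry, guess limit) removes the challenge rather than leaving it open, which is what makes a six-digit code safe against brute force despite its tiny keyspace.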

But even if the AP's Twitter creds were locked down tight, that still leaves the matter of how the hackers got access to the AP's data in the first place. The AP's Mike Baker reported that just before the Twitter hack took place, employees at the news organization received what appeared to be an "impressively disguised" phishing attack. If that's true, then somebody at the AP was duped into clicking a link or opening an attachment that contained a nasty piece of malware letting the hackers in. And that's problematic in itself -- even if the bad guys couldn't get from there into the company Twitter account, they could have broken into other email accounts, finding reporters' names and potentially their sources.

The AP's brush with the Internet underbelly highlights the importance of not just social-media password security, but the company's operational security writ large. Phishing attacks are among the most common types of cyber intrusions precisely because all you need to do is trick one person out of a company of tens or hundreds of thousands into making a couple of wrong steps. Seeing as few as three fraudulent emails is usually enough to get someone to click when they shouldn't, according to Verizon's just-released data breach investigations report.

How do you defend against that kind of threat? One way is to run exercises on unsuspecting employees. It sounds silly to liken cyberdefense to civil defense drills, but that's exactly what one prominent defense contractor has been doing to its workers on purpose -- over and over again. Twitter needs to step up the way it protects users, and especially organizations that are in the public eye. But neither was the AP exactly helpless in this situation.