Sophos Cloud Optix
Pharmaceutical megacorp Pfizer’s Facebook page was defaced a couple of days ago, and then restored.
Responsibility was claimed by a newly-created Twitter account calling itself Script Kiddies. He/she/it urged that Pfizer should be stopped because “they’re corrupt and the damage they create is senseless”.
Intellectually challenging stuff.
Actually, calling this a hack is a bit like saying that you’re going on an overland holiday when all you’re really planning to do is to pop into the pub briefly on your way home. If the screen-grab on The Hawthorne Effect website is to be believed, the hacker – aaargh, I’m doing it again! – did nothing more than guess the password of someone at Pfizer’s PR company who had access to the page.
If you’ve ever worked with, or for, PR companies in recent years, you’ll know that they will urge even their most old-fashioned customers to embrace the social media scene. And many organisations are inclined to trust their PR companies as social media experts (which they may well be), enlisting their help to get into social networking.
But environments such as Twitter and Facebook actually need consistent and continuous tending. With just 140 characters in each Tweet, there isn’t much room for dialogue in the form of a traditional debate. Quantity and fast reaction times are much more useful characteristics in the world of social networking than quality and thoughtful consideration.
In short, it can be useful to outsource your social media interactions to a PR company. After all, initiating, noticing, receiving, sifting and replying to online interactions swiftly is what a modern PR company is supposed to be good at.
But if you do this, you don’t just need to trust your flacks to be creative communicators. You need to trust them to be at least as good at computer security as you are.
Security blunders by PR companies or contractors can quickly become the stuff of legend. In 2009, for example, McAfee was deeply embarrassed by a follow-up email sent to each attendee of its Strategic Security Summit. This erroneously included a spreadsheet with the personal details of all 1500 registrants.
And in 2010 IBM managed to hand out marketing material at a security conference on USB keys which were infected with not one, but two, items of malware.
You need to ensure that your PR company follows security guidelines which are at least as strong as yours.
For example, if you have gateway filtering in place to prevent you emailing out executable files by mistake, you should expect your PR company to have a similar restriction – at least for any users authorised to represent your account. If you have password complexity policies, insist that they follow the same policies.
At the very least, get all the staff at your PR company to watch the video below. After all, you can outsource your corporate communications. But you can’t outsource your accountability!
(Enjoy this video? Check out more on the SophosLabs YouTube channel and subscribe if you like.)
Rather than simply *guessing* the Facebook page administrator's password, my guess 🙂 would be that something different happened.
My hunch would be that it's more likely that the page admin was one of those large proportion of people who use the same password in multiple places. Which means if you get hacked in one place, the bad guys have now got a skeleton key to other accounts you might have on the net.
The recent LulzSec etc activity has involved a lot of public posting of password databases. The Script Kiddies may well have had a beef with Pfizer for a while, determined the name of the company who handles their social media activity (it's no secret) and found his email address/password in one of the published password hoards.
That's why I'd recommend to folks that they google for their own email address from time to time – it might be eye-opening where it turns up!
Anyway, it's a theory. I assume only the Script Kiddies know for sure.
Hmmm. I think what you are describing counts, very generally, as "guessing", by which I mean "using a directed dictionary attack, or making an assumption based on other passwords the user might have, or using an online search to look for likely candidates, or trying a few likely common passwords", and so forth.
The speculation about the defacement which I quoted seems to assume a Google search was enough to get in. That's equivalent to "a guess" – albeit a guided one – in my book.
I meant that the breakin was most likely not something requiring what might be called hacking (without offending our edgier readers). One or more likely candidates were listed somehow, and tried until one of them worked. No cryptographic skills, reversing, API trickery or other jiggerypokery was used. That's my guess 🙂
I couldn't think of a better (or more demeaning 🙂 way than to say "I guess the defacers simply guessed".
hey, script kiddies rep here! we did not guess the password, who does that now-a-days anyway? at this time we will not release how we gained access to the account.
lol you guys get a lot of mileage out of this ‘how to create strong passwords’ video. Also the USB image seems to have been used in the linked IBM article as well 🙂
We hope our readers get good mileage out of the video, too 🙂
As for the USB key – I was at the abovementioned conference and received one of the tainted keys. I couldn't find my own picture of the key (in a miniature "evidence bag" with a virus sticker on it) so I decided to use Graham's USB image instead.
PS. I have tracked down my original photo and changed the picture in the article.
Your password video is weak it doesn't mention using a separate, typewritten list that
isn't on ANY computter. Use that listing each website, username, login and password
and keep it updated. Keep it under lock and key when not being used. Password man-
agement programs are horrible, never use them. One password hacks all yours? NO
don't fall for this false sense of security.
You mention nothing about the Cisco Complex Password Specification. A password
should be completely random, and contain at least 3 each of the following:
Upper case
Lower Case
Numerics
Special Characters
Symbols
This should be made into a string field of 15 total (the maximum most websites allow)
and if a site doesn't let you use special characters, I'd consider NOT using their online
websites to manage or access anything.
Hard pressed by Facebook with regard to content, rules, I am astonished to see how easy it seems for hackers to invade a fan page. No wonder Pfizer decided to pull out. Facebook seems an easy target.
One should really think careful before hosting a fan page.
Not over joyous with FB in general, once your site has been marked by imbeciles for spam, offensive content, in fact anyone can cause your site's closure.
FB does not even reply your appeal, just ignore any emails.