Associated Press Twitter hack spreads fake White House bomb story, pushes down Dow Jones

Filed Under: Featured, Twitter

The Associated Press (AP) has admitted that its Twitter account was hacked and used to send out a false report of explosions at the White House.

"Breaking: Two Explosions in the White House and Barack Obama is injured" was the message that went out to the Twittersphere.

With just under two million followers, including myriads in the financial sector, AP's Twitter account has a wide reach, and is influential.

Influential enough, it seems, that even a false rumour of this sort can have a visible effect on the stock market.

The Dow Jones Industrial Average, for instance, shows a clearly-noticeable stutter at the time of this offending tweet:

→ If you're a market analyst, you might consider this a "brief plunge"; if you're a lexicographer, you might insist that a "plunge" needs to be both extreme and uncontrollable; if you are an arithmetician, you might say simply that the Dow dipped very slightly, by under 1%, before rising to a level very slightly higher than before the slight drop.

Just how the hack was orchestrated is not yet clear, but AP's own notification observes that:

The attack on AP's Twitter account and the AP Mobile Twitter account was preceded by phishing attempts on AP's corporate network.

Of course, given the prevalence of phishing attempts by email, this phishing might merely be coincidental.

There are many ways other than phishing by which the passwords to your corporate Twitter could end up in the hands of cybercriminals, from keyloggers, through poor password choice and password reuse, to insider abuse of official privilege.

→ A keylogger is malware that sits in the background on your computer and records what you type when you fill in password forms; poor password choice is using easily-guessed passwords like "letmein"; password reuse is using the same password on many sites so a criminal needs to penetrate only the weakest one; and insider abuse is when someone who is trusted and authorised goes rogue.

Another challenge in the business world is that a single Twitter password might be shared by many staff in marketing, all of whom are under pressure to "keep those Tweets coming."

Only one of those users needs to lose, leak or divulge the password to put everyone in danger.

Interestingly, the fact that information published on Twitter is invariably meant to be public (so there is no need for confidentiality) can mislead users into treating the overall security of their Twitter accounts less seriously.

But security isn't only about confidentiality.

It also requires a robust approach to authenticity, to prevent imposters from publishing possibly harmful information with your imprimatur.

And it requires integrity, to prevent bogus or modified information being accepted as correct.

So here are three pieces of safety advice you can follow when it comes to social networks:

  • To journalists and Dow Jones investors, "Check your facts."
  • To corporate Twitter users, "Don't share your corporate password widely."
  • To Twitter itself, "Bring on two factor authentication, at least for corporate users."



2 Responses to Associated Press Twitter hack spreads fake White House bomb story, pushes down Dow Jones

  1. Given there is potentially a very large amount of money to be made when the markets do this, by shorting in advance or, less riskily, just plain buying at the bottom, the incentive to recreate the situation is considerable. I doubt this will be the last time we see this happen, especially after such a striking demonstration. It may well be that in the interests of financial market stability the regulatory bodies start to look at the problem.

    Yes, you can (as you have above) say that investors should check their facts, but there is in this the very real problem of timing: once the slide down starts it can be very fast, and even a few seconds' delay can cost a considerable amount. Added to that is the use of automation in trading platforms, so a house that is not responding to a Twitter message directly may find itself doing so indirectly due to automation.

  2. Nigel · 897 days ago

    "But security isn't only about CONFIDENTIALITY.

    "It also requires a robust approach to AUTHENTICITY, to prevent imposters from publishing possibly harmful information with your imprimatur.

    "And it requires INTEGRITY, to prevent bogus or modified information being accepted as correct."

    Yes! In fact, those are general principles that apply to all kinds of transactions involving all kinds of property, not just information.

    (Sorry for SHOUTING the key words, but the impoverished formatting capability of the comments composer leaves no other way to retain the emphasis in the quoted text.)


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog