AP Twitter hack an education for end users

Charles McColgan, CTO of California-based TeleSign, questioned the structure of the tweet, but says most people would, and did, consider the AP bogus tweet as an authoritative news source.

“From a security perspective [Twitter’s security] seems fairly rudimentary,” explains McColgan to Canadian Security. “I think that one of the things that’s happened, you have twitter which is basically a consumer way to exchange information and now it’s being used by large media organizations. I think they really need to stay abreast of that and offer security that is sort of commensurate with the way it’s being used.”

McColgan is an advocate for user education and believes that not only should Twitter take action, but AP should as well.

“[To reduce internal risk] all AP employees can have their e-mails signed, where you use some sort of signature on the e-mail,” he explains. “So you say okay well if it’s from my colleague at AP, I know it will be signed and this is how it’s digitally signed.”

He also recommends Twitter follow in Google’s or Microsoft’s footsteps and incorporate a two-step authentication process.

SEA instigated an attack on AP employees via an e-mail that appeared to be sent from a colleague with a legitimate-looking message of: “Please read this message, it is very important” and web address that was “from” the Washington Post.

This is known as a spear-phishing attack, says McColgan who has been in the security industry for about 14 years.

“Spear phishing is where high-value individuals are targeted with Phishing attacks in order to get [sensitive] information from them, credentials from them or fool them into installing software or exposing them to zero day exploits that will compromise underlying systems,” he says.

McColgan notes that SEA seem impatient with their attacks.

“Maybe it’s related to the political situation in Syria and it being so volatile,” he speculates. “ So it’s kind of like they’re living for tomorrow.”

However, he says this particular attack was well executed with the Boston bombings, and the more recent allegations of a terrorist plan to attack Via Rail train in Canada.

There’s going to be less scrutiny given the recent attacks, whereas if they waited a month it wouldn’t be as believable, he says.  

SEC has also attacked BNN, and CBS News’ “60 Minutes.”

A few seconds after the release of the bogus tweet by AP, the Dow Jones dropped about 150 points, affecting many investors whose accounts were electronically set up to cash out when the Dow reaches a certain low.

High-speed trading systems use newsfeeds as part of their data input for stocks and investment opportunities.

The fact that high-speed trading systems use insecure channels for news and updates is scary, McColgan says. People should pause and maybe rethink that decision because the effects it can have on the stock market are dangerous.

I think the thing they did learn that there is a link between hacking Twitter accounts and manipulating the stock market, he adds.

These fake tweets came out just weeks after the U.S markets watchdog, the Securities and Exchange Commission (SEC), decided to allow public companies to use Twitter, LinkedIn and Facebook to release news to their investors.

SEC motioned for clarification after Netflix disclosed its updated viewer count on their Facebook instead of filing through SEC or a press release. The SEC stated companies could only use social media to leak information if they notify all investors.

Canada’s premier markets regulator, the Ontario Securities Commission, hasn’t been as liberal. Despite not following SEC, however, it recently allowed public companies to post on their website rather than mailing the information to all of its shareholders.