The Associated Press's Twitter account was hijacked this afternoon and used to tweet a false message that reported two explosions at the White House had left U.S. President Barack Obama injured. One security expert says the incident underscores the need to adopt out-of-band two-factor authentication and keystroke encryption.

American media suffered another black eye Tuesday afternoon when U.S. stock markets briefly went into a tailspin after the Associated Press’s Twitter account was hijacked and used to broadcast this false message: “Breaking: Two Explosions in the White House and Barack Obama is injured.”

Bogus tweet sent earlier today from AP’s hijacked Twitter account.

In a two-minute span between 1:08 pm EDT and 1:10 pm EDT, just after the fake tweet hit Twitter, the Dow Jones Industrial Average dropped 145 points. The market quickly corrected itself after the Associated Press disclosed that it had been hacked and its Twitter account suspended while it sought to correct the issue. The White House also confirmed that President Obama was “fine.” An organization calling itself the “Syrian Liberation Army” quickly claimed responsibility.

According to CBS News, the Associated Press confirmed that the hijacking of its Twitter account was preceded by a phishing attempt on its corporate network.

George Waller, executive vice president and co-founder of security specialist StrikeForce Technologies, says the incident calls attention to the need for enterprises to insist upon out-of-band two-factor authentication for remote access users (which includes anyone who accesses Twitter accounts, for example) and keystroke encryption.

“Most likely, what happened here is what we’ve seen time and time again: The malware writers are constantly spear phishing for folks like this AP guy,” Waller says. “What reporter out there doesn’t have his email address out there in the public domain? Essentially, with that, they’ll phish you and pass you a piece of malware in an email. It could be a pitch, breaking news, something like that. You’re going to open it up and get infected.”

“Most likely, they infected that person’s machine with a keylogger and they watched and got his Twitter account when he logged in,” he added.

Protection Requires 2-Factor Authentication and Keystroke Encryption

Protecting yourself and your organization requires two things, Waller says. First, you must use out-of-band two-factor authentication. In other words, when someone initiates a login, completing the login process requires entering a one-time password sent to the individual over a different channel—a text message on a mobile device, for example.

But even that is not enough, Waller says.

“If I put a keylogger on your system and you have out-of-band two-factor authentication, I may not be able to crack your password, but I can still watch everything you write,” Waller says.

Because of that, the second essential component is keystroke encryption.

“Everyone needs to encrypt every stroke,” Waller says. “Most likely if the AP reporter had keystroke encryption, he wouldn’t have had that breach. The only way to protect real, live data in motion is you’ve got to encrypt every keystroke at the point of origin.”

“In the past three years, if the world had out-of-band authentication and keystroke encryption on everyone’s computer, probably greater than 95 percent of corporate data breaches and identity theft cases would have been prevented,” Waller adds.

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com.
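The out-of-band one-time-password step the article describes can be sketched on the server side as follows. This is an added example, not code from the article or from StrikeForce; the `send_out_of_band` callable, the 120-second lifetime and the three-attempt limit are assumptions. The code is single use and short lived, so a value captured at the keyboard after login is rejected on replay.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120  # assumed validity window
MAX_ATTEMPTS = 3       # assumed guess limit per challenge


class OutOfBandOtp:
    """Second login step: a one-time code delivered over a separate channel."""

    def __init__(self, send_out_of_band, clock=time.time):
        self._send = send_out_of_band  # hypothetical callable, e.g. an SMS gateway
        self._clock = clock
        self._pending = {}  # challenge id -> [user, salt, digest, expiry, attempts left]

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def start(self, user):
        """Call only after the password check has passed."""
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = [user, salt, self._digest(salt, code),
                                       self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        self._send(user, code)  # the code never travels over the login channel
        return challenge_id

    def verify(self, challenge_id, user, submitted):
        entry = self._pending.get(challenge_id)
        if entry is None or entry[0] != user:
            return False
        _, salt, digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[challenge_id]  # expired or locked: discard
            return False
        entry[4] -= 1
        if hmac.compare_digest(digest, self._digest(salt, submitted)):
            del self._pending[challenge_id]  # single use: a captured code cannot be replayed
            return True
        return False
```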