A few hours ago twitter account of Fox News @FoxNewsPolitics was hacked and misinformation was tweeted.
The contention of this blog is to not discuss how @foxnewspolitics got hacked but a few recommendations on how to save yourself from embarrassment.
FOXNews has been on the radar of hackers for past few months and they have had a breach a few months ago (somewhere in the first week of May) wherein the user details were leaked.
One may wonder how this is all done well here is a sneak preview:
1: Phishing attacks: Social Engineering toolkit offers the attacker the ability to clone any website and specially crafted mails are then sent to the user.
Though the tell-tell signs are quite evident to a sharp mind but entering the information without any proper rationalized thought will always ensure that you end up sending your login credentials to the attacker.
2: Keyloggers: Keyloggers is the hard way to access your keystrokes. The evolution of keyloggers has gone a long way, and the only way to defend yourself is to use an application based Virtual Keyboard. In near future I will be writing about these type of Virtual Keyboards. Some of the Virtual Keyboards which are available in the market do not provide any sort of protection from keyloggers, all they provide is a fancy interface which is accessible through a Mouse.
3: Re-use of passwords – LulzSec hacks and the subsequent challenges posed by LulzSec to its followers have disclosed this gaping security lapse on part of IT users to re-use or use a common password on all online and social networking media sites. It has been documented time and again that most Internet users have re-used their passwords for almost every account they own, whether its paypal account or a twitter account or the good old Gmail.
4: Storage of passwords in a secure media. Always store your passwords in a secure media, encryption tools are available eg. TruCrypt, use them – they don’t cost a dime. Its also been a known fact that passwords stored in the browsers are accessible to third party applications and malware, so refrain yourself from storing passwords in the browser.
In their 50-day romp under the banner of LulzSec, they have proved beyond doubt that no-matter which appliance/application you use to protect your servers, silly mistakes on the part of the users or the network administrators just don’t have any place in IT security.
Security researchers often harp on using complicated passwords but the programmer decides otherwise and ends up storing the password in plain text or using MD5 hash with the password length policy going in for a toss.
It is often taught to sanitize the query parameters but a small mistake ends up making your well designed website a market place for SQLi based attacks. Who needs a 0day Apache hack when your website is vulnerable to SQLi.
Twitter is one media which Corporate’s should treat with respect. One wrong tweet has its own ramifications and repercussions.
FoxNews is going to have a tough time on all fronts – security-wise and from the public glare.
Such hacks are a grave reminder that social mediums like Twitter / Facebook are now a part of our lives and they can be manipulated.
Wishing all US Citizens a Happy Independence Day.