Officials have launched an investigation into the alarming hack, which saw the accounts briefly carrying messages promoting the Islamic State.
(Shown here is an image of the compromised U.S. Central Command Twitter account.)
On Tuesday, Pentagon spokesman Col. Steve Warren told reporters that he has ordered all 50 Office of Secretary of Defense social media websites to change their passwords and increase the strength of their passwords — and offered a tip sheet to social media account administrators on “how to keep their accounts more secure.”
DoD has thousands of social media websites that it is operating in an official capacity.
Security experts say that the Central Command hack should serve as a wake-up call for military social media. “They probably could have avoided this using ordinary [password] hygiene,” Roger Kay, president of research firm Endpoint Technologies, told FoxNews.com.
Standard security procedures include the use of long passwords with multiple characters and ensuring that only a small number of people can access the accounts, according to Kay. “You want to have just one or two individuals responsible for the account,” he said. “They should be named individuals, so that if there’s a problem, you can go to those people.
Tim Junio, a cybersecurity fellow at Stanford University’s Freeman Spogli Institute for International Studies, also highlighted the risks posed by weak passwords.
“If, in fact, the accounts were breached due to poorly chosen passwords and security challenge question responses, the advice would be to make sure that the staff responsible for social media for DoD are well trained in best practices for strong passwords and unique security question answers,” he told FoxNews.com, in an email.
Twitter and YouTube have not yet responded to a request for comment on this story. A DoD spokeswoman told FoxNews.com that the FBI is investigating the intrusion and working with the department to determine the nature and scope of the incident.
In a statement released on Monday evening, Central Command said that its Twitter and YouTube accounts were compromised for approximately 30 minutes, before being taken temporarily offline while officials investigated the incident. The Twitter account and YouTube channel were back online late Monday.
In its statement, Central Command explained that the sites reside “on commercial, non-Defense Department servers.”
Endpoint Technologies’ Kay said that, while the hack is clearly embarrassing, moving the sites to specially-built servers within the Defense Department is not necessary. “They should continue to use commercial servers, but secure them using normal methods,” he said. “My sense is that they were a little bit careless with their security.”
Ofer Hendler, CEO of cloud security specialist Skyfence, told FoxNews.com that multi-factor authentication, which uses a combination of passwords, personal information, and device verification is a powerful way to protect against account takeover. “It forces would-be attackers to present at least two forms of authentication — one that involves something you own (e.g., a mobile device) and the other something you know (e.g., a one-time password),” he explained, in an email.
In its statement, Central Command noted that its operational military networks were not compromised in the hack and downplayed the incident as “a case of cybervandalism.”
The Twitter account, while it was compromised, carried an image identifying the page as “CyberCaliphate” with a message that said, “I love you ISIS.”
The hacker group may be the same one that is under FBI investigation for hijacking the websites or Twitter feeds of media outlets in the last month, including a Maryland television station and a New Mexico newspaper.
The intrusion on the military Twitter account carried the same logo, CyberCaliphate name and photo that appeared on the Albuquerque Journal’s website in late December when one of its stories was hacked. And earlier this month, it appeared that the same hackers breached the Journal’s Twitter account and also took over the website and Twitter feed of WBOC-TV in Salisbury, Md.
During the Central Command hack, tweets contained what appeared to be military plans and contact information for military officials — one posting even showed what appeared to be an image from a computer webcam in a military facility.
Central Command said that, based on its initial assessment, no classified information was posted and that none of the information came from its server or social media sites. “Additionally, we are notifying appropriate DoD and law enforcement authorities about the potential release of personally identifiable information and will take appropriate steps to ensure any individuals potentially affected are notified as quickly as possible,” it said, in its statement.
Original article can be found here. 1/13/2015