(Please do share this! Let’s get people to be smarter about protecting their accounts online).
Here’s some breaking news thanks to the online community that covered this quite well and quite fast.
Qatar Foundation’s social media accounts have been ‘hacked’. People have been saying it was the Syrian Electronic Army (Assad supporters). No, they’re not a professional organisation; it’s just some people trying to make themselves sound bigger than they really are.
You want to know what I think? No, this isn’t the result of a ‘hacking’ attempt (because then the headline would be ‘Twitter hacked’, not QF), but more probably (and realistically) the result of poor password protection. (I’ll come on to that in a second, but first let’s see what the community said.)
At around 10:30 AM on the 1st of March, tweets started coming in that the Qatar Foundation Twitter account was posting ‘anti-Qatar’ tweets. Of course the online community, being mostly comprised of intelligent people, quickly realised that this was indeed the work of a hijacker.
Some people criticised QF for not being quick enough to react, but let’s face it: it’s a Friday morning. People are either praying, sleeping, with family, or doing the weekend chores. I personally think that they reacted as fast as they could. Who’s to say that they weren’t already taking action anyway? If the account was compromised, how could they have deleted the tweets in the first place? They wouldn’t have had access to the account. I don’t think many organisations have 24-hour social media monitoring services in general. (Although I’ve been telling people that they should just pay for the ‘Alto’ social service, ah well.)
It’ll be interesting to see how the Cybercrime unit in Qatar responds. This is the chance for them to help set precedent for online justice.
The big point is though, that in most similar cases, this could have been avoided!
ictQatar had put together a great event called ‘Safer Internet Day’ yesterday (28th of February) at Qatar University. I was one of the panelists there. A number of topics were discussed, and I particularly emphasised the irony that websites demanding ever more complex passwords are pushing people to pick the most simplistic (or easily guessable) password strings. Other discussions covered identity theft and how people are not being secure enough. It’s not really that difficult (and I’m tempted to even prove it).
All you need is a bit of information and some good old-fashioned social engineering.
1- Figure out the email address that the account is linked to. (It’s either the social media manager’s email or a generic email used by the company/institution itself, rather than a private and undisclosed one.)
2- Try to infiltrate that person’s email account. Go with the ‘Forgot Password’ route. It’ll probably ask some basic questions that are guessable. Even if you didn’t know the answers, getting them could be easy. Some of the questions are “When was your mother born?”, “What’s your maiden name?”, “What’s your favourite colour?”. If I wanted that info and I knew who the social media manager was, all I’d need to do is ‘interview’ that person to get the answers I wanted.
3- If you manage to gain access, now go on to the social account you want to access. For Twitter, click ‘forgot password’, type in the username you want access to, and it’ll send a reset link to the email (which you now have access to). Some social channels make the mistake of sending you the password itself! (Once you have that, in many cases it’s the same for all the other social accounts.)
4- You could also go the guessing route. Too many people go with passwords like “Monkey123” (yes, that’s common!), “Password123”, “P@ssw0rd”, “123456”, “a1b3c3d4”, or “generic word + 69”. (Do you see a password you’ve used before? Post it in the comments below :D)
A brute-force password cracker can easily guess your password in a few days.
This is all theory, but either way: how do you avoid having your account hijacked?
1- Use an undisclosed email address.
2- Don’t use easy-to-guess answers to security questions.
3- Don’t use the same password for ALL accounts.
4- Don’t use an easily identifiable pattern.
5- Where possible, go with two-factor security (like Google Authenticator, which is FREE).
6- Set up an alert, if possible, so that every time someone logs in (from another country) you get notified.
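To make points 3 and 4 above concrete, here is an added example (my own illustration, not code from Qatar Foundation or any of the sites mentioned) of the kind of check a site could run before accepting a password. It flags exactly the predictable strings listed earlier: a common word with digits bolted on (Monkey123, Password123, word + 69), the usual @/0 substitutions (P@ssw0rd), and counting or alternating runs (123456, a1b3c3d4). The word list, common-password set and 12-character minimum are assumptions made up for the example.

```python
import re

# Constructed mini word list and common-password set for the example; a real
# deployment would load a full breached-password list instead (assumption).
COMMON_WORDS = {"password", "monkey", "welcome", "qatar", "foundation", "letmein"}
COMMON_PASSWORDS = {"123456", "qwerty", "abc123"}
MIN_LENGTH = 12  # assumed policy threshold, not a figure from the post

# Undo the usual "complexity" substitutions so P@ssw0rd is judged as 'password'.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(s: str) -> str:
    """Lower-case and reverse common letter-to-symbol swaps."""
    return s.lower().translate(LEET)


def ascending_digits(s: str) -> bool:
    """True for a counting run like 123456 (each digit is the previous plus one)."""
    return s.isdigit() and len(s) >= 4 and all(
        int(b) - int(a) == 1 for a, b in zip(s, s[1:]))


def check_password(pw: str) -> list[str]:
    """Return the reasons a password is predictable; an empty list means it passes."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    core = pw.lower()
    # Plain common password, or a dictionary word once the leet swaps are undone.
    if core in COMMON_PASSWORDS or normalise(core) in COMMON_WORDS:
        reasons.append("common password")
    # Strip a 1-4 digit tail: catches Monkey123, Password123 and 'word + 69'.
    stem = re.sub(r"\d{1,4}$", "", core)
    if stem != core and normalise(stem) in COMMON_WORDS:
        reasons.append("dictionary word plus digits")
    # Counting runs (123456) or alternating letter-digit runs (a1b3c3d4).
    if ascending_digits(core) or re.fullmatch(r"(?:[a-z]\d){3,}", core):
        reasons.append("predictable sequence")
    return reasons


if __name__ == "__main__":
    for candidate in ["Monkey123", "P@ssw0rd", "123456", "a1b3c3d4",
                      "Qatar69", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Note that "correct horse battery staple" passes every rule while being far longer than any of the rejected strings, which is the point made on the panel: length and unpredictability matter more than forced symbol substitutions.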
So what’s the latest? Twitter and Facebook have already been notified of the situation, we’re told. They’ve removed all ability to ‘reset’ the Qatar Foundation passwords or change the profile while everything is cleaned out. We saw a message on Twitter’s page saying that password resetting has been disabled. Good first move! Let’s hope that a proper security policy is put in place to avoid these things in the future.
Let’s ALSO hope that other companies (and government institutions) learn from this. This is a great wake-up call. (Speaking of calls, give me a call anytime, whoever you are; happy to be of service 😉 )
Tell me people, what are your thoughts?