
Skype Hacked By ‘Syrian Electronic Army’ – Expert Comments

By ISBuzz Team | January 2, 2014 | Updated: July 5, 2024

Following news that Skype’s social media platforms were hacked by the ‘Syrian Electronic Army’, here are some thoughts and opinions from Lancope, LockPath, High-Tech Bridge, Cenzic, New Net Technologies and AccessData on how and why this happened.

Bala Venkat, CMO at Cenzic said:

“Cyber criminals are taking to media networks and platforms to put fear into enterprises and the government. The attack on Skype was no exception. This illustrates how social media and communication platforms are becoming pricey soft targets.

One vulnerability is all it takes for the hackers to get in and do some costly damage! While this attack originated at the social media networks, it could easily propagate across the digital chain and pose serious consequences at the national and global level. Enterprises must put tight security programs and controls in place across all stages of the development and deployment process. Better to be proactive than sorry!”

Mark Kedgley, CTO at New Net Technologies said:

The objective of the attack on Skype’s social media platforms by the ‘Syrian Electronic Army’ seems to be pure ‘hacktivism’, with the aim of highlighting the NSA/Microsoft collaboration, which they have absolutely achieved.

This sort of attack demonstrates that even seemingly ‘valueless’ IT assets such as your social media channels can be targeted. And if hacked, this can cause huge damage and embarrassment by association. The conclusion of your customers will be that ‘your company has been hacked and has questionable security’.

Organisations should treat social media accounts like any other – regularly change passwords and use complex pass phrases where permitted.

Tim ‘TK’ Keanini, CTO at Lancope said:

Keeping your social media accounts for your company safe and secure is not as easy as it sounds with larger organizations. Oftentimes, it is an outsourced company that staffs these Twitter, Facebook, Pinterest accounts and their security practices may not be up to industry standards. They often will not turn on the two-factor authentication because it assumes that a single user will be associated with the account and oftentimes with these large online brands, there are multiple people who staff a single account and two-factor makes it almost impossible to manage.

Larry Slobodzian, Senior Solutions Engineer for LockPath said:

Breaches like these can be prevented with a proactive, holistic approach to security and compliance that includes an enterprise-wide approach to managing governance, risk and compliance (GRC). For instance, software that is not correctly configured may allow hackers to access sensitive data. While security tools can scan and manage vulnerabilities, the tools often require a combination of functional teams and create data silos, making it hard to enforce and track efforts to manage the vulnerabilities. A GRC program can set the policy and expectations for identifying software vulnerabilities across the enterprise and provide a single view of the current risk, trends, and process performance.

Ilia Kolochenko, CEO at High-Tech Bridge, said:

“I will focus my attention on the technical side of the attack, which is quite interesting. According to the BBC, Skype’s web blog and Twitter account were compromised. These two resources are not usually interconnected and a compromise of one should not lead to the compromise of the other, therefore I see the three most probable attack scenarios as being:

1) Password reuse technique. In this case the web blog could be compromised via XSS or SQL injection attack and when the hackers managed to get the passwords of admins they probably tried them on other resources such as social networks. Conversely, hackers could brute-force Skype’s Twitter account password [in 2013 simple or predictable Twitter passwords led to a number of important hacks of celebrity accounts] and try it to log in to the blog.

2) An APT (Advanced Persistent Threat) scenario. Here, hackers may have profiled Skype employees (via LinkedIn or other public “self-exposure” places) to find the person who may manage its web and social media resources. The person was then compromised and the hackers gained access to multiple corporate resources that were accessible from his or her machine. Many people have huge email archives on their workstations, including dozens or even hundreds of “password recovery” or “registration confirmation” emails. This is a very dangerous practice as attackers can easily get access to such email archived information and, for them, it’s a golden mine.

3) The web blog had a direct link with the Twitter account, which allowed posting of tweets directly from the web application. If this was the case, the Skype team should investigate how their website was actually compromised.

As a conclusion, this sad example is a good reminder that hackers don’t care about public holidays and while you are relaxing in the mountains they are still busy hacking your network.”

Lucas Zaichkowsky, Enterprise Defense Architect at AccessData said:

“The Microsoft Skype breach appears to be limited to social media accounts used by whoever is in charge of posting on behalf of Skype. The good news is that means the Skype service itself wasn’t affected and users shouldn’t be concerned. This is a modern day equivalent of web site defacement, a form of hacktivism that goes back over a decade (e.g. Mafia Boy). It’s a black eye for Skype and hopefully a wake-up call for all organizations to be careful to secure the systems and accounts used for social media. Making use of two-factor authentication is an excellent example.”


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
