By Mousume Roy, APAC Reporter, HCL Technologies Ltd.
The British Army has confirmed the ‘breach’ of its Twitter and YouTube accounts after they were briefly hacked and flooded with posts about cryptocurrencies and non-fungible tokens. The official YouTube channel was flooded with videos on cryptocurrency using images of billionaire businessman Elon Musk, while the Twitter account retweeted several posts related to NFTs (non-fungible tokens), distinct cryptographic tokens that cannot be replicated and act as certificates of ownership for virtual items. Both accounts have now been restored.
Cryptospam, Elon Musk, and Bapesclan
For some time, the army’s Twitter account name was changed to ‘BAPESCLAN’, accompanied by a profile picture featuring an ape-like cartoon figure in clownish make-up. The description was changed from “Follow us for news and information on deployments, training exercises, ceremonial duties & regimental events. Recruiting @armyjobs” to “#1 metavesto clan on the ETH chain with multi-billion-dollar experience. Powered by @chaintchlabs”.
The army’s YouTube channel was also targeted. The account name was changed to Ark Invest, while the logo featured an image of Tesla founder Elon Musk. It is not clear who is behind the hacking incidents. The Ministry of Defence has said it has launched an investigation into the attack.
Coordinated social engineering attack
This is not the first time such accounts have been hacked. In July 2020, hackers took over major US accounts in a clear Bitcoin scam. The accounts affected in the July 2020 hack included those of Elon Musk, Jeff Bezos, Bill Gates, Barack Obama, and Joe Biden, to name a few.
Twitter called the 2020 hack a ‘coordinated social engineering attack’ in a blog post, where cyber criminals “manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through the two-factor protections.” After gaining access to privileged systems, the attackers attempted to hack 130 user accounts.
This attack raises an important question about the existing security policies of social channels. Despite the known security risks, tech giants are struggling with breaches, hacks, and enforcing password hygiene.
Zero trust to the rescue?
Organizations must understand that user credentials might be stolen and so may not be trusted to validate and authenticate employees or subscribers. Enterprises of all sizes need to build a network that operates on the principle of “zero trust”, a secure remote application access approach that continuously verifies and re-verifies users to guarantee their identity.
As a concept, Zero Trust says ‘trust nothing’ with the idea that there are attackers both within and outside of the network, so no users or machines should be trusted. This multifaceted approach to network security incorporates several principles, technologies, and a full ecosystem of control—cloud, network, endpoint, IoT (Internet of Things), and applications.
Microsoft’s Zero Trust Adoption Report 2021 reported that 96% of the decision-makers in charge of cybersecurity believe that zero trust is critical for their company’s success, with 76% implementing the model. Zero trust is increasingly being viewed as a top priority.
For organizations planning to implement Zero Trust, there is no one-size-fits-all approach, no ideal starting point, and no single security risk area (endpoints, apps, network, data, infrastructure) that stands out for a Zero Trust strategy. Organizations must consider their needs, risks, and objectives to plan a strategy that balances a Zero Trust defense with operational agility to reduce threats, achieve digital resiliency, and leap towards the future of security.
Privacy-enhancing biometric multi-factor authentication (MFA)
Twitter said hackers “got through” its two-factor protections and that its access management and authentication failed to prevent hackers from getting to the powerful internal tools. Two-factor authentication solutions depend on passwords, and if a password is compromised or shared willingly between people, a hacker only has to compromise the user’s device or email accounts to bypass 2FA.
Biometric multi-factor authentication (MFA) solutions depend on the user proving who they are via their unique biometrics and via proof that they have their registered device. Biometrics are not as easy to hack as passwords and are much more secure than 2FA solutions. With privacy-enhancing technology, multi-modal biometrics can provide a secure, frictionless, and password-free authentication solution that sets stringent access controls for users, ensuring that only the right people have access to the right tools at the right time.
Will this hack be a wakeup call?
Looking at past incidents involving tech giants like Twitter, the most recent hack is unlikely to be a wakeup call. In addition to spending on security measures, training employees, and prioritizing ‘zero trust’, changes in existing laws and regulations are required.
Bruce Schneier, a prominent security technologist and fellow at Harvard Kennedy School, raised some valid points after the 2020 Twitter attack. “If this were a bank, there would be lots of regulations,” he said. “More importantly, senior executives would get fired. Unregulated monopolies are bad for society,” he added. “And this is an example of unregulated monopolies being bad.”