Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Twitter The Military United States

US Central Command's Twitter Account Hacked, Filled With Pro-ISIS Messages 128

schwit1 writes with news that U.S. Central Command lost control of its Twitter account today, apparently to people sympathetic to the Islamic State militant group. CENTCOM's YouTube account was also compromised, and two videos related to ISIS were posted. Two U.S. defense officials, speaking on condition of anonymity, said the hacking was an embarrassment but did not appear to be a security threat. ... "In the name of Allah, the Most Gracious, the Most Merciful, the CyberCaliphate continues its CyberJihad," the Centcom Twitter feed said after being hacked. The Twitter feed had several messages from hackers, including one telling American soldiers to "watch your back," and the YouTube account had two videos that appeared to be linked to Islamic State. The Twitter account published a list of generals and addresses associated with them, titled "Army General Officer Public Roster (by rank) 2 January 2014."
This discussion has been archived. No new comments can be posted.

US Central Command's Twitter Account Hacked, Filled With Pro-ISIS Messages

Comments Filter:
  • by Anonymous Coward on Monday January 12, 2015 @03:24PM (#48796441)
    U.S. Central Command had a weak twitter password and looks like idiots today.
    • by Anonymous Coward

      Another title suggestion: twitter is a joke, and a well written email is usually enough to have them hand over the keys to an account.

      • Another title suggestion: Having a Twitter account does nothing but make an organization look unprofessional.

        • by zlives ( 2009072 )

          Senator Richard Pictweet (D) agrees with you.

        • by rmstar ( 114746 )

          Another title suggestion: Having a Twitter account does nothing but make an organization look unprofessional.

          Have you been hiding under a rock? Nowadays, to look really professional you need a string of icons for different social media. Twitter, Facebook, and a bunch of others.

          That it is utterly ridiculous - granted. That it looks unprofessional - unfortunately not to most people.

    • by Anonymous Coward

      U.S. Central Command had a weak twitter password and looks like idiots today.

      More likely, US Central Command twitter, which is nothing but external resource, has a weak password on purpose, so once it is "haxed" it becomes a visible example of why they need much more money for their offensive cyber command.

      Before you say I'm making shit up, sorry, these things happen ALL THE TIME. Failure is one of the ways how you get more money.

    • by Solandri ( 704621 ) on Monday January 12, 2015 @05:50PM (#48797747)

      [organization] had a weak twitter password and looks like idiots today

      This is actually a serious problem I've encountered in business, with no real tools to address it. You can have the tightest security within your organization, but things like Twitter accounts are out of your control. You have to rely on the security of Twitter.

      Unfortunately, most businesses rarely have a single person who needs access to that type of account. Generally they have an entire department which needs to use it. But companies like Twitter and Facebook don't support any sort of multi-user logins for a single account (Google sort of does with Google Apps for Domains). It's one account, so there's one password, and that password has to be shared with everyone who needs to access that one account. So it inevitably ends up posted on the refrigerator door, or stored on the server as a shared file, or even emailed around. Easily stolen by anyone who hacks in or even visits the premises and happens to glance at the refrigerator door.

      The best solution I could think of was if a password manager like KeePass would support managed multi-user credentials. That is, each individual has their own KeePass keychain with their own personal passswords, but an administrative user can insert a special hook for a shared password. So the user could use their KeePass passphrase to login to the shared Twitter account, but they wouldn't actually know the Twitter password and it wouldn't be stored on their keychain. Any time they needed to login, their KeePass would authenticate itself with the admin KeePass, which would log them into Twitter for them. When the person quits or is fired, the admin can just revoke that person's access to the admin KeePass keychain. No need to change the password and email the new password to everyone (thus creating a potential security breach) because the person who left is a potential security breach.

      • by jaseuk ( 217780 )

        Facebook has fine grained permissions for pages/groups etc.. (admin/editor/contributor etc.)

        Twitter/Facebook also allow you to offload the running of the account to an app. (e.g. Hootsuite, SocialOomph, Tweetdeck, etc.)

        Either of these solutions mean that you don't have a single password in use for social networking.

        Jason.

      • by lemur3 ( 997863 )

        The best solution I could think of was if a password manager like KeePass would support managed multi-user credentials. That is, each individual has their own KeePass keychain with their own personal passswords, but an administrative user can insert a special hook for a shared password. So the user could use their KeePass passphrase to login to the shared Twitter account, but they wouldn't actually know the Twitter password and it wouldn't be stored on their keychain. Any time they needed to login, their KeePass would authenticate itself with the admin KeePass, which would log them into Twitter for them. When the person quits or is fired, the admin can just revoke that person's access to the admin KeePass keychain. No need to change the password and email the new password to everyone (thus creating a potential security breach) because the person who left is a potential security breach.

        LastPass supports this on their "Premium" and "Enterprise" accounts.

        You can add sites to a folder which the administrator can control and that administrator can decide if the user will be able to 'see' the password or leave it hidden to all users.

        Users will need their own unique password (and potentially Two Factor auth) to access the 'hidden' Twitter password account.

        https://enterprise.lastpass.co... [lastpass.com] enterprise
        https://helpdesk.lastpass.com/... [lastpass.com] 'premium'

      • by AmiMoJo ( 196126 ) *

        Twitter supports two factor authentication. For an organization this big, is it really beyond their ability to have a phone or tablet running Google Authenticator plugged in for the Social Media Relations department?

    • U.S. Central Command had a weak twitter password and looks like idiots today.

      Tomorrow:

      U.S. Central Command had a moderately stronger twitter password but still looks like idiots.

    • If communication is critical and false communication could result in the loss of life, twitter is not an appropriate resource. I'm sorry it's the only way to share info in a way the masses will listen, but it's just reality that there is no way to make consumer social media communications safe for state sponsored critical communications. In order to be remotely sane you'd at least have to have and extremely long complex password, 2FA and you need some mechanism where two authorized parties have to approve a

    • Is anything specifically known about how ISIS got in?

  • by QilessQi ( 2044624 ) on Monday January 12, 2015 @03:24PM (#48796443)

    This time, try 1-2-3-4-6! That's the new password on my luggage!

  • by barlevg ( 2111272 ) on Monday January 12, 2015 @03:27PM (#48796475)
    ...just remember this XKCD: http://xkcd.com/932/ [xkcd.com]
    • So close, but instead of a poster, it's a 140 character scribble on the bathroom wall of the Internet, and childish clips of kids kicking each other in their nuts.

      https://www.youtube.com/watch?v=r_4jrMwvZ2A [youtube.com]

    • ...just remember this XKCD: http://xkcd.com/932/ [xkcd.com]

      You're assuming they aren't using the same password for their Twitter account that they're using for the Nukes launch codes.

      Oh... you think I'm kidding?
      Seriously... it's a real concern:
      http://www.theguardian.com/wor... [theguardian.com]

      • by Anonymous Coward

        ...just remember this XKCD: http://xkcd.com/932/ [xkcd.com]

        You're assuming they aren't using the same password for their Twitter account that they're using for the Nukes launch codes.

        Oh... you think I'm kidding?
        Seriously... it's a real concern:
        http://www.theguardian.com/wor... [theguardian.com]

        Besides the physical security thing involved with a nuclear missile silo

        • I'm not sure the physical security [cnn.com] is that much of a deterrent (there was another article that I couldn't find which listed a host of similar issues, including allowing pizza delivery guys to the silo). The job of being a silo-jockey is not considered particularly prestigious in the USAF and we aren't getting the best of the best to guard our most powerful weapons.

          On the other hand, finding a floppy disk [slate.com] these days to launch the damn things might be a bit harder to manage.

    • Scrolled down for this. Left satisfied.

  • So, um... (Score:5, Funny)

    by fuzzyfuzzyfungus ( 1223518 ) on Monday January 12, 2015 @03:28PM (#48796495) Journal
    Has Twitter not realized that they could, perhaps, develop at least one non-ridiculous alleged source of revenue by charging cost-insensitive, but potentially touchy, users substantial additional fees for more secure access?

    Have they done so; but CENTCOM can't afford an auth fob because of cost overruns incurred by the F-35?

    Somebody here is an idiot; but who?
    • by Anonymous Coward

      CENTCOM. Why do they have a twitter account? Do they also have accounts on various porn sites?

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Every political organization has a public relations portal. Yes, CENTCOM needs money, so:yes, CENTCOM is sensitive to political visibility.

        It's also a method for outsourcing the cost of communications infrastructure in a BYOD world, with the understanding that everything said via that channel is OSINT and needs to be sanitized for OPSEC/sensitive materials. The OSINT subscribers have to be sensitive to the potential for misinformation which can be exploited.

        Shit like this is normally just used for press rel

        • If there's one thing our country needs to devote less money to it's "defense" spending. Well hell, we can't afford to deliver proper healthcare or education to our people, but we can sure as hell sinks trillions of dollars into a shiny new jet fighter program. Our defense spending dwarfs that of any other nation in total expenditures, and with a few exceptions (Saudi Arabia being the most notable example) as a percentage of GDP.
          • We can afford to deliver proper healthcare. Total up what US governments spend on medical expenses, and you can find countries with good universal health care that spend less than that per capita.

      • Well, the options seem to be (A) some 'social media guru' has moved to sponging directly off the DoD, (B) it's the more-pathetic arm of another delightful propaganda effort, along the lines of whatever they were trying to buy 'persona management' sockpuppetware for, or (C) it's a shamefully feeble attempt to cultivate 'soft power' by emulating kids these days.
      • Every MAJCOM has one. As well as facebook. Most of the commanders have a public one as well.
      • "CENTCOM. Why do they have a twitter account? " That's the first thing I thought of. What possible reason could a military organization have for needing a twitter account? I understand the desire to not get "left behind" the tech revolution and all, but what the hell? Generally speaking, I have a great deal of respect for front-line soldiers, but decidedly less so for the kinds upper echelon "leaders" that believe it makes sense to waste defense resources on such utter bullshit. Perhaps they should also ha
        • Why do they have a twitter account?
          An enemy of the U.S.A. has been detected in your building. Ordnance has been dispatched, You have 30s to evacuate your family. Thank you

          • You have 10 minutes to evacuate your family
            Your family has been wiped out
            Your family has been crushed into a cube
            You have 30 minutes to remove your cube

    • by Tvingo ( 229109 )

      Most of these sites should have two factor autentication set up at least with a mobile so you don't need a FOB for free. Google does. Not sure how many others do.

    • Whom

  • by Anonymous Coward on Monday January 12, 2015 @03:28PM (#48796497)

    "Hey Jamal, what are you doing?"

    "Well, Achmed, you remember how the American pigs blew up my family when I was hiding behind them and using them as a shield, and how they continually try to bring modern culture and women's rights and so on to our country?"

    "......Yes...."

    "I finally have my revenge! Look! Look what I have done for Allah!"

    "That....that's nice, Jamal. It...you....ummm....I'm sure the Americans are weeping in shame and fear right now. If...if you'll excuse me, I need to go someplace....else...."

  • And? (Score:4, Insightful)

    by mitcheli ( 894743 ) on Monday January 12, 2015 @03:31PM (#48796517)
    Seeing as how 15 year old school girls make a point to hack their boyfriends twitter feeds on a regular basis, I'd hardly say that the efforts of the cyber caliphate qualifies as "leet". And as for the threats of watching their backs, US military personnel have been involved in deployments overseas non-stop since 2001 and even before that. I think they know that already. Think I'd have to agree. It's embarrassing (kinda like getting caught with your zipper down) but ultimately, an annoyance and nothing more.
  • by Tokolosh ( 1256448 ) on Monday January 12, 2015 @03:35PM (#48796557)

    Oldie, but goodie:

    Muslim suicide bombers in Britain are set to begin a three-day strike on Monday in a dispute over the number of virgins they are entitled to in the afterlife. Emergency talks with Al Qaeda have so far failed to produce an agreement.

    The unrest began last Tuesday when Al Qaeda announced that the number of virgins a suicide bomber would receive after his death would be cut by 25% this February from 72 to 54. A spokesman said increases in recent years in the number of suicide bombings has resulted in a shortage of virgins in the afterlife.

    The suicide bombers' union, the British Organization of Occupational Martyrs (or B.O.O.M.) responded with a statement saying the move was unacceptable to its members and called for a strike vote. General Secretary Abdullah Amir told the press, "Our members are literally working themselves to death in the cause of Jihad. We don't ask for much in return but to be treated like this is like a kick in the teeth" Speaking from his shed in Tipton in the West Midlands, Al Qaeda chief executive Haisheet Mapants explained, "I sympathize with our workers concerns but Al Qaeda is simply not in a position to meet their demands.

    They are simply not accepting the realities of modern-day Jihad in a competitive marketplace. Thanks to Western depravity, there is now a chronic shortage of virgins in the afterlife. It's a straight choice between reducing expenditures or laying people off. I don't like cutting benefits but I'd hate to have to tell 3,000 of my staff that they won't be able to blow themselves up.

    Spokespersons for the union in the North East of England, Ireland, Wales and the entire Australian continent stated that the change would not hurt their membership as there are so few virgins in their areas anyway.

    According to some industry sources, the recent drop in the number of suicide bombings has been attributed to the emergence of Scottish singing star, Susan Boyle. Many Muslim Jihadists now know what a virgin looks like and have reconsidered their benefit packages.

    • Re: (Score:1, Funny)

      by Tablizer ( 95088 )

      Shortage of virg1ns? Try mining Slashdot. The contract says nothing about quality.

    • by zlives ( 2009072 )

      " now know what a virgin looks like and have reconsidered their benefit packages"

      holy crap that was funny. wish i had mod points

    • by tsqr ( 808554 )

      These [zazzle.com] are not the virgins you are looking for.

  • by ErichTheRed ( 39327 ) on Monday January 12, 2015 @03:35PM (#48796561)

    The PFC appointed as Social Media Officer probably chose a weak password. Seriously, whenever I see a news article about a social media account being "hacked," I really wish journalists would understand these are just password-protected web services!

    Celebrities' naked pictures and Twitter feeds get hacked because they have simple passwords, not because some genius hacker spends months looking for an exploit on their personal phone and the opportunity to introduce it. And even "security question" based password resets don't work when a celebrity will choose answers that anyone can find in 100 gossip rags.

    • by gstoddart ( 321705 ) on Monday January 12, 2015 @03:39PM (#48796599) Homepage

      The PFC appointed as Social Media Officer probably chose a weak password. Seriously, whenever I see a news article about a social media account being "hacked," I really wish journalists would understand these are just password-protected web services!

      Except it doesn't matter.

      Because, much like the DMCA made even incompetent security enshrined in law ... if you or I 'hacked' into someone's Twitter feed using these simple techniques, we would be facing serious criminal charges.

      In the eyes of the law, this trivial form of 'hacking' is as serious as anything else.

      I can't tell you how many websites which have a pre-determined list of "security questions" which almost anybody could get through public sources.

      All you have to do is pretend to have some security and it's just as illegal.

      The media doesn't need to differentiate between one form of hacking and another -- because the fscking law doesn't. Unless of course it's law enforcement doing it, and then it's apparently perfectly legal.

      • by Bob the Super Hamste ( 1152367 ) on Monday January 12, 2015 @05:55PM (#48797787) Homepage
        The trick to those stupid security questions is just to put in a random string there is nothing that says it has to be the real answer. For example:
        Q: What was your first pet's name?
        A: Kd1hRuhe^bhNfyh*285kwlLojs5g0kaSjn
      • Except it doesn't matter.

        Because, much like the DMCA made even incompetent security enshrined in law ... if you or I 'hacked' into someone's Twitter feed using these simple techniques, we would be facing serious criminal charges.

        Serious question, why shouldn't you?

        "Simple techniques" can be used to get through my locked front door, but guess what: it's illegal. And should be.

    • The PFC appointed as Social Media Officer probably chose a weak password. Seriously, whenever I see a news article about a social media account being "hacked," I really wish journalists would understand these are just password-protected web services!

      Celebrities' naked pictures and Twitter feeds get hacked because they have simple passwords, not because some genius hacker spends months looking for an exploit on their personal phone and the opportunity to introduce it. And even "security question" based password resets don't work when a celebrity will choose answers that anyone can find in 100 gossip rags.

      And cockroaches scuttling across a restaurant floor don't mean the place is dirty either. But I get up and leave either way.

    • by glwtta ( 532858 )
      Maybe it's just me, but "attack against weak passwords" seems like a perfectly cromulent use of the word 'hack'. In the "gain unauthorized access to a computer system" sense, anyway.
  • Merciful? (Score:5, Funny)

    by Anonymous Coward on Monday January 12, 2015 @03:45PM (#48796645)

    In the name of Allah, the Most Gracious, the Most Merciful...

    You keep using that word. I do not think it means what you think it means.

    • I think that it's 'merciful' in a slightly more Arabic variation of the "Caedite eos. Novit enim Dominus qui sunt eius." school of mercy.
    • In the name of Allah, the Most Gracious, the Most Merciful...

      You keep using that word. I do not think it means what you think it means.

      To be fair, they're saying God is merciful, not themselves.

    • by Anonymous Coward on Monday January 12, 2015 @05:46PM (#48797713)

      Reminds of The Onion post Sep. 11th: http://www.theonion.com/articl... [theonion.com]

      God Angrily Clarifies 'Don't Kill' Rule

      NEW YORKâ"Responding to recent events on Earth, God, the omniscient creator-deity worshipped by billions of followers of various faiths for more than 6,000 years, angrily clarified His longtime stance against humans killing each other Monday.

      "Look, I don't know, maybe I haven't made myself completely clear, so for the record, here it is again," said the Lord, His divine face betraying visible emotion during a press conference near the site of the fallen Twin Towers. "Somehow, people keep coming up with the idea that I want them to kill their neighbor. Well, I don't. And to be honest, I'm really getting sick and tired of it. Get it straight. Not only do I not want anybody to kill anyone, but I specifically commanded you not to, in really simple terms that anybody ought to be able to understand."

      Worshipped by Christians, Jews, and Muslims alike, God said His name has been invoked countless times over the centuries as a reason to kill in what He called "an unending cycle of violence."

      "I don't care how holy somebody claims to be," God said. "If a person tells you it's My will that they kill someone, they're wrong. Got it? I don't care what religion you are, or who you think your enemy is, here it is one more time: No killing, in My name or anyone else's, ever again."

      The press conference came as a surprise to humankind, as God rarely intervenes in earthly affairs. As a matter of longstanding policy, He has traditionally left the task of interpreting His message and divine will to clerics, rabbis, priests, imams, and Biblical scholars. Theologians and laymen alike have been given the task of pondering His ineffable mysteries, deciding for themselves what to do as a matter of faith. His decision to manifest on the material plane was motivated by the deep sense of shock, outrage, and sorrow He felt over the Sept. 11 violence carried out in His name, and over its dire potential ramifications around the globe.

      "I tried to put it in the simplest possible terms for you people, so you'd get it straight, because I thought it was pretty important," said God, called Yahweh and Allah respectively in the Judaic and Muslim traditions. "I guess I figured I'd left no real room for confusion after putting it in a four-word sentence with one-syllable words, on the tablets I gave to Moses. How much more clear can I get?"

      "But somehow, it all gets twisted around and, next thing you know, somebody's spouting off some nonsense about, 'God says I have to kill this guy, God wants me to kill that guy, it's God's will,'" God continued. "It's not God's will, all right? News flash: 'God's will' equals 'Don't murder people.'"

      Worse yet, many of the worst violators claim that their actions are justified by passages in the Bible, Torah, and Qur'an.

      "To be honest, there's some contradictory stuff in there, okay?" God said. "So I can see how it could be pretty misleading. I admit itâ"My bad. I did My best to inspire them, but a lot of imperfect human agents have misinterpreted My message over the millennia. Frankly, much of the material that got in there is dogmatic, doctrinal bullshit. I turn My head for a second and, suddenly, all this stuff about homosexuality gets into Leviticus, and everybody thinks it's God's will to kill gays. It absolutely drives Me up the wall."

      God praised the overwhelming majority of His Muslim followers as "wonderful, pious people," calling the perpetrators of the Sept. 11 attacks rare exceptions.

      "This whole medieval concept of the jihad, or holy war, had all but vanished from the Muslim world in, like, the 10th century, and with good reason," God said. "There's no such thing as a holy war, only unholy ones. The vast majority of Muslims in this world reject the murderous actions of these radical extremists, just like the vast majority of Christi

  • It's always good when terrorist groups act like 13-year old haxxor boys.

    I hope their god is proud of them.

    • by DoofusOfDeath ( 636671 ) on Monday January 12, 2015 @04:09PM (#48796893)

      It's always good when terrorist groups act like 13-year old haxxor boys.

      I hope their god is proud of them.

      Yeah, joke's on them. Those script kiddies are the 72 virgins!

      • It's always good when terrorist groups act like 13-year old haxxor boys.

        I hope their god is proud of them.

        Yeah, joke's on them. Those script kiddies are the 72 virgins!

        Somebody needs to write a musical called Seventy Two Virgins for Seventy Two Virgins!

  • by Anonymous Coward

    But where are the Charlie Hebdo cartoons Anonymous should be putting on IS' Twitter feed?

  • Does that mean they used to same password? If not, someone must have a keylogger on their system. That seems a bit more serious.
    • Even if they did have a key logger I am wondering why their NIDS didn't detect the bad outbound traffic. Having worked in places that probably have just slightly lower security standards and a well defined set of traffic flows this is the ideal job of a properly set up NIDS. Now add in that a correct set of NIDS rules has a direct mapping to firewall rules (on the hosts and on the network firewall devices which they should have) and this should have been stopped.
  • by hilather ( 1079603 ) on Monday January 12, 2015 @05:57PM (#48797791)
    It's still the shitty applications that don't enforce standard complexity requirements that play a role as well.
  • Re: (Score:2, Troll)

    Comment removed based on user account deletion
  • by jpellino ( 202698 ) on Monday January 12, 2015 @07:31PM (#48798573)
    need a Twitter feed and a YouTube channel?
    • by gtall ( 79522 )

      Because social media is the new battleground. Where have you been the last 5 years?

      • Well, my stepson was fighting an actual battle on an actual battlefield, and it had nothing to do with posting to Twitter or Youtube.
        • by Gryle ( 933382 )
          Your stepson is fighting what's called the "kinetic" fight. That's the part where guns, bigger guns, and a whole lot of ammunition and ordinance are pointed at the enemy. YouTube and Twitter are part of what's called the "non-kinetic" war, which is a fancy term for "propaganda battle" or "making the world think we're the good guys." And frankly, Islamic insurgent groups (IS/ISIS/ISIL in particular) are winning that war (at least in Iraq, Afghanistan, and a number of other predominately Muslim countries) t
  • This reminds me of the "Are you my grandson?" Twitter gag. Someone sent messages to hundreds of celebrities and media personalities stating things like, "Are you my grandson?" and "Where am I?" The account got tens of thousands of followers and mentions on the radio and in the media.

    Then, suddenly, one morning the user changed the name and picture and started tweeting jihadist propaganda.

Time is the most valuable thing a man can spend. -- Theophrastus

Working...