More HBO Hacks
Following a cyber attack against HBO earlier this month which led to confidential information and content being leaked, the media company has once again become the target of hackers. This time the Twitter accounts of several HBO shows appear to have been compromised by attackers believed to be OurMine.
Background & Impact
The name OurMine has previously been used in several hacks of social media accounts belonging to, among others, Mark Zuckerberg, Jimmy Wales and Sundar Pichai, as well as in a notable breach of the content aggregator Buzzfeed's website in late 2016. Whether this week's hacks of HBO Twitter accounts were performed by the same attacker(s) is unknown. While some attackers publish cryptographically signed messages to prove that different attacks were performed by the same party, OurMine is not known to do so, so the shared name alone proves nothing.
Apart from a short message posted on several of the affected Twitter accounts urging HBO to contact OurMine, no malicious actions appear to have taken place.
Defending Social Media Accounts
There is a lot of public confusion surrounding the hacking of social media accounts. At scale, accounts are usually compromised through weak, reused or leaked passwords. Yet surely the tech-company CEOs who previously had their Twitter accounts hijacked by OurMine know how to choose a strong password and not reuse it.
It turns out that protecting Twitter accounts is surprisingly tricky.
Twitter has to provide users with a way to reclaim their accounts if they forget their password or lose access to a two-factor authentication device such as their phone. Without such recovery methods, a large number of accounts would become inaccessible every year as passwords are inevitably forgotten and phones lost or broken.
Customarily, account credentials are reset by sending an email to a registered address. Thus an attacker with access to a victim's mailbox ultimately also has access to their Twitter account. Alternatively, accounts may be verified through text messages sent to a registered phone number.
This approach seems secure until one considers that mobile carriers can assign a phone number to any SIM card at will. A dedicated attacker can therefore use traditional identity theft and social engineering techniques to convince a carrier to move the victim's number to the attacker's own SIM (a "SIM swap"), after which every further text message for that number, including one-time reset codes, arrives at the attacker's handset.
With control of the phone number, the attacker can then either reset the Twitter account directly or use the number to reset the credentials of the victim's email account and reach Twitter through that. Every account whose recovery ultimately chains back to the phone number falls with it.
While by no means all such attempts succeed, it only takes a single gullible support worker at the target carrier to breach security. Since attackers get a virtually unlimited number of attempts and many support workers are not trained to see the security implications of moving a phone number, such attacks are bound to keep succeeding.
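The chain above (carrier support desk → phone number → email account → Twitter) is a dependency graph, and the practical question for anyone protecting a high-profile account is which assets fall once one recovery channel is captured. The following is an added example, not code from the original post or from HBO or Twitter: it models each asset's recovery options as alternative sets of prerequisites and computes the takeover closure by fixpoint iteration. All asset names, the sample phone number and the two graphs are constructed for illustration; the "hardened" graph assumes recovery settings (printed backup codes, authenticator app) that are merely plausible, not anything the post states a given service offers.

```python
"""Recovery-dependency analysis: which accounts does an attacker reach once
they control a single recovery channel?  Added example, not from the article.
All asset names below are constructed for illustration."""

# Each asset maps to a list of alternative recovery paths.  A path is a set of
# assets that must ALL be controlled in order to reset or recover the target.
RECOVERY_WEAK = {
    # A carrier support worker can reassign the number to a new SIM.
    "phone:+1-555-0100": [{"carrier:support-desk"}],
    # The mailbox resets its password with an SMS code.
    "email:pr@example.com": [{"phone:+1-555-0100"}],
    # Twitter resets via a link to the email OR a code to the phone.
    "twitter:@ExampleShow": [{"email:pr@example.com"}, {"phone:+1-555-0100"}],
}

RECOVERY_HARDENED = {
    # The carrier is unchanged: you cannot fix the phone company yourself.
    "phone:+1-555-0100": [{"carrier:support-desk"}],
    # Mailbox recovery needs printed backup codes; SMS reset disabled.
    "email:pr@example.com": [{"backup-codes:printed"}],
    # Twitter reset needs the email link AND the authenticator app.
    "twitter:@ExampleShow": [{"email:pr@example.com", "totp:authenticator"}],
}


def takeover_chain(graph, initially_controlled):
    """Return {asset: path_used} for every asset the attacker ends up
    controlling, starting from `initially_controlled` (path_used is None
    for those).  An asset falls when ANY one of its recovery paths is fully
    controlled; iterate until nothing new falls."""
    owned = {asset: None for asset in initially_controlled}
    changed = True
    while changed:
        changed = False
        for asset, paths in graph.items():
            if asset in owned:
                continue
            for path in paths:
                if path.issubset(owned):
                    owned[asset] = frozenset(path)
                    changed = True
                    break
    return owned


def explain(graph, start, target):
    """Human-readable takeover steps from `start` to `target`, in the order
    the attacker would perform them, or None if `target` is unreachable."""
    chain = takeover_chain(graph, start)
    if target not in chain:
        return None
    steps, todo, seen = [], [target], set()
    while todo:
        asset = todo.pop()
        if asset in seen:
            continue
        seen.add(asset)
        path = chain[asset]
        if path is None:          # attacker started with this asset
            continue
        steps.append(f"{' + '.join(sorted(path))} -> {asset}")
        todo.extend(sorted(path))
    return list(reversed(steps))


if __name__ == "__main__":
    attacker = {"carrier:support-desk"}   # one gullible support worker
    for name, graph in (("weak", RECOVERY_WEAK), ("hardened", RECOVERY_HARDENED)):
        print(f"{name}: {explain(graph, attacker, 'twitter:@ExampleShow')}")
```

Run against the weak graph, the analysis shows the full three-step chain ending at the Twitter account; against the hardened graph the phone number still falls (the carrier is outside the victim's control) but nothing downstream does, because no remaining recovery path is satisfied by the phone alone. The same function applies to any set of accounts: list each account's real recovery options and start from whichever channel you trust least.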
Resetting credentials is one of the classic chicken-and-egg problems of the internet. Most corporations rely on their own authentication systems, but Twitter cannot be integrated with any of them. At the same time, the network's international footprint and anonymous nature make demanding government ID to reset account credentials highly impractical.
As such, resetting credentials through email or phone messages is likely to remain the standard for the foreseeable future. With that standard in place, attackers will continue to occasionally take over high-profile accounts and abuse them to broadcast their messages.