AP Twitter Hack

[jimmy olsen]

Phishing attacks like that can't be stopped. Someone will always click the link.

http://www.slate.com/blogs/future_tense/2013/04/23/ap_twitter_hack_would_you_click_the_link_in_this_phishing_email.html

Would You Click the Link in This Email That Apparently Tricked the AP?

By Will Oremus
Posted Tuesday, April 23, 2013, at 10:11 PM
Share on Facebook

Hacking a prominent Twitter account, like the one that the Associated Press uses to broadcast breaking news to some 2 million followers, sounds like it would be hard. Apparently it isn't.

At least, it doesn't seem to be hard lately for a rogue hacker outfit that calls itself the Syrian Electronic Army, which claimed responsibility for Tuesday's AP tweet-jacking. The SEA, which seems to have a pro-Assad agenda though it claims it isn't affiliated with the Syrian government, has been racking up successful hacks at an alarming rate in the past few months. And the roster of reported victims, as collected by Reuters earlier today, reads like a checklist of the most credible and influential English-language news organizations: the BBC, NPR, CBS' "60 Minutes," Reuters News, and now the AP.

It wasn't immediately clear whether the hackers obtained the AP's password by installing keystroke-logging malware on employees' machines or by tricking them into entering their credentials on a bogus site. But an internal AP email, posted on Jim Romenesko's media blog, gives us a good idea as to how they might have gotten in the door: by spear-phishing. That means targeting specific people with legitimate-looking emails designed to trick them into giving up sensitive information. In this case, several AP employees received an email shortly before the Twitter hack that appeared to come from one of their colleagues. Here's what it looked like, according to Romenesko's source:

    Sent: Tue 4/23/2013 12:12 PM
    From: [An AP staffer]
    Subject: News

    Hello,

    Please read the following article, it's very important :

    http://www.washingtonpost.com/blogs/worldviews/wp/2013/04/23/

    [A different AP staffer]
    Associated Press
    San Diego
    mobile [removed]

Notice that it lacks most of the telltale signs of a scam. The "from" field contains not some unknown name, but the name of someone you know and work with. The topic is generic, but it's also something that AP staffers have to be looking out for all the time: news. And the URL in the link looks legitimate—it seems to point to Max Fisher's WorldViews blog on the Washington Post site.
http://www.washingtonpost.com/blogs/worldviews/

Would you click the link in that email if it appeared in your inbox in the middle of a busy workday? Probably not, right? But if you were distracted—if the name in the "from" field was that of a friend or your boss—if you were in a hury—isn't there maybe at least a chance that you'd click before you even took a moment to think about it? And when you consider that this email was probably sent to a bunch of different people at the AP all at once, and the odds of at least one or two clicking on start to look pretty good.

In other words, blame the AP if you like, but if spear-phishing was indeed the SEA's way in, then what happened to them could happen to just about any organization. Chet Wisniewski of the security firm Sophos told me the attack points to the need for Twitter to offer two-factor authentication, and it seems likely that the company is indeed working on that.

But forget Twitter for a second. The other takeaway here is just how effective a well-targeted spear-phishing attack can be. Everyone knows to avoid emails from Nigerian princes. By now most people know to be wary of Facebook or Twitter messages from their friends that say things like "lol ur famous now." Now it seems we have to watch out for work emails from colleagues that are properly spelled and punctuated, on-topic, and generally plausible, if a little vague. Good luck everyone!

[jimmy olsen]

What the fuck! 

http://redtape.nbcnews.com/_news/2013/04/23/17881215-fake-tweet-shows-country-sensitive-to-any-news-that-sounds-like-terrorism?lite

If you define the term "hacking" loosely, you might consider that whoever wrote the fake tweet hacked not only AP's account, but the entire Wall Street trading system. The trades which sank the market Tuesday were almost certainly initiated by automated trading programs designed to profit by fast-twitch reacting to good or bad news.

The combination of a jittery public, automated trading, and a worldwide rumor tool was toxic for the markets.

"That goes to show you how algorithms read headlines and create these automatic orders — you don't even have time to react as a human being," said Kenny Polcari of O'Neil Securities. "I'd imagine the (Security and Exchange Commission) is going to look into how this happened. It's not about banning computers, but it's about protection and securing our markets."

[DGuller]

Algorithm trading is the one of the parts of the financial system that IMO are purely harmful to society.  Their whole purpose is to claw back the profit from regular investors and inferior algorithms.  It's entirely zero-sum, and on the whole it actually destroys liquidity rather than increasing it.

[Admiral Yi]

"Sank?"  "Toxic?"  The Dow dropped 1 fucking percent and immediately recovered.

The only people I ever hear bitching about algorithm trading are market timers that are now getting beat by machines that do the same thing.  And DGuller.

[Josquius]

Whats the problem with that link? Looks totally legit. Odd.

[DGuller]

The only people I ever hear bitching about algorithm trading are market timers that are now getting beat by machines that do the same thing.  And DGuller.

You must not be listening very carefully.  They are very serious questions about how algorithm trading makes the system more fragile to shocks.

[CountDeMoney]

The only people I ever hear bitching about algorithm trading are market timers that are now getting beat by machines that do the same thing.  And DGuller.

HEY NOW

[MadImmortalMan]

Some of the algos are probably linked to twitter aggregators and google analytics. It makes total sense if you think about it. I wonder what would happen if anonymous somehow organized a mass tweet offensive saying great things about some particular stock.

Actually, if it were a super low-volume penny stock it might only take a couple dozen people... 

[CountDeMoney]

Some of the algos are probably linked to twitter aggregators and google analytics. It makes total sense if you think about it.

No, it doesn't.  It should be illegal.

[derspiess]

Some of the algos are probably linked to twitter aggregators and google analytics. It makes total sense if you think about it.

No, it doesn't.  It should be illegal.

Now mention shareholder value.

[fhdz]

The only people I ever hear bitching about algorithm trading are market timers that are now getting beat by machines that do the same thing.  And DGuller.

You must not be listening very carefully.  They are very serious questions about how algorithm trading makes the system more fragile to shocks.

[Admiral Yi]

I'm no expert on the subject, but I don't think we're talking about the old program trading that caused a 20% one day drop in the market back in the 80s.

Just take a look at this: people thought there was a bombing of the White House, the market dropped 1% and instantly recovered.  Hardly a good data point for fragilizing the market.

[fhdz]

How about the 2010 "Flash Crash"? That was over a 1000-point drop IIRC.

[Josquius]

How did the thread suddenly change to being about stock markets?

Anyway, computerised tradigin systems are an abomination, they go totally against what the stock market should be about and turn it into something horrible and very dangerous.

[Admiral Yi]

What should stock markets be all about Squeeze?