Trump, Twitter and Hackers? Don’t Just Use Passwords


By Jimmy H. Koo

President Donald Trump loves to tweet. He has millions of personal Twitter Inc. followers, his White House account shows signs of being just as popular and his tweets frequently make news around the globe.

So consider this: If Trump’s Twitter accounts were hijacked, hackers could exploit them to send fake tweets with potentially severe economic and national security consequences for the U.S., cybersecurity professionals told Bloomberg BNA.

Companies could see their stock prices change in reaction to hacked presidential tweets, much as they have already seen temporary stock price dips in direct response to authentic Trump tweets over the past year.

Corporate executives and corporations should better monitor the president’s messages and respond as quickly as possible if they cast a company in a bad light. Another lesson is to move employees, particularly high-ranking ones, away from using passwords as a sole security measure, and get them to adopt multifactor authentication and other available login verification procedures, the pros said. In short, the hijacked social media account of a politician or executive of a large company, such as Microsoft Corp. or Facebook Inc., can pose significant dangers from the spread of false information, they said.

“If Trump’s Twitter account is hacked and hijacked, a fake tweet could impact the stock market, threaten national security, or possibly prompt a foreign military action,” Evan Blair, co-founder and chief business officer of Baltimore-based social media security and threat intelligence company ZeroFOX, told Bloomberg BNA.

Twitter is one of the world’s most popular social media platforms, with an average of more than 313 million monthly active users, according to the company.

Trump has been very active on Twitter, often tweeting statements about sensitive issues instead of holding official press conferences or sending press releases. With more than 20 million followers and 34.3 thousand posts, his personal tweets are closely followed, scrutinized and publicized.

The correlation between a Trump tweet, regardless of its veracity, and an immediate effect on stock prices is well documented by Bloomberg data. Various companies, including Boeing Co. and Lockheed Martin Corp., have been on the receiving end of Trump’s market-moving tweets.

[Chart: Global X Uranium ETF]

In a Jan. 23 report, Bloomberg View provided a playbook of how companies can respond to “possible Twitter attacks by Trump.” It suggested monitoring Trump’s statements, reviewing corporate policies, preparing messages in advance, lining up allies and identifying channels to the White House.

Given the considerable influence that Trump’s personal tweets have, if a hacker compromised Trump’s personal Twitter account and sent a rogue tweet, the resulting consequences could be devastating, the cybersecurity professionals said.

The issue of potential hacking of a Twitter account doesn’t arise because of any special weaknesses in Twitter’s systems or security practices. It has more to do with Twitter users failing to take advantage of available safeguards, the cybersecurity pros said.

In June 2016, the online industry nonprofit group Online Trust Alliance named Twitter as the consumer-facing website with the best security, data protection and privacy practices.

Twitter didn’t respond to Bloomberg BNA’s request for comments.

Trump’s Tweets Have Real Influence

Blair, of ZeroFOX, told Bloomberg BNA, “take a look at the real world market fluctuations after the President-elect’s tweet targeting Boeing and Lockheed’s contracts, Air Force One & F-35 programs respectively.”

Immediately following Trump’s Dec. 6 tweet criticizing the cost of the new Air Force One, Boeing’s stock initially dropped but recovered throughout the day. According to Bloomberg Technology, Trump’s criticism of the “out of control” costs of the F-35 program “tempered a post-election rally” of defense companies’ shares. Lockheed shares fell 3 percent and Northrop Grumman Corp., which is a major supplier of the F-35, and Raytheon Co. tumbled the most since August 2015, Bloomberg Technology reported.

These weren’t the only instances of Trump’s tweets affecting the market. After Trump tweeted Dec. 22 that the U.S. must “greatly strengthen and expand its nuclear capability,” a uranium exchange-traded fund surged immediately.

In the hands of a bad actor, Trump’s Twitter account “could be used to target certain corporate valuations or even market segments,” Blair told Bloomberg BNA.

Trump’s personal Twitter account “has become the official mouthpiece of the United States, making the national security or domestic safety implications of a compromised account far ranging,” Blair said. “What if a ‘nasty’ tweet was fired off by a bad actor at the North Korean dictator or the Iranian regime? What if a racially charged tweet was published with a call to action?” Blair asked.

There already is an example of Trump’s tweets spurring an official response by another state. Following a series of Trump’s tweets criticizing China’s stances on Taiwan, international trade, the South China Sea and North Korea, Chinese state news agency Xinhua responded in a commentary post that Trump’s “Twitter foreign policy” was “undesirable.” Instead of Twitter, Xinhua called for diplomacy behind closed doors and through traditional channels.

Threat of False Information

Alex Cox, director of RSA’s Threat Intelligence team in Reston, Va., told Bloomberg BNA that most of the activity associated with a hacked social media account revolves around politically motivated hacktivism, including defacement of websites, phishing and other cybercrimes, such as social engineering phishing of e-mail recipients and leveraging hacks to access other accounts.

“A Twitter account probably has no financial value by itself but depending on the account owner, it could be used to spread false information and create wrong impressions,” Amit Ashbel, director of product marketing and cyber security evangelist at application testing company Checkmarx Ltd. in Tel Aviv, told Bloomberg BNA.

There are real life examples of Twitter accounts being hijacked and posting rogue messages. In May 2016, hackers gained control of pop star Katy Perry’s Twitter account and started posting uncharacteristic tweets filled with profanities.

In December 2016, hacking team OurMine accessed Netflix Inc. and Marvel Entertainment LLC’s Twitter accounts and posted the message, “Hey, it’s OurMine, Don’t worry we are just testing your security, contact us to help you with your security.”

As Ashbel puts it, “these are all potential possibilities, and ones that could spark irreversible upheaval within the U.S. and around the globe.” The possibility of damage is also present for a popular corporate Twitter account. A “hacked account with a large number of followers could create quite a mess and confusion,” for a company, he said.

Multifactor Authentication

According to cybersecurity pros, it’s not very difficult to hack into a Twitter account. The deciding factor is the security measures that users have in place.

“Hacking a Twitter account is generally the same as any other account that uses username/password pair,” Cox said. According to Ashbel, “hacking any account is possible.”

Passwords are “too easy to guess, too often reused and many times not protected in a sufficient capacity,” Cox said.

DataGravity Inc. Chief Information Security Officer Andrew Hay agreed.

“Generally speaking, it’s not that difficult if the account owner utilizes an insecure password and doesn’t employ the more advanced features—such as enabling two-factor authentication,” Hay said. “Like many large social media companies, Twitter is security savvy and offers a two-factor authentication measure,” Cox said.

“Two-factor authentication is probably the best course of action that a user could employ for all online accounts,” Hay told Bloomberg BNA. “When linked to a physical token, such as a mobile phone, the difficulty to compromise the account becomes exponentially more difficult,” he said. “Two-factor authentication is a necessity,” Blair said.

Trump should be using “all available measures Twitter provides,” Ashbel said. “Two-factor authentication would be an obvious one,” he said.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
