What Do CENTCOM’s Twitter Hack and GoDaddy Have in Common?

This screen grab made Monday, Jan. 12, 2015, shows the front page of the U.S. Central Command Twitter account after it was hacked. AP

Two Tennessee Valley Authority sites were compromised in 2013, when an adversary broke in through a software flaw.

The embarrassing hack of U.S. Central Command's Twitter feed earlier this month by purported terrorist sympathizers laid bare the inherent insecurity of normally locked-down federal agencies using external Web services. But this is far from the first time it's happened.

The Tennessee Valley Authority was left similarly red-faced by a previously undisclosed 2013 incident, in which the government-owned power corporation’s public website was entangled in a hack targeting Web-hosting provider GoDaddy.

Two of the corporation's sites managed by GoDaddy were compromised, according to Tennessee Valley officials. The adversary broke in through a software flaw in WordPress, a content management system powering the webpages.

"Attackers had utilized a vulnerability to gain administrative access to the websites and create unauthorized accounts on the websites," special agents said in a March 2013 inspector general report obtained by Nextgov through a public records request. 

Here's where the CENTCOM Twitter hack and the Tennessee Valley hack differ. The corporation detected the intrusion ahead of the public, even before cyber sleuths at the Department of Homeland Security or FBI suspected anything.  

A Tennessee Valley communications employee noticed the compromise, additional research uncovered the second breach, and then GoDaddy worked to help immediately fix the situation, corporation spokesman Jim Hopson told Nextgov Jan. 23. The hack happened Jan. 11, 2013, and the inspector general opened an investigation two days later.

"The breach was reported the same day it was detected," a DHS official confirmed Friday. 

Unlike the Twitter breach, the bad guys didn't seem to have their eyes set on embarrassing Tennessee Valley, per se. The intrusion was aimed at GoDaddy's host server, Hopson said. Around the time of the TVA hack, some payday loan scammers seemed to be compromising other GoDaddy WordPress sites. 

“It was a broad assault on an external third-party server, did not target TVA specifically and could not have impacted our electric generation or power transmission system," he said.

But it would not be outside the realm of possibility for a hacker to jimmy open a weak GoDaddy doorway to tamper with an agency's informational resources. Over Thanksgiving, Assad sympathizers self-dubbed the Syrian Electronic Army allegedly did just that by hijacking readers of CNBC, the Chicago Tribune and other media outlets -- and rerouting them to a fraudulent page. 

GoDaddy did not respond to a request for comment.

"While we do have monitoring systems in place, it is fair to say that they are less robust externally than they would be internally," Hopson said. "I think that's fair to say of most places because you don’t usually have the same controls outside your own firewall."

The year the corporation was hacked, researchers at WP White Security and EnableSecurity determined 73 percent of the 40,000 most popular websites using WordPress software were vulnerable to attacks.

In the TVA case, a connected computer server was of no help in identifying the perpetrator because "logging had not been turned on," the agents reported. Without that evidence, there is "no basis for a criminal investigation," they concluded. On Friday, FBI officials said they typically neither confirm nor deny the existence of an investigation.

Power Grid Hacked?! Not Quite

There is an immediate visceral reaction when one hears a utility has been breached. Even though this system had no link to Tennessee Valley's own networks, the hack could tarnish the agency's reputation and create additional risks to deal with, said Patrick Miller, founder of EnergySec, a nonprofit cyber advocacy group partially funded by the Energy Department.

If employees were using the same password to log onto their work computer and GoDaddy, the attacker might have walked away with some government credentials. 

"People sometimes reuse credentials they use in other areas of the business," Miller said. "I always worry about that." 

Tennessee Valley officials say there are multistep ID checks in place, as well as other security layers to prevent hackers from using any stolen passwords to access email or other work accounts.

Something else to consider after a public-facing website is hacked: the credibility of the information presented to citizens. 

"I understand that everyone thinks compromised public information won’t have any impact because it’s public, not confidential, but the integrity of public information can cause reputation issues," Miller said. "If it’s public information, but it’s the wrong information, that can have a very significant impact especially when you are a highly ranking industry, such as the power sector."

Hackers also theoretically could move financial markets by manipulating rates on public energy sites like OASIS, a tool for sharing information on transmission prices and product availability.

"OASIS is the open access information system that is used so that we can keep the insider trading out. We publish information to all participants at once through our OASIS sites,” which usually are hosted by an outside company, Miller said. “It’s all public information because everybody in the world is supposed to see it at the same time, but if that information was wrong, the traders could take action on some wrong information.”

Tennessee Valley's information security staff stifled the unauthorized activity before damage was done, corporation officials say. 

Even so, they have a public perception scrape. "Though no one can take control of the power grid, they are still a company and they still have to clean up a problem that was created due to some third-party flaw in software that they had no control over," Miller said.

The proliferation of agencies using third parties and fourth parties to showcase public information increases the attack surface for intruders, experts and feds agree. 

"There is an enormous benefit to communicating through a mechanism such as Twitter, but Twitter is not owned by CENTCOM so there are risks associated with using it," Hopson said of the social media hack earlier this month where alleged ISIS sympathizers took over CENTCOM’s Twitter and YouTube accounts, defacing them with threatening messages.

Most of the time, the advantage of being able to communicate with citizens in the forum they choose outweighs the cyber risks, if proper precautions are taken, he said. 

"The most secure system that you can have is to operate in an island and not connect to the Internet, but you handicap yourself as an agency when you do that," Hopson said. 
