Cyber Security

News 95.7 hack a reminder it could happen to anyone, says expert

Digital security expert Chester Wisniewski offers advice for staying secure

First it was News 95.7 in Halifax, then it was News 1130 in Vancouver.

In the span of two days, the two radio stations lost control of their Twitter accounts to hackers who posted hateful and racist tweets.

Cyber security researcher Chester Wisniewski says it could happen to anyone, but there are ways to reduce risk.

“This is happening constantly, and all of the social media companies are terrible at dealing with this,” says Wisniewski. “When it’s really dangerous is when it happens to large media accounts and they send out links to malicious content.”

News 95.7, a Halifax station owned by Rogers, was hacked late Tuesday night. The next night, another Rogers affiliate — News 1130 in Vancouver — posted nearly identical tweets before the organization was able to regain control of the account.

Both stations deleted the tweets and posted apologies.

Twitter user @YoJoshCx claimed responsibility for the News 95.7 hack. Both hacks included tweets that referenced streamer and online personality Paul Denino, who goes by the alias Ice Poseidon. Denino’s fans have orchestrated Twitter hacks like these in the past, though it is unclear whether the streamer was directly involved in the hacks.

Hacking: it’s more likely than you think

Wisniewski, who works at cybersecurity company Sophos, says hacks like these — not-for-profit and orchestrated by people with enough free time — are more common than most people think.

A 2017 study from the University of Maryland’s Clark School found hackers attack computers about once every 39 seconds.

In this week’s hacking, the tweets didn’t contain malware links and there was no request for money. Wisniewski says the hackers were likely motivated by their political message, and found the news stations to be easy targets.

“If you come across one affiliate of a company … and you see that they have bad security practices in how they secure their Twitter accounts, odds are all the other affiliates owned by the same company aren’t going to have a strategy either,” he says.

Media companies, like the radio stations, are especially at risk, says Wisniewski. Their social media accounts often need to be accessed by multiple people, so they use easy to remember passwords and don’t use extra security measures.

Twitter recommends users create strong passwords and use two-step verification. Tips for a strong password include using 10 or more characters and a mix of letters and symbols, as well as not using common words or personal information.

They can also use login verification. Login verification is a second security step where Twitter sends a code to a user’s mobile device that must be entered to access that account.

Four ways to stay safe

Wisniewski says even two-factor authentication isn’t the most reliable form of protection anymore.

“Until recently, those six-digit codes that you got sent deterred most attackers, and nobody was regularly bypassing that if they weren’t spies,” he says.

Now, hackers can create fake websites to fool users into giving them the authentication codes, making two-factor authentication less secure.

While many social media hacks are aimed at people and organizations with large audiences, hackers looking to make easy money can target anyone.

“It’s like locking your car door,” says Wisniewski. “It’s not like I can’t pop the lock on your car door, but if your car door is locked and the one in the parking spot next to it isn’t locked, I’m breaking into that one.”

Staying safe, he says, only takes a few extra steps.

1. Keep long, unique passwords using a password manager

Wisniewski says one way to keep information secure is by having long and unique passwords. It can be hard to keep track of complex passwords for every website, but free password managing apps can generate and store these passwords for you.

If you can’t keep all your passwords different in a password manager, Wisniewski says the most important accounts to secure are email, social media, and finances. He recommends setting long and different passwords for each of these key accounts.

“What really matters is the length. Computers can automate breaking any password less than 12 characters in a few minutes, so the longer it is the better it is,” he says.

2. Use universal two-factor tokens

One easy and affordable extra security step is a universal two-factor token, a physical chip the size of a fingernail that connects via USB to most computers and phones. Rather than remembering a series of long passwords, users can connect the security chip and be instantly authenticated.

Wisniewski says chips are affordable and easy to find and purchase online.

“The problem is you gotta get people to use them, and nobody is,” he says.

3. Always report hacks, no matter how small

Most small hacks are unlikely to be prosecuted, says Wisniewski, but that doesn’t mean they shouldn’t be reported to the local police or RCMP.

“Even though they may not investigate it, it’s really important for us to know the frequencies that these things happen,” he says.

Wisniewski has been working with RCMP to prove the impact and frequency of hacking to the federal government.

“One of the challenges we have is allocating budget to Parliament to equip the police to investigate these crimes,” he says.

More reporting leads to more funding, which leads to more constables who are trained to handle the complex digital forensics needed to track down hackers.

And there’s good news for victims of more serious hacks.

“If the perpetrators are in the U.S. or Canada, we can almost always pick them up and prosecute them,” says Wisniewski.

4. Don’t panic

Wisniewski’s most important piece of advice regarding digital security is to stay calm. Take the extra steps, but don’t stop enjoying the internet.

“The key is to do your best, try to be safe, make sure you have passwords on your phone and have fun. Use stuff, don’t worry about it,” he says.

“The more careful you are, the less likely you are to be a victim.”