CNN is the latest western media organisation believed to have been targeted by the Syrian Electronic Army (SEA) hacktivist group that supports Syrian president Bashar al-Assad.
The organisation’s social media accounts and one of its blogs were briefly compromised by the SEA, according to US reports.
The hacktivist group emerged in May 2011, during the first Syrian uprisings, when it started attacking media outlets and spamming popular Facebook pages.
In more recent months, attackers claiming to be part of the SEA have hit the social media accounts of Microsoft and Skype to protest against US internet surveillance.
In the latest attack, CNN’s Facebook and Twitter accounts showed content from SEA for about an hour, including tweets that said the US was “brewing lies that the Syrian state controls Al Qaeda”.
The SEA said the attack was in protest against CNN’s “biased reporting on Syria”.
Commentators said the SEA targets social media and blogging accounts because of the low standard of security.
Password security for these public-facing apps is an often overlooked issue, said Thomas Pedersen, founder and CEO of identity management firm OneLogin.
“The attack on CNN’s social media accounts is another reminder that bad password hygiene, coupled with a lack of access control, can create weak points in any company’s ability to securely manage their marketing applications,” he said.
Pedersen said it is critical that any organisation – especially larger organisations with distributed internal and external users – locks down access to all applications.
“Password Vaulting is often combined with an IAM system and is a way of adding an additional layer of protection to web apps such as Twitter or in-house content management systems,” said Pedersen.
“By storing the passwords securely server-side and injecting them into an application’s login page during sign-on, there is no reason why a communications worker should ever know his or her password to an app or be able to share it with colleagues,” he said.