  • Minister Christopher Pyne’s Twitter account ‘liked’ porn video
  • It was ‘liked’ by the account of the Defence Industries minister shortly after 2am
  • He has denied the incident, claiming he was ‘hacked’ overnight

On Wednesday 15th November 2017 Cabinet Minister Christopher Pyne claimed his Twitter account was ‘hacked’ after it ‘liked’ a hardcore gay porn video.

The explicit video, which shows two men engaged in a number of sex acts, was ‘liked’ by the account of the Defence Industries minister shortly after 2am on Thursday.

It is not clear how the tweet, posted by an apparently Mexican porn website, came to be ‘liked’ by Mr Pyne’s account, but it had been removed by around 6.45am.

At around the same time Mr Pyne told his Twitter followers his account had been ‘hacked’.

He said there were no defence secrets that could have been obtained in the breach and his office had changed the password of his account.

“It is very annoying that my Twitter account was hacked at Thursday morning at 2am, I was very fast asleep at 2am on Thursday morning and we’ve taken the necessary steps that you would take in these situations,” Mr Pyne said.

“It is a private Twitter account it is not a defence or government or parliamentary account, we’ve changed the passwords, we’ve obviously deleted the material, changed our approach in the office to social media and informed Twitter which is the same precedent that we followed that Julie Bishop and Scott Morrison went through when they have the same thing happen to them in 2016 and 2014.”

Mr Pyne’s spokesman would not say whether the Twitter account was protected by multi-factor authentication. “The account in question was a public, online, social-media account, not a Defence, government or parliamentary social media account,” he said.

“There are no defence or national security implications. It’s a salutary reminder to all of us that not everyone out there wishes us good will, to routinely change passwords and to be mindful of cyber security.”

It was then announced that the minister’s office was alerted by Facebook that there were attempts to breach his Facebook account.

Malcolm Turnbull said he was “concerned” by Mr Pyne’s hack, saying it was a lesson to use multi-factor authentication.

“What has happened here is someone has got hold of his password, this is just a reminder that you have got to change passwords regularly and in particular, as would often happen in a political office, if the Twitter account is being operated by a number of people over time there is always a risk that the password becomes known or it might be one that is guessed,” Mr Turnbull said.

The story from the perspective of IT security:

Giving Mr Pyne the benefit of the doubt, to me, the story points to a number of information security failings within the Australian government.

Mr Pyne, who is currently overseeing Australia’s $50 billion defence manufacturing program, rejected the need for an internal investigation. Given the serious nature of this incident (1 successful breach of a Twitter account, 1 attempted breach of a Facebook account) and the highly sensitive information available to Mr Pyne, you would expect the AFP and other relevant authorities to investigate.

The reason is that in October of this year it was revealed that top secret information about Australia’s military was hacked and that almost anybody could have penetrated its security due to a simple password fail. It is alarming that our own Defence Industry Minister still does not understand the need for password security.

How are passwords generally hacked? Attackers use a variety of techniques to discover passwords, including but not limited to:

  • Interception: Passwords can be intercepted as they are transmitted over a network.
  • Brute Force: Automated guessing of billions of passwords until the correct one is found.
  • Searching: IT infrastructure can be searched for electronically stored password information.
  • Manual Guessing: Personal information, such as name and date of birth, can be used to guess common passwords.
  • Social Engineering: Attackers use social engineering techniques to trick people into revealing passwords.
  • Key Logging: An installed keylogger intercepts passwords as they are typed.
  • Shoulder Surfing: Observing someone typing their password.
  • Stealing Passwords: Insecurely stored passwords can be stolen – this includes handwritten passwords hidden close to a device.

These recent events are a timely reminder for people and businesses to protect their online accounts by using good, strong, difficult-to-guess passwords and switching on two-factor authentication.

Two-factor authentication, an extra layer of security available on many platforms including Twitter, requires a user to provide a second piece of unique information when logging in. This is usually a code sent to a mobile phone or app.

Other valuable enterprise password security measures include:

  • Blacklisting the most common password choices.
  • Monitoring failed login attempts and training users to report suspicious activity.
  • Not storing passwords in plain text format.
  • Changing all default vendor-supplied passwords before devices or software are deployed.
  • Using account lockout, throttling or monitoring to help prevent brute force attacks.
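
Three of the measures above (blacklisting common passwords, not storing plain text, and account lockout) can be seen working together in the short Python sketch below. It is an added example, not part of the original article; the `AccountStore` class, the sample password list, the minimum length and the lockout thresholds are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample list; a real deployment would load a large list of common passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password123"}
MIN_LENGTH = 10           # assumed minimum length
MAX_FAILURES = 5          # assumed lockout threshold
LOCKOUT_SECONDS = 900     # assumed lockout duration

class AccountStore:
    def __init__(self, clock=time.time):
        self._users = {}      # username -> (salt, scrypt hash); never the plain text
        self._failures = {}   # username -> (failure count, time of last failure)
        self._clock = clock

    @staticmethod
    def _hash(password, salt):
        # Salted, deliberately slow hash so a stolen store resists brute force.
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

    def set_password(self, user, password):
        if len(password) < MIN_LENGTH or password.lower() in COMMON_PASSWORDS:
            raise ValueError("password is too short or too common")
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt))

    def is_locked(self, user):
        count, last = self._failures.get(user, (0, 0.0))
        return count >= MAX_FAILURES and self._clock() - last < LOCKOUT_SECONDS

    def login(self, user, password):
        if self.is_locked(user):
            return "locked"   # a result worth logging and alerting on
        salt, stored = self._users.get(user, (b"\0" * 16, b""))
        if hmac.compare_digest(self._hash(password, salt), stored):
            self._failures.pop(user, None)
            return "ok"
        count, _ = self._failures.get(user, (0, 0.0))
        if count >= MAX_FAILURES:   # an earlier lockout has expired, start counting again
            count = 0
        self._failures[user] = (count + 1, self._clock())
        return "denied"
```

The `"denied"` and `"locked"` results are the events a monitoring system would count per account to spot guessing attempts.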

Where cyber security is concerned it is always better to be safe than sorry, always best to expect the worst. If you would like help securing your IT systems, we’d love to help.