ROUNDTABLE: What’s next, now that we know V.I.P Twitter users can so easily be spoofed?
Judging from the criminals’ meager payday, the high-profile hack of Twitter, disclosed last week, was nothing much.
The hackers insinuated their way deep into Twitter’s internal system. They were able to get into a position from which they could access some 350 million Twitter accounts, including numerous accounts of the rich and famous.
They then hijacked control of the accounts of Barack Obama, Jeff Bezos, Elon Musk, Bill Gates, Joe Biden, Mike Bloomberg and Kanye West, among others. Next they used the accounts — posing as the celebrities — to pitch Bitcoin variants of the classic Nigerian Prince-type of grift. The con game ran for a little over an hour before Twitter shut it down – and the criminals hauled in only $118,000.
However, because of how Twitter has become a tool to manipulate social discourse, spread disinformation and even influence presidential elections, this hack could yet have a much more devastating long-run impact. Last Watchdog gathered observations from a roundtable of cybersecurity thought leaders. Here’s what concerns them, going forward:
Mounir Hahad, head of the Juniper Threat Labs at Juniper Networks
“This is a very serious hack that could have resulted in a lot of damage in financial markets, should a tweet have been attributed to a personality with influence like POTUS, the Treasury Secretary or the Chairman of the Federal Reserve Bank. In a very short period of time, one of the Bitcoin wallets saw more than 300 contributions, some at around $5,000, totaling over $118,000 in received funds.
This was obviously a carefully coordinated attack that required a non-trivial amount of preparation. Given the scope of the hack, it is unlikely the accounts were compromised via typical credentials phishing. Unless Twitter identifies the root cause and patches it, we could see similar attacks in the near future.”
Ambuj Kumar, CEO, Fortanix
“The Twitter hack is truly staggering. Not only did some of the most visible accounts get hacked, but the hack may have permanently damaged the trustworthiness of social media. How would we ever know if a tweet is really from the user or was planted by a hacker?
Jack Dorsey confirmed that social engineering was used to compromise employees. There are screenshots showing that hackers bribed an employee who assisted with the hack. The hack was definitely financially motivated since hackers used rogue tweets to solicit bitcoins from unwitting followers.
This brings us to the core question – why does any employee or a group of employees have so much control over users’ accounts? Twitter was caught storing plaintext passwords in logfiles two years ago. Apparently, Twitter did not learn from that experience or take sufficient steps to keep user credentials and accounts secure.”
Karthik Krishnan, CEO, Concentric.ai
“Honestly, I think we’re lucky the attackers had a financial motive here. Twitter is used for so many things – including public health and safety – and it’s the platform for a ton of consequential conversations. Better that we should learn to have some skepticism via a Bitcoin exploit than an international misunderstanding caused by a spoofed tweet from the account of one of our global leaders.
There’s been some criticism about Twitter’s initial handling of the incident related to accounts being locked out while Twitter assessed the situation. I think that criticism’s misguided. I’d rather see them temporarily limit communication than see a flood of potentially very dangerous spoofed tweets.
This is a good time to reinforce the security principle of least-privilege. Insiders should be granted access only to the things they need to do their work and nothing more. This extends not just to your IT teams, but to everyone and for every electronic interaction they have – up to and including the files they create and manage on a daily basis.”
Colin Bastable, CEO, Lucy Security
“The wider question is what else has been accessed? Is there more info to be released, like DMs? It is highly unlikely that Biden or Obama run their Twitter accounts – they have operatives to do that, so probably not much private gold to be mined at that level.
The enablers for this attack were 1.) Work from home — #wfh. Twitter encourages its staff to work remotely. People’s behaviors change when their work environments change, and this has made the ‘mark’ (victim) more susceptible to a targeted spear phishing attack. 2.) Twitter’s process for putting its thumb on the scales of users it wishes to censor; aka shadow-banning. Apparently, this is done manually, and the mark was an employee who had the ability to backdoor into accounts. That’s a big security failure. And 3.) third-party scheduler apps may have provided the route to the mark.
I don’t think the public associates Jack Dorsey with Square to the extent that he is seen as ‘the man in black at Twitter.’ But, given that he appears to have strong top-down control over both businesses, and given Square’s financial role, I’d say that regulators will want to take a hard look at governance.”
Roger A. Grimes, data defense expert, KnowBe4
“You will hear many tout multi-factor authentication (MFA) as the way to prevent the type of social engineering attack that Twitter suffered. MFA will not work to stop these types of attacks. More than likely Twitter’s compromised employees were already using MFA, proving that it isn’t a perfect protection.
Most big companies use Application Programming Interfaces (API) to do their account administration and control. APIs rarely allow MFA to be used. Once you have an “API key” or logon credentials, you can do nearly anything the system is capable of doing. A major portion of password attacks over the last few years have involved attacks against APIs.
MFA is great for stopping general, broadcast-type attacks against millions of potential victims, where phishers are trying to get a bunch of passwords or trick users into installing trojan horse programs, but it is not great at stopping targeted attacks. As an attacker, if I know you use MFA, I can use your imperfect understanding of how it works and what it prevents against you and your company.”
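Grimes’s point is that an API key or admin credential is rarely covered by MFA, so the control has to sit in what the key is allowed to do. The following is an added example, not code from the original post or from any roundtable participant: a deny-by-default authorization gate for an internal account-administration tool in which each key carries explicit scopes (least privilege, as Krishnan describes), account-takeover actions on accounts flagged as protected need a second, distinct approver, and every decision is logged so unusual access is detectable. The account names, scope names and action names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample policy; a real tool would load this from configuration.
PROTECTED_ACCOUNTS = {"vip_account_a", "vip_account_b"}
REQUIRED_SCOPE = {
    "view_profile": "read_profile",
    "reset_email": "account_admin",
    "post_as_user": "post_as_user",
}
# Actions that amount to account takeover; on protected accounts they need a second person.
SENSITIVE_ACTIONS = {"reset_email", "post_as_user"}


@dataclass(frozen=True)
class ApiKey:
    owner: str          # employee the key was issued to
    scopes: frozenset   # exact actions this key may perform, nothing broader


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, **event):
        self.entries.append(event)


def authorize(key: ApiKey, action: str, target: str,
              approver: Optional[str] = None, log: Optional[AuditLog] = None):
    """Return (allowed, reason). Denies unless the key's scope covers the action;
    sensitive actions on protected accounts also require a distinct approver.
    Every decision, allowed or denied, is written to the audit log."""
    log = log if log is not None else AuditLog()
    scope = REQUIRED_SCOPE.get(action)
    if scope is None or scope not in key.scopes:
        decision = (False, "missing scope")
    elif target in PROTECTED_ACCOUNTS and action in SENSITIVE_ACTIONS:
        if approver is None:
            decision = (False, "protected account: second approver required")
        elif approver == key.owner:
            decision = (False, "approver must differ from key owner")
        else:
            decision = (True, "approved by second person")
    else:
        decision = (True, "scope present")
    log.record(owner=key.owner, action=action, target=target,
               approver=approver, allowed=decision[0], reason=decision[1])
    return decision
```

A denied attempt against a protected account is itself a detection signal, so the log entries should be shipped to monitoring rather than kept only in the tool.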
Sean Koontz, VP Solution Consulting at Clear Skye
“The Twitter hack exemplifies how powerful social media platforms have become in our society and the high-stakes game we’re playing with hackers and vulnerabilities in the backend systems and IT tools that run these social media services. It exposes how influencers – and their public personas – need sophisticated protection.
It’s unclear if anyone internal at Twitter was behind the tweets or compromised influencers’ credentials, but, either way, Twitter needs better controls to monitor, track and protect who has access to their customers’ credentials.
For the media teams of the influencers (e.g., Bill Gates, Elon Musk, Kanye West), ensuring two-factor/multi-factor authentication is enabled to protect their Twitter feed is crucial. However, if this breach was enabled by a security bug in Twitter’s own code, it goes to show that we still have a ways to go in developing secure code, inspecting code before and once published, and putting in place continuous security monitoring.”
Casey Kraus, president, Senserva
“Not having the correct tools in place to ensure that user configurations conform to internal security policies drastically increases an organization’s risk of a potential breach.
The state of security of digital commerce, judging from this hack and other recent incidents, is somewhat like the Wild Wild West. Technology is rapidly expanding to where it is outpacing the people working on it, causing more risk.
The public should be made aware that everyone should work on Zero Trust policies — not just in business, but, as you can see from Twitter, in their personal environment as well. The old saying rings true, ‘If it sounds too good to be true, it likely is.’”
Jess P. Parnell, VP of Security Operations, Centripetal Networks
“The problem is no one knows how they got hacked; there’s a lot of guessing happening, including about how they managed to bypass MFA. It seems it is potentially an insider. At this time the answers would simply be guesses to his questions.
Somehow hackers gained access to prominent and influential people, somehow bypassing MFA, where they requested funds via bitcoin and scammed people out of thousands of dollars. Some appear to be a Ponzi scam; others appear to ask for donations.”
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/roundtable-whats-next-now-that-we-know-v-i-p-twitter-users-can-so-easily-be-spoofed/