Graham Ivan Clark, Onel de Guzman and Michael Calce. These three names will go down in the history of internet commerce, right alongside Jack Dorsey, Mark Zuckerberg and Jeff Bezos.
We’re all familiar with the high-profile entrepreneurs who gave us the tools and services that underpin our digital economy. However, Clark, de Guzman and Calce are equally notable as leading members of the Hall of Fame of script kiddies – youngsters who precociously shed light on how these same tools and services are riddled with profound privacy and security flaws.
The trouble is Clark, 17, of Tampa, Florida, is teaching us much the same lessons in the summer of 2020 that de Guzman and Calce did in the spring of 2000. De Guzman authored the I Love You email virus that circled the globe infecting millions of PCs; Calce, aka Mafiaboy, released the Melissa Internet worm that knocked offline Amazon, CNN, eBay and Yahoo.
Judging from the success of script kiddies, the tech giants apparently have not learned very much about security in 20 years. Clark was arrested in late July and charged with masterminding the hijacking of the Twitter accounts of A-list celebrities, and then Tweeting from those accounts to pull off a Bitcoin scam. His caper is worrisome on two counts. First, it shows how resistant companies continue to be with respect to embracing very doable cyber hygiene practices – measures that would prevent these sorts of hacks. And second, it reminds us how much capacity to wreak havoc truly malicious parties – not just script kiddies – possess. This is chilling considering the times we’re in. On the cusp of electing a U.S. president, with the world struggling to recover from a global pandemic, there are nuanced lessons we can learn from the Twitter Bitcoin hack. Here’s what all consumers and companies should heed going forward.
How the hack transpired
Court records and reporting by the New York Times portray Clark as a self-absorbed youth who got started down the wrong path by cheating other players of the video game Minecraft, and then gravitating to mobile hacking scams to steal Bitcoin. Using the handles “Open” and “OneHCF,” Clark became notorious for selling cool Minecraft names and accessories, like capes for characters, for $50 to $100 to other players; he’d make the sales pitch and collect the cash, but then never deliver the goods, or quickly reclaim the items.
He next graduated to SIM swapping. This involved gathering personal information about a targeted victim, and then using that intel to persuade a wireless carrier employee to swap the victim’s SIM card metadata onto a blank SIM card in his possession. In 2019, Clark gained control of the smartphone of a tech investor from Seattle and allegedly stole 164 Bitcoins, then worth $864,000, from him. The U.S. Secret Service got involved and returned 100 Bitcoins to the victim. Notably, authorities let Clark off the hook, though they had evidence of his role, according to the New York Times’ coverage.
Emboldened, Clark next took aim at Twitter. Clark and several co-conspirators used a two-step approach. First, he phished his way onto Twitter’s corporate network. Next, they moved laterally, wherever they could, to gain an understanding of how Twitter’s network was laid out.
“This knowledge then enabled them to target additional employees who did have access to our account-support tools,” the company said in a statement. “Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately tweeting from 45, accessing the DM inbox of 36 and downloading the Twitter Data of seven.”
The intruders took control of the accounts of Barack Obama, Jeff Bezos, Elon Musk, Bill Gates, Joe Biden, Mike Bloomberg and Kanye West, among others. Tweeting from the official accounts of these celebrities, they carried out Bitcoin variants of the classic Nigerian Prince-type of grift, hauling in $118,000 in Bitcoin payments in a little over an hour, before Twitter spotted the bogus activity and shut it down.
Fallout of social media abuse
It’s easy to dismiss a teenager cleverly using rogue Tweets to sell gullible victims on a too-good-to-be-true, get-rich-quick scheme as a triviality. However, the Twitter Bitcoin hack highlights the capacity for social media to be abused for malicious purposes. In these times, this is anything but a trivial development. Consider how social media services have emerged as potent tools for influencing public opinion — at a time when some weighty questions about civilization as we know it are on the table: Will democracy give way to authoritarianism in the U.S.? Can the nations of the world unite to arrest climate change? What will the global economy look like post Covid-19? Are social injustice and skewed wealth distribution destined to carry on, as usual?
Another script-kiddie hack, of sorts, vividly illustrates the immense potential of social media services to be abused by anyone, with whatever motives. I’m referring to how the youthful users of the TikTok and K-pop social media sites registered en masse for tickets to attend a Trump rally last June in Tulsa, Oklahoma. This duped the rally organizers into bragging about receiving 1 million reservation requests. Only 6,200 people showed up at a venue set up to cater to an overflow crowd of 20,000.
Meanwhile, Facebook CEO Mark Zuckerberg has come under fire this summer from his own employees for equivocating and ultimately declining to do anything about Trump’s Facebook posts inflaming the George Floyd protests. By contrast, Twitter CEO Jack Dorsey has been forthcoming about details of how his company got hacked and has promised to do better. And on July 21, Dorsey, in something of a mea culpa, also directed the removal of thousands of Twitter QAnon accounts used to spread baseless conspiracy theories.
Zuckerberg finally caved to public pressure, and on August 7 followed Dorsey’s lead by suspending the Facebook account of one of the largest public groups fomenting QAnon conspiracy theories. QAnon for several years now has been using Twitter and Facebook to kindle fear and hatred. You might recall this is the group that spread Pizzagate, a conspiracy theory accusing Hillary Clinton of operating a child sex-trafficking ring from a Washington, D.C., pizzeria. This led to a vigilante gunman turning up at the restaurant in December 2016 and opening fire into a closet.
I’m not at all surprised that the public is demanding that social media companies get more in line with the social justice movement. Moving in that direction would put Twitter and Facebook in much better standing with a wide percentage of the populace. Yet doing so conflicts with the profit-making imperative of their own boards of directors.
“Facebook and Twitter are in the unenviable position of being stuck in between titanic, multi-front societal conflicts,” observes Karthik Krishnan, CEO of Concentric.ai, a San Jose, California-based supplier of artificial intelligence systems. “There’s no way these social media giants are going to make everyone happy.”
The need for ‘least privilege’
It would be a major step forward if Twitter and Facebook would at least do more to shore up the security posture of their corporate IT systems. Like many large enterprises, the social media giants have put far too much emphasis on agility — on opening up their systems to all-comers — and not nearly enough on basic cyber hygiene. There’s really no excuse for this. Twitter has a market valuation north of $30 billion, yet when its Chief Information Security Officer (CISO) left last December, the company did nothing; it was still searching for a replacement CISO seven months later — when the celebrities’ accounts got hijacked.
Clark’s successful hack showed Twitter was not even taking a “least privilege” approach to account access, which is a baby step towards adopting full “zero trust” identity and access management (IAM) procedures, something that many progressive enterprises in the tech and financial sectors have moved to. Had it been enforcing least-privilege access, Twitter would have had a very narrowly defined and closely monitored list of employees who could take control of the celebrities’ accounts. It would’ve been much harder for the young Mr. Clark to find, and dupe, someone on that short list. And even if he did, any unusual use of that access would have quickly tripped an alert.
Zero trust, actually, is where Twitter and Facebook should already be, given the sensitive personal data they collect and monetize. Zero trust boils down to never trust anyone until they can prove who they are and why they deserve access. In order to do this, zero trust uses automation and machine-learning to slice and dice access queries on several planes. This makes breaches much more difficult to pull off; it limits the damage that can be caused by any hacker who does break through.
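To make the short list and the alert on unusual use concrete, here is an added sketch (not from the original post, and not Twitter’s tooling) that reviews an audit log from a hypothetical account-support tool. The log format, employee names, action names and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (hypothetical): who is on the short list, which support-tool
# actions count as sensitive, and how much use is "unusual".
AUTHORIZED = {"alice", "bob"}
SENSITIVE = {"reset_email", "disable_2fa"}
WINDOW = timedelta(minutes=10)
MAX_TARGETS = 3   # distinct accounts one employee may touch per window

# Constructed sample log: (timestamp, employee, action, target account)
LOG = [
    ("2024-01-01T19:00:00", "alice", "reset_email", "acct_101"),
    ("2024-01-01T19:02:00", "carol", "view_profile", "acct_102"),
    ("2024-01-01T19:05:00", "carol", "reset_email", "acct_103"),
    ("2024-01-01T20:00:00", "bob", "reset_email", "acct_201"),
    ("2024-01-01T20:01:00", "bob", "disable_2fa", "acct_202"),
    ("2024-01-01T20:03:00", "bob", "reset_email", "acct_203"),
    ("2024-01-01T20:04:00", "bob", "reset_email", "acct_204"),
    ("2024-01-01T21:30:00", "bob", "reset_email", "acct_205"),
]

def review(log, authorized=AUTHORIZED):
    """Return alerts for off-list use and for bursts by on-list employees."""
    alerts = []
    recent = defaultdict(list)  # employee -> [(time, target)] inside WINDOW
    for ts, who, action, target in sorted(log):  # ISO timestamps sort in time order
        if action not in SENSITIVE:
            continue
        when = datetime.fromisoformat(ts)
        if who not in authorized:
            # Least privilege: anyone off the short list is flagged outright.
            alerts.append((ts, who, "unauthorized", target))
            continue
        # Keep only this employee's sensitive actions still inside the window.
        recent[who] = [(t, a) for t, a in recent[who] if when - t <= WINDOW]
        recent[who].append((when, target))
        if len({a for _, a in recent[who]}) > MAX_TARGETS:
            # On the list, but touching too many accounts too quickly.
            alerts.append((ts, who, "burst", target))
    return alerts

if __name__ == "__main__":
    for alert in review(LOG):
        print(alert)
```

The second check matters because being on the short list is not proof of legitimate use: credentials of an authorized employee can be phished, and a burst across many accounts is the signal that remains.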
We could all just wait for human users to somehow become much less gullible. Short of that ever happening, zero trust is the future. Twitter and Facebook should have been steering towards zero trust long ago. Will they do so now, given all that’s happened thus far in 2020? We’ll see. I’ll keep watch.
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/my-take-lessons-learned-from-the-summer-of-script-kiddies-hacking-twitter-tiktok/