“This is a big deal”: what the massive Twitter breach tells us about the porous nature of “cyber security” (did Putin come calling?)

The plot to steal bitcoin is small potatoes compared to what is surely to come. 

16 July 2020 (Chania, Crete) – It’s the most elaborate hack, the biggest breach Twitter has ever had to tackle. And let’s make this clear: you can’t say we didn’t see it coming. And not to see possible Russian games being behind this … well, read on.

Whatever Twitter eventually comes to say about yesterday’s events, when it suffered the most catastrophic security breach in company history, it must be said that the events were set in motion years ago.

This is a monumental fail by Twitter, for a whole host of reasons from the specifics of the case to the overall architecture of the service. Last month I did a full analysis of Twitter’s shambolic infrastructure and operations so I am not going to repeat all of that again. The most obvious takeaway from this attack was that (again) Twitter appeared wholly unprepared for this sort of hack. From Ben Thompson’s blog early this morning:

What is fascinating about this breach is that Twitter appeared wholly unprepared to handle it. The company eventually shut down the ability of verified accounts to tweet or change their email address [explained below], but it seems likely that had the infiltrators not clumsily tweeted a lame bitcoin scam Twitter would have never known something was afoot; to put it in more concrete terms, the attackers, because of their ability to change the email address associated with any Twitter account, had access to every Twitter account. A far more sophisticated attacker — which, by the way, this attacker could still be, only time will tell — might have used such power to access direct messages, manipulate stocks, or, in the most frightening scenario, instigated geopolitical conflict.

So just a few things that hit me straight away:

• Start with the administrative access to all Twitter accounts held by an extraordinary number of Twitter employees. This has traditionally been very common in tech, not simply because of laziness, but also for customer support reasons. The problem is that at some point companies like Twitter cross a line where the potential downside of an employee going rogue outweighs the convenience of “god-mode”, but far too few companies – including, apparently, Twitter – proactively lock down access, instead relying on internal mores and individual employee restraint.

The best example of this was in 2017 when a contractor (a contractor!) deactivated Trump’s account. The Trump example highlights how lax Twitter’s defaults were: the individual wasn’t even a full-time employee, but a contractor for the company’s Trust and Safety division; it never occurred to anyone at Twitter that this level of power should probably be reserved for the company’s most senior executives (the New York Times reported that Trump’s account now has this sort of elevated protection). Again, though, this isn’t just a Twitter failure, but one that is common throughout the tech industry.
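To make the “god-mode” problem concrete, here is an added example (not Twitter’s code, and not taken from any of the sources quoted in this post) of how an internal account-support tool can be scoped so that no single person holds takeover power over every account: per-role permissions, a protected-account tier that only a narrow group may touch, a two-person rule for takeover-grade actions such as changing an account’s email address, and an audit record of every decision, allowed or denied. The role names, the protected tier, and the sample staff and accounts are assumptions constructed for the illustration.

```python
"""Least-privilege model for an internal account-support tool (added example).

Not Twitter's code. Roles, the protected tier, the two-person rule and the
sample data below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# What each role may do. "change_email" and "deactivate" are the actions
# that amount to account takeover, so they are deliberately scarce.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "support_contractor": {"view_profile"},
    "support_staff": {"view_profile", "change_email"},
    "trust_and_safety": {"view_profile", "change_email", "deactivate"},
}

# Actions that must never be carried out by one person acting alone.
TWO_PERSON_ACTIONS: Set[str] = {"change_email", "deactivate"}


@dataclass
class Account:
    handle: str
    email: str
    protected: bool = False   # elevated-protection tier (assumed)
    active: bool = True


@dataclass
class AuditEvent:
    when: str
    actor: str
    action: str
    handle: str
    outcome: str
    approver: Optional[str] = None


class SupportTool:
    def __init__(self, staff_roles: Dict[str, str], accounts: List[Account]):
        self.staff_roles = staff_roles
        self.accounts = {a.handle: a for a in accounts}
        self.audit: List[AuditEvent] = []

    def _log(self, actor, action, handle, outcome, approver=None) -> bool:
        """Record every decision; return True only for an 'allowed' outcome."""
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEvent(stamp, actor, action, handle, outcome, approver))
        return outcome == "allowed"

    def authorize(self, actor: str, action: str, handle: str,
                  approver: Optional[str] = None) -> bool:
        role = self.staff_roles.get(actor)
        account = self.accounts.get(handle)
        if role is None or account is None:
            return self._log(actor, action, handle, "denied: unknown actor or account")
        if action not in ROLE_PERMISSIONS[role]:
            return self._log(actor, action, handle, "denied: role lacks permission")
        # Protected accounts are off limits to everyone outside one narrow role.
        allowed_roles = {"trust_and_safety"} if account.protected else set(ROLE_PERMISSIONS)
        if role not in allowed_roles:
            return self._log(actor, action, handle, "denied: protected account")
        if action in TWO_PERSON_ACTIONS:
            approver_role = self.staff_roles.get(approver) if approver else None
            if (approver == actor or approver_role is None
                    or action not in ROLE_PERMISSIONS[approver_role]
                    or approver_role not in allowed_roles):
                return self._log(actor, action, handle,
                                 "denied: needs an independent second approver", approver)
        return self._log(actor, action, handle, "allowed", approver)

    def change_email(self, actor: str, handle: str, new_email: str,
                     approver: Optional[str] = None) -> bool:
        if not self.authorize(actor, "change_email", handle, approver):
            return False
        self.accounts[handle].email = new_email
        return True


def build_demo_tool() -> SupportTool:
    """Constructed staff and accounts for the walkthrough."""
    staff = {
        "contractor_a": "support_contractor",
        "staff_b": "support_staff",
        "tns_c": "trust_and_safety",
        "tns_d": "trust_and_safety",
    }
    accounts = [
        Account("@bigbrand", "ops@bigbrand.example"),
        Account("@headofstate", "office@gov.example", protected=True),
    ]
    return SupportTool(staff, accounts)


if __name__ == "__main__":
    tool = build_demo_tool()
    tool.change_email("staff_b", "@bigbrand", "new@bigbrand.example")             # denied, no approver
    tool.change_email("staff_b", "@bigbrand", "new@bigbrand.example", "tns_c")    # allowed
    tool.change_email("staff_b", "@headofstate", "x@example.invalid", "tns_c")   # denied, protected
    for ev in tool.audit:
        print(ev.actor, ev.action, ev.handle, ev.outcome)
```

The point of the design is that the denied paths are logged just as carefully as the allowed ones: a contractor probing for a takeover-grade action on a protected handle leaves a trail before any damage is done, which is exactly the signal the post says Twitter lacked until the scam tweets made the intrusion obvious.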

• All of the accounts attacked yesterday had the blue check mark next to the name, which is supposed to indicate that you can trust the identity of the account. Trump essentially governs via the social network, dictating policy and threatening world leaders. In the wrong hands, that account could start a war. It all highlights (again) the deeper problems relating to Twitter’s structure.

• Beginning in the spring of 2018, scammers began to impersonate noted cryptocurrency enthusiast Elon Musk. They would use his profile photo, select a user name similar to his, and tweet out an offer that was effective despite being too good to be true: send him a little cryptocurrency, and he’ll send you a lot back. Sometimes the scammer would reply to a connected, verified account — Musk-owned Space X, for example — giving it additional legitimacy. Scammers would also amplify the fake tweet via bot networks, for the same purpose.

• The events of 2018 showed us three things. One, at least some people fell for the scam, every single time — certainly enough to incentivize further attempts. Two, Twitter was slow to respond to the threat, which persisted well beyond the company’s initial comments that it was “taking the issue seriously”. And three, the demand from scammers coupled with Twitter’s feeble initial measures to fight back set up a cat-and-mouse game that incentivized bad actors to take more drastic measures to wreak havoc, and to continue to test Twitter’s infrastructure weakness.

Experts at the time noted the plot to steal bitcoin was small potatoes compared with the much worse things a malefactor could do with access to Twitter’s highest profile accounts. So cyber experts deemed this a “dry run”.

• The most disturbing bit. Late last night, in a Tweet thread, the company announced “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”

Why does that matter? Because in 2010 Twitter settled a matter with the Federal Trade Commission over the very same lapses that allowed administrative access to Twitter accounts. The key paragraph:

The FTC’s complaint alleged that between January and May of 2009, hackers were able to gain administrative control of Twitter on two occasions. In January 2009, a hacker used an automated password-guessing tool to gain administrative control of Twitter, after submitting thousands of guesses into Twitter’s login webpage. The administrative password was a weak, lowercase, common dictionary word. Using the password, the hacker reset several passwords, and posted some of them on a website, where other people could access them. Using these fraudulently reset passwords, other intruders sent phony tweets from approximately nine user accounts. One tweet was sent from the account of then-President-elect Barack Obama, offering his more than 150,000 followers a chance to win $500 in free gasoline. At least one phony tweet was sent from the account of Fox News.

During a second security breach, in April 2009, a hacker was able to guess the administrative password of a Twitter employee after compromising the employee’s personal email account where two similar passwords were stored in plain text. The hacker reset at least one Twitter user’s password, and could access nonpublic user information and tweets for any Twitter users.
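The two FTC incidents above turn on an unthrottled login page and a weak, lowercase, dictionary-word administrative password. What follows is an added example, not Twitter’s code and not part of the FTC complaint, of the two basic controls that address exactly those lapses: a password-strength check that rejects that class of password outright, and a sliding-window throttle that locks both the targeted account and the source address after a burst of failures, so that “thousands of guesses” never get submitted. The thresholds, the stand-in word list, the demo credentials and the replayed attempt stream are all constructed assumptions.

```python
"""Online password-guessing defences for a login endpoint (added example).

Not Twitter's code. Thresholds, the word list, the demo credentials and
SAMPLE_ATTEMPTS are constructed for illustration.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Tiny stand-in for a real breached-password / dictionary list.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "admin", "sunshine"}


def is_weak_password(pw: str, min_len: int = 12) -> bool:
    """Reject the kind of password the FTC complaint describes:
    short, all-lowercase, or a plain dictionary word."""
    if len(pw) < min_len:
        return True
    if pw.lower() in COMMON_WORDS:
        return True
    if pw.islower() or pw.isalpha():      # no mixed case, digit or symbol
        return True
    return False


class LoginThrottle:
    """Sliding-window failure counter with a lockout, keyed per account
    and per source address so a single source cannot spray many accounts."""

    def __init__(self, max_failures: int = 5, window: float = 300.0, lockout: float = 900.0):
        self.max_failures = max_failures
        self.window = window          # seconds over which failures are counted
        self.lockout = lockout        # seconds a key stays locked
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, key: str, now: float) -> bool:
        return self.locked_until.get(key, 0.0) > now

    def record_failure(self, key: str, now: float) -> None:
        q = self.failures[key]
        q.append(now)
        while q and q[0] < now - self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            q.clear()

    def record_success(self, key: str) -> None:
        self.failures.pop(key, None)


def attempt_login(throttle: LoginThrottle, credentials: Dict[str, str],
                  username: str, ip: str, password: str, now: float) -> str:
    """Return 'locked', 'denied' or 'ok'. Locked keys are refused before the
    password is even examined, so the correct password does not help a
    guesser who has already tripped the limit."""
    keys = (f"user:{username}", f"ip:{ip}")
    if any(throttle.is_locked(k, now) for k in keys):
        return "locked"
    # Demo only: a real system compares a salted password hash, never plaintext.
    if credentials.get(username) == password:
        for k in keys:
            throttle.record_success(k)
        return "ok"
    for k in keys:
        throttle.record_failure(k, now)
    return "denied"


# Constructed attempt stream: (username, source ip, password, seconds since start).
SAMPLE_ATTEMPTS: List[Tuple[str, str, str, float]] = [
    ("admin", "203.0.113.7", "password", 0.0),
    ("admin", "203.0.113.7", "letmein", 1.0),
    ("admin", "203.0.113.7", "welcome", 2.0),
    ("admin", "203.0.113.7", "qwerty", 3.0),
    ("admin", "203.0.113.7", "sunshine", 4.0),                 # 5th failure: lockout
    ("admin", "203.0.113.7", "Correct-Horse-Battery-9", 5.0),  # right password, but locked
    ("support", "203.0.113.7", "Another-Good-Pass-42", 6.0),   # same ip, other user: locked
    ("support", "198.51.100.4", "Another-Good-Pass-42", 7.0),  # clean ip: allowed
    ("admin", "203.0.113.7", "Correct-Horse-Battery-9", 1000.0),  # lockout expired
]


def replay(attempts: List[Tuple[str, str, str, float]] = SAMPLE_ATTEMPTS) -> List[str]:
    throttle = LoginThrottle()
    creds = {"admin": "Correct-Horse-Battery-9", "support": "Another-Good-Pass-42"}
    return [attempt_login(throttle, creds, u, ip, pw, t) for (u, ip, pw, t) in attempts]


if __name__ == "__main__":
    for (u, ip, pw, t), outcome in zip(SAMPLE_ATTEMPTS, replay()):
        print(f"t={t:>6.0f} {u:8} {ip:14} -> {outcome}")
```

The per-address key matters as much as the per-account one: with only an account counter, a guesser simply rotates through accounts, and with only an address counter, a guesser rotates through addresses. Keeping both, and refusing locked keys before the credential is checked, is what turns a login page from an oracle that answers thousands of guesses into one that answers five.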

Attackers hijacked Twitter DNS in order to route users to a defacement page … the exact modus operandi in yesterday’s hack. In ten years, Twitter learned zero.

The level of sophistication of this attack could make it difficult to track those responsible. But because of that sophistication many in the intelligence community (IC) are pointing to Russia and view this as a “test drive”. In an IC Zoom chat last week, we discussed the “ramped up” disinformation tools used by Moscow against the West. Technological advancements in artificial intelligence and cyber capabilities have opened them up to more opportunities, and those increasingly sophisticated cybertools make attribution almost impossible.

As to the U.S. elections in the fall “the Russians are gonna hack everything in November. It will be child’s play. Poor supply chain management, poor security implementation and overall lack of national and state governance on cyber security, and worse, zero integrity-checking on e-voting machines – it just opens the doors. Social media? Eh. It has not seen anything yet”.

Or maybe somebody simply got paid off. Let’s look at the attack.

I spoke to Craig Bicksman of CrowdStrike who examines these types of attacks for a living. He looked at the leaked internal screenshots of the Twitter administration dashboards (Motherboard and scores of other media sites have posted them) and he said:

This is a big deal. You’d almost think somebody paid a Twitter insider. Did an employee hijack the accounts themselves or give hackers access to the tool? Because it’s clear the accounts were taken over using an internal tool at Twitter. I looked at the screenshots for the account of Binance [one of the accounts that hackers took over]. According to screenshots, at least some of the accounts appear to have been compromised by changing the email address associated with them using the tool. And it also looks like they changed ownership of some so-called OG accounts [accounts that have a handle consisting of only one or two characters] as well as facilitating the tweeting of the cryptocurrency scams from the high profile accounts.

NOTE: Twitter has been deleting screenshots of the panel and has suspended users who have tweeted them, claiming that the tweets violate its rules.

If so, this is familiar ground. Two former Twitter employees previously abused their access to spy on users for the Saudi regime, according to the Justice Department. And all tech companies face the issue of malicious insiders. Motherboard has previously revealed how Facebook employees used their privileged access to user data to stalk women; how Snapchat workers had a tool called Snaplion that provides information on users; and how MySpace employees abused a tool called “Overlord” to spy on users during the site’s heyday.

To speculate much further, said Craig, would be irresponsible. But he said “this is not your garden-variety hack in which a bunch of people reused their passwords, or a hacker used social engineering to convince AT&T to swap a SIM card. This is damn sophisticated.”

Claude Kinski at FireEye (another cyber security client of mine) agreed with Craig after he looked at the leaked screenshots and said hackers could have accessed internal Twitter tools, and he would not be surprised if it was an “inside job”. If so, he said, Twitter’s response to the incident was pathetic:

The company’s initial tweet on the subject said almost nothing, and two hours later it had followed up only to say what many users were forced to discover for themselves: that Twitter had disabled the ability of many verified users to tweet or reset their passwords while it worked to resolve the hack’s underlying cause.

Me? It makes you wonder what contingencies the company has put into place in the event that it is someday taken over not by greedy Bitcoin con artists, but by state-level actors or psychopaths. After today it is no longer unthinkable, if it ever truly was, that someone takes over the account of a world leader and attempts to start a nuclear war. Last week I sent to my cyber security subscriber list a report on that very subject from King’s College London which you can read here.

This failure is not simply one of policy, but mindset. We still, we still, we still maintain this “Pollyannish Assumption”, the idea that everything is mostly good but for some bad apples. A more realistic view – that humanity is capable of both great beauty and tremendous evil, and that the Internet makes it easier to express both – demands a more proactive approach. This, unfortunately, applies to tech company employees just as much as it applies to tech platform users, and the sheer scale of the latter should factor into the degree of trust given the former. Yes, this will make operations less efficient, but, as the saying goes, with great power comes bureaucratic constraints on individual action.

The threat here is not simply user privacy and data security, though those threats are real and substantial.

Side point to anyone using Twitter for confidential private messaging: huge mistake, and not simply because Twitter DMs are one of the most neglected opportunities in tech history. It turns out any Twitter employee with a grudge or given a bribe can give away everything.

This is about the striking potential of Twitter to incite real-world chaos through impersonation and fraud. As of today, that potential has been realized. Americans can only worry about how, with a presidential election now less than four months away, it might be realized further.

One Reply to “This is a big deal”: what the massive Twitter breach tells us about the porous nature of “cyber security” (did Putin come calling?)

  1. Aaron Taylor says:

    Thank you for an excellent commentary on a very serious and potentially devastating situation. I can only add, through my head-shaking shock at our current social vulnerability, that anytime I see a company spokesperson say in response to some devastating event, that it was “taking the issue seriously”, I will assume they are really saying, “We don’t know what the hell to do”.
