Who’s Behind Wednesday’s Epic Twitter Hack? — Krebs on Security
Twitter was thrown into chaos on Wednesday after accounts for some of the world’s most recognizable public figures, executives and celebrities started tweeting out links to bitcoin scams. Twitter says the attack happened because someone tricked or coerced an employee into providing access to internal Twitter administrative tools. This post is an attempt to lay out some of the timeline of this attack, and to point to clues about who may have been behind it.
According to Ambuj Kumar, CEO of Fortanix: “The Twitter hack is truly staggering. Not only did some of the most visible accounts get hacked, but the hack may have permanently damaged the trustworthiness of social media. How would we ever know if a tweet is really from the user or was planted by a hacker? Jack Dorsey confirmed that social engineering was used to compromise employees. There are screenshots showing that hackers bribed an employee who assisted with the hack. The hack was definitely financially motivated since hackers used rogue tweets to solicit bitcoins from unwitting followers. This brings us to the core question – why does any employee or a group of employees have so much control over users’ accounts? Twitter was caught storing plaintext passwords in logfiles two years ago. Apparently, Twitter did not learn from that experience or take sufficient steps to keep user credentials and accounts secure. You wouldn’t use a 4-digit passcode to secure nuclear missiles. With great power comes great responsibility. There are multiple technological solutions out there that can prevent such hacks in future. Confidential Computing can ensure that even if privileged employees turn rogue, get bribed, or are phished, the user credentials, sensitive data, and applications remain secure. Twitter employees should not have administrative access over user accounts or the ability to send a Tweet from an account. Twitter users should have full control of their own accounts. If we have to maintain any semblance of trust, it’s imperative that social media companies implement transparent, effective technical solutions to prevent insiders from accessing customer data.”
Tom Patterson, Chief Trust Officer of Unisys: “This Twitter hack highlights a current weakness in the identity process, expanding risks of work from home, lack of sufficient internal segments, and the continued effectiveness of social engineering. Beyond the social engineering of employees, this hack exposed more security issues. When employees work from home, companies frequently don’t have the same levels of security controls available, and thus employees get ‘too much access’ just to ensure they get enough. This is most commonly seen in the rush to open virtual private networks from corporate offices to employee homes. It’s critical that companies recognize that the issue is not just about educating their employees, but they have a fiduciary responsibility to implement proper security controls that work in today’s work from home environment. This can and should be done with new security methodologies including Zero Trust, new technologies led by microsegmentation, and new identities based on the latest FIDO standards. If it can happen to Twitter, it can happen to you.”