Twitter is a popular social media platform where users can connect and share their thoughts with a wide variety of audiences. Users generally trust that Twitter keeps their information safe, but that trust appears to have been shaken after a very public and dramatic hack that recently revealed glaring holes in Twitter’s security.
Last week, on July 15th, 2020, a number of high-profile Twitter accounts, including those of Barack Obama, Joe Biden, Elon Musk, Kanye West, and Warren Buffett, were briefly taken over by hackers and used to promote a Bitcoin scam.
Twitter locked things down late Wednesday, temporarily restricting the ability of verified accounts to tweet and limiting other functionality as well. According to Twitter, about 130 accounts were targeted, and only a small subset of those was actually taken over and used to tweet. Still, given the broad reach of the affected profiles, millions likely saw the messages the attacker(s) sent out. The scam quickly netted over $115,000 in Bitcoin, which, for reasons explained later, is relatively unremarkable.
While Twitter quickly took down the hacker’s messages and secured the affected accounts, it didn’t take long for people to start asking tough questions: How had the tech giant let this happen?
What We Know
Twitter offered an explanation the night of the attack: “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
This internal tool is used by Twitter employees to monitor and control accounts on the platform. Normally, access to it is tightly locked down, but the hijackers were able to gain direct or indirect control of it for the duration of the attack, and that was achieved with help from an employee.
Social engineering refers to attacks in which victims are manipulated into surrendering sensitive information or access, whether knowingly or unknowingly (often through phishing). In the case of last Wednesday's attack, it appears to have been knowing: a Twitter insider was not tricked but paid for his cooperation, according to sources who spoke to Motherboard.
This revelation—along with the fact that some of Twitter’s biggest accounts were affected as opposed to a select few—makes the incident stand out in the social media company’s history.
“What’s interesting about this particular breach is that it was not another case of Twitter users being careless with their credentials,” writes Jingcong Zhao with Security Boulevard. “It was the result of security vulnerabilities within Twitter’s internal systems and missteps made by employees.”
Regardless of who "pulled the trigger" or why, once the tool was in the attackers' hands it was quickly used to change the email address on each targeted account. Then, as Louis Columbus explains at Forbes, two-factor authentication was disabled, so notifications about the account changes went to the attacker-controlled email address rather than to the account owners, allowing the hijackers to work unnoticed...at least until they drew the attention of millions by tweeting their Bitcoin scam.
Why This Matters
To put it bluntly, this hack, albeit dramatic and harmful to those who lost money to the Bitcoin scam, could have been much worse.
Brian Fung with CNN demonstrates this beautifully, explaining how, “with the level of access they enjoyed, the hackers could have triggered a sell-off in the financial markets, issued fake policy pronouncements or disrupted entire presidential campaigns.”
It also would have been a simple matter, he explains, to use the hacked account of someone influential—the President’s daughter, for example—to trigger a global, possibly nuclear, conflict. That’s terrifying.
Fung also makes a great point that the approximately $115,000 secured by the hackers in their Bitcoin scam pales in comparison to the millions of dollars hackers force businesses and organizations to pay through other financially motivated attacks. And since Bitcoin transactions are all recorded on a public ledger, the wallet holding the stolen funds is "radioactive," meaning it will be monitored extremely closely. In other words, no hacker would reasonably attempt to cash out, as doing so would likely lead investigators right to them.
So, if a relatively small amount of money was stolen and the hackers can’t even get to it, what was the point?
We can't be one-hundred percent sure what the hackers hoped to accomplish (or did accomplish) beyond making a big splash in the news. Fung speculates that the hackers could also have made off with other sensitive information about the high-profile accounts that could be released later: things like private messages, photos, phone numbers, and email addresses. In fact, Twitter confirms this happened. At least 36 accounts had their direct message (DM) inboxes accessed, and eight had all their account data downloaded, DMs included. Time will surely reveal more about what else was stolen, but one thing is certain now: released at the right moment, compromising information like this could be disruptive to people's public and private lives.
What This Means for Cybersecurity
Twitter's scandal will go down in history as a textbook example of the dangers of insider threats. Most security programs spend most of, if not all of, their effort and resources defending against attacks from outside the company: malware, trojan horses, spoofing, phishing, and so on.
Although it’s uncomfortable to admit, employees can also disrupt a business with their behavior. Verizon’s 2019 Insider Threat Report defines five categories of insider threats, and their names do a great job of explaining themselves: there’s the Careless Worker, the Insider Agent, the Disgruntled Employee, the Malicious Insider, and the Feckless Third-Party.
With everything going on in the world since the start of 2020, workers are going to be more vulnerable to bribery. That’s a fact of any recession, but it’s especially true during a worldwide pandemic. An employee facing a furlough, a pay cut, a layoff, or any number of external stressors from home may be desperate enough to look for new ways to make money or even get revenge.
Probably the best way to defend against threats from insiders is to define strong privilege practices and strictly enforce them.
“A very important component of your defense strategy should be the approach of zero standing privileges,” explains Dr. Torsten George, Cybersecurity Evangelist. “That means that I have normal privileges and entitlements to do my job, like answering emails and using the Internet, but that’s probably all I need. If I need more access, I’ll have to elevate my privilege for the time needed to do that particular task but then rescind that privilege once it’s done.”
He continues: “If I have zero standing privileges – even if somebody compromises my credential, even if I’m an insider – I don’t have immediate access to the keys to the kingdoms to do whatever I want.”
In the case of last week’s incident, the employee clearly had privilege to operate the internal tool that Twitter uses to control and monitor its accounts. But was this necessary?
“Did these employees truly need access to these internal systems to do their jobs?” asks Jingcong Zhao. “Did anyone in IT security review these employees’ access privileges recently? Was multi-factor authentication enabled on the compromised systems?”
These are great questions to ask. Answering them could have made the difference between this attack succeeding and failing. As George pointed out, an attack would not have been immediately successful, since the compromised employee would have had to formally request elevated privilege to make the changes necessary to take over an account, and that request is itself a checkpoint where a second person or a policy engine can say no. On a day-to-day basis, requiring employees to make formal requests like this adds some friction, but that is the trade-off of heightened security. Twitter is probably kicking itself for making this trade in favor of ease of use, or maybe it was just a genuine oversight. Either way, everyone can learn a lot from this breach.
And it seems like people are doing just that.
“How to stop these kinds of security breaches has become the subject of growing efforts within the cybersecurity world,” writes Kevin Collier and Jason Abbruzzese with NBC News. “Which employees have access to what systems is closely watched, and security software can look out for employees who are doing things out of the ordinary.”
One possible way to protect against insider threats and bad actors with unintended access is to use machine learning. Models trained on each user's normal activity can flag when someone behaves unusually or maliciously, such as performing a sensitive action outside the typical maintenance window or from a new location, and respond by requiring a fresh multi-factor authentication check before the action goes through.
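To make both ideas concrete, the zero standing privileges model George describes and the behavioral step-up check above, here is a small Python model of an internal account-support tool. It is an added example written for this article, not Twitter's tooling or any vendor's product. It assumes a 15-minute elevation lifetime, a 09:00 to 18:00 UTC maintenance window, a per-user set of known locations, and constructed audit events with invented user, ticket and target names. Sensitive actions (changing an email address, disabling 2FA, resetting a password) are refused without an active, time-bounded elevation, and even with one they require a fresh MFA check when the request looks out of the ordinary.

```python
"""Toy privilege broker: just-in-time elevation plus behavioral step-up MFA.

Constructed example for illustration only. Window, TTL, known locations,
user names, ticket numbers and targets are all assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Actions that can take over an account; each requires an active elevation.
SENSITIVE_ACTIONS = {"change_email", "disable_2fa", "reset_password"}
MAINTENANCE_WINDOW = (9, 18)           # assumed: 09:00-18:00 UTC is "normal"
ELEVATION_TTL = timedelta(minutes=15)  # assumed: grants lapse after 15 minutes


@dataclass
class Elevation:
    user: str
    reason: str          # e.g. a support ticket the grant is tied to
    expires_at: datetime


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    target: str
    location: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    step_up_mfa: bool = False  # True when the caller must re-authenticate


class PrivilegeBroker:
    def __init__(self, known_locations: dict[str, set[str]]):
        self._grants: dict[str, Elevation] = {}
        # Baseline of locations each user has been seen from (assumed learned).
        self.known_locations = known_locations

    def elevate(self, user: str, reason: str, now: datetime) -> Elevation:
        """Grant a short-lived elevation; it is rescinded automatically."""
        grant = Elevation(user, reason, now + ELEVATION_TTL)
        self._grants[user] = grant
        return grant

    def active_grant(self, user: str, now: datetime) -> Elevation | None:
        grant = self._grants.get(user)
        if grant is None or now >= grant.expires_at:
            self._grants.pop(user, None)  # expired grants are dropped
            return None
        return grant

    def anomalies(self, ev: Event) -> list[str]:
        """Simple behavioral checks: time-of-day and unfamiliar location."""
        flags = []
        start, end = MAINTENANCE_WINDOW
        if not start <= ev.ts.hour < end:
            flags.append("outside_maintenance_window")
        if ev.location not in self.known_locations.get(ev.user, set()):
            flags.append("new_location")
        return flags

    def authorize(self, ev: Event, mfa_passed: bool = False) -> Decision:
        if ev.action not in SENSITIVE_ACTIONS:
            return Decision(True, "routine action, standing privilege suffices")
        if self.active_grant(ev.user, ev.ts) is None:
            return Decision(False, "no active elevation for sensitive action")
        flags = self.anomalies(ev)
        if flags and not mfa_passed:
            return Decision(False, "step-up MFA required: " + ", ".join(flags),
                            step_up_mfa=True)
        return Decision(True, "elevated" + (", step-up MFA passed" if flags else ""))


def run_demo() -> list[tuple[str, bool, bool]]:
    """Replay constructed events; returns (action, allowed, step_up_required)."""
    t0 = datetime(2020, 7, 15, 14, 0)  # 14:00 UTC, inside the assumed window
    broker = PrivilegeBroker({"alice": {"office-1"}})
    results = []

    def check(ev: Event, mfa: bool = False) -> Decision:
        d = broker.authorize(ev, mfa_passed=mfa)
        results.append((ev.action, d.allowed, d.step_up_mfa))
        return d

    check(Event(t0, "alice", "change_email", "@target", "office-1"))  # no grant yet
    broker.elevate("alice", "ticket-1234", t0)
    check(Event(t0 + timedelta(minutes=1), "alice", "change_email", "@target", "office-1"))
    ev3 = Event(t0 + timedelta(minutes=2), "alice", "disable_2fa", "@target", "unknown-vpn")
    check(ev3)            # new location -> step-up MFA demanded
    check(ev3, mfa=True)  # same request after MFA succeeds
    check(Event(t0 + timedelta(minutes=20), "alice", "disable_2fa", "@target", "office-1"))  # grant expired
    check(Event(t0 + timedelta(hours=9), "bob", "view_profile", "@target", "home"))  # routine, no grant needed
    return results


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The point of the replay is the order of checks: an insider with a valid login and no grant is stopped before any behavioral analysis runs, a grant that has lapsed is treated as if it never existed, and an anomalous request inside a live grant is not refused outright but pushed through a second authentication step, which is the "request for multi-factor authentication" the paragraph above describes.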
What Can You Do?
Insider threats are never an easy topic to address, but every business needs to be considering them now. The Twitter breach is a stark reminder that overlooking privileges and access to internal tools can spell disaster. We can all consider ourselves lucky that the hackers didn't do more to disrupt things (although there may be more fallout in the future). An attack on your business may not end the same way.
That’s why experts are urging companies to overhaul their approaches to cybersecurity.
“Organizations have to rethink the way that they’ve structured their defense controls and truly take an approach of an in-depth strategy with a different layer of defenses,” explains Torsten George. He goes on to add that enabling multi-factor authentication is “low hanging fruit” that many companies are not taking advantage of.
Businesses also need to do more than maintain and monitor their systems regularly, although that remains a critical element of cybersecurity, since exploiting out-of-date software is still a key threat.
“Security holes come and go. Sometimes there’s something urgent happening but once you patch and update, you’re good to go,” writes Mikko Hyppönen, chief research officer at F-Secure. “The human weaknesses are there always. Every day. Forever.”
Small businesses can be especially vulnerable to human disruption. Not only do employees often lack basic education on avoiding phishing attacks, but the small businesses that hire them may not be able to afford the salaries of security experts who could analyze and upgrade their policies and systems.
That’s where outside help comes in. For a low, predictable monthly expense, small businesses can partner with a wealth of trusted experts that value the same things they do. Managed service providers bring enterprise-quality services, technology, and solutions to the Little Guy. In a world that has proven itself susceptible to disruptive and malicious threats, today’s business leaders can’t afford to go it alone.
You can reach out to us here at Machado Consulting by giving us a call at (508) 453-4700. We can’t wait to show you what we can do for your business.