
One Month After the Twitter Hack

Published 2020-Aug-14 | Privacy, Social Media, Security

Watch the episode on YouTube

Read the follow-up newsletter

On July 15th, 2020, Twitter was hit with the most visible hack of a social network of all time. 130 of the top accounts tweeted out a bitcoin scam. A month after, have we learned anything? What’s the impact of continuing to use Twitter?

In this episode we’re going to take a look at the issue to see if we can’t answer those questions and more.

Transcript

[00:00:00] A month after the most visible hack in social media history, nothing has changed and there's barely a peep in the news let alone an outcry. Should you worry about using Twitter?

[00:00:15] The most visible hack in social media history. What happened? Well, it all started with a tweet. I'm giving back to the community. All bitcoins sent to the address below will be sent back doubled. If you send $1000, I will send back $2000. Only doing this for 30 minutes. And that of course was followed by a bitcoin wallet address where you could send the money.

[00:00:40] Now this tweet was sent out by Apple, Elon Musk, Barack Obama, Uber, Joe Biden and a host of others on the afternoon of July 15th. The tweets were quickly removed, but not before the cyber criminals made off with about $120,000 US dollars. While the tweets were removed quickly and no more appeared, Twitter was still responding to this incident for hours. For a portion of that time, they also took the significant, but justified, steps of preventing any verified accounts from sending out new tweets.

[00:01:14] There's no doubt about it. This was a serious incident. And after the initial incident, Twitter had a very strong and transparent communications plan. They sent out regular updates and eventually published a very good post-incident report. They should be commended for that. However, we also learned some troubling things about how Twitter operates behind the scenes that should concern you as a user of the platform. The incident itself was possible because the cyber criminals, who have since been charged and are currently working their way through the legal process in the United States, were able to socially engineer a small number of employees.

[00:01:53] That means they tricked them into giving up access that they shouldn't have. Now, despite what you hear in your corporate information security training, it's not your fault. People have been getting tricked since the beginning of, well, people. The challenge in this situation is that the attackers used that access to get more control over Twitter. Specifically, they were able to access a support system that appears not to have had sufficient controls in place to detect and prevent abuse.

[00:02:23] With this access in hand, the attackers used Twitter's own support tools to send out their bitcoin scam from 130 of the top accounts on the platform. Furthermore, they were able to reset the passwords of 45 of those accounts. This gave the cyber criminals access to those accounts' direct messages, or DMs. And the cherry on top was that they were able to download the complete data archive for eight of those accounts as well.

[00:02:51] If this doesn't sound like a lot, remember these are some of the top accounts on the platform. They're linked to major brands and very influential people. [00:03:00] And in the days that followed the attack, it was discovered that about 1500 people had access to Twitter's support tool that provided some level of control over almost any Twitter account. This is the source of the issue and it's important that we understand its impact.

[00:03:18] When you're using any internet service, you have to take precautions to make sure that your account is as safe as possible. The normal advice, which is still solid, is to do the following. Use a strong password. Now, that's a password that is as long as possible. Think more passphrase, not password. And ideally you store that in a tool called a password manager. Number two is you want to turn on any password reset protection that that service offers. This feature usually asks for more than just the old password when you're creating a new one.

[00:03:48] Also, enable two factor authentication wherever it's supported. This feature will either send you a unique code via text message or in a special app that you'll need to enter along with your username and password to log in. It's one of the best ways to stop someone from hacking into your account. And finally, regularly review the third party applications that have access to your accounts.

[00:04:13] All the fun games, the other apps and the various connections you make to your accounts are a risk because if those services get hacked, those attackers could gain access to your account on this service. The problem with this Twitter hack was that even if you took every one of those steps to protect your account, it was all useless. The attackers in this case managed to compromise the support infrastructure. This goes around all the security protections that you, the user, have access to. So why do these support tools exist?

[00:04:45] Well, because people will always have problems. Technology doesn't work as expected. People genuinely forget their passwords. They change their email address and other issues. Any number of these things could pop up and while we all agree that security is very important, at the end of the day, you will be really ticked off if a simple mistake prevents you from getting back your account in the name of security.

[00:05:09] So, companies make support tools that can bend or even break the rules. And they mitigate or reduce the risk of these tools by putting strong processes and procedures around their use. But guess what? Cyber criminals don't usually follow company procedure and in this case, as soon as the attackers tricked the Twitter team members into giving up access, it was game over.

[00:05:32] The only saving grace here was that the attack was so visible and the attackers so apparently incompetent that they used this unprecedented access to run a bitcoin scam. Now, this incident brings to light a startling truth for most people. Your Twitter account isn't actually yours. If it was yours, you would control access to it.

[00:05:55] Now, the existence of the support tool highlights the reality that these accounts are all Twitter's [00:06:00] which, for the record, is in the terms of service that nobody reads, and we all just use these accounts for a while. Making matters worse, there are reports that various team members at Twitter abused the privileged access in order to snoop on various celebrities. This again shows that the account isn't actually yours.

[00:06:18] Now, that's not necessarily a bad thing. You just need to be aware of it. Now, your use of the platform is bounded by those unread terms of service and the privacy policy. These documents set out the relationship between you and Twitter, and any other service. This situation isn't unique to Twitter. Now, most of the time this relationship is a reasonable trade-off.

[00:06:38] For access to and use of the service, you provide the company with something of value. Access to your attention. That's what Twitter sells to advertisers. Now, the problem is when the trust in this relationship is overtly broken. This is a situation the hack highlighted and it raises a lot of questions. The sad truth is that as a user of the platform, you have little to no power. The terms of service and the privacy policy can be changed at any time by Twitter.

[00:07:05] Again, that's standard. Which means that they are whatever the company really wants them to be. Making matters worse, here we are a month after the hack and no one is talking about it or even calling for change. If this is all out of our hands since the support tools are necessary and we have no power to change the nature of the relationship, what a positive and uplifting episode. What's the point of this? Well, the reason I think this issue is important to call out is to highlight the impact that these support tools can have on your privacy.

[00:07:36] Most platforms don't encrypt private messages end-to-end. Now, that's a technique that means only the sender and the intended recipient can read the message. Everyone else, including support, only sees that a message was sent between the sender and the receiver. They don't see the contents.

[00:07:52] Now, Twitter and most social networks don't use this technique for a multitude of reasons. Why? Well, we'll get into that in a future episode. The important takeaway here, the impact to your privacy is that these direct messages are not private. Yes. You send a DM to me and it appears that we're the only people in that conversation. But the data is stored in a database somewhere and someone at Twitter could read it if they chose. Keep that in mind the next time you send a direct message. It might just change what you write.