For those of us who spend way too much time on Twitter

For those of us who spend way too much time on Twitter, you may have noticed something strange pop up on your timeline late last week.

On Wednesday, July 15th, a long list of celebrities, politicians, and business leaders like Jeff Bezos began posting the same exact tweet:

This post was immediately suspicious as people around the world began asking themselves if Jeff Bezos would ever really “give back to my community.” This couldn’t be right, something was up.

But Amazon’s CEO was far from the only account posting this obvious Bitcoin scam. Former President Barack Obama, Warren Buffett, Kanye West, Elon Musk, and many others had the same post appearing at the top of their timeline.

Responding to the incident, Twitter posted a thread of updates:

At this point, it is too early to tell whether the attack was carried out through a social engineering operation as described by Twitter’s statement or if they had an insider that knowingly gave them access to the internal controls.

In the case of SIM swapping, it is not uncommon for compromised employees to simply carry out the swapping for cash. No social engineering needed. We know that this short-lived crew was part of OGUsers where this is standard practice.

The real question, and the real failure for Twitter from an organizational/security point of view, is how compromising a single employee gave the attackers such a high level of control over these very, very valuable assets.

This serious breach of security protocol at a site of critical infrastructure was not a plot by a Russian APT crew to turn off the power in the dead of winter. Instead, it was something much, much more ridiculous. Apparently, a number of employees figured that the computing power at their site was going to waste, so why not harness it to mine some cryptocurrency?

At this point, hacking for crypto mining is a common trope of the internet. Someone does something incredibly risky, but thankfully it’s usually just aimed at making a couple of digital bucks. But honestly, who knows? This whole incident could have been a diversion for a more targeted attack that we will only find out about later, if ever.

As an industry and a public, we need to recognize these events for what they are — clear and present warnings of a threat to national security that should be taken seriously.

Cases of harm coming from dangerous statements by politicians in power are easy to imagine. Think also about what kind of damage a hacker could do by impersonating the CEO of a major corporation and posting that they were selling all of their stock due to some crisis. What if it wasn’t Elon Musk, whom we’ve gotten used to pulling outlandish stunts at this point, but Bill Gates who also had his account taken over?

So if we want to take it seriously, how should we as companies approach this challenge?

From my perspective, the key lies in combining defense in depth, which limits the damage an attacker can do once they have made it past your barriers, with systems that fail gracefully when something does go wrong.

The Principle of Least Privilege tells us that we should grant users within our organization only the permissions they need in order to do their job, and no more. This is far from an exact science, since it forces us to balance usability against security.

If you give someone within your organization more permission than they need, then it will probably reduce a lot of friction since they won’t have to spend time requesting access. The downside is that it raises your level of risk. The converse is equally true since locking down access too harshly can bring productivity to a grinding halt.

Interestingly, organizations’ assumptions about who needs the most privileged access are often based on company hierarchy rather than actual needs. If you think about it for a minute, does your CEO really need regular access to your servers? Probably not, and giving him or her wide-reaching access without an operational need raises the level of risk.

The more permissions that are granted, the harder they become to manage securely.

In the case of the Twitter hack, my question (which may never be answered) is how many employees have access to change passwords on user accounts? Is there any consideration given by Twitter to VIP-level accounts when it comes to providing additional security measures? How are they going to keep service running the next time that an attack occurs?

My hope is that the attackers got lucky and found the one Twitter admin who had singular access to these accounts. Unfortunately, I doubt that this was a fluke. Moving forward, I hope that someone within that company moves to segment access to high-value accounts to a small team, so that if their internal admin tools are compromised for less critical users, these riskier accounts will not be impacted.
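As an added illustration of segmenting admin access by account tier (this is not Twitter's tooling or the author's code), the following Python sketch encodes a deny-by-default policy with a separate VIP tier and computes the number the post asks about: who could reset a password on a VIP account. All staff names, roles and account names are made up.

```python
# Constructed example of a tiered authorization policy for an internal admin
# tool (made-up names and roles, not any real company's tooling). Roles grant
# (action, account_tier) pairs; anything not explicitly granted is denied.
ROLE_GRANTS = {
    "support":  {("view_profile", "standard"), ("password_reset", "standard"),
                 ("contact_change", "standard")},
    "vip_desk": {("view_profile", "standard"), ("view_profile", "vip"),
                 ("password_reset", "vip"), ("contact_change", "vip")},
    "auditor":  {("view_profile", "standard"), ("view_profile", "vip")},
}
STAFF_ROLES = {
    "alice": {"support"}, "bob": {"support"}, "carol": {"support"},
    "dave": {"vip_desk"}, "erin": {"auditor"}, "frank": {"support", "auditor"},
}
VIP_ACCOUNTS = {"ceo_account", "former_president"}


def tier_of(account):
    """High-value accounts live in their own tier so grants can be scoped."""
    return "vip" if account in VIP_ACCOUNTS else "standard"


def is_allowed(staff, action, account):
    """Deny by default: true only if one of the staff member's roles
    explicitly grants this action on the target account's tier."""
    needed = (action, tier_of(account))
    return any(needed in ROLE_GRANTS[r] for r in STAFF_ROLES.get(staff, ()))


def blast_radius(action, tier):
    """Everyone who could perform `action` on `tier` accounts: an attacker
    only needs to compromise one of them. Keep the VIP set small."""
    return {s for s, roles in STAFF_ROLES.items()
            if any((action, tier) in ROLE_GRANTS[r] for r in roles)}


if __name__ == "__main__":
    print("support can reset standard:", is_allowed("alice", "password_reset", "random_user"))
    print("support can reset VIP:", is_allowed("alice", "password_reset", "ceo_account"))
    print("who can reset VIP passwords:", blast_radius("password_reset", "vip"))
```

With this layout, compromising a general support account (the large set) gives an attacker nothing on the VIP tier; only the one-person vip_desk set matters there.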

Along with policy measures, there are some tools that they can use to identify attackers quicker and limit the damage. There are more than a few great companies out there offering solutions from different angles that are worth considering.

Moving forward, we need to utilize prescriptive, and not predictive, analytics that will help us to make better decisions. But that’s fodder for another post at a later date.

We need technology that helps us to identify red flags. If numerous high-profile accounts are acting suspiciously — changing their passwords or associated email/phone number for example — then alarm bells should be ringing that an attack is imminent.

Maybe find a way to identify when some of these VIP accounts post cryptocurrency wallet addresses and automatically prevent them from going live. These addresses are distinct enough from the usual posts of someone like Bill Gates or Joe Biden that odds are that they are not the ones posting them. Again, sometimes Musk is just going to Musk.
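An added example, not part of the original post, of the two red-flag checks just described: a sliding-window count of VIP accounts whose password, email or phone was changed in a short span, and a pre-publish hold for VIP posts that contain something shaped like a Bitcoin address. The audit log lines, account names and addresses are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit log (not real platform data): one event per line,
# "<ISO timestamp> <account> <action>".
AUDIT_LOG = """\
2020-07-15T20:01:10 user_a password_reset
2020-07-15T20:02:45 user_b email_change
2020-07-15T20:03:30 vip_1 email_change
2020-07-15T20:04:02 vip_2 password_reset
2020-07-15T20:04:40 vip_3 phone_change
2020-07-15T20:05:15 vip_1 password_reset
2020-07-15T22:30:00 vip_4 email_change
"""
VIP_ACCOUNTS = {"vip_1", "vip_2", "vip_3", "vip_4"}
SECURITY_ACTIONS = {"password_reset", "email_change", "phone_change"}

# Bitcoin address shapes: legacy base58 (starts with 1 or 3) and bech32 (bc1...).
WALLET_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})\b")


def parse_events(log):
    """Yield (timestamp, account, action) from the audit log text."""
    for line in log.splitlines():
        ts, account, action = line.split()
        yield datetime.fromisoformat(ts), account, action


def max_vip_changes(log, vips, window=timedelta(minutes=10)):
    """Largest number of distinct VIP accounts whose security settings were
    changed inside any sliding window. A sudden cluster, rather than a single
    change, is the red flag the post describes."""
    events = sorted((ts, acct) for ts, acct, act in parse_events(log)
                    if acct in vips and act in SECURITY_ACTIONS)
    worst = 0
    for i, (start, _) in enumerate(events):
        in_window = {acct for ts, acct in events[i:] if ts - start <= window}
        worst = max(worst, len(in_window))
    return worst


def should_hold_post(account, text, vips):
    """Route a VIP post to a review queue (not a silent block) when it carries
    something shaped like a wallet address."""
    return account in vips and WALLET_RE.search(text) is not None


if __name__ == "__main__":
    print("peak VIP security changes in 10 min:", max_vip_changes(AUDIT_LOG, VIP_ACCOUNTS))
    print(should_hold_post("vip_1", "Send BTC to 1Hq7vE2yKmN9pQ4sT8uW3xZ5aB6cD7fG8j", VIP_ACCOUNTS))
```

The hold sends the post to human review rather than dropping it, because the regex only matches address shape and a VIP may occasionally post one legitimately.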

These are just a few suggestions of steps that we can take to limit the damage of the next attack. And there will be more. Platforms like Twitter play an outsized role in global conversations and will continue to be targeted.

The only question is when the next incident occurs, will companies like Twitter take the necessary steps to mitigate their risk and reduce the possible level of damage?

Time will tell, but until then, keep safe out there folks.

-Dotan
