On July 15, 2020, Twitter experienced a hack, or more accurately, a misuse of credentials[1]. This unfortunate incident yielded access to Twitter’s proprietary administration tool.
We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.
— Twitter Support (@TwitterSupport) July 16, 2020
This was disruptive, but it was an important step to reduce risk. Most functionality has been restored but we may take further actions and will update you if we do.
— Twitter Support (@TwitterSupport) July 16, 2020
Twitter categorized the event as a “social engineering attack”, in which very high profile accounts (notably Elon Musk, Bill Gates, Barack Obama, Apple, and Kanye West) posted malicious Bitcoin offers. For those unaware, this was a combination of two other tactics – Bitcoin extortion (normally a follow-up to widespread account/password theft or business email compromise), and the more dangerous, and more recent, mobile “SIM swapping” compromise (which has led to fundamental changes by global cellular providers).
What is the Risk?
Distancing ourselves from Twitter for a moment, this exposes three significant issues for organizations:
- Companies (and high-profile individuals) have unwillingly outsourced their identities
- A single privileged account holds the keys to managing many other accounts
- There is an unclear separation between “security of the cloud” and “security in the cloud”
First, security and management have been outsourced to third parties. The key challenge is that, by using cloud-based services (in this case, social platforms), organizations and their leaders entrust safety and security to others without full visibility into their governance and security controls. This is risky, and needs to be better validated through regular audits.
Second, as is the nature of privileged access, a single account offers a “golden ticket” to impact many others. In Twitter’s case, the account was not properly secured, it held outsized trust and control, and Twitter did not regularly audit the credentials or revoke access.
Finally, this exposed the gap between security of the cloud and security in the cloud. That is, Twitter should do a much better job securing its platform, while at the same time controlling which activities can be performed, and by whom. Posting false Bitcoin offers
How Did This Happen?
According to Motherboard, it appears that, prior to the misuse of privileged accounts, the hackers convinced an insider to go along with their scheme.
The insider threat is real. Whether it is a lone wolf “second streamer” (someone profiting from their access), a collaborator (knowingly working with outside parties), or a pawn or goof (both unwittingly helping criminals from the inside), there remains a gap which needs to be filled.
This risk can be reduced by combining technical and non-technical methods, as seen below.
Source: “Emerging Insider Threat Detection Solutions“, Avivah Litan, Gartner Research, 2018-04-05
What Can We Do to Prevent It?
While there is no way to completely prevent attacks, we can reduce the risk.
First, learning from the financial services industry: its “two key” model mandates a minimum of two-person approval. This would have prevented the issues witnessed over the past few days. For social media – especially when Bitcoin and other financial instruments are in play – this should be a minimum requirement. Clearly, it is not.
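As an added illustration (not Twitter’s or YouAttest’s code), here is how an administration tool could enforce such a two-person gate on a privileged action like posting as a high-profile account; the roles, users, approval window and audit record are assumptions constructed for the example:

```python
# Added example (not Twitter's or YouAttest's code): a "two key" gate for a
# privileged admin-tool action. Roles, users and timings are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
APPROVAL_WINDOW = timedelta(minutes=15)  # assumption: approvals go stale quickly

@dataclass
class Request:
    action: str                         # e.g. "post_as_account"
    target: str                         # the high-profile account acted upon
    requester: str
    approver: "str | None" = None
    approved_at: "datetime | None" = None

@dataclass
class DualControl:
    roles: dict                         # user -> set of roles (constructed table)
    audit_log: list = field(default_factory=list)
    def approve(self, req: Request, approver: str, now: datetime) -> None:
        # second key: a different person who holds the approver role
        if "approver" not in self.roles.get(approver, set()):
            raise PermissionError(f"{approver} lacks the approver role")
        if approver == req.requester:
            raise PermissionError("self-approval is not two-person control")
        req.approver, req.approved_at = approver, now
    def execute(self, req: Request, now: datetime) -> bool:
        # allow only with a distinct, timely approval; log every attempt
        ok = (req.approver is not None and req.approver != req.requester
              and now - req.approved_at <= APPROVAL_WINDOW)
        self.audit_log.append(dict(action=req.action, target=req.target, requester=req.requester,
                                   approver=req.approver, allowed=ok, at=now.isoformat()))
        return ok

def run_scenarios() -> dict:
    """Constructed walkthrough: one compliant request and two that must be denied."""
    t0 = datetime(2020, 7, 15, 20, 0, tzinfo=timezone.utc)
    dc = DualControl(roles={"alice": {"operator"}, "bob": {"operator", "approver"},
                            "carol": {"approver"}})
    out = {}
    r1 = Request("post_as_account", "@example_verified", "alice")
    dc.approve(r1, "carol", t0 + timedelta(minutes=2))            # distinct approver
    out["two_person_ok"] = dc.execute(r1, t0 + timedelta(minutes=5))
    r2 = Request("post_as_account", "@example_verified", "bob")
    try:
        dc.approve(r2, "bob", t0)                                  # requester approving self
    except PermissionError:
        out["self_approval_blocked"] = not dc.execute(r2, t0)
    r3 = Request("post_as_account", "@example_verified", "alice")
    dc.approve(r3, "bob", t0)                                      # valid key, gone stale
    out["stale_approval_denied"] = not dc.execute(r3, t0 + timedelta(hours=1))
    return out
```

Every attempt, allowed or denied, is written to the audit log, which is the record a later access review would inspect.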
Second, we should better identify systems and utilize the information collected from third parties. There is a tremendous expense in gathering and validating data – but this is no excuse.
Finally, web services and social media platforms should be held to a higher standard. They should monitor accounts for access on a regular basis, and be subject to audits before something goes wrong. Based on many recent events, Twitter clearly does not do this.
This isn’t to say that they should be regulated like other industries; rather, they should use proactive identity audits to manage themselves effectively and, by doing that, protect others.
As will become more critical moving forward, YouAttest automates the creation and review of credentials – who should have access, who does have access, and the ability to quickly make changes if something is wrong. All of this is presented in a certified report which may be presented as evidence.
Please write us @ info@youattest.com.
Guest Writer: Josh Linder
Advisor, Channel Alliances to YouAttest
[1] https://www.autoblog.com/2020/07/16/twitter-hack-bitcoin-scam/