Twittergate: This time you can’t blame technology
Giles Hamlin, Information Assurance Consultant
So often when we read about a cyber attack or a data breach, it’s the technology vulnerabilities that are ‘blamed’. Either a threat actor managed to crack passwords using some code, or they bypassed weak security detection to gain access to a network or server using any number of tools and techniques available on the dark web. It’s rarely that simple, and human error is frequently a contributing factor. But there are times when the beleaguered technology companies, software developers and IT engineers can confidently look on with unassailable bewilderment.
Twittergate has two parts: the 15 July bitcoin scam, and the subsequent trial on 5 August of one of the perpetrators, which was disrupted by Zoombombers.
Just in case you missed it, on 15 July a large number of high-profile Twitter user accounts were hacked and used for bitcoin scams. What’s the big deal? Another day, another Twitter account hacked, right? Well, yes and no. This particular incident is different for two reasons: its unprecedented scale (130 accounts were accessed, including those belonging to Barack Obama and Elon Musk) and the method used by the hackers. They didn’t hack user accounts individually; instead, they used social engineering to gain access to Twitter’s internal administration tools.
In a statement, Twitter claims that “…attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems”. The latest update to the statement, released on 30 July, goes into detail about the social engineering process the attackers used.
This disclosure was followed up by yet more human error once the FBI caught up with the perpetrators and brought one to court. During his bail hearing held via Zoom call—we’re in the middle of a pandemic after all—aptly named ‘Zoombombers’ conned their way onto the Zoom session and played loud music and shared a video from their personal ‘entertainment’ collection. It turns out the court did not set up the Zoom call correctly, not only allowing anyone to join the call, but also not limiting the screen sharing and microphone functionality.
Taking the events in reverse order, in the court case there was no technological vulnerability to blame. For all its previous development faults, Zoom has a full suite of protection controls to prevent every disruptive activity that happened. Yes, the C-19 pandemic has forced us to quickly adopt different ways of doing things, but even allowing for that, this was simply sloppy risk assessment and inadequate thought about basic controls by a criminal justice system that is fully used to assessing risks to the integrity of the judicial process.
Turning to the offence itself, could Twitter have proactively implemented anything to prevent this? With more than 330 million monthly active users, Twitter is amongst the largest social networks in the world, and administering and policing the platform is hard: it is a constant battle to balance global freedom of speech against suppressing activity that actively causes harm to society. The challenges that global social media platforms like Twitter are up against are varied and many, including struggling to control terrorism-related content, criticism of user banning policies and allegations of bias and impropriety amongst senior staff. While these complaints are symptomatic of the difficult balancing act Twitter faces in moderating its platform, this most recent hack should perhaps not be treated with the same level of sympathy, because elements of it would usually be preventable with basic information security hygiene.
By using the Twitter statement, in conjunction with other verified information that is already in the public domain, a few facts about the attack can be established:
1. It wasn’t a phishing campaign against the user
The most common way these criminals get access to Twitter user accounts is through phishing. Typically, an attacker will send out a legitimate-looking email inviting the victim to enter their login details, seemingly to read an important or time-sensitive message from Twitter or to action a fabricated issue with their account.
In this case, it appears that there were no phishing attempts against the Twitter account owners. Instead, using social engineering techniques, the attackers gained access to tools used internally by Twitter support administrative teams and used this privileged access to change email addresses linked to the affected Twitter accounts. At this point, they were able to reset the passwords on any account they wished to hijack. In short, the accounts were hijacked through no fault of, or error by, the users of the affected accounts.
2. Two-factor authentication was ineffective
Many high-profile users of Twitter enable two-factor authentication as a matter of course. This provides an extra layer of protection. But, because of the way the attackers gained access to admin control panels, this security layer was rendered moot because—in addition to gaining the ability to directly change a user’s email address—they were also able to disable two-factor authentication.
While affected users did receive a warning message when their two-factor authentication was disabled, in many cases, by the time the user was able to login and attempt to address this, their accounts were already hijacked and had been used illegitimately.
3. Twitter does not appear to effectively implement the principles of least privilege and segregation of duties
Segregation of duties is the act of ensuring that certain operational activities that incur a degree of risk are split amongst employees. A common physical world example of this is in a Finance Department where a purchase order would be generated by one employee and approving the purchase order would need to be done by a second employee. This is a standard, basic security principle to prevent error, malicious insider behaviour and cases of malicious external control.
If Twitter had applied this basic control policy effectively, it may have considered implementing the requirement for two different administrators to change an email address and disable something as critical as two-factor authentication.
Additionally, Twitter could have reduced its exposure to the risk of internal staff facilitating account hijacking. It has been widely reported that more than 1000 staff and contractors had access to the tools that were used to facilitate the attack. Applying the principles of least privilege alongside regular reviews of staff account privileges may have led Twitter to significantly restrict the number of staff that wielded the kind of powerful account privileges the attackers exploited.
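The two controls discussed in points 2 and 3, least privilege over who may touch account settings and a second administrator for the sensitive actions the attackers exploited (changing an email address and disabling two-factor authentication), can be expressed as a small approval workflow. The following is an added illustration written for this article; it is not Twitter’s code and does not describe Twitter’s actual support tooling. The role names, action names, the in-memory console and the staff and target accounts are all assumptions made for the example.

```python
"""Two-person approval and least privilege for a support console.

Added example for this article; it is not Twitter's code and does not
describe Twitter's actual tooling. The role names, action names and the
in-memory console are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Actions the article singles out as needing a second administrator:
# changing the e-mail on an account and disabling two-factor authentication.
SENSITIVE_ACTIONS = {"change_email", "disable_2fa"}

# Least privilege (assumed roles): most staff may only view accounts; a small,
# regularly reviewed group may request or approve account-changing actions.
ROLE_PERMISSIONS = {
    "support_agent": {"view_account"},
    "support_lead": {"view_account", "change_email", "disable_2fa"},
}


@dataclass
class ActionRequest:
    action: str
    target_account: str
    requested_by: str
    approved_by: Optional[str] = None
    executed: bool = False


@dataclass
class SupportConsole:
    staff_roles: Dict[str, str]                      # username -> role
    audit_log: List[dict] = field(default_factory=list)
    pending: Dict[int, ActionRequest] = field(default_factory=dict)
    next_id: int = 1

    def _permitted(self, user: str, action: str) -> bool:
        role = self.staff_roles.get(user)
        return action in ROLE_PERMISSIONS.get(role, set())

    def _log(self, event: str, **details) -> None:
        # Every decision, including denials, is recorded for later review.
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event}
        entry.update(details)
        self.audit_log.append(entry)

    def request(self, user: str, action: str, target: str) -> int:
        """Raise a request; sensitive actions wait for a second administrator."""
        if not self._permitted(user, action):
            self._log("denied", user=user, action=action, target=target)
            raise PermissionError(f"{user} may not perform {action}")
        req = ActionRequest(action, target, user)
        rid = self.next_id
        self.next_id += 1
        if action in SENSITIVE_ACTIONS:
            self.pending[rid] = req
            self._log("pending_approval", request=rid, user=user,
                      action=action, target=target)
        else:
            self._execute(rid, req)
        return rid

    def approve(self, approver: str, rid: int) -> ActionRequest:
        """Segregation of duties: a different, equally privileged person approves."""
        req = self.pending.get(rid)
        if req is None:
            raise KeyError(f"no pending request {rid}")
        if approver == req.requested_by:
            self._log("denied_self_approval", request=rid, user=approver)
            raise PermissionError("requester cannot approve their own request")
        if not self._permitted(approver, req.action):
            self._log("denied", request=rid, user=approver, action=req.action)
            raise PermissionError(f"{approver} may not approve {req.action}")
        req.approved_by = approver
        del self.pending[rid]
        self._execute(rid, req)
        return req

    def _execute(self, rid: int, req: ActionRequest) -> None:
        # In a real console this is where the account change would be applied.
        req.executed = True
        self._log("executed", request=rid, action=req.action,
                  target=req.target_account, requested_by=req.requested_by,
                  approved_by=req.approved_by)


def demo() -> SupportConsole:
    """Walk through the controls with constructed staff and a constructed target."""
    console = SupportConsole(staff_roles={
        "agent1": "support_agent", "lead1": "support_lead", "lead2": "support_lead",
    })
    # A front-line agent cannot even request the sensitive action.
    try:
        console.request("agent1", "disable_2fa", "@high_profile_user")
    except PermissionError:
        pass
    # A lead can request it, but nothing happens until a second lead approves.
    rid = console.request("lead1", "disable_2fa", "@high_profile_user")
    try:
        console.approve("lead1", rid)          # self-approval is refused
    except PermissionError:
        pass
    console.approve("lead2", rid)              # now the change goes through
    return console


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

Two design points matter more than the code itself. First, the sensitive actions are never executed on the request path; they are parked until a distinct, equally privileged person approves, so a single manipulated employee (or a single stolen credential) cannot complete the change alone. Second, every denial is written to the audit log alongside every approval, which is what gives a security team the signal that someone is repeatedly trying to reach an action their role does not permit.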
4. Twitter’s top level management does not appear to have considered information risk within Twitter’s Corporate Risk Management
Top level management commitment is essential for information security to be appropriately recognised by an organisation and incorporated into business as usual activities; ideally as part of a digital security strategy which supports the overarching corporate strategy.
When senior executives and board-level employees are engaged with information security risk and fully understand their specific operational risks—posed by a lack of information security—it becomes easy for issues to be appropriately identified, escalated and addressed before they manifest as large-scale, high-impact and often reputationally damaging incidents. Indeed, for this to happen, the entire organisation needs to actively integrate digital security within business as usual operations. This can only realistically happen with a top-down, board-led approach in which the leadership itself balances, and takes accountability for, the ‘security vs usability’ calculus.
It has been reported that concerns around the risk of unauthorised access to key Twitter accounts and the ease by which support tools may be exploited to facilitate this were raised to the board and Jack Dorsey, Twitter CEO, on multiple occasions since 2015. Having a basic effective risk management process in place would have enabled Twitter to identify and track this risk and undertake appropriate steps to mitigate the impact.
Little is known about the internal risk management processes of Twitter, but given that the company was aware of a significant and unmitigated risk for several years, one can only assume that those processes were either severely incomplete, not applied correctly or bypassed. A working risk management process would have given Twitter an effective route to the Board to make an informed strategic decision on how to manage that risk.
5. Personal data was breached
In addition to the 130 hijacked accounts, it has also been established that the personal data of some of these accounts was accessed including the private messages of at least 36 accounts.
In real terms, this means that potentially private email addresses, telephone numbers, contact details and private messages of the individuals have been exposed. There are multiple risks to data relating to such high-profile individuals being disclosed, which include:
- Reputational damage to the targeted individuals stemming from the contents of disclosed private messages.
- Potential extortion attempts should the attackers threaten to disclose embarrassing, damaging or sensitive and confidential private messages – an increasingly common trend.
- Damage to third parties through disclosure of any interaction they may have had with the targeted individuals.
- Usage of private information to access additional accounts outside of Twitter, including the possibility of this information being used to bypass two-factor authentication on external accounts.
There are important lessons for all organisations to learn from Twittergate, regardless of the type of organisation.
Non-social-media lesson: In the same way that confidential information was accessed in the July attack, any sensitive corporate information (or personal information that may be embarrassing to the company or organisation to which it is connected) that your organisation or its employees exchange on an application or on its systems could be compromised and leaked if you are targeted in a similar attack, one in which the criminals exploit the administrative powers of the system administrators rather than the users.
Social media lesson: The overlap between personal and corporate use of social media is increasingly blurred and while organisations cannot employ direct controls to prevent employees from sharing confidential information in this way, this risk can be managed through the use of a social media policy, awareness training and through appropriate contractual non-disclosure clauses. Social Media policies are an increasingly critical part of risk management.
Remote working measures: While there can be interminable debates about the relative security benefits of different video conferencing systems, nearly all are equipped with basic security controls sufficient to run sessions within the security parameters most organisations need. These controls are easy to switch on and off at will, and a basic security risk assessment of how the system will be used is all that is needed to decide which controls should be activated.
6. An ISMS (Information Security Management System) may have prevented all of this, or at least reduced the impact of the hack
Neither Twitter nor Hillsborough County Court claims NIST or ISO 27001 certification on its website, and neither mentions it within the policies we could find. Both are risk-based standards through which Twitter and Hillsborough would have been encouraged to look at their unique operational risks and employ mitigating controls, both to prevent those risks from being exploited by an unauthorised third party and to reduce the impact should that occur.
Technology isn’t always to blame
Ultimately, it’s clear that neither the Twitter hack nor the court case were the result of the exploitation of a technical failing, but the culmination of multiple process and procedural issues that allowed attackers almost unfettered access to the infrastructure they wanted to abuse. As such, had appropriate controls been in place, it is likely that either attempt would have been made far more difficult to execute and most likely would not have succeeded at all. And in this case, those responsible for technical infrastructure can, for once, legitimately bat off ‘blame’ and perhaps help re-focus the debate to look at poor risk management decisions as well as technological weaknesses.
Are you confident you have a similar risk covered?
In the same way that neither event was the result of one single vulnerability, there is no single or silver-bullet solution. To manage cyber (or digital) risk, a mix of straightforward technical and human-based controls is required; these may include adopting an Information Security Management System like ISO 27001 in order to streamline and secure information policies and procedures, system configuration checks, testing for technical and human vulnerabilities with a range of penetration tests and vulnerability assessments, and educating your workforce to spot threats with desktop exercises, awareness training or phishing assessments.
Talk to PGI about your organisation and we can help you identify the most cost-effective mix of mitigation activities. Call us on +44 (0) 845 600 4403 or email us via firstname.lastname@example.org