What happened with the twitter hack?

What happened?

Back in July, many high-profile verified Twitter accounts (including big tech CEOs like Bill Gates and politicians like Joe Biden) were compromised and used to advertise a Bitcoin scam. Tweets were sent from these accounts containing a Bitcoin address and claiming that anyone who sent Bitcoin to that address would receive double the amount back. Of course, no Bitcoin was ever sent back; the entire thing was a scam. How did this happen?

How did this happen?

A 17-year-old Floridian used a social engineering tactic called “vishing” (voice phishing), in which the criminal impersonates a contractor and calls tech company employees to trick them into giving up their credentials. Most of the employees who were targeted did not fall for it, but a small number did. Those employees had highly privileged accounts that could control any Twitter account.

Twitter’s Initial Response

As soon as they realized they were under attack, Twitter turned off tweeting for all verified accounts and for any account whose password had been changed recently. Additionally, Twitter gradually cut its employees off from the internal VPN. Afterwards, the security team had every employee join a video conference call with their manager and change their password on camera, to ensure that every employee's password was actually reset.

Twitter’s Security Policy Changes

Two-factor authentication using physical security keys is now required for all Twitter employees and contractors. Internal security training for employees has also been improved, especially for employees with access to proprietary, sensitive tools. High-profile accounts such as those of politicians are now required to be more locked down (i.e. with two-factor authentication). Finally, Twitter claims to have enhanced its security monitoring and threat detection capabilities in case of another compromise. In its message on security, Twitter mentioned that it is now investing more in penetration tests. An important note: at the time of the attack, Twitter did not have a Chief Information Security Officer (CISO), and it still has not hired one.
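The vishing attack described above worked because a password, once spoken over the phone or typed into the wrong place, can be replayed by whoever captured it. Security keys of the FIDO2/WebAuthn kind close that gap because each credential is bound to the site it was enrolled with and the key only answers a fresh challenge for that site. The following added example (not Twitter's code and not the real WebAuthn protocol) is a simplified model of that binding: it uses an HMAC over the relying-party identifier and challenge as a stand-in for the key's public-key signature, and the hostnames, usernames and password are constructed for illustration.

```python
"""
Toy model of why a phishing-resistant security key defeats a vishing attack
that has already captured the victim's password.

Simplifications (this is an illustration, not the WebAuthn spec):
  * The key "signs" with an HMAC over (sha256(rp_id) || challenge); a real key
    uses a per-site asymmetric key pair and returns only the public key at
    enrollment.
  * Browser/client-data hashing, attestation and counters are omitted.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Relying-party ID the key was enrolled for (constructed, hypothetical hostname).
LEGIT_RP_ID = "admin-tools.example.com"
# Look-alike site an attacker might stand up (constructed, hypothetical hostname).
LOOKALIKE_RP_ID = "admin-tools-example.com"


def _assertion(secret: bytes, rp_id: str, challenge: bytes) -> bytes:
    """Stand-in for the key's signature: bound to the RP ID and the challenge."""
    rp_hash = hashlib.sha256(rp_id.encode()).digest()
    return hmac.new(secret, rp_hash + challenge, hashlib.sha256).digest()


class SecurityKey:
    """Hardware token: one credential per relying party it was enrolled with."""

    def __init__(self) -> None:
        self._credentials: Dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._credentials[rp_id] = secret
        return secret  # a real key would return a public key here

    def assert_login(self, rp_id: str, challenge: bytes) -> Optional[bytes]:
        """Answer only for an RP ID this key was enrolled with; otherwise refuse."""
        secret = self._credentials.get(rp_id)
        if secret is None:
            return None
        return _assertion(secret, rp_id, challenge)


class RelyingParty:
    """The internal tool's login server, enforcing password + security key."""

    def __init__(self, rp_id: str) -> None:
        self.rp_id = rp_id
        self._password_hashes: Dict[str, str] = {}
        self._key_material: Dict[str, bytes] = {}

    @staticmethod
    def _hash(password: str) -> str:
        return hashlib.sha256(password.encode()).hexdigest()

    def enroll(self, username: str, password: str, key: SecurityKey) -> None:
        self._password_hashes[username] = self._hash(password)
        self._key_material[username] = key.register(self.rp_id)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def password_ok(self, username: str, password: str) -> bool:
        return hmac.compare_digest(self._password_hashes.get(username, ""),
                                   self._hash(password))

    def verify(self, username: str, password: str, challenge: bytes,
               assertion: Optional[bytes]) -> bool:
        """Both factors must pass; a missing or foreign-site assertion fails."""
        if not self.password_ok(username, password) or assertion is None:
            return False
        expected = _assertion(self._key_material[username], self.rp_id, challenge)
        return hmac.compare_digest(expected, assertion)


def vishing_scenario() -> Dict[str, bool]:
    """
    Walk through the incident pattern: the employee is talked into giving up a
    password, and the key is asked to respond for the look-alike site.
    Returns what each control decided so the outcome can be inspected.
    """
    key = SecurityKey()
    rp = RelyingParty(LEGIT_RP_ID)
    rp.enroll("employee", "correct horse battery staple", key)  # constructed

    captured_password = "correct horse battery staple"  # given up over the phone
    # The key was never enrolled with the look-alike site, so it cannot answer.
    foreign_assertion = key.assert_login(LOOKALIKE_RP_ID, secrets.token_bytes(32))

    # Attacker replays the password against the real tool.
    challenge = rp.new_challenge()
    attacker_login = rp.verify("employee", captured_password, challenge, foreign_assertion)

    # Legitimate employee at the real tool with the enrolled key.
    challenge2 = rp.new_challenge()
    legit_login = rp.verify("employee", captured_password, challenge2,
                            key.assert_login(LEGIT_RP_ID, challenge2))

    return {
        "password_alone_would_pass": rp.password_ok("employee", captured_password),
        "key_answered_lookalike": foreign_assertion is not None,
        "attacker_login": attacker_login,
        "legit_login": legit_login,
    }


if __name__ == "__main__":
    for name, outcome in vishing_scenario().items():
        print(f"{name}: {outcome}")
```

The point the model makes is the one behind Twitter's policy change: with password-only or code-based second factors, "password_alone_would_pass" is the whole story and the captured credential is enough; with an enrolled security key, the attacker holds a password that the real tool will not accept without an assertion that only the physical key, talking to the real site, can produce.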

One final question…

All companies and organizations are at risk of being breached at any time in today’s world, but management and corporate executives often do not appreciate the size of this threat until a major breach like this one hits their own company. So why not invest in stronger security controls beforehand, so that it does not happen in the first place? Many security firms offer consulting and review services for organizations, such as penetration testing, red teaming, and compliance review. Hopefully more organizations take advantage of such testing, so that when real attackers try to get in, they stand a better chance of keeping them out.

Written by Andrew Quan

Sources:

https://www.wired.com/story/inside-twitter-hack-election-plan/

https://www.theverge.com/2020/9/2/21418437/twitter-hack-16-year-old-massachusetts-investigation-findings

https://www.bbc.com/news/technology-53445090

https://blog.twitter.com/en_us/topics/company/2020/our-continued-work-to-keep-twitter-secure.html