The Twitter Hack: What can it teach us?

by Debricked Editorial Team
2020-09-04

“We’re embarrassed, we’re disappointed, and more than anything, we’re sorry. We know that we must work to regain your trust, and we will support all efforts to bring the perpetrators to justice.” 

(Twitter, Inc, 2020, An Update on our Security Incident)

It is common practice for certain employees to have the tools and options to do virtually anything, but seeing that access compromised by a 17-year-old is beyond scary.

As the attack involved social engineering, Twitter is urged to revise its internal policies on how far employees are trusted and on their access to, and separation from, certain systems. This is yet another bad grade for Twitter, as this sort of protection is often the most basic form of cybersecurity awareness – “don’t trust people and don’t open strange links”.

Debricked always strives to keep you in the loop on events in the cybersecurity world and to help analyse how these events can affect us. On July 16, one of the most mind-blowing cyber attacks on social media led to numerous Twitter accounts of famous businessmen, politicians and celebrities being hacked through social engineering.

How did the largest ever Twitter cyber attack happen, what can we learn from it and what can we do in regard to our own security? Stay tuned to find out the opinion of Debricked CEO Daniel Wisenhoff on this issue in the interview section!

The unprecedented attack

Later, fraudulent messages appeared on the pages of former US President Barack Obama, his former Vice President and current presidential candidate Joseph Biden, billionaire and former New York Mayor Michael Bloomberg, rapper Kanye West, and other celebrities, including members of the cryptocurrency community. Messages were also sent from Apple and Uber corporate accounts.

Overview of the Dramatic History of Twitter Hacks

This incident had the greatest consequences of any cyberattack on Twitter users in the history of the social network. The first massive hack took place in 2009, when then US President Barack Obama also became a victim of malicious actors. Donald Trump’s account was hacked in 2015, before he was elected President of the United States.

In 2019, attackers were even able to send tweets on behalf of Twitter CEO Jack Dorsey. Previously, hackers gained access to other verified accounts, renamed them to “Elon Musk” and also offered to double bitcoins, sometimes even in the comments under the tweets of the real Elon Musk.

This diagram from Information is Beautiful allows us to get a glimpse into the dimensions of data breaches.

The Malicious Masterplan

 As a result, the attackers were able to gain access to unnamed internal systems and tools which they took advantage of, seizing control of many popular accounts. 

Graham Ivan Clark, a 17-year-old college student, was charged as the mastermind behind this terrific attack promoting a bitcoin fraud. Interestingly enough, according to The New York Times, Clark started his fraud journey with online Minecraft scams, and, under the pressure of tense family relationships, his online scamming skills evolved continuously. He did so primarily by means of phishing and by directing his energy into cryptocurrencies.

Ambiguous Security

New York’s Attorney General Letitia James said the Twitter attack raises serious concerns about data security and how such platforms could be used to harm public debate. The prosecutor’s office also launched its own investigation.

On another key point, highly relevant to general security though somewhat removed from the attack discussed, Senator Ron Wyden wonders why the social network has not yet implemented end-to-end encryption for private messages, although it was working on this functionality back in 2018. He was supported by activist Eva Galperin of the Electronic Frontier Foundation, who said that Twitter wouldn’t even have to be concerned about hackers stealing or modifying private messages if end-to-end (e2e) encryption were implemented, something the EFF has demanded for many years.

Revelations of the Hack

This incident has highlighted the significance of raising cybersecurity awareness and improving the established measures. The multidimensional nature of cybersecurity is taking a quantum leap in complexity with its emerging vulnerabilities. Maintaining safety becomes more and more challenging, especially when the human aspect of the issue is neglected, despite it being the most common vector of attacks (Milkovich, 2019). Specifically, a few lessons can be learnt from this incident:

1. The true potential of this hack, if operated in some more villainous and smart ways, could be terrifying!

According to Alexi Drew from the Centre for Science and Security Studies at King’s College London: 

“These accounts could be used for far more nefarious and destabilizing applications. This kind of access could undermine elections, damage responses to health or climate emergencies through compromising critical communications links with the public, and in a worst-case scenario lead to a conflict between state actors.” 

The fact that so many accounts were hacked simultaneously, allegedly through a social engineering attack, points to a fundamental problem with the whole platform if it can so easily be accessed from the inside. One possible solution to such a blatant failure is to make Twitter decentralised, as already suggested by its CEO Jack Dorsey back in 2018, and which is currently being researched by the company. So, had the hacker been a bit more knowledgeable, the crime had the potential for a really enormous outcome! (More about this in our Interview Section)

2. Are users becoming more aware of social media scams? 

$118.000 was stolen (12 Bitcoin), implying that rather few people actually became victims of the hack, taking into account the incredibly large scale of the hack! $1 billion worth of cryptocurrencies was stolen purely by cyberattacks in 2018, proving the frequency of bitcoin cybercrime.

Yet, with the accelerating growth of cybercrime grows the awareness of users, forcing the hackers to come up with more and more sophisticated attacks: e.g. from “basic” phishing and pretending to be someone else to actually taking over the accounts. But, as discussed in the first paragraph and in the interview section, there are more possible reasons for the low gains in this attack.

3. Once more, Bitcoin has been put under a veil of negative scam reputation, which has oftentimes been emphasized by the media.

However, according to Danny Scott, CEO at CoinCorner: “It’s a shame that people are now associating Bitcoin with this Twitter hack as Bitcoin itself has never been hacked and wasn’t the problem in this scenario. The problem was a centralized service (Twitter) which I feel helps emphasize the benefits of Bitcoin’s decentralized nature and how an attack like this could not occur on Bitcoin.”

4. It becomes obvious that some unified way of dealing with such issues is lacking in the industry.

Blocking users from sending money to crypto wallets doesn’t sound like a sustainable solution. However, what can be done to prevent this? Blocking transactions, setting warnings, protecting users prone to becoming victims? Comment your thoughts under this post!

Interview with Debricked co-founder and CEO Daniel Wisenhoff

Why could this cyberattack be considered a failure from a cyber expert’s point of view? What is Debricked’s opinion on this crime? Find out this, and many other details, in the interview below! In order to dive a little deeper into the observations above from a more Debricked-y point of view and give our readers a better glimpse into the evolution of such cybercrimes as well as their consequences, the Debricked editorial team decided to interview our CEO, Daniel Wisenhoff.

Considering the relatively small gains in proportion to the massive scale of the hack, do you think people are becoming more aware of such crimes? Or is there another reason for this hack being so unsuccessful in terms of the gains?

I think that cyberattacks are becoming more and more frequent and the media is also speaking up about it more often. However, I would say that this attack was quite poorly performed in terms of its effectiveness. The hacker could probably earn much more money by just selling his knowledge of the discovered weaknesses on the black market.

Another alternative would have been to, for example, place a bet on the bitcoin price and make Trump or someone similar write “we are going to ban Bitcoin”. This way the bitcoin price would probably collapse at least for a short period of time. By placing a bet & hedge with e.g. 10x leverage, the people could become extremely rich very quickly. Also, it would be impossible to connect the potential gains/profit to the attack directly as the bet would be done in the general market. No bitcoin address or similar would be necessary. 

What, in your opinion, is the overall direction of security improvement nowadays? 

Generally speaking, in security and software development the trend is to make developer teams more autonomous in terms of design, implementation and maintenance of their code. This moves security closer to the developers and the code, instead of being an afterthought managed by a central security team. Research shows that this is probably the best way of moving forward. 

Would you say that Bitcoin is under a veil of negative scam reputation or are people starting to have a more proper understanding of what it entails? What is the most important thing to know about Bitcoin and what problems can it have?

I personally think that most people confuse the scams and day trading stories (one-day-millionaires) with the purpose of bitcoin as far as it can be defined (since it is decentralized). But the closest we can get is the definition provided by Saifedean Ammous in the book The Bitcoin Standard: The Decentralized Alternative to Central Banking (2018), which states that the Bitcoin’s purpose is to create a store of value and exchange medium that is not controlled or regulated by any government.

Therefore, disabling regimes or ill-managed economies from ruining people’s wealth by excessive inflation/quantitative easing and similar. I can support this idea or cause. With that being said, Bitcoin has a “marketing problem” 🙂

Where do you see the future of social media platforms in response to this incident?

I think that this only shows the fragility of much of our modern technology and it makes me think twice about the incredible power wielded by companies such as Twitter & Facebook to shape our minds, actions and decisions. The book 1984 by George Orwell is close at hand. Especially when you factor in the numerous scandals involving, for example, Cambridge Analytica and the last presidential elections.

I am curious how much “influencing” is being done without our proper knowledge. As you write in your article, I think that decentralized & censor-free social media is one of the “next big things” to shape our digital lives.

What could have been done differently?

From Twitter’s perspective it is a bit scary to see that employees with seemingly lower-level security clearances have access to systems that can enable them to write whatever they want from whichever account they want to. This post could describe my thought:

A Little Reminder on Your Own Safety

Having discussed this incident, we would like to provide our readers with a few tips on how to protect ourselves against social engineering attacks since in the world of exponentially growing cyber risks, we should always stay responsible and monitor our cyber life.

Here are some little tips and tricks:

  • Research! → Check the credibility of the person, the domain links, the company’s website and feedback online, and contact the person via a different channel to verify it.
  • Wait! → Cybercriminals often try to create a sense of urgency, hoping that victims will feel under pressure and fail to recognise the phishing attack. Often, when you simply hover your cursor over a link, it will show the actual destination it is about to send you to, so you can see whether the link is correct.
  • Beware! → If you are not expecting any assistance, offers of help are most likely a scam.
  • Maintain Your Privacy! → Unsolicited requests to provide personal information are an attempt to scam you.
  • Maintain Device Security! → Secure your email and devices – install and control your anti-virus software and spam filters, and consider using a VPN such as NordVPN or ExpressVPN.
  • Contemplate! → If it sounds too good to be true, it most likely is.

To sum up this post, we would like to remind our readers that it is always important to keep in mind the words of Global CISO 2018 Stephane Nappo:

“Technology trust is a good thing, but control is a better one. Cybersecurity is much more than a matter of IT.” 

Stephane Nappo
  1. Jonatan
    about 4 years ago

    Great work, keep it up!