It was about 4 in the afternoon on Wednesday on the East Coast when chaos struck online. Dozens of the biggest names in America — including Joseph R. Biden Jr., Barack Obama, Kanye West, Bill Gates and Elon Musk — posted similar messages on Twitter: Send Bitcoin and the famous people would send back double your money.

Two days later Nathaniel Popper and Kate Conger's Hackers Tell the Story of the Twitter Attack From the Inside was based on interviews with some of the perpetrators:
Mr. O'Connor said other hackers had informed him that Kirk got access to the Twitter credentials when he found a way into Twitter's internal Slack messaging channel and saw them posted there, along with a service that gave him access to the company's servers. People investigating the case said that was consistent with what they had learned so far. A Twitter spokesman declined to comment, citing the active investigation.

Below the fold, some commentary on this and other stories of the fiasco.
First, this isn't the first sign that Twitter's security rests on the long-outdated perimeter model, the idea that anyone inside the firewall is trusted:
In 2017, on his last day of work, an employee shut down President Donald Trump's account. In 2019, two people were charged with spying for the Saudi government while they were Twitter employees.

And even earlier:
In 2013, an attacker took over the Associated Press Twitter account and posted that the White House had been bombed and Barack Obama injured and Wall Street flash-crashed.

Seriously, WTF Twitter? Despite these warnings, it appears credentials giving almost unrestricted access to Twitter's systems were posted on their Slack system! This is the enterprise version of the user's password on a Post-it stuck to their monitor.
Any company that took security seriously would have implemented two-factor authentication based on hardware security keys (FIDO U2F tokens, which bind each login to the site being visited) for access to all internal systems, as for example Google has done since early 2017:
Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity.

A Google spokesperson said Security Keys now form the basis of all account access at Google.

"We have had no reported or confirmed account takeovers since implementing security keys at Google," the spokesperson said. "Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time."

... prior to 2017 Google employees also relied on one-time codes generated by a mobile app — Google Authenticator.

So for more than three years before the Twitter hack, no-one could have gained access to Google's systems by phishing an employee, because a security key will not sign in to a site other than the one it was registered with. Twitter's board should fire Jack Dorsey for the fact that, after at least seven years of insider attacks, their systems were still vulnerable.
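To make concrete why the security keys Krebs describes stop phishing where one-time codes do not, here is an added example (mine, not code from the Krebs piece or from Google): a constructed, standard-library-only model of a phishing proxy that relays a login to the real site. The origins, the user name and the use of HMAC as a stand-in for the key's per-site ECDSA signature are assumptions made for the demonstration; the shape of the signed data (a hash of the relying-party ID plus a hash of browser-supplied client data that carries the page origin) follows FIDO U2F/WebAuthn.

```python
"""Constructed model: why a security key resists the phishing that defeats TOTP.

Standard library only. Real keys hold a distinct ECDSA key pair per relying
party; an HMAC key derived per relying party stands in for that here (an
assumption for the demo), so only the structure of the signed data is real."""
import hashlib
import hmac
import json
import secrets
import struct

RP_ORIGIN = "https://twitter.example"           # assumed legitimate site
PHISH_ORIGIN = "https://twitter-login.example"  # assumed attacker site


# ---- One-time codes (TOTP, RFC 6238): the attacker can simply relay them ----
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_relay_attack(now: int) -> bool:
    """Victim types the current code into the phishing page; the attacker
    forwards it to the real site within the same time step. True = accepted."""
    shared_secret = secrets.token_bytes(20)          # enrolled with the RP
    code_typed_on_phish_page = totp(shared_secret, now)
    # The code carries no notion of where it was typed, so the RP cannot
    # distinguish the attacker's session from the victim's.
    return hmac.compare_digest(code_typed_on_phish_page, totp(shared_secret, now))


# ---- Security key: the signature covers the browser-supplied origin --------
class SecurityKey:
    def __init__(self) -> None:
        self._seed = secrets.token_bytes(32)         # never leaves the device

    def credential_key(self, rp_id: str) -> bytes:
        # One credential per relying party; stands in for the public key
        # handed to the RP at registration (assumption: HMAC instead of ECDSA).
        return hmac.new(self._seed, rp_id.encode(), hashlib.sha256).digest()

    def sign(self, rp_id: str, client_data: bytes) -> bytes:
        signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.new(self.credential_key(rp_id), signed, hashlib.sha256).digest()


def browser_assert(key: SecurityKey, page_origin: str, challenge: bytes) -> dict:
    """The browser, not the page's script, fills in origin and rpId from the URL bar."""
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin},
        sort_keys=True,
    ).encode()
    return {"client_data": client_data, "rp_id": rp_id, "sig": key.sign(rp_id, client_data)}


class RelyingParty:
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.rp_id = origin.split("://", 1)[1]
        self.registered = {}                         # user -> credential key

    def register(self, user: str, key: SecurityKey) -> None:
        self.registered[user] = key.credential_key(self.rp_id)

    def verify(self, user: str, challenge: bytes, assertion: dict) -> bool:
        cd = json.loads(assertion["client_data"])
        if cd["origin"] != self.origin or cd["challenge"] != challenge.hex():
            return False                             # relayed from elsewhere, or replayed
        # The RP uses its own rpId, so a signature made for another site fails
        # even if the origin check above were missing.
        signed = hashlib.sha256(self.rp_id.encode()).digest() + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(self.registered[user], signed, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["sig"])


def security_key_legit_login() -> bool:
    rp, key = RelyingParty(RP_ORIGIN), SecurityKey()
    rp.register("alice", key)
    challenge = secrets.token_bytes(32)
    return rp.verify("alice", challenge, browser_assert(key, RP_ORIGIN, challenge))


def security_key_relay_attack() -> bool:
    """Attacker fetches a real challenge from the RP and hands it to the victim,
    whose browser is on the phishing origin. True = the RP accepted it."""
    rp, key = RelyingParty(RP_ORIGIN), SecurityKey()
    rp.register("alice", key)
    challenge = secrets.token_bytes(32)
    assertion = browser_assert(key, PHISH_ORIGIN, challenge)
    return rp.verify("alice", challenge, assertion)


if __name__ == "__main__":
    print("TOTP relay accepted:", totp_relay_attack(1_600_000_000))
    print("Security key, real site:", security_key_legit_login())
    print("Security key, relayed via phishing site:", security_key_relay_attack())
```

The TOTP relay succeeds because a one-time code is just a number: nothing in it says which page the victim typed it into. The security-key assertion fails twice over, once because the browser wrote the phishing origin into the signed client data and the relying party compares it with its own, and again because the key used the credential it holds for the phishing site's RP ID, not the one registered with the real site. Neither check depends on the user noticing anything.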
Bruce Schneier's The Twitter Hacks Have to Stop points out the bigger picture (my emphasis):
The hacker used that access to send tweets from a variety of popular and trusted accounts, including those of Joe Biden, Bill Gates, and Elon Musk, as part of a mundane scam—stealing bitcoin—but it's easy to envision more nefarious scenarios. Imagine a government using this sort of attack against another government, coordinating a series of fake tweets from hundreds of politicians and other public figures the day before a major election, to affect the outcome. Or to escalate an international dispute. Done well, it would be devastating.

Whether the hackers had access to Twitter direct messages is not known. These DMs are not end-to-end encrypted, meaning that they are unencrypted inside Twitter's network and could have been available to the hackers. Those messages—between world leaders, industry CEOs, reporters and their sources, heath [sic] organizations—are much more valuable than bitcoin. (If I were a national-intelligence agency, I might even use a bitcoin scam to mask my real intelligence-gathering purpose.) Back in 2018, Twitter said it was exploring encrypting those messages, but it hasn't yet.

Schneier has two suggestions for action:

Internet communications platforms—such as Facebook, Twitter, and YouTube—are crucial in today's society. They're how we communicate with one another. They're how our elected leaders communicate with us. They are essential infrastructure. Yet they are run by for-profit companies with little government oversight. This is simply no longer sustainable. Twitter and companies like it are essential to our national dialogue, to our economy, and to our democracy. We need to start treating them that way, and that means both requiring them to do a better job on security and breaking them up.

The first is treating these companies as utilities and regulating them:

There are many security technologies companies like Twitter can implement to better protect themselves and their users; that's not the issue. The problem is economic, and fixing it requires doing two things. One is regulating these companies, and requiring them to spend more money on security. The second is reducing their monopoly power.

The security regulations for banks are complex and detailed. If a low-level banking employee were caught messing around with people's accounts, or if she mistakenly gave her log-in credentials to someone else, the bank would be severely fined. Depending on the details of the incident, senior banking executives could be held personally liable. The threat of these actions helps keep our money safe. Yes, it costs banks money; sometimes it severely cuts into their profits. But the banks have no choice.

The opposite is true for these tech giants. They get to decide what level of security you have on your accounts, and you have no say in the matter. If you are offered security and privacy options, it's because they decided you can have them. There is no regulation. There is no accountability. There isn't even any transparency. Do you know how secure your data is on Facebook, or in Apple's iCloud, or anywhere? You don't. No one except those companies do. Yet they're crucial to the country's national security. And they're the rare consumer product or service allowed to operate without significant government oversight.

The second is using anti-trust enforcement:

In addition to security measures, the other solution is to break up the tech monopolies. Companies like Facebook and Twitter have so much power because they are so large, and they face no real competition. This is a national-security risk as well as a personal-security risk. Were there 100 different Twitter-like companies, and enough compatibility so that all their feeds could merge into one interface, this attack wouldn't have been such a big deal. More important, the risk of a similar but more politically targeted attack wouldn't be so great. If there were competition, different platforms would offer different security options, as well as different posting rules, different authentication guidelines—different everything. Competition is how our economy works; it's how we spur innovation. Monopolies have more power to do what they want in the quest for profits, even if it harms people along the way.
David Gerard's Twitter Got Lucky With the Great Bitcoin Heist (backstory here) looks at the cryptocurrency scam that the attackers ran:
All scams are old scams. The words "double your money" are perfectly designed to catch the eye of the gullible. These days, money moves at the speed of light. So the scams work as a widely spammed numbers game: If you come up with something that looks like an obvious scam, only the gullible respond.

Bitcoin was designed to be unstoppable electronic money, with no central controller. Nobody can stop you sending your bitcoins anywhere you want to, and transactions are irreversible by design—a feature that was argued to be one of Bitcoin's advantages.

Bitcoin doublers have been around since bitcoins could first be exchanged for real money—and earlier versions of the doubling scam ran in online games, such as "ISK doublers" in Eve Online or "coin doublers" in RuneScape. Send in a small amount of bitcoins, and you'll get double the coins back! Send a larger amount straight after, and you won't.

No reason is given for why anyone would just double your money. You'd think people would catch on, but, years later, this scam keeps popping up and finding suckers.

After the scam runs for the first time, there's often a second layer: The doubler never sends back coins. But the doubling site is publicized with a "warning" about the scam. Others think: "If I only send coins once, the site will never see me as a repeat user!" They send in a small amount of coins—and never get anything back, even once. Like all the best scams, it's a scam that relies on the sucker thinking they're the scammer.

He also points out how lax Twitter has been at preventing scams:

The social media platform has let coin doubling scams for Ethereum, another prominent cryptocurrency, run rampant for the past few years. Tweet with an avatar and a display name imitating some famous person, saying you'll double people's ether. Add some replies thanking the famous person for the money. These could pull in up to $5,000 a day in ether. Ethereum's creator, Vitalik Buterin, eventually added "Not giving away ETH" to his Twitter display name for a time.

Elon Musk has long been another favorite target—to the point where Twitter would stop users from changing their display name to "Elon Musk." One 2018 Musk scam pulled in $180,000 in bitcoins.

Overall, this is a depressing situation. There is the potential for a truly catastrophic Twitter hack. Twitter has demonstrated that they don't care enough about security to implement basic precautions. There's no incentive for them to change this attitude, because neither regulation nor anti-trust will be applied to them. All we can do is to wait for the explosion that is bound to come.