Cyber Jack | enterprisesecuritytech.com
On Wednesday, July 15, multiple verified, high-profile Twitter accounts were hacked. Twitter handles belonging to Elon Musk, Barack Obama, Joe Biden, Kim Kardashian, Jeff Bezos and others tweeted a message asking for Bitcoin to be sent to a specific wallet, promising that donors would receive double the amount they put up in return. This was an obvious scam, yet the hackers still walked away with upwards of $118k. Reports are still surfacing on who exactly was behind it and how it was conducted.
We collected expert insights from top security executives to weigh in on this attack, why it matters, and what we can learn from it.
EXPERTS' COMMENTS
Saryu Nayyar, CEO, Gurucul
“There are two aspects to this attack, and both relied upon social engineering. The initial compromise at Twitter targeted personnel with privileged access, which let the attacker gain access to their real targets – access to high profile verified accounts. That let them conduct the second phase, where they leveraged the high-profile accounts to try and social engineer a bitcoin theft from the target account’s followers. It is a complex multistage attack that shows that people are often the weakest link in our security stack.
“Tools such as advanced security and risk analytics could have identified the unauthorized access at Twitter, based on the anomalous behavior. The VIP followers who were the ultimate target are more difficult to protect. They need to rely on their own security education and common sense to recognize a basic ‘too good to be true’ offer. The general public has an inadequate knowledge of even basic personal cybersecurity, which is something that needs to be addressed on a large scale.”
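The kind of behavioral check Nayyar refers to can be sketched in a few lines. The script below is an added example for this article, not Twitter's internal tooling or any vendor's product: the audit-log format, the operator names, the action names and the thresholds are all constructed assumptions. It parses admin-console events and flags any operator who performs sensitive actions (email reset, 2FA disable) on more than a baseline number of distinct verified accounts within a short sliding window.

```python
"""Behavioral anomaly check over admin-console audit events.

Added example, not Twitter's own tooling. The log format, field names,
operators, actions and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (hypothetical format):
# <timestamp> op=<operator> action=<action> target=<account> verified=<yes|no>
SAMPLE_LOG = """\
2020-07-15T20:01:10Z op=alice action=view_profile target=@user123 verified=no
2020-07-15T20:02:45Z op=alice action=reset_email target=@user123 verified=no
2020-07-15T20:10:02Z op=bob action=view_profile target=@celeb_a verified=yes
2020-07-15T20:10:40Z op=bob action=reset_email target=@celeb_a verified=yes
2020-07-15T20:11:05Z op=bob action=disable_2fa target=@celeb_a verified=yes
2020-07-15T20:12:30Z op=bob action=reset_email target=@celeb_b verified=yes
2020-07-15T20:13:01Z op=bob action=disable_2fa target=@celeb_b verified=yes
2020-07-15T20:14:20Z op=bob action=reset_email target=@celeb_c verified=yes
2020-07-15T20:15:44Z op=bob action=reset_email target=@celeb_d verified=yes
2020-07-15T21:30:00Z op=carol action=view_profile target=@celeb_e verified=yes
"""

# Actions that change who controls an account (assumed names).
SENSITIVE_ACTIONS = {"reset_email", "disable_2fa"}


def parse_line(line):
    """Turn one audit line into a dict with a datetime timestamp."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), **fields}


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def flag_operators(events, window=timedelta(minutes=15), max_verified_targets=2):
    """Return {operator: set(verified accounts)} for every operator who ran
    sensitive actions against more than max_verified_targets distinct verified
    accounts inside any sliding window of the given length.

    The baseline of 2 is an assumption; in practice it would be derived from
    each operator's historical activity.
    """
    by_op = defaultdict(list)
    for e in events:
        if e["action"] in SENSITIVE_ACTIONS and e["verified"] == "yes":
            by_op[e["op"]].append(e)

    flagged = {}
    for op, evs in by_op.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # Distinct verified accounts touched in the window opening at this event.
            targets = {e["target"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(targets) > max_verified_targets:
                flagged[op] = targets
                break
    return flagged


if __name__ == "__main__":
    for op, targets in flag_operators(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT operator={op} verified_accounts_touched={sorted(targets)}")
```

The check keys on two signals at once: the sensitivity of the action and the number of distinct high-value targets per operator per window. A single support case legitimately touches one account; a burst of control-changing actions across many verified accounts from one operator is the pattern worth paging on, regardless of whether that operator was phished or is acting deliberately.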
Raj Samani, McAfee fellow, Chief Scientist
“The recent Twitter incident has opened up questions about our dependency on social channels as a vehicle for authoritative sources to provide up-to-date information/advice. Whilst the messages clearly defrauded a number of victims, the incident does emphasize the role administrative users have within organizations and the need to implement measures to limit and monitor any changes implemented. Moreover, the rhetoric to pour scorn on victim companies is particularly unhelpful, since transparency on the methods used should, we hope, provide a guide to other companies to ensure they do not fall prey to the same approach.”
Will LaSala, Director of Security Solutions, Security Evangelist, OneSpan
“The latest Twitter breach goes to show that all users can be hacked. Regardless of whether or not Twitter accounts have the coveted blue check mark, all users should enable multi-factor authentication (MFA). We’ve recently seen the FBI issue a warning to consumers about the increased threats facing mobile apps during the pandemic, specifically in the banking industry, and it is no surprise that they too are recommending that consumers enable MFA on all mobile apps and online accounts where it is available. But consumers should beware that not all MFA is created equal, and when possible, they should enable PUSH multi-factor authentication while disabling SMS-based MFA.
Meanwhile, app developers should take steps to ensure the security of their mobile apps, even when those apps are being used in unsecured environments such as jailbroken or rooted phones. Mobile app developers can do this by incorporating in-app protection such as app shielding with runtime protection and risk analytics to catch compromises like mobile malware attacks and account takeovers.”
Chris Hauk, consumer privacy champion, Pixel Privacy
“Early reports indicate the Twitter Bitcoin hack was enabled by “a coordinated social engineering attack” that targeted Twitter employees. This underscores how easy it is to fall for a social engineering attack, even if you’re an employee of a social network who should be more security conscious than your average office worker.
The ability for a hacker to gain the ability to post on multiple Twitter accounts is quite scary, and Twitter should consider itself lucky that the hacker’s aim was financial and not simply a malicious attack looking to cause havoc on the Twittersphere.
This will most likely lead to a big overhaul of Twitter’s internal security systems, or at the least increased education for employees on social engineering attacks.”
Lavi Lazarovitz, Head of Security Research, CyberArk
“Whether it was social engineering in its classic form or an active malicious insider, the root cause lies in the access to the administrator tool. In the exposure of the tool to the network, in the privileged access to the system and in how users and employees authenticate to the system.”
Mounir Hahad, head of Juniper Threat Lab, Juniper Networks
“This is a very serious hack that could have resulted in a lot of damage in financial markets should a tweet have been attributed to a personality with influence like POTUS, the treasury secretary or the chairman of the Federal Reserve Bank. In a very short period of time, one of the bitcoin wallets saw more than 300 contributions, some at around $5,000, totaling over $118,000 in received funds.
“This was obviously a carefully coordinated attack that required a non-trivial amount of preparation. Given the scope of the hack, it is unlikely the accounts were compromised via typical credentials phishing. Unless Twitter identifies the root cause and patches it, we could see similar attacks in the near future.”
Chloé Messdaghi, VP of Strategy, Point3 Security
“If these hacks weren’t via third party, that’s a whole different ballpark. This might mean it happened to a Twitter employee – perhaps someone gained access through an employee’s account. In this instance, organizations should be reminded to make sure their team members know how to secure themselves. They need to be trained and understand why it’s important to be trained to stay safe for everyday usage for not only their own privacy rights, but for the company as well.
When it comes to security response plans, I know that IBM’s recent study found that 74% of organizations report their plans are either ad hoc, inconsistent, or completely non-existent, and only 1/3 of organizations had some sort of playbook in place for an attack – which is so scary. As companies, we’re literally failing our customers. These numbers say that we’re failing our customers. Companies put so much money and time into marketing, sales, etc., and we totally forget about security. A data breach costs a company on average $8.19 million in the U.S.
Whatever the source of the hack, this news should be a reminder to have a game plan in place. Twitter should have a game plan in place. Companies should revisit their security game plans, reinforce security training, and make sure that every single team member knows that they each hold a key that can bring down the entire company.”
Avi Shua, CEO and Co-Founder, Orca Security
“This widespread breach highlights the insider risk. This is a major risk with any company, especially one as large as Twitter, that relies on a large workforce of employees to support and moderate the platform. The most concerning part is the fact that the attackers managed to utilize this access to gain control of so many key accounts, suggesting that it is possible the Twitter systems give too much access to too many employees without requiring multiple approvals for key changes.
I believe that such cases are a wake-up signal for Twitter and similar companies – while they are B2C companies that aren’t vetted for their security before people register, they’ve reached a level of importance that makes it absolutely necessary.”
Colin Bastable, CEO, Lucy Security
“It appears to be a highly targeted attack on a Golden Key Holder – a highly authorized Admin with access to the Twitter Authenticated “Blue Check Mark” users via the User Admin console. Many of these Twitter accounts use third party solutions to manage, schedule and push out tweets – we believe that a spoof email pretending to be from one of these third parties could have been used to spearphish the Admin, or perhaps that Admin opened a spoof internal Twitter email with a payload designed to harvest his credentials.
I think the enablers for this attack were one), work from home (#wfh). People’s behaviors change when their work environments change, and this has made the “mark” (victim) more susceptible to a targeted spearphishing attack. Twitter encourages its staff to work remotely. Two), Twitter’s process for putting its thumb on the scales of users it wishes to censor (aka shadow-banning). Apparently it is manual, and the mark was one of those who has/had the ability to backdoor into accounts. That’s a big security failure. And three), third-party scheduler apps may have provided the route to the mark.
I don’t think the public associates Jack Dorsey with Square to the extent that he is seen as “the man in black at Twitter.” But, given that he appears to have strong top-down control over both businesses, and given Square’s financial role, I’d say that regulators will want to take a hard look at governance. So it has the potential to cause problems as this unravels. So far, we don’t know what we don’t know about the Twitter hack; if there’s more info to come, it may well be a big issue.
The wider question is what else has been accessed? Is there more info to be released, like DMs? It is highly unlikely that Biden or Obama run their Twitter accounts – they have operatives to do that, so probably not much private gold to be mined at that level. For sure, the world waits to see if The Donald’s account was hacked.”
External Link: Expert Commentary: The Twitter Hack That Shook The World