I can't believe I'm the first person to comment on this topic.
Twitter has offered its initial analysis of the Wednesday mass hijacking of prominent twits' accounts – and suggested it all kicked off after its staff fell for social engineering. Judging from leaked screenshots of Twitter's internal systems circulating online and seen by El Reg, it appears one or more miscreants were able to …
This post has been deleted by its author
I can't believe you came out of hiding after best part of a year – having posted only two things in the last nearly four years – just to post that. I guess maybe you're usually AC. Also, you weren't the first. Just that someone else got cold feet and deleted it. But maybe that was you too. In summary: what?
... and nothing of any value was lost.
Unless you were one of the simps transferring your $1000 BTC hoping a Billionaire will double it for you for shits n giggles.
I suppose in theory the BTC isn't actually lost, to quote Gekko "Money itself isn't lost or made, it's simply transferred from one perception to another". That's $100,000 in BTC definitely transferred in someone's perception.
Assume most Twitter Admins working from home, so remote access a given. Plus probably running some BYOD build on an average joe wifi-router + ISP build which would be an easier target? Can't see Twitter being the sort of company that goes in for locked down corporate builds for its employees?
Agreed, but a) VPNs have holes (several high profile solutions have had exploits exposed recently), and b) if you hack the machine that has the VPN connection... Especially if that VPN is split tunneled...
The ideal of course is two workstations - one locked down tight for Admin tasks - but you send the people home, do you send them home with two laptops, again one locked down in such a way as it can only remote to the Admin box in the office? But then that's on the same wifi as your family kit, sky+, Alexa, ... So that should be on another network (4G maybe)... All nice, but this was short notice, so what setup did they have...
Also, it looks like they had access to a user admin panel (but perhaps not much else) so would all these security layers be in place, for a user support body...
"Assume most Twitter Admins working from home, so remote access a given."
And IIRC, wasn't Twitter one of the first big social media companies to announce that work from home will be a permanent feature of their work practices now? I'd like to think this means they take security very seriously and that maybe Twitter is a mature and grown-up company these days rather than the immature start-up run by recent university graduates with a "good idea" and the gift of the gab where VCs are concerned, running the operation on a wing and a prayer.
I see, there was "a coordinated social engineering attack", or in layman's terms: "some of our staff fell for phishing"
or should that be "some of our soon to be ex-staff fell for phishing"
It does make you wonder how sophisticated it was, how they are going to prevent this in the future, and of course how many heads will roll.
Someone recently asked me whether I was on Twitter. The answer was "no", and that doesn't look like it is going to change any time soon, not just because of privacy concerns, but I also have the El Reg Commentard section to vent my more unhinged opinions.
"I would like to offer my deep and sincere apologies to the US and the world for my mishandling of the COVID-19 crisis, my deplorable statesmanship, and my overall boorishness. I have brought shame onto the office of the Presidency and the nation of the United States."
(Can't be arsed to tell whether that exceeds the 288 character limit.)
So once again greed triumphs over common sense. If these people who paid Bitcoins weren't on the sucker list before, they will be now. In recent news most of these celebrities (also known as rich people) have expressed interest in giving back something, which makes this more plausible, which goes back to greed.
I sympathise with those of you who are having problems with Twitter. In many ways they seem to have done it to themselves despite leaving the reservations (Facebook/Google), but they are a corporate organisation there to make money.
If you remember, he was banned a while back by a Twitter staff member on his last day.
I would guess that to prevent a re-occurrence of that, they may have put some kind of special handling in for his account (and presumably the Whitehouse account too).
Although, given the messages were basically "I'm feeling generous and will double your money", perhaps they thought no-one would believe it of Trump and his friends?
Sounds like a well executed plan, and scary if the numbers are accurate as to how many people fell for it.
What got me is the request is so obviously a scam "send me money and I'll send you twice back", most people should have thought that was too good to be true. I would have thought they would have had a better conversion rate if they had said "Donate 1 bitcoin to this address and I'll match your donation to help COVID", that I think would have got past more people's mental barriers.
"Sounds like a well executed plan, and scary if the numbers are accurate as to how many people fell for it."
It is relatively common practice for scammers to seed the account with money before and during the scam. The more money people see in the pot, the more likely they are to think that if so many other people are putting money in, it can't possibly be a scam.
Same sort of deal with beggars seeding a few coins into the begging tray to make it look like other people are giving them money and thus encouraging others to also give.
So the $100k is definitely overstating it, but by how much is anybody's guess.
So Twitter have been subject to a deeply embarrassing attack which will do long-term damage to their business. The same Twitter recently censored tweets from their most high-profile user, claiming that they contained provable falsehoods. Said high-profile user, in his day job as President of the United States, authorized a certain intelligence agency to carry out cyber attacks with little oversight (see story on this very site) some time ago.
I shall have to add some more tinfoil to my hat...
I find it odd that the hackers are apparently boasting about how they did it; I wonder if they are just diverting attention from the source? If a hacker worked for an organization that had this hack waiting for the election then they could have made a little money by selling it to their friends...
.... there's nothing the company can do to mitigate an attack until it's happened. Hopefully they'll find this person and throw the book at them. While it might seem amusing to do it from various CEO accounts imagine if it had been from a hospital/government/police/large media provider account saying there'd been a new mass pandemic outbreak/terrorist attack etc.
Indeed. I couldn't care less about some celebutards being hacked, but you would hope that all Twitter admins are forced to only access core systems with keyloggers enabled as the same problem happened in a documentary I saw on TV called Jurassic Park...
"With the keychecks off, the computer didn't file the damn keystrokes ..."
Yep, agreed. Sending out a Bitcoin scam request via a few rich peoples accounts sure seems to have grabbed the attention of everyone but what else might also have happened at the same time. I guess you only have a limited time before these sort of account takeovers get discovered so sending out these lame tweets from celebs accounts does seem like a diversion. I guess we'll never know.
If some unknown "miscreants" have been able to do it, why not any other, with - perhaps - similar or better skills and tools and with entirely different motives. Given how politicians have employed twitter to police the world, I can see a Mr President announcing, out of the blue, that yes, we are launching an all out nuke war against China (or not). I just hope that the Russians in charge of such accounts are not too drunk to do it as a prank.
It’s a pity I don’t teach infosec classes any more, this would make a perfect example to show the senior techies how a breach happens.
However from Twitter's response I suspect someone found a weakness in their password reset system and they are putting up a smokescreen whilst they fix it. Either that or their separation of duties system is horrendous.
English is my first language but my sentence structure is odd when I remove the swearing.
There's your primary weak point right there. Without good reason (and having to go via support), it should NOT be possible to directly change an email address used by an account without sending the confirmation link to the original email address.
[and, one might add, disallow password changes for a certain time after email address changes]
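As an added example that is not part of this thread or of Twitter's own code, a small Python model of the two controls the comment proposes: the confirmation token for an address change goes only to the original mailbox, and password resets are refused for a cooldown window after the address changes. The Account fields, the 24-hour window and the outbox stand-in are assumptions for illustration.

```python
# Added example (not from the thread or from Twitter): model of two account-change
# controls. Field names, the 24h cooldown and the outbox stand-in are assumptions.
import secrets
from dataclasses import dataclass, field

EMAIL_CHANGE_COOLDOWN = 24 * 3600  # seconds after an email change during which resets are refused

OUTBOX = []  # constructed stand-in for real mail delivery: list of (recipient, body)

def send_mail(to: str, body: str) -> None:
    OUTBOX.append((to, body))

@dataclass
class Account:
    email: str
    password_hash: str
    last_email_change: float = -1.0              # epoch seconds; -1 means never changed
    pending: dict = field(default_factory=dict)  # token -> proposed new address

def request_email_change(acct: Account, new_email: str) -> str:
    """Stage an address change. The token is delivered to the ORIGINAL address only,
    so whoever controls the account session cannot complete the change alone."""
    token = secrets.token_urlsafe(16)
    acct.pending[token] = new_email
    send_mail(acct.email, f"Confirm change of address to {new_email}: {token}")
    return token

def confirm_email_change(acct: Account, token: str, now: float) -> bool:
    """Apply the change only for a token the original mailbox received."""
    new_email = acct.pending.pop(token, None)
    if new_email is None:
        return False
    acct.email = new_email
    acct.last_email_change = now
    return True

def reset_password(acct: Account, new_hash: str, now: float) -> bool:
    """Refuse resets inside the cooldown window that follows an email change."""
    if acct.last_email_change >= 0 and now - acct.last_email_change < EMAIL_CHANGE_COOLDOWN:
        return False
    acct.password_hash = new_hash
    return True
```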
The piece about this at Ars Technica says the miscreants gained access by paying some Twitter staff:
Sorry, that's second hand info, the first source to those affirmations are at Motherboard: