> We are continuing our forensic review of all of the accounts to confirm all actions that may have been taken.
Is it nonsensical to combine the words "all" and "may" in that sentence?
Twitter has revealed more about the July 15 attack that saw several prominent accounts hijacked to promote a Bitcoin scam. The Saturday, July 18 update admits “the attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two- …
"This is not a 'must' not a 'might' situation."
That should read
This is not a must but a might situation.
We know what the hackers did: they had inside men (by intention or by coercion). What we want to know is what they are doing about it and why measures were not already in place to avoid this kind of possibility.
They can't just sit on their asses thinking these kinds of problems will just go away... So there is definitely a "must do something" element.
I think you're misreading it as meaning 'all actions that (must|may|might)? have been taken by the Twitter admins,' but what was actually meant was 'all actions that may have been taken by the baddies.' So definitely not a 'must' situation, and 'may' is actually much broader for them to consider than just 'have been taken,' and not at all trying to limit their duty; quite the contrary.
Stoopid passive voice. It was somewhat ambiguous.
I would suggest a small number may end up being just 1 but they are trying to avoid all the crap landing in one place at the moment.
Plus it suggests very weak procedures for high value accounts if a single person acting in bad faith can compromise them.
"I would suggest a small number may end up being just 1 but they are trying to avoid all the crap landing in one place at the moment."
If they're trying to avoid the midden hitting the windmill for one specific person, then it suggests to me that it may have been an important person.
Not necessarily a high up one, but more someone who gets a lot of things done, or as we've seen - has some of the Royal Keys...
From my experience (in Edumacation), it is exactly the "very important people" who would insist that a single helpdesk person should of course be able to imMEdiately set a new password, without callback or other further identification, after all they already have the cheek of not giving out the original value of the password.
Attackers had access to the internal tools, and could view mobile numbers. Presumably they could update user details like mobile numbers, and since they're using tools for trusted staff, no further authentication was required. So change the mobile number of Elon Musk to your (burner) number, then issue the password reset request. 2FA kicks in and sends 2FA request to mobile number on file, but it now goes to your number, not Elon.
(I'm not saying this is what happened, just one possibility for a poorly designed process/system)
So change the mobile number of Elon Musk to your (burner) number, then issue the password reset request. 2FA kicks in and sends 2FA request to mobile number on file
Thank you for a possible explanation. I can't believe the original article didn't focus more on this bit of the hack 'cause if 2FA is compromised then it's back to the drawing board for basic online security.
At least they seem to understand they fucked up. They're at least not going "we take our customers' privacy so very seriously".
OTOH I abandoned Twitter at the beginning of the month when they randomized their CSS to kill adblockers. I just don't have the patience to deal with the torrent of ads.
"the attackers successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems,"
This is an attack from inside the security model. This is equivalent to an Intel processor side channel attack.
*Some* employees will always have access to tools which permit account access, at the very least enabling a credential reset. *Some* can modify system code! If those employees go rogue, or stupid, then it's game over. There's no mystery to that.
That would not be the first high-profile system like that, but in the end even if you have the strongest imaginable authentication process, if your system admins themselves only need login+password and can log in from anywhere in the world, your entire security model is worthless.
Or their support people have a second and possibly even a third method to get access to vital systems (eggs, basket, etc), that happens to have an unpatched vulnerability.
I doubt these were system admins, just 1st line support. They probably pretended to be their IT and got them to let them remotely login to their computers to fix something, including inputting any 2FA required.
There's no easy solution: more training on phishing calls, including internal phishing attempts to catch those who fall for them. Maybe a change in process so it requires more than one person to fall victim to make changes.
Good in depth blog over on Krebs on Security on this. Seems that "SIM Swapping" is a thing - basically persuade/bribe some mobile phone support/sales body to point a mobile number to a new SIM (As you would if you lost your phone, switched provider etc).
So if your "forgot password/2FA" process involves reset via SMS... Social Engineering to get e-mail/twitter handle and mobile and SIM Swap and ...
SIM swapping isn't about tools - it is identifying the mobile telco provider and phone number that a target uses, then getting the telco to "recover" the phone number into a new SIM.
This can be via social engineering the telco or just finding and paying off an employee with appropriate capability like a local store manager.
Brian's piece fails to address something extra: the hackers bribed their way into Twitter's infrastructure. Motherboard was in touch with a couple of folks involved in the hacking and they acknowledged paying some staff to get access to the necessary systems.
No SIM swapping happened, at least in that version of the story.
Not just one but apparently several Twitter employees were socially-engineered to share or compromise their admin credentials which have access to super high-profile accounts?
Is this some kind of bad joke?
Maybe it's karmic justice for being one of the top 3 enablers of the current POTUSCLOWN.
Social media is highly overrated, and the world really isn't how it's portrayed there.
I'd like to think that this could be a wakeup call for alleged 'twitter addicts' that (straw man) get all of their news, social interaction, and other information from twitter. If such people really exist, yeah...
as for me - yet another reason NOT to use Tw[a,i]tter.
People have had years to "wake up", yet they seem to be getting stupider and stupider about such things.
Education and aggressive policing of the massive online disinformation programs that are going on these days would be helpful.
As would actual criminal penalties against any business that causes damage to customers or the community, either willfully or unknowingly. If you own a building that flouts safety regulations and which blows up and injures people living next door, the same principle applies.
Unfortunately in the US, Profit is King, so there is rarely any political will to write and enforce such cyber-laws. Especially since technology-ignorant politicians can't even imagine what the potential problems are until they have already left a trail of destruction.
"it's just another hacking"
Like any other security...
"it's just an illusion of security "
From this point of view, why even bother with all security....
2FA is a security layer. It may not be perfect, but it makes it harder to compromise the account, the goal being to discourage the haxor... The more layers you have, the more you will stay "undisturbed".
I'm not a fan of 2FA either, especially using an app on a smartphone where you have no control and can't possibly know how many times a day it gets accessed by unknown people... A system used by Localbitcoins, the "printed paper codes", is simple and IMO more secure.
OK, so they broke the 2FA of some employees to get into the tools. But why is there a tool to do a password reset on an account that lets the attacker get straight in? Doesn't this imply that there's a tool for twitter admins that allows them to know the password being set? Even if there is such a tool (and there possibly shouldn't be), why is it available to anyone but a select few admins?
Maybe it is, in which case, why aren't these admins highly trained?
And doesn't this smack of the hackers gaining useful inside knowledge, like which admins to target?
I don't think twitter are being as open as they could be.
Being able to initiate a password reset is not the same as revealing the password in plaintext on someone's monitor.
Initiating a password reset shouldn't be an inherent risk for an admin to use unless they control the account that the reset request is being sent to. (Or they are using an idiotically insecure channel like SMS to send the unencrypted password reset request)
On the other hand, if a user asks an admin to both reset a password and disable 2FA simultaneously, that should probably require A) some additional info from the user, and B) get a supervisor approval of some kind before being allowed, and probably the account in question should be closely monitored for a while, too.
As for Twitter not being open, I think it's clear that they are not, despite their claims. If they were actually being open, they would have defined what this "small number" of admins actually means, what positions they held, and more details about how they were pwned.
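The flow described a few comments up (change the number on file, then request the reset so the code lands on the attacker's phone) and the controls proposed in this comment (extra identity checks, a second person signing off, and a monitoring period) can be written down as a small policy engine for a support tool. The block below is an added illustration, not Twitter's tooling and not code from anyone in this thread; the account fields, the request shape, the 24-hour cooldown after a contact-detail change and the 7-day monitoring window are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed model of a support-tool policy for account recovery (hypothetical,
# not any real platform's tooling). It encodes three controls from the thread:
#  1. a reset routed to a phone/email that was changed very recently is suspect,
#  2. "reset password + remove 2FA" needs extra identity checks and a second person,
#  3. high-value accounts always need a second person and post-change monitoring.

CONTACT_CHANGE_COOLDOWN = timedelta(hours=24)   # assumed window
MONITOR_DAYS = 7                                # assumed monitoring period

@dataclass
class Account:
    handle: str
    high_value: bool
    two_factor_enabled: bool
    phone_changed_at: datetime
    email_changed_at: datetime

@dataclass
class RecoveryRequest:
    agent: str                      # support agent submitting the request
    action: str                     # "reset_password", "disable_2fa" or "reset_and_disable_2fa"
    identity_checks_passed: int     # e.g. callback to number on file, ID document, history questions
    approver: Optional[str] = None  # second person who signed off, if any

AUDIT_LOG: List[dict] = []          # append-only record of every decision

def evaluate(account: Account, req: RecoveryRequest, now: datetime) -> Tuple[str, List[str], int]:
    """Return (decision, reasons, monitor_days); decision is ALLOW, NEEDS_APPROVAL or DENY."""
    reasons: List[str] = []
    needs_second_person = False
    monitor_days = 0
    removes_2fa = req.action in ("disable_2fa", "reset_and_disable_2fa")

    # Control 1: the "swap the number, then ask for a reset" pattern.
    last_contact_change = max(account.phone_changed_at, account.email_changed_at)
    if now - last_contact_change < CONTACT_CHANGE_COOLDOWN:
        reasons.append("contact details changed within cooldown window")
        if account.high_value:
            return _log(account, req, "DENY", reasons, 0)
        needs_second_person = True

    # Control 2: removing 2FA needs at least two independent identity checks and sign-off.
    if removes_2fa and account.two_factor_enabled:
        reasons.append("request removes 2FA")
        needs_second_person = True
        monitor_days = MONITOR_DAYS
        if req.identity_checks_passed < 2:
            reasons.append("fewer than two independent identity checks")
            return _log(account, req, "DENY", reasons, 0)

    # Control 3: high-value accounts always get a second person and a monitoring period.
    if account.high_value:
        reasons.append("high-value account")
        needs_second_person = True
        monitor_days = MONITOR_DAYS

    if needs_second_person:
        if req.approver is None:
            return _log(account, req, "NEEDS_APPROVAL", reasons, 0)
        if req.approver == req.agent:
            reasons.append("self-approval is not allowed")
            return _log(account, req, "DENY", reasons, 0)

    return _log(account, req, "ALLOW", reasons, monitor_days)

def _log(account, req, decision, reasons, monitor_days):
    # Every decision, including denials, is recorded so a later review can see
    # which agent asked for what, and who approved it.
    AUDIT_LOG.append({"handle": account.handle, "agent": req.agent, "approver": req.approver,
                      "action": req.action, "decision": decision, "reasons": list(reasons),
                      "monitor_days": monitor_days})
    return decision, reasons, monitor_days

if __name__ == "__main__":
    now = datetime(2020, 7, 15, 20, 0)
    long_ago = now - timedelta(days=400)
    # Constructed sample: a high-value account whose phone number was changed ten minutes ago.
    acct = Account("vip_account", True, True, now - timedelta(minutes=10), long_ago)
    print(evaluate(acct, RecoveryRequest("agent1", "reset_password", 1), now))
```

The point of the model is that the reset itself is not the dangerous operation; the combination of a freshly changed contact channel, a 2FA removal and a single agent acting alone is. Each of those conditions either forces a second person into the loop or refuses outright, and the refusal is logged rather than silently dropped.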
getting a Yubikey for a while.
Until I realized how much it would suck if it was lost or stolen
Which is why I have several - one kept in the safe at home and one carried on me. The one in the safe is configured to have the same access as the live one.
So Simon whatever, you have assumed 2FA failed. How do you know that? The attackers got access to the admin portal/tools but do these same tools allow the admin to clear 2FA and allow a fresh login?
A bit more depth on your article would be good. A little more research perhaps?
"So Simon whatever, you have assumed 2FA failed. How do you know that?"
Twitter stated that "the attackers successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems, including getting through our two-factor protections." Simon Sharwood quoted that in his second paragraph. Did you forget reading that?
"Did you forget reading that?" - Not at all.
They got access to the admin tools - there is (along with the option to change the user's email address) an option to reset/remove the 2FA in the event that the user loses their phone. Means they log in again with the new email, no 2FA requested and bingo, off they go.
First, 2FA failed to prevent the attackers from accessing Twitter's internal systems, as Twitter themselves said: "including getting through our two-factor protections". That's what Simon Sharwood referred to, yet you went into the attack saying "So Simon whatever, you have assumed 2FA failed. How do you know that?"
Second, you yourself have gone on to explain how you think users who thought themselves protected by 2FA were pwned nonetheless, i.e. that they had 2FA on their accounts but 2FA failed to protect them.
Anyone who got scammed was a fool in this instance.
“Give me some money and I will double it because I am a nice guy”
Right, a 6-year-old would question that proposal.
Twitter is such a toxic place so glad I avoid FB & T, LinkedIn is fast coming into 3rd place for creating a toxic environment.
To all the “social media” fools: look up, there is an amazing world just 3” above your screen.