The Twitter Hack and Insider Threats
Last week, Twitter made national news when unusual tweets were posted from high profile accounts. Had it been hacked? Accounts from Joe Biden, Elon Musk, Bill Gates, Apple and others tweeted a link to a bitcoin address, asking for donations they claimed they would match for a limited time. They were the kind of messages that a cyber-aware person would recognize as a scam.
The widespread nature of the hacks and subsequent tweets, all occurring in the same day, seemed to suggest one thing: Twitter itself had been compromised. The company announced that they believed they detected a “coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
Let’s break down two concepts: social engineering and insider threats. Social engineering is the act of using a pretext, a fake story, to gain access or information. The targets are people, not computers. For example, if I can trick you into giving me your password, that’s easier and faster than attempting to hack a software platform. An insider threat is someone associated with a company (such as an employee) who intends to harm the company by disrupting operations, stealing money or data, etc.
Joseph Cox, a cybersecurity journalist for Vice, published a piece on 15 July saying that some of the hackers paid a Twitter employee to do all the work for them. He also referenced screenshots of Binance, the internal Twitter tool used to administer accounts, which the insider or hacker apparently used to “take over” the high-profile accounts.
What’s interesting is that, per Business Insider, two former employees allege that at least 1,000 employees and contractors have access to this internal tool. Is this a big deal? It depends on what the tool can do. In this case, it seems that the tool allows an employee to change the email account associated with a Twitter handle, effectively handing control of the account to someone else, which may have been how the hackers got hold of the accounts. With this feature alone, the tool should be limited to those with privileged access—not run-of-the-mill customer support.
As we say in our user awareness training: as individuals, we have no control over how a company secures (or doesn’t secure) our information. This level of accessibility by a large employee/contractor base violates one of the security principles of software engineering: least privilege. One hopes that companies background-check employees who will have privileged access, limit that access to those who truly need it, and log and audit privileged functions to make sure they are not being misused. (Auditing would also help track down insider threats after the fact.)
Security measures such as those above are well known. In fact, they are among the security controls in the NIST Cybersecurity Framework.
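To make the two controls above concrete, here is an added example (not Twitter’s code, and not a description of its real tool): a small internal account-admin tool in which the email-change action is gated on an explicit role permission (least privilege), every attempt is written to an audit log whether allowed or denied, and a simple review over that log flags any actor who re-points many accounts’ emails in a short window. The role names, handles and timestamps are constructed for illustration.

```python
"""Least privilege plus audit logging for a privileged account-admin action.

Added example, not Twitter's code: the tool, roles, handles and timestamps
below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Which internal roles may perform which actions (constructed; assumption).
# Plain support staff can look at an account but not re-point its email.
ROLE_PERMISSIONS = {
    "support_tier1": {"view_account"},
    "account_security": {"view_account", "change_email"},
}


@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    actor: str
    action: str
    target: str
    outcome: str  # "allowed" or "denied"


class AccountAdminTool:
    """Internal admin tool: every privileged call is authorized and audited."""

    def __init__(self, accounts):
        self.accounts = dict(accounts)  # handle -> recovery email
        self.audit_log = []

    def _record(self, when, actor, action, target, outcome):
        self.audit_log.append(AuditEntry(when, actor, action, target, outcome))

    def change_email(self, actor, role, handle, new_email, when=None):
        """Change an account's recovery email; denied attempts are logged too."""
        when = when or datetime.now(timezone.utc)
        # Least privilege: the role must explicitly carry the permission.
        if "change_email" not in ROLE_PERMISSIONS.get(role, set()):
            self._record(when, actor, "change_email", handle, "denied")
            raise PermissionError(f"{actor} ({role}) may not change email")
        self.accounts[handle] = new_email
        self._record(when, actor, "change_email", handle, "allowed")
        return True


def find_suspicious_actors(audit_log, threshold=3, window=timedelta(hours=1)):
    """Return actors with >= threshold allowed email changes inside one window.

    Re-pointing many accounts' recovery emails in a short time is unusual for
    legitimate support work and is worth an analyst's follow-up.
    """
    by_actor = {}
    for e in audit_log:
        if e.action == "change_email" and e.outcome == "allowed":
            by_actor.setdefault(e.actor, []).append(e.when)
    flagged = set()
    for actor, times in by_actor.items():
        times.sort()
        for i, start in enumerate(times):
            # Count changes in the window that opens at this change.
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                flagged.add(actor)
                break
    return sorted(flagged)


def demo():
    """Constructed scenario: one denied tier-1 attempt, then a burst by one actor."""
    tool = AccountAdminTool({"@alice": "alice@example.com",
                             "@bob": "bob@example.com",
                             "@carol": "carol@example.com"})
    t0 = datetime(2020, 7, 15, 20, 0, tzinfo=timezone.utc)
    denied = 0
    try:
        tool.change_email("support1", "support_tier1", "@alice",
                          "unverified@example.net", t0)
    except PermissionError:
        denied += 1
    for i, handle in enumerate(["@alice", "@bob", "@carol"]):
        tool.change_email("sec_analyst", "account_security", handle,
                          f"new{i}@example.com", t0 + timedelta(minutes=5 * i))
    return denied, tool.audit_log, find_suspicious_actors(tool.audit_log)


if __name__ == "__main__":
    denied, log, flagged = demo()
    for entry in log:
        print(entry)
    print("denied attempts:", denied, "| flagged actors:", flagged)
```

The point of logging the denied attempt alongside the allowed ones is that the audit trail then shows both who had the privilege and who tried to use it without it; the burst check is deliberately simple and would be tuned to the real volume of legitimate email changes before being relied on.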
Despite this less than rosy outlook on our ability to control how well or poorly a company secures our information, we can learn from these security incidents and be more cognizant of social engineering and insider threats in our own workplaces. Emails and messages that come out of the blue, seem unusual, or involve money, payment or sensitive information should be scrutinized and verified first. We can watch for fellow employees who seem to want more access or information than needed to do their job, who skirt policies and procedures, who are suddenly affluent, who purposely work odd hours to avoid others, or who never take a day off; they just might be an insider threat.
If you need help with user security awareness in your organization, contact us.