Flying blind
Quick update to last week: the European Court of Justice has ruled in favor of Max Schrems a second time and struck down Privacy Shield, the legal framework that allowed data transfers from the EU to the US (and other third countries); businesses can still use Standard Contractual Clauses, subject to some conditions. TL;DR: Sucks even more to be the UK, caught in the middle between the EU and US demands regarding data flows. On to this week...
This week's Twitter hack is scary. Not, obviously, because it was a hack; by this time we ought to be too used to systems being penetrated by attackers to panic. We know technology is insecure. That's not news.
The big fear should be the unused potential.
Twitter's influence has always been disproportionate to its size. By Big Social Media standards, Twitter is small - a mere snip at 330 million users, barely bigger than Pinterest. TikTok has 800 million, Instagram has 1 billion, YouTube 2 billion, and Facebook 2.5 billion. But Twitter is addictively home to academics, politicians, and entertainers - and journalists, who monitor Twitter constantly for developments to report on. A lot of people feel unable to mention Twitter these days without stressing how much of a sinkhole they think it is (the equivalent of, in decades past, boasting how little TV you watched), but for public information in the West Twitter is a nerve center. We talk a lot about how Facebook got Trump elected, but it was Twitter that got him those acres of free TV and print coverage.
I missed most of the outage. According to Vice, on Wednesday similarly-worded tweets directing followers to send money in the form of bitcoin began appearing in the feeds coming from the high-profile, high-follower accounts belonging to Joe Biden, Elon Musk, Uber, Apple, Bill Gates, and others. Twitter had to shut down a fair bit of the service for a while and block verified users - high-profile public figures that Twitter deems important enough to make sure they're not fakes - from posting. The tweets have been removed, and some people who - presumably trying to follow standard practice in a data breach - tried to change their passwords got locked out - and some people must have sent money, since Vice reported the Bitcoin wallet in question had collected $100,000. But overall not much harm was done.
This time.
Most people, when they think about their social media account or email being hacked, think first of the risk that their messages will be read. This is always a risk, and it's a reason not to post your most sensitive secrets to technology and services you don't control. But the even bigger problem many people overlook is exactly what the attackers did here: spoofed messages that fool friends and contacts - in this case, the wider public - into thinking they're genuine. This is not a new problem; hackers have sought to take advantage of trust relationships to mount attacks ever since Kevin Mitnick dubbed the practice "social engineering" circa 1990.
In his detailed preliminary study of the attack, Brian Krebs suggests the attack likely came from people who've "typically specialized in hijacking social media accounts via SIM swapping". Whoever did it and whatever route they took, it seems clear they gained access to Twitter's admin tools, which enabled them to change the email address associated with accounts and either turn off or capture the two-factor authentication that might alert the actual owners. (And if, like many people, you operate Twitter, email, and 2FA on your phone, you actually don't *have* two factors, you have one single point of failure - your phone. Do not do this if you can avoid it.)
In the process of trying to manage the breach, Eric Geller reports at Politico, Twitter silenced accounts belonging to numerous politicians including US president Donald Trump and the US National Weather Service tornado alerts, among many others that routinely post public information, in some cases for more than 24 hours. You can argue that some of these aren't much of a loss, but the underlying problem is a critical one, in that organizations and individuals of all stripes use Twitter as an official outlet for public information. Forget money: deployed with greater subtlety at the right time, such an attack could change the outcome of elections by announcing false information about polling places (Geller's suggestion), or kill people simply by suppressing critical public safety warnings.
What governments and others don't appear to have realized is that in relying on Twitter as a conduit to the public they are effectively outsourcing their security to it without being in a position to audit or set standards beyond those that apply to any public company. Twitter, on the other hand, should have had more sense: if it created special security arrangements for Trump's account, as the New York Times says it did, why didn't it occur to the company to come up with a workable system for all its accounts? How could it not have noticed the need? The recurring election problems around the world weren't enough of a clue?
Compared to what the attackers *could* have wanted, stealing some money is trivial. Twitter, like others before it, will have to rethink its security to match its impact.
Illustrations:
Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.