The Twitter breach and lesson to take away from it
On July 15th multiple celebrity Twitter accounts expressed a sudden burst of generosity, and offered to "give back" to the community by stating they will double every amount of bitcoin sent to them. That was obviously a scam and indeed a sophisticated one.
Oversimplifying it, the scam involved 2 main steps. First the hacker managed to gain access to one of Twitter's internal Slack workspaces, in which he managed to find an internal support utility that allows for full control on any Twitter account, as well as credentials for the tool.
But that was not enough. The tool required 2FA and the hacker managed to social engineer his way in using a phone spear phishing attack. The hacker went on and sold access to celebrity Twitter accounts, on-demand, after proving the ability to control any account using the utility.
Step 2 was monetization. Fake messages were sent out in the name of the chosen celebrities. The message sent was effectively identical and sent simultaneously from all the compromised accounts and suggested the celebrity will double any sum sent to them, and added a Bitcoin address. This is it.
So why did I decide to dedicate a blog post to this attack?
One reason; everything about this attack represents why we founded Obsecure. Not necessarily to protect Twitter’s internal network and tools but to change the paradigm of how we trust actors in digital systems.
The way the hackers were able to get access to this very sensitive utility demonstrates why the current paradigm is broken. Indeed, these are sophisticated hackers but we shouldn’t give them the credit. We should look at what we’re doing wrong. Specifically, the reliance on authentication and implicit trust.
By implicit trust I mean authenticating people using passwords, tokens, devices, codes and behaviors to grant them access to digital applications and systems. And worse than that, assuming that just because someone passes the authentication challenges, the actions they take are authentic.
At Obsecure, we developed a technology that “witnesses” people, not digital users, as they perform their digital activity. This means that the only way to perform a digital action, such as sending a message on a messaging platform or tweeting on behalf of a celebrity, is by the authorized person presenting their physical selves while typing the message. A similar approach to how a notary notarizes a document - by checking the identity of the signer and witnessing the act of signing.
To conclude, we continue to see sophisticated attacks whereby credentials are stolen, in one way or the other, to create personal or business damage such as a PR and financial headache to one of the best known digital brands out there. This is far from being unavoidable. Notary-grade activity signing using a physical biometric-based identity key can put an end to such scams.