I think people are still severely underestimating how dangerous this was.
Back in 2013 when The Associated Press was hacked with a tweet of "Breaking: Two Explosions in the White House and Barack Obama is injured" and erased $136 billion in equity market value:
It's almost as if web services that let people post whatever they want at any time, vulnerable to whatever security flaws may be present, shouldn't be used as a reliable source for up-to-the-minute information about literally anything important at all.
What you're saying makes some sense - a television broadcast, say, requires effort from a lot of people to produce - and, previously, expensive special equipment to broadcast, though now TV content is often streamed over the web - so it has a level of credibility, the TV news at least can't be spoofed by one person in their bedroom on the other side of the world. (Note that deepfakes may be changing this).
But the world we live in is full of "web services that let people post whatever they want at any time". News from Twitter may be weird but many people want to get their news from the BBC website, or the New York Times, or Reuters or whatever. Or their own government's websites. Just web services that people post from - presumably with levels of editing and checking but all presumably with security flaws that could bypass them.
It's not clear exactly what you're asking for. A technological solution involving careful checking of cryptographic signatures? Or some sort of super-expensive-to-spoof source of all important news?
It shouldn't be, but the bleeding edge of markets has always relied on having the latest data from anywhere that can indicate a shift, and I don't expect it to change anytime soon.
Nay, Sir, our brave corporations that regularly sell themselves out to low-cost labour markets will surely defend democracy here and around the world when we call upon them!
Remedy is painfully obvious: make an example of Twitter and pass laws that hold platform operators liable. That should fix all sorts of security problems.
So true. It's a toilet. A few months back I told myself no more, I resigned my account and haven't missed it at all. Massive time sink, and utterly pointless. It isn't a conversation, it's yelling at a brick wall, then yelling louder when you don't get an answer.
Financial markets do. Where acting faster than your competition is essential you don't have a lot of choice.
As for the blackmail and war starting you probably couldn't do much with public tweets (nobody is going to go to war over a tweet without fact checking it) but access to private messages is an entirely different story.
People keep saying it could have started a war. Excuse me for being naive but come on—really? This is total sensationalism. What party wouldn’t verify something on twitter through diplomatic channels before going to war?
Wars start from smaller conflicts, which come about through escalation of smaller conflicts, lies, or misunderstandings. I think all that is necessary to start a war is a geopolitical event of sufficient severity to provoke a retaliation; once the first retaliation happens, there is high risk of further escalation.
So the question is whether a deception on Twitter could trigger a real-world event significant enough to provoke a retaliation. It might be hard to do that with a single message, but they had access to multiple accounts. These tweets were stupidly obvious scams. You could create a huge amount of panic with a series of posts from different influential accounts if they were designed to be believable.
Exactly! Nothing major could have come out of this.
If you disagree, please let me try to convince you;
Tweets were about bitcoin, therefore the broad public was not the target of the attack.
Hence Twitter just prevented verified accounts from posting and deleted some messages. Had the president's account been hijacked and threats of imminent nuclear strike etc. been thrown around, DoD would have been quick to contact Twitter and they would have disabled the whole account, put notifications about the hijack up for everyone to see (like these COVID notifications) or maybe even taken the whole platform offline until they fixed it.
You would click a link to go to the said tweet, but you'd only see that the president's account is not there, and there's a huge warning saying it has been hijacked and devs are working to get it back. That's it.
Now please try to convince me otherwise, I'd love to be challenged on this.
This hack simply proved that a lot bigger things are possible. They could have (maybe they did) read private messages which could simply be used for blackmail. A top defense official getting blackmailed is a pretty easy step in the escalation to broken diplomacy.
Get Trump's account, and tweet something like, "I've ordered a NUCLEAR STRIKE on China! The missiles are already in the air. The DEEP STATE is trying to take me out. They will try to silence me and delete these tweets and use deep fakes to say this was a hoax! The storm is here, Q is real, it's time to take up arms and kill democrats."
Then continue tweeting escalating things over the next half hour (since apparently the hackers couldn't be stopped for a while).
War is perhaps an exaggeration, but if it's wrong it's wrong quantitatively, not qualitatively. In other words, lives unquestionably hung in the balance.
I don't even have a Twitter, Facebook, Instagram, or... anything, I think. Just you people : )
To me, this means that too much trust is placed in social media, rather than we need to police/secure social media more. Social engineering will always be successful to hack into accounts, and hackers are always 1-step ahead of whatever security measures are in place. It is the trust that our society has placed in social media for news/announcements/politics that is the issue.
That market value was recovered in 5 minutes. It sucks for anyone with stop orders, or anyone who got a margin call; but to say it could start wars is really not giving any credit to the humans in the loop.
Given that Donald Trump basically does policy-making in the open on Twitter these days and foreign countries now treat his account that way, there's an argument to be made that a false tweet on his account could at least push us in the direction of a war.
Thankfully, his account is under special 'lock and key' protection, so a regular CS rep can't hijack it.
I believe they are referring to the fact that they could have theoretically tweeted the wrong thing from the wrong account that could have caused a war. It isn't extremely likely but not comically unrealistic. Definitely within the realm of possibility.
Imagine that this tool could give the attackers access to several primary sources (realdonaldtrump, POTUS, whitehouse) along with a couple news outlets such as Fox News. It would be possible to quickly stir up social unrest and start a lot of local skirmishes that'd take some time to deal with.
And, with conspiracy theorists, imagine the consequences of Trump's account tweeting a distress message that he was attacked and replaced by a clone controlled by QAnon.
In the aggregate sense, it eventually netted out. But a lot of people who sold when it looked like prices were collapsing sure got a pretty decent chunk of their bank accounts "erased".
For a market to move, people need to buy and sell. So while value might not be erased on a global scale if the market recovers to the original position, lots of people will lose (and gain) large amounts of money.
What you call value is really speculation. There is really no association between the value generated by corporations and what the traders think they'll make off trading its stock.
I really think that world leaders' Twitter accounts should be on completely separate systems from the Twitter world. Like a twitter.gov service. It should be insanely locked down, and Twitter employees don't have access to it unless they are certified and thoroughly trained. It's just become that important to the stock market and world policy.
To be honest, I think that would indicate a dysfunction of equity markets, not necessarily a problem of Twitter. I would like Twitter to be not that important. For politics and other topics.
> This twitter hack could have literally destroyed economies, started a war [...etc.]
Woah, slow your roll man, it takes a lot to start a war. And temporary glitches in the market are just that-- temporary glitches. If someone loses their shirt over that they deserve it.
It's not hackers who are the true danger, "legit" people abusing media (whatever it may be) are the threat; a good example would be the Stable Genius.
I don't want to be glib about this, but I will say that it takes a lot to stop a war once it starts, but starting it.. humans have not been known to be most rational actors[1].
The only people who lost money during the bid dry-up during that uncertainty were the people greedy enough to sell. I have no sympathy for people who try to time the market on bad news. Fake headlines are part of the bargain.
To be clear, that value wasn’t erased. The market makers just lowered their willing bid during the uncertainty.
This. It almost seems like a proof of concept for someone selling services to a bigger player, using the Bitcoin angle as a smokescreen.
Something like this right before the election or after could wreak havoc if targeted to the right accounts. I imagine certain state sponsors would pay handsomely for that.
That was my thought as well. A big stunt to show they can take over some of the largest names on Twitter/world as a proof of concept. Think of what they can do if they fan this out at scale to millions of normal accounts.
One way to look at this problem is to ask "how to secure Twitter". Another way to look at this problem is to ask whether people should trust Twitter as an official source of information.
I think there is a big organisational difference between the AP and Twitter, but that's just me. Twitter does not employ journalists. Twitter is not the press.
People who have been interviewed by journalists know they regularly get things wrong, like a game of Telephone Whispers. Journalists are not experts in the topic and get things wrong even when they don't mean to - it might be as simple as mishearing the interviewed person, or rounding up a number that they shouldn't. Sometimes it's far more egregious.
At least when Twitter is secure, you see the exact words that were typed, and not through the filter of a reporter who may have misread.
I've personally been misquoted in media interviews. Not a major thing, but I could now use that newspaper article to claim I've done more than I really have, because hey, the newspapers said I did! It must be true!
(I didn't downvote you though, I think the downvotes are unfair.)
Or maybe it could be seen as a helpful reminder for idiots to not act based on a single source. If some guy on the stock market sells millions of dollars' worth of stock based on a single Tweet, they deserve the consequences.
Or used a more believable scam? They took over coinbase’s Twitter. They could have announced some new trading system and to reserve your spot in the line for the beta deposit $100 worth of bitcoin to this address.
Well, it was just a Bitcoin scam... it had the potential to be huge like the AP hack but the hackers didn't use the exploit to its full potential. Why, I have no idea. Imagine if a raft of prominent blue ticked accounts started tweeting about a disaster. The market would have tanked.
Agreed. This was most likely a "shot across the bow" by a state actor. I have no proof of this. But its highly public nature would seem to argue against a black-hat commercial interest (e.g. proof of potential to a possible buyer) as it would/will draw too much scrutiny. Also, the crystal clear implication that the damage done could have been far worse would seem to indicate someone was sending a message. From whom and to whom can only be the subject of speculation, but again, whoever did this must have known that it would be interpreted as an attack from China on the USA. So either they didn't care because making that obvious was the whole point (ergo, attacker probably China), or the misdirection was the whole point (ergo, attacker probably a power that would stand to benefit from increased tension between USA and China).
>Agreed. This was most likely a "shot across the bow" by a state actor.
The hack would have been a powerful weapon if used in a more strategic way. A "shot across the bow" as a tactic is useless when the weapon can only be used a single time and never again. The code will be patched now.
>Also, the crystal clear implication that the damage done could have been far worse, would seem to indicate someone was sending a message.
That's hindsight knowledge. To me it looks more like an unsophisticated actor that stumbled over a critical vulnerability and had to use it haphazardly before it somehow became obsolete with a code update.
>From whom and to whom can only be the subject of speculation, but again, whoever did this must have known that the it would be interpreted as an attack from China to the USA. So either they didn't care because making that obvious was the whole point (ergo, attacker probably China), or the misdirection was the whole point (ergo, attacker probably a power that would stand to benefit from increased tension between USA and China).
Actually I don't see much speculation that China is behind the hack other than from the people who are quick to blame China anyway. The sloppy execution actually speaks against a nation-state actor. The loss of trust in Twitter only plays into Trump's hand regarding his personal feud with the platform.
> Also, it seems clear that this Twitter hack could have let the attackers view the direct messages of anyone on Twitter, information that is difficult to put a price on but which nevertheless would be of great interest to a variety of parties, from nation states to corporate spies and blackmailers.
My understanding is the hackers used the admin panel to change the email addresses of the accounts, which means they could reset passwords and perform full account takeover [what about 2fa?]. That means they could login as the user, and so it means they could read the user's direct messages. (Ironically, Twitter's solution of disabling posts from blue checkmarks would not have stopped exfiltration of direct messages while an account was compromised.)
>> Also, it seems clear that this Twitter hack could have let the attackers view the direct messages of anyone on Twitter, information that is difficult to put a price on but which nevertheless would be of great interest to a variety of parties, from nation states to corporate spies and blackmailers.
It is not as much money as pundits probably think it is worth. And also, trying to negotiate a blackmail is time consuming and opens the risk of being caught, especially if it's a high-profile target, with no guarantee of being paid. Do you really think someone like Elon Musk will pay a bitcoin ransom, assuming there is anything incriminating? Paying off a blackmailer is an admission of guilt and does no good if the info is released anyway.
It also depends on how sophisticated the thief was. Did he have everything automated to dump everything from the inboxes while automating the posting of the spam tweets, or was he frantically doing all his postings by hand before Twitter could shut it down? If the thief is not sophisticated, his main priority would probably be making as much money as possible with the posts and ignoring the private messages.
> Do you really think someone like elon musk will pay a bitcoin ransom assuming there is anything incriminating?
Maybe? I mean I certainly don't dismiss the idea out of hand. The one strong counter-argument I can think of is that very few things would actually embarrass Musk at this point.
The thief did not appear to be too sophisticated. Obviously sophisticated enough to pull off the twitter hack, but we don't really know how much sophistication that required just yet (the exploit may have been trivial). But, they didn't disseminate this message anywhere other than twitter? That seems very shortsighted.
They used different approaches on different twitter accounts, some suggested a coin return, others suggested a charitable donation match, etc. But, they all used the same bitcoin address. If they were sophisticated, they would have used a different bitcoin address for each to evaluate the more profitable messages for a future scam.
My guess was frantic copy pasta. Since the reset password emails went to both him and the OG twitter user. Plus wouldn’t you need an API key per user and set that all up? I think that takes more time than spamming a tweet.
True. Considering the level of access the hackers have gained, a case can be made that the attackers themselves fabricated the content in these user accounts.
If you're already logged in to a Twitter account you can deactivate 2FA by disabling the account (aka deleting with a 30 day window) and then re-enabling the account.
> Ironically, Twitter's solution of disabling posts from blue checkmarks would not have stopped exfiltration of direct messages while an account was compromised.
Sure helps keep down on the public effect though... feels mostly like a PR move.
Yep, or else none of this could happen. I work at a company where we need at least two methods to authenticate you to remove MFA through the admin console, so this wouldn't have happened.
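As an added illustration of the "two people to remove MFA" control described in the comment above (example code written for this thread, not Twitter's or any real admin console; the operator names, roles, TTL and in-memory account store are all hypothetical), here is a dual-control gate for support actions that lead to account takeover, such as changing an account's e-mail address or clearing its MFA. The requester cannot approve their own request, the approver must hold a separate role, approvals expire, and every step lands in an append-only audit log, so a single phished support login cannot complete the action by itself.

```python
"""Dual-control ("four-eyes") gating for sensitive account-support actions.
Hypothetical example: names, roles, the TTL and the account store are assumed."""
from __future__ import annotations

import time
import uuid
from dataclasses import dataclass, field

# Actions that must never execute on one operator's authority alone.
DUAL_CONTROL_ACTIONS = {"change_email", "reset_mfa", "reset_password"}
APPROVAL_TTL_SECONDS = 600  # assumed: a pending request goes stale after 10 minutes


@dataclass
class Operator:
    name: str
    roles: set[str]


@dataclass
class PendingAction:
    action: str
    target_account: str
    payload: dict
    requested_by: str
    requested_at: float
    approved_by: str | None = None
    executed: bool = False
    id: str = field(default_factory=lambda: uuid.uuid4().hex)


class DualControlError(Exception):
    pass


class AdminConsole:
    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable for testing expiry
        self._pending: dict[str, PendingAction] = {}
        self.audit_log: list[dict] = []          # append-only record of every step
        self.accounts: dict[str, dict] = {}      # simulated account store

    def _audit(self, event: str, **fields) -> None:
        self.audit_log.append({"ts": self._clock(), "event": event, **fields})

    def request(self, op: Operator, action: str, target: str, payload: dict) -> str:
        """A support operator files a request; low-risk actions run at once."""
        if "support" not in op.roles:
            raise DualControlError("requester lacks support role")
        req = PendingAction(action, target, payload, op.name, self._clock())
        self._pending[req.id] = req
        self._audit("requested", request_id=req.id, action=action, target=target, by=op.name)
        if action not in DUAL_CONTROL_ACTIONS:
            self._execute(req)
        return req.id

    def approve(self, approver: Operator, request_id: str) -> None:
        """A distinct support lead approves; only then does the action execute."""
        req = self._pending.get(request_id)
        if req is None or req.executed:
            raise DualControlError("unknown or already executed request")
        if approver.name == req.requested_by:
            self._audit("self_approval_rejected", request_id=request_id, by=approver.name)
            raise DualControlError("requester cannot approve their own request")
        if "support_lead" not in approver.roles:
            raise DualControlError("approver lacks support_lead role")
        if self._clock() - req.requested_at > APPROVAL_TTL_SECONDS:
            self._audit("approval_expired", request_id=request_id)
            raise DualControlError("request expired; file it again")
        req.approved_by = approver.name
        self._audit("approved", request_id=request_id, by=approver.name)
        self._execute(req)

    def _execute(self, req: PendingAction) -> None:
        acct = self.accounts.setdefault(req.target_account, {"mfa": True})
        if req.action == "change_email":
            acct["email"] = req.payload["email"]
        elif req.action == "reset_mfa":
            acct["mfa"] = False
        elif req.action == "reset_password":
            acct["password_reset_pending"] = True
        elif req.action == "view_profile":
            pass  # read-only, no state change
        else:
            raise DualControlError(f"unknown action {req.action}")
        req.executed = True
        self._audit("executed", request_id=req.id, action=req.action, target=req.target_account)


def takeover_attempt_blocked() -> bool:
    """Constructed scenario: one compromised support login tries to re-point an
    account's e-mail by itself. Returns True if the change did not go through."""
    console = AdminConsole()
    alice = Operator("alice", {"support"})
    rid = console.request(alice, "change_email", "@victim", {"email": "attacker@example.invalid"})
    try:
        console.approve(alice, rid)  # self-approval must be refused
    except DualControlError:
        pass
    return "email" not in console.accounts.get("@victim", {})
```

The point of the `clock` parameter is that the expiry path can be exercised without sleeping; the audit log is what lets a later investigation reconstruct who asked for what, which is exactly the evidence trail this thread notes was missing or slow to surface.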
I'm curious about this, too. I have to believe, though, that if some bumbling sim swappers were able to get in, then it doesn't require a leap to assume sophisticated state-level actors have similar access. Granted this attack leaves a swath of evidence, but with access to internal tooling, it really is just a factor of how much information is accessible via those tools (and others like them).
I'm sure it's been said before, but I just continue to be surprised that the admin panel used to carry out this attack wasn't locked behind a VPN.
I've worked for multiple fully-remote companies that were easily able to protect tools like this from the outside world.
The company I currently work for (fully remote) has tons of internal services that our engineers (who we trust) can access as needed in order to debug problems and help our clients. None of it is accessible from the Internet.
Internal networks only accessible via VPN is considered an anti-pattern now in terms of security. It puts authorization firmly on the VPN. If the account with VPN access is compromised, then the attacker has full access to these sensitive systems.
This hack probably underscores the importance of zero trust. Although if the system is compromised from within (like this hack is) then there is not much you can do.
I would be curious as to who is citing that using a vpn is some "anti-pattern", to what? Not protecting your network accessible assets?
If you have the means, certainly use a corporate/smb/personal vpn. It is one layer in a multitude of layers you should be using to protect your network.
It's not as if once you achieve VPN access you have no other authz gates to internal applications. It's a "great filter" to help narrow the possible avenues of attack and it works. If your inner layer of authz fails it's not the VPN's fault.
What's your alternative? Just make every application and network endpoint publicly accessible on the internet?
Does it though? Using a VPN for access to internal infrastructure doesn't mean said internal infrastructure is insecure or authless itself. As in, defense in layers.
The rhetoric of this statement is far more of an "anti-pattern" than VPN will ever be. If VPN is your only line of defense, then it's not secure at all - not because of VPN, but because of poor security practices in general.
VPN and IP restrictions in general is a very good tool to limit the attack surface. That does not mean that Karen from accounting should be able to log into the production environment servers.
> Internal networks only accessible via VPN is considered an anti-pattern now in terms of security. It puts authorization firmly on the VPN.
How do you jump from "VPN is not authorization" to "VPN is an anti-pattern"? It's at a completely different layer than authorization ffs! You don't give up on seat-belts because they don't stop bullets coming through the windshield.
Who says it's an anti-pattern? VPN authentication is additional to authentication on internal systems. VPN is a requirement in most security frameworks like NIST.
> Internal networks only accessible via VPN is considered an anti-pattern now in terms of security.
I could be wrong, but I think they mean that access to the internal site should have been behind VPN (whether at the IP network level or via an HTTP proxy) even when accessed over the internal network. That is, the internal network should not be trusted any more than the network at the cafe down the street.
Using VPN as a layer of security is basically like 2FA, where the second factor are credentials to enter the VPN. Wouldn't it be easier to just have any other additional factor, like a physical security key, or some (additional) authenticator mobile app?
Entering a VPN is usually multi factor by default, because you need both a certificate and a login. Also, there's often a token as a third factor. So you're adding many more levels of security that way.
This could even be some malicious browser extension running on one highly privileged employee's computer.
Security is an arms race and a tradeoffs game; even computers never connected to the Internet are at risk (see the Stuxnet story).
Web authentication technology (eg U2F) is much more advanced and safe than VPN authentication technology (key files or strings sitting unencrypted on disk).
Additionally, TLS1.3 is better than most VPNs from a cryptographic standpoint.
Social media was praised so much for its contribution to conflicts outside the western world, like the Middle East and North Africa. In the beginning of the Syrian civil war, for example, Twitter was the place where propaganda was streamed and extremists from all over the world would leave their homes to join other extremists beheading people somewhere.
Now, we see the potential of social media to be a tool for coordinated attacks against the western world. Just imagine this attack during the protests last month, in the same narrative that started civil wars in other parts of the world. When tens of people start shooting and killing each other, nobody would discuss what triggered the chain of events.
This is a simple test that reveals how fragile society is in contrast to how much attention people pay to Twitter. Worse, the value we get from social media is also unclear. Low quality, unreliable bits of information turned millions into pigeons jumping from here to there, and those who own the seeds can control the mass.
The less conspiratorial take on this is that social media simply exacerbates and foments conflict, period. Maybe some of these involved significant coordinated propaganda efforts, but I doubt they all did. The mistake the western world made was thinking that this social media generated conflict was a result of some coherent "positive" motivation, when perhaps it was simply blind social media outrage that coincided with revolutions in places we thought were bad somehow.
It exacerbated it first in the middle east, maybe because those societies were close to conflict to start with, but the western world doesn't seem that far behind.
I found it very interesting how Facebook et al got so much flak right after the 2016 U.S. presidential election. It was as if the DoD finally realized their little weapon could be turned against them and took action to reassert dominance.
I don’t really think he should be naming who his unnamed sources “think” is behind an attack on this scale, especially with full name, city of origin, Instagram, suggested current location, age, etc. It feels a very, very small step away from doxxing to me.
Added to which he has somebody in the comments essentially calling for the death penalty over this. If he has this personal information and evidence, pass it to the relevant authorities and don’t sensationalise it on a blog. Technical details fine, but people’s personal information feels like it’s crossing a line on something like this.
> Researching and publicly broadcasting private or identifying information (especially personally identifying information) about an individual or organization.
It's not one step away from doxxing at all -- in this case Lucky225 is not an unnamed source, that is actually his real legal name per his twitter [1] and the FCC database entry for his ham radio license (not linking that)
Well, I think they meant doxxing Joe, but also seems to be doxxing Lucky225 as you noted.
Once you look at Lucky225's Ham then you get an address. Of course, what is somewhat interesting is their listed address actually is located at Colorado's Division of Central Services building, which very interestingly is a way to obtain a confidential mail forwarding address. It says it is only to be used by victims of stalking/violence/harassment but who knows how well that is enforced: https://www.colorado.gov/pacific/dcs/acp-faq
Either way, I think SexyCyborg (well-known Maker) is quite right to call out HAM license as a vector for getting doxxed.
I lost a lot of respect for krebs a while ago when he doxxed a minor. I haven't followed him much since, so I don't know how repeatedly he has offended, but this doesn't surprise me.
100% right. Krebs is useful but an attention whore and an asshole to boot. He couldn't resist the temptation. All he should have done is share his findings with investigators but hey: clicks and the mortgage > ethics.
> Added to which he has somebody in the comments essentially calling for the death penalty over this
Don't feed the trolls. If anything we've seen a lot of praise for this person. That has probably been the most responsible hack when you think about it.
On the off-chance that you're serious - doxxing someone who is suspected to be linked to a crime is staggeringly irresponsible, because you are then effectively convicting them in the court of public opinion. If they are innocent, but you have not only levelled accusations at them, but provided ways to access them, then you are partially responsible for what others choose to do with that information.
Maybe because the person he is pointing to may themselves become a target of attacks/harassment from others. If he (or she) is really the perpetrator, he should ideally be arrested and convicted. But it may also not be him.
I never understood the whole doxing thing... the actions you take in this world are real. You can't take them back. You don't get to be anonymous just because you wish to be or because you frequent hacker sub-cults where doxing is some holy transgression. Bad op sec is bad op sec. Nothing more, nothing less.
If Krebs got it wrong, well, he can suffer the consequences of that, too.
>If Krebs got it wrong, well, he can suffer the consequences of that, too.
And, if he got it wrong, the innocent person he doxxed has to suffer the (potentially much more harsh) consequences of someone else's irresponsible actions. While Krebs begins working on his next story, and if we're lucky, posts an "oopsie" comment.
The problem is that the named person will also suffer if Krebs got it wrong. Furthermore it isn't uncommon these days for people to overreact and mob up against the person. We have a justice system to deal with this. We shouldn't have thousands of random people on the internet punishing them based on loose evidence.
Like a lot of terms doxing can mean different things. Sometimes it means holding people accountable and sometimes it means releasing the home address and workplace of a person misidentified as a wrongdoer by an internet mob.
A recent example was the biker misidentified as a man who assaulted a child putting up posters.
The actions you take in this world are real yes, but the scale at which the internet enables retribution is unprecedented. If you punch someone in the street maybe three people will beat you up. If you punch someone online, tens of thousands of people might pile on and start kicking.
But the risk to the target outweighs the potential benefit to the doxxer. Consequences can be unequal. And if the doxee ends up being the perpetrator, then the bad things were already on their way via the legal system.
The amount taken in this scam is chump change compared to the YouTube scammers. YouTube is a vastly bigger website than Twitter and way slower to respond to accounts being stolen by scammers. I remember seeing a Ripple giveaway scam that in a single day made 100k with just a single account. And a fake Bill Gates one made 40k. The list goes on and on. My guess is the total taken is in the $3-5 million range from YouTube alone.
And you don't even need to steal an account. When the Playstation 5 launch event was happening I searched for it on Youtube, clicked the top result and it turned out to be a scammer restreaming the real live event with graphics added saying Sony would double your BTC - just send to this address ___.
Youtube served me the Bill Gates bitcoin scam on Monday, 2 days before the Twitter hack, as opening ad for a video from their recommendation algorithm. The ad's site clearly perpetuated the scam for at least a couple days before changing the website to an innocent iframe link to Bill's foundation page.
The first one I saw was a Rip of a SpaceX livestream. I watched it for a bit then noticed all the BitCoin references and got confused then realized it was a scam account. How they get promoted basically to the front page is the issue.
Funny that Krebs refers to Lucky225 as a longtime friend of Adrian Lamo.
I thought it was very well-known that Lucky225 made that story up as a cover to hide the fact that he gained control of Adrian Lamo’s @6 Twitter via a SIM swap hack himself, and also took control of Lamo’s Facebook in order to hijack ownership of the 2600 Magazine group on Facebook.
It's a very awkward thread where Lucky225 accidentally demonstrates that he has indeed taken over Adrian Lamo's email account. Note this doesn't say anything about whether they were or weren't friends. They definitely had overlapping interests.
The thing I'm most concerned about is that if Brian Krebs is right and they had access to their DMs, then the very obvious crypto scam they ran was just a facade, some kind of distraction because they knew they would be noticed, but the true goal was the DMs.
Imagine a celebrity saying some 'not so politically correct' things to a friend in private 8 years ago, and now imagine this becoming public while the Twitter cancel culture is in full force. There's a lot of money and power in having that information.
I don't want to argue about what's wrong or not, I just want to point out what I find really concerning about the hack.
Why are you so concerned about some celebs being called out on stuff they said? To me, the most concerning is innocent people having lost money to a scammer, not some celebrity's public image being hurt by something they actually wrote.
Archive: http://archive.is/8lCMV
https://www.washingtonpost.com/news/worldviews/wp/2013/04/23...
This twitter hack could have literally destroyed economies, started a war, potential for blackmailing politicians and others etc.
This really needs to be looked at with much bigger eyes. This wasn't just a bitcoin scam.
We've entered a world where the lowest common denominator of information is being used as primary source for current events. That's asinine.
Not.
The platform derives power from the audience. Stop giving it your power.
As for the blackmail and war starting you probably couldn't do much with public tweets (nobody is going to go to war over a tweet without fact checking it) but access to private messages is an entirely different story.
Equity destruction: sure. War: no way.
Wars start from smaller conflicts, which come about through escalation of smaller conflicts, lies, or misunderstandings. I think all that is necessary to start a war is a geopolitical event of sufficient severity to provoke a retaliation; once the first retaliation happens, there is high risk of further escalation.
So the question is whether a deception on Twitter could trigger a real-world event significant enough to provoke a retaliation. It might be hard to do that with a single message, but they had access to multiple accounts. These tweets were stupidly obvious scams. You could create a huge amount of panic with a series of posts from different influential accounts if they were designed to be believable.
Let's not speculate about war here. We're on HN :)
Tweets were about bitcoin, therefore the broad public was not the target of the attack.
Hence Twitter just prevented verified accounts from posting and deleted some messages. Had the president's account been hijacked and threats of an imminent nuclear strike etc. been thrown around, the DoD would have been quick to contact Twitter, and they would have disabled the whole account, put up notifications about the hijack for everyone to see (like these COVID notifications), or maybe even taken the whole platform offline until they fixed it.
You would click a link to go to the said tweet, but you'd only see that the president's account is not there, and there's a huge warning saying it has been hijacked and devs are working to get it back. That's it.
Now please try to convince me otherwise, I'd love to be challenged on this.
Get Trump's account, and tweet something like, "I've ordered a NUCLEAR STRIKE on China! The missiles are already in the air. The DEEP STATE is trying to take me out. They will try to silence me and delete these tweets and use deep fakes to say this was a hoax! The storm is here, Q is real, it's time to take up arms and kill democrats."
Then continue tweeting escalating things over the next half hour (since apparently the hackers couldn't be stopped for a while).
I don't even have a Twitter, Facebook, Instagram, or... anything, I think. Just you people : )
Could a Trump tweet (real or fake) cause a pivotal escalation in a series of escalations leading to war? I think probably yes.
Thankfully, his account is under special 'lock and key' protection, so a regular CS rep can't hijack it.
And, with conspiracy theorists, imagine the consequences of Trump's account tweeting a distress message that he was attacked and replaced by a clone controlled by QAnon.
I'm happy whoever did this wanted money.
Seems to me having them there is about 99% downside, 1% upside.
Disclosure: I dislike Twitter on principle.
It's not hackers who are the true danger; "legit" people abusing media (whatever it may be) are the threat. A good example would be the Stable Genius.
1. https://www.history.com/news/6-wars-fought-for-ridiculous-re...
To be clear, that value wasn’t erased. The market makers just lowered their willing bid during the uncertainty.
Something like this right before the election or after could wreak havoc if targeted to the right accounts. I imagine certain state sponsors would pay handsomely for that.
I think there is a big organisational difference between the AP and Twitter, but that's just me. Twitter does not employ journalists. Twitter is not the press.
At least when Twitter is secure, you see the exact words that were typed, and not through the filter of a reporter who may have misread.
I've personally been misquoted in media interviews. Not a major thing, but I could now use that newspaper article to claim I've done more than I really have, because hey, the newspapers said I did! It must be true!
(I didn't downvote you though, I think the downvotes are unfair.)
No they don't.
https://www.whitehouse.gov/presidential-actions/presidents-e...
The hack would have been a powerful weapon if used in a more strategic way. A "shot across the bow" as a tactic is useless when the weapon can only be used a single time and never again. The code will be patched now.
>Also, the crystal clear implication that the damage done could have been far worse, would seem to indicate someone was sending a message.
That's hindsight knowledge. To me it looks more like an unsophisticated actor that stumbled over a critical vulnerability and had to use it haphazardly before it somehow became obsolete with a code update.
>From whom and to whom can only be the subject of speculation, but again, whoever did this must have known that it would be interpreted as an attack from China on the USA. So either they didn't care because making that obvious was the whole point (ergo, attacker probably China), or the misdirection was the whole point (ergo, attacker probably a power that would stand to benefit from increased tension between the USA and China).
Actually I don't see much speculation that China is behind the hack other than from the people who are quick to blame China anyway. The sloppy execution actually speaks against a nation-state actor. The loss of trust in Twitter only plays into Trump's hand regarding his personal feud with the platform.
> Also, it seems clear that this Twitter hack could have let the attackers view the direct messages of anyone on Twitter, information that is difficult to put a price on but which nevertheless would be of great interest to a variety of parties, from nation states to corporate spies and blackmailers.
My understanding is the hackers used the admin panel to change the email addresses of the accounts, which means they could reset passwords and perform full account takeover [what about 2FA?]. That means they could log in as the user, and so it means they could read the user's direct messages. (Ironically, Twitter's solution of disabling posts from blue checkmarks would not have stopped exfiltration of direct messages while an account was compromised.)
It is not as much money as pundits probably think it is worth. And also, trying to negotiate a blackmail is time consuming and opens the risk of being caught, especially if it is a high-profile target, with no guarantee of being paid. Do you really think someone like Elon Musk will pay a bitcoin ransom, assuming there is anything incriminating? Paying off a blackmailer is an admission of guilt and does no good if the info is released anyway.
It also depends on how sophisticated the thief was. Did he have everything automated to dump anything and everything from the inboxes while automating the posting of the spam tweets, or was he frantically doing all his postings by hand before Twitter could shut it down? If the thief is not sophisticated, his main priority would probably be making as much money as possible with the posts and ignoring the private messages.
A somewhat odd blog post by Jeff Bezos about blackmail from last year is quite interesting in this context. [1]
[1] https://medium.com/@jeffreypbezos/no-thank-you-mr-pecker-146...
Maybe? I mean I certainly don't dismiss the idea out of hand. The one strong counter-argument I can think of is that very few things would actually embarrass Musk at this point.
They used different approaches on different Twitter accounts: some suggested a coin return, others suggested a charitable donation match, etc. But they all used the same bitcoin address. If they were sophisticated, they would have used a different bitcoin address for each to evaluate the more profitable messages for a future scam.
Sure helps keep down on the public effect though... feels mostly like a PR move.
I've worked for multiple fully-remote companies that were easily able to protect tools like this from the outside world.
The company I currently work for (fully remote) has tons of internal services that our engineers (who we trust) can access as needed in order to debug problems and help our clients. None of it is accessible from the Internet.
This hack probably underscores the importance of zero trust. Although if the system is compromised from within (as this hack was), then there is not much you can do.
If you have the means, certainly use a corporate/SMB/personal VPN. It is one layer in a multitude of layers you should be using to protect your network.
It's not as if once you achieve VPN access you have no other authz gates to internal applications. It's a "great filter" to help narrow the possible avenues of attack, and it works. If your inner layer of authz fails, it's not the VPN's fault.
What's your alternative? Just make every application and network endpoint publicly accessible on the internet?
VPN and IP restrictions in general are a very good tool to limit the attack surface. That does not mean that Karen from accounting should be able to log into the production environment servers.
How do you jump from "VPN is not authorization" to "VPN is an anti-pattern"? It's at a completely different layer than authorization, ffs! You don't give up on seat belts because they don't stop bullets coming through the windshield.
"Defense in depth" is not an anti-pattern. Using a VPN as the only layer is, certainly, but that is a straw man.
> If the account with VPN access is compromised, then the attacker has full access to these sensitive systems.
No. Logging into the VPN is one thing; logging into the internal systems requires an extra login.
This is not hard.
I could be wrong, but I think they mean that access to the internal site should have been behind VPN (whether at the IP network level or via an HTTP proxy) even when accessed over the internal network. That is, the internal network should not be trusted any more than the network at the cafe down the street.
By whom? It's another layer of security, nobody claimed it should be the sole defense.
It's a part of security, along with other multi-faceted authentication routes.
Additionally, TLS1.3 is better than most VPNs from a cryptographic standpoint.
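The layering the thread argues about (network reachability restricted to a VPN, then role-based authorization for each admin action, then a step-up check before state-changing actions, with everything audited) can be made concrete with a small access gate. The block below is an added example written for this thread, not code from Twitter or from any commenter; the VPN address range, the roles, the action names and the users are all assumptions constructed for illustration. It deliberately gives no role the ability to read direct messages through the panel, because that is exactly the kind of gate a VPN alone cannot provide.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed VPN address pool for the example; a real deployment would load this
# from configuration rather than hard-code it.
VPN_NETWORKS = [ipaddress.ip_network("10.8.0.0/16")]

# Assumed policy mapping each admin-panel action to the roles allowed to use it.
# "read_dms" maps to an empty set: no role reaches user DMs via this tool.
ACTION_ROLES: Dict[str, Set[str]] = {
    "view_account": {"support", "trust_safety"},
    "change_email": {"trust_safety"},
    "read_dms": set(),
}

# Actions that change account state additionally require a fresh MFA step.
STEP_UP_ACTIONS = {"change_email"}


@dataclass(frozen=True)
class User:
    name: str
    roles: Set[str]
    mfa_verified: bool  # True only if the user completed MFA in this session


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def on_vpn(src_ip: str) -> bool:
    """Layer 1: reachability. Is the request even coming from the VPN pool?"""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in VPN_NETWORKS)


def authorize(user: User, src_ip: str, action: str, audit: List[str]) -> Decision:
    """Evaluate the layers in order; every outcome is appended to `audit`."""

    def decide(allowed: bool, reason: str) -> Decision:
        verdict = "ALLOW" if allowed else "DENY"
        audit.append(f"{user.name} {src_ip} {action} -> {verdict}: {reason}")
        return Decision(allowed, reason)

    # Layer 1: network restriction only narrows who can knock on the door.
    if not on_vpn(src_ip):
        return decide(False, "source not on VPN")
    # Layer 2: the action must exist and the user must hold a permitted role.
    allowed_roles = ACTION_ROLES.get(action)
    if allowed_roles is None:
        return decide(False, "unknown action")
    if not (user.roles & allowed_roles):
        return decide(False, "role not permitted for action")
    # Layer 3: state-changing actions need step-up MFA in the current session.
    if action in STEP_UP_ACTIONS and not user.mfa_verified:
        return decide(False, "step-up MFA required")
    return decide(True, "all layers passed")


if __name__ == "__main__":
    # Constructed sample session: a support rep and a trust & safety analyst.
    log: List[str] = []
    support = User("support_rep", {"support"}, mfa_verified=False)
    analyst = User("ts_analyst", {"trust_safety"}, mfa_verified=True)
    authorize(support, "10.8.3.4", "view_account", log)
    authorize(support, "203.0.113.5", "view_account", log)  # off-VPN, denied
    authorize(support, "10.8.3.4", "change_email", log)     # wrong role, denied
    authorize(analyst, "10.8.3.4", "change_email", log)     # allowed
    authorize(analyst, "10.8.3.4", "read_dms", log)         # nobody, denied
    print("\n".join(log))
```

The point of the audit list is that a compromised insider account (the scenario the thread describes) still leaves a trail per action, and the empty role set for `read_dms` shows how an authorization layer can withhold a capability entirely even from users who legitimately sit inside the VPN.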
Now we see the potential of social media to be a tool for coordinated attacks against the western world. Just imagine this attack during the protests last month, in the same narrative that started civil wars in other parts of the world. When tens of people start shooting and killing each other, nobody would discuss what triggered the chain of events.
This is a simple test that reveals how fragile society is in contrast to how much attention it pays to Twitter. Worse, the value we get from social media is also unclear. Low quality, unreliable bits of information have turned millions into pigeons jumping from here to there, and those who own the seeds can control the mass.
It exacerbated it first in the middle east, maybe because those societies were close to conflict to start with, but the western world doesn't seem that far behind.
Added to which he has somebody in the comments essentially calling for the death penalty over this. If he has this personal information and evidence, pass it to the relevant authorities and don’t sensationalise it on a blog. Technical details fine, but people’s personal information feels like it’s crossing a line on something like this.
What small step is that? Looks like a textbook case of doxxing to me.
https://itwire.com/security/infosec-researchers-slam-ex-wapo...
Yeah this is definitionally doxxing
[1] https://twitter.com/lucky225/status/1258503072323526657
Once you look at Lucky225's ham license, you get an address. Of course, what is somewhat interesting is that their listed address is actually located at Colorado's Division of Central Services building, which very interestingly is a way to obtain a confidential mail forwarding address. It says it is only to be used by victims of stalking/violence/harassment, but who knows how well that is enforced: https://www.colorado.gov/pacific/dcs/acp-faq
Either way, I think SexyCyborg (well-known Maker) is quite right to call out the ham license as a vector for getting doxxed.
Serious media outlets generally don't name suspects until they are convicted.
This is a rule that we as a society have established after generations of experience with how media works.
Then we get "social media", and all the old rules get thrown out... So, how long will it take to reinvent the same rules for this new platform?
Don't feed the trolls. If anything we've seen a lot of praise for this person. That has probably been the most responsible hack when you think about it.
Zero tolerance policies don't make any sense to me.
After the Boston marathon bombing, Redditors thought they had found one of the responsible terrorists. He wasn't.
I'm not sure I understand your comment actually.
See https://en.wikipedia.org/wiki/Sunil_Tripathi for an example that should make your blood boil
If Krebs got it wrong, well, he can suffer the consequences of that, too.
And, if he got it wrong, the innocent person he doxxed has to suffer the (potentially much more harsh) consequences of someone else's irresponsible actions. While Krebs begins working on his next story, and if we're lucky, posts an "oopsie" comment.
How can you justify that as okay?
A recent example was the biker misidentified as a man who assaulted a child putting up posters.
https://www.bbc.com/news/technology-52978880
Alphabet Inc should be held liable.
The first one I saw was a rip of a SpaceX livestream. I watched it for a bit, then noticed all the Bitcoin references and got confused, then realized it was a scam account. How they get promoted basically to the front page is the issue.