With the Twitter accounts of prominent figures including Biden, Musk, Obama, Kanye West and Bill Gates recently hacked, will Twitter move to physical tokens for security?

Certainly, most companies put a lot of effort into securing their network perimeters against remote attacks. But they are not paying enough attention to threats that come from within their own organisations.

The impact that malicious insiders, duped insiders and poor monitoring of privileged access can have on a business was demonstrated by last month’s attack on Twitter’s high-profile accounts. It is the perfect example, and the account compromise raises questions about Twitter’s controls.

What happened in the Twitter hack?

As part of a cryptocurrency scam last month, the Twitter accounts of high-profile business leaders, artists, politicians and popular brands were used to post messages instructing users to send bitcoin to a particular address.

Some of the well-known accounts caught up in this cryptocurrency scam included those of Elon Musk, Bill Gates, Jeff Bezos, Barack Obama, Joe Biden, Kanye West, Kim Kardashian, Mike Bloomberg, Uber and Apple. Even Twitter’s own official support account was included in the scam.

Campaigns that impersonate celebrities on Twitter are common, but they are generally run from fake accounts with only a few followers, and the scam messages are posted there.

This case was different: the messages were posted from accounts that Twitter had verified. A real identity verified by Twitter gets a checkmark next to its name, and that checkmark gave the scam credibility and allowed it to instantly reach hundreds of millions of users. The attackers earned $120,000 for their dishonest efforts.

Twitter responded in two ways:

  • firstly, by temporarily suspending the ability of all verified accounts to post new messages
  • secondly, by launching an investigation.

But how could these attackers gain access to so many accounts at once?

Above all, the compromise succeeded because one or more Twitter employees had access to an internal tool used to manage user accounts. The company removed screenshots of the tool that were posted on Twitter, saying they violated its terms of service, but screenshots of the internal user administration tool are being shared in the hacking underground.

The internal tool gave Twitter employees the ability to perform a number of privileged actions, such as:

  • suspending accounts
  • blacklisting tweets, and even
  • changing the email addresses associated with accounts

The last of these is the feature the attackers used to take over the high-profile accounts.

Motherboard reported that the hackers had convinced or bribed a Twitter employee to help them hijack accounts, and that the employee gave the hackers access to the control panel. This was according to leaked screenshots obtained by Motherboard and two of the attackers who took over accounts. Twitter, on the other hand, said the compromise was the result of “a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”

The company said via its support account that it believes “approximately 130 accounts were targeted by the attackers in some way as part of the incident”, and went on to say that for “a small subset of these accounts, the attackers were able to gain control of the accounts and then send Tweets from those accounts.”

Meanwhile, it is hard to say what “social engineering” really means to Twitter, since limited information is available from the official investigation.

For instance, Twitter could be using the phrase “social engineering” to refer to anything from attackers successfully bribing an employee to a phishing attack that resulted in the theft of employee credentials. Although these are different attack vectors, both scenarios fall into the insider threat category, specifically as an unwitting insider versus a malicious insider, and the preventive measures for each are different.

Protecting against unwitting insiders

To clarify, an unwitting insider usually means an employee who has unintentionally given an attacker access, through either a lack of training or a lapse in judgement.

An employee can open the door to an attacker by, for example:

  • holding open the door to a restricted area for someone carrying a large package, without checking whether they have an access card or company ID
  • plugging a USB stick they found on the floor, or that was mailed to them, into their work computer to check what is on it
  • transferring money to a third party after receiving a spoofed email from their manager, without first confirming by phone
  • clicking a link in a phishing email and then entering their username and password on the phishing site.

If the Twitter accounts were broken into because of an unwitting insider, a few questions arise:

  • Did Twitter employees have two-factor authentication (2FA) on their accounts? If they did, were the attackers able to bypass it?
  • Did the support panel require a VPN connection to Twitter’s secure network, or was it openly accessible from the internet?
  • If it was accessible from the internet, were there checks on the geographical location of the employee’s device, or on whether that device had been used to access the tool before?

It is often not appreciated that 2FA based on one-time codes can be bypassed. Whether the codes are sent by text message or generated by a mobile app, they are just like passwords: they can be phished too, and some open-source frameworks automate this.

An alternative to one-time codes is a hardware authentication token (a USB key). The key is plugged into the computer and communicates directly with the website through the browser, so the authentication exchange never passes through a code that the user has to type.

Tokens are a more expensive exercise, especially if the aim is to issue them to all employees. If the cost is too high, companies could at the very least make tokens policy for highly privileged accounts; employees with admin access, such as managers or administrators, would be ideal candidates. Twitter’s own website says the service supports all three types of 2FA, but does not clarify which option its employees are required to use.

Rachel Tobac, the CEO of security consultancy SocialProof Security and a past winner of social engineering contests, says:

“When it comes to the phishing aspect of it, [organisations] should make sure that the credentials used to log into their admin panels are secured by multi-factor authentication, hopefully with some sort of tokenised hardware authentication, maybe something like a YubiKey for instance.”

She goes on to say that with a YubiKey, “a social engineering attack would be really hard to do because you’d have to do the attacking in person, which attackers tend to avoid. For example, using YubiKey on your bank account means it cannot be phished.”

According to Tobac, social engineering prevention training is the key, and it should increase alongside the uptake of technical controls such as:

  • limiting privileged access
  • 2FA
  • insider threat detection software

During the current global working-from-home conditions forced on us by Covid-19, relying on 2FA alone for secure access falls short.

For example, employees are using their own personal computers on insecure home networks to get the job done, and many are therefore more exposed to:

  1. malware attacks that exploit vulnerabilities in outdated software
  2. phishing campaigns that could result in a full system compromise

Because of these working-from-home risks, companies can look into web-based secure access gateways that:

  1. follow zero-trust networking concepts
  2. grant users access based not only on their location, but on the identity of their devices and their security state.

With secure gateway access, a variety of information is collected through the user’s browser or a lightweight agent and analysed before access is granted: OS and software versions, running processes, basic malware scan results and much more.

But gateways by themselves are not enough. To be truly effective they need another security layer that works hand in hand with them: access policies, meaning role-based access controls and policies that follow least-privilege principles.

Every employee needs only the minimum access privileges to do their job inside an application or system. Controlling employee access protects the business against malicious insiders who might decide to abuse their access because they:

  1. are disgruntled
  2. have taken a bribe
  3. have been promised better employment by a competitor

However, going back to Twitter, we do not know the role of the employee whose account was misused. With limited information, we are in the dark about whether the administration tool was overly permissive to begin with, or whether the employee was given too much access for their particular role.

Donald Trump, the US president, whose account was temporarily deactivated in November 2017 by a Twitter support technician on his last day of work, was not affected in this attack; apparently he has had special controls in place since then. Will all high-profile Twitter account holders want these special controls on their accounts?

Twitter can and does enforce additional controls or additional levels of approval for certain high-profile accounts, it seems. 

Other changes could also be made in the company. For instance, Twitter could implement a system where manual changes to an account’s email address require second-person approval, and an automatic alert if someone were to try to modify 130 verified accounts at one time or within a short period.

Twitter said in response to the incident: “We have also been taking aggressive steps to secure our systems while our investigations are ongoing. We’re still in the process of assessing longer-term steps that we may take and will share more details as soon as we can.”

Tackling malicious insiders

Tackling malicious insiders is a more complex issue than unwitting insiders. Multi-factor authentication and device verification will not help against a disgruntled employee, who will have no problem getting past those restrictions. Protecting against a malicious insider requires a layered approach that combines prevention capabilities with detection and response.

Mark Harris, senior research director at Gartner in the UK, says “You can’t rely on a single solution… You have to look at multiple different approaches and it really very much depends on what the internal system is and what the application is. You have to look at it not just once but have an adaptive response which means continuously monitoring what the threats are, what systems you’re using and adapt your controls as a result.”

David Kennedy, founder of security consulting firm TrustedSec and creator of the open-source Social-Engineer Toolkit (SET), suggests that organisations consider threat modelling.

For instance:

  • what happens when an administrator is compromised?
  • what controls can be put in place to detect that, or to prevent it from having a big impact on their systems?

But insider threats work differently: someone who is supposed to be working on behalf of your organisation has gone rogue, which is hard to fix and difficult to monitor. Threat modelling considers all the possible scenarios.

Kennedy says the question is what you are looking at and how you adjust your controls based on that:

  1. role-based access controls
  2. potentially a second level of verification
  3. an approval process for acting on a large number of accounts or on specific individual accounts
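The preventive controls listed by Kennedy above, and the second-person approval for email changes suggested earlier in the article, as an added example that is not Twitter’s code: an authorisation check for an admin tool in which each role holds only the permissions it needs, and any email change on a verified account, or any action on many accounts at once, needs a different person with the same permission to approve it. The roles, the account directory and the bulk threshold are all assumed for the example.

```javascript
// Added example (constructed, not Twitter's code): least-privilege authorisation
// for an admin tool, with dual control on sensitive or bulk actions.
// Roles, the account directory and BULK_THRESHOLD are assumptions.
const ROLE_PERMISSIONS = {
  support_l1: new Set(['view_account', 'suspend_account']),
  support_l2: new Set(['view_account', 'suspend_account', 'change_email']),
  admin: new Set(['view_account', 'suspend_account', 'change_email', 'blacklist_tweet']),
};
// Constructed directory: a dozen ordinary accounts and one verified account.
const ACCOUNTS = Object.fromEntries(
  [...Array(12).keys()].map(i => [`@user_${i + 1}`, { verified: false }]),
);
ACCOUNTS['@vip_one'] = { verified: true };
const BULK_THRESHOLD = 10; // acting on this many accounts at once needs approval

// Returns { ok, reason } for a requested action; `approver` is an optional
// { name, role } of the second person signing off on the request.
function authorise({ operator, role, action, targets, approver = null }) {
  const allowed = ROLE_PERMISSIONS[role];
  if (!allowed || !allowed.has(action)) return { ok: false, reason: 'role lacks permission' };
  const unknown = targets.find(t => !ACCOUNTS[t]);
  if (unknown) return { ok: false, reason: `unknown account ${unknown}` };
  // Dual control: changing the email of a verified account, or touching many
  // accounts at once, needs a second, different person who holds the same permission.
  const touchesVerified = action === 'change_email' && targets.some(t => ACCOUNTS[t].verified);
  const bulk = targets.length >= BULK_THRESHOLD;
  if (touchesVerified || bulk) {
    if (!approver) return { ok: false, reason: 'second-person approval required' };
    if (approver.name === operator) return { ok: false, reason: 'approver must be a different person' };
    const approverPerms = ROLE_PERMISSIONS[approver.role];
    if (!approverPerms || !approverPerms.has(action)) return { ok: false, reason: 'approver lacks permission' };
  }
  return { ok: true };
}
```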

To complement preventative controls, another approach is to baseline workflows and employee behaviour, then use security analytics and user behaviour analytics to detect anomalies and deviations from that baseline.

Machine learning, much hyped, shows some promise in this area, but according to Harris it can generate a lot of false positives, which means more investigation work for security teams.

Dan Panesar, director for UK and Ireland at Securonix, says organisations should be proactive in using security analytics and user behaviour analytics to spot anomalies, “and by anomalies, I mean behaviour that’s out of the normal.”

This means moving higher up the security maturity curve, to where organisations proactively search for threats inside and so have more chance of spotting the unusual, rather than the usual approach of buying and implementing specific products or technologies to tackle security.

What does normal look like? In Twitter’s case, this approach could have been used to spot the unusual.

For example:

  1. How often are email changes being performed on accounts?
  2. How often are support technicians accessing VIP accounts?

For the high-profile Twitter accounts, multiple accounts having their email addresses changed in quick succession would have looked suspicious.
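The two baseline questions above, turned into detection logic as an added example that is not Twitter’s code: run over a constructed admin-tool audit log, it raises an alert for any email change on a VIP account and for an operator whose email changes within a short window exceed an assumed baseline rate. The log format, the VIP list and the baseline figures are all assumptions.

```javascript
// Added example (constructed, not Twitter's code): spot email-change bursts and
// VIP account changes in an admin-tool audit log. Log lines, the VIP list and the
// baseline (2 changes per 10 minutes per operator) are all constructed.
const AUDIT_LOG = [
  '2020-07-15T20:01:05Z operator=alice action=view_account target=@someuser',
  '2020-07-15T20:02:10Z operator=bob action=change_email target=@brand_one',
  '2020-07-15T20:02:15Z operator=bob action=change_email target=@brand_two',
  '2020-07-15T20:02:21Z operator=bob action=change_email target=@vip_one',
  '2020-07-15T20:02:30Z operator=bob action=change_email target=@vip_two',
  '2020-07-15T21:40:00Z operator=alice action=change_email target=@someuser',
];
const VIP_ACCOUNTS = new Set(['@vip_one', '@vip_two']);

// "2020-07-15T20:02:10Z operator=bob action=change_email target=@x" -> event object
function parseLine(line) {
  const [timestamp, ...pairs] = line.trim().split(/\s+/);
  const event = { ts: Date.parse(timestamp) };
  for (const pair of pairs) {
    const [key, value] = pair.split('=');
    event[key] = value;
  }
  return event;
}

// Sliding-window check per operator plus a VIP watch-list; returns the alerts in
// the order they would have fired.
function detectAnomalies(lines, { maxChangesPerWindow = 2, windowMs = 10 * 60 * 1000 } = {}) {
  const alerts = [];
  const recentByOperator = new Map(); // operator -> timestamps of recent email changes
  for (const e of lines.map(parseLine)) {
    if (e.action !== 'change_email') continue;
    if (VIP_ACCOUNTS.has(e.target)) {
      alerts.push({ type: 'vip_email_change', operator: e.operator, target: e.target, ts: e.ts });
    }
    const recent = (recentByOperator.get(e.operator) || []).filter(t => e.ts - t < windowMs);
    recent.push(e.ts);
    recentByOperator.set(e.operator, recent);
    if (recent.length > maxChangesPerWindow) {
      alerts.push({ type: 'email_change_burst', operator: e.operator, count: recent.length, ts: e.ts });
    }
  }
  return alerts;
}
```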

Panesar says, “That is where definitely machine learning and the security analytics piece really starts to build a very significant investment case compared to what can happen from a reputational, financial impact and regulatory perspective.”

The other aspect, according to Harris, is logging all changes inside applications and systems. If employees know that everything is tracked and audited, and that it provides a trail of evidence if something were to happen, that is an enormous discouragement to malicious insiders: they know they will get caught.

Harris says it is important to “not sit still. There are a whole bunch of technologies and approaches that are the right thing,” he says, “but to me, it’s a case of not relying on one single technology and continuously looking at other controls that you need to put in place, as well as auditing.”

In short, we may never know whether the Twitter VIP account hack was the work of an unwitting insider or a malicious insider. We can only hope Twitter learns from this incident and implements the right security in future. Every organisation needs to think carefully about its own protections and consider the security maturity curve.