What the Twitter Hack Proves About Private Communications (Not Another Bitcoin Article)
1-October | Written by Jean Loup P. G. Le Roux
As a cybersecurity professional, it’s hard to look at the recent Twitter hack and not feel somewhat disheartened. A company as big as Twitter, with as robust a security team as it has, shouldn’t have been compromised so easily, right? Of course, I know it’s not as simple as that.
There’s a common turn of phrase that goes something like, “the moment anything is shared online, it’s no longer private”, no matter where it’s shared or what controls are in place. While that’s a pessimistic stance for the modern day, it unfortunately holds some truth. So, does this mean all the careful analysis, planning and preparation we do to try to mitigate online threats is an exercise in futility?
No. It means that there’s still a lot of work to do. The Twitter hack proves how far we still have to go in terms of making data security a top priority at organizations both small and large. A good portion of this attack was actually preventable, had Twitter put methodical security controls in place to ensure that people’s data stays truly private and out of reach (something other leading tech firms do already, more on that later).
What Happened?
Back in July 2020, Twitter announced that 130 accounts had been targeted by hackers, of which 45 were tweeted from, 36 had their direct messages (DMs) accessed, and the data of 7 accounts was downloaded.
The attackers managed this with a phone spear-phishing attack, in which they manipulated employees into giving them access to Twitter’s internal systems. They then used the information gathered from those employees’ accounts to target further employees, who in turn gave them access to the internal account management tools they needed to take control of those 130 accounts.
We unknowingly give social media platforms a lot of power, and that is part of the problem. In the case of Twitter, that power coupled with the fact that a lot of influential figures actively use the platform essentially created the basis for a perfect storm.
A Cautionary Tale
Social engineering and insider threats have always been very high on my radar. Honestly, it’s almost baffling that the team at Twitter didn’t have more stringent provisions in place, considering how much sensitive data employees had access to.
According to an investigative report by Reuters, more than 1000 Twitter employees could have given those hackers the same access. That’s at least 1000 employees who can change user account settings and are privy to everyone’s personal messages - not exactly holding the keys to the kingdom, but close. You don’t want adversaries reading every private message you send, and you certainly don’t want Twitter employees to be able to, so why can they?
This isn’t the first time social media platforms’ privileged employee access has been misused to abuse user data, either. Facebook has previously fired employees for abusing their access to user data to stalk people online, and multiple Snapchat employees were reported to have used its internal tool, SnapLion, to spy on users and obtain information such as their location, contact information and saved snaps - despite the company’s claims of having strict access controls.
Social media companies would argue that access to user data is necessary, usually citing an arbitrary list of reasons in an effort to validate their case. In reality, we all know why these companies want access to our data - even if they refuse to openly admit it. The truth is, big data makes the world go round and we are the fuel.
What Twitter Did Right
To give credit where it’s due, Twitter has handled this entire situation better than many other social platforms have handled similar privacy debacles in the recent past. Their incident response team instantly announced the incident, kept users up to date, and then released an official statement outlining the entire event as well as what they were doing about it. It’s not perfect, of course, but being honest and open about the incident scored them a lot of points, at least in my book.
What Does This Tell Us?
There are a couple of takeaways from the Twitter hack that are important to look at in terms of future-proofing.
Is the Least Privilege Rule Enough?
To really answer this question, I would need to know how strict Twitter’s least privilege policies were and how good their implementation is in the field. Unfortunately, I’m not privy to that knowledge right now (to Twitter’s detriment!), so the best I can do at this point is to take a look at their official statement, which said,
“To run our business, we have teams around the world that help with account support… Access to these tools is strictly limited and is only granted for valid business reasons. We have zero tolerance for misuse of credentials or tools, actively monitor for misuse, regularly audit permissions, and take immediate action if anyone accesses account information without a valid business reason.”
The problem here is that we have to take their statement at face value, since we have nothing else to go on. But clearly, as was the case with Snapchat, their efforts to control privileged accounts simply weren’t good enough. Accountability is a big part of my security headache with these types of companies (and with cloud companies in general, unfortunately). In cybersecurity, we always talk about the importance of having multiple checks and balances in place to prevent fraudulent behaviour and other threats to the ecosystem. Social media companies, however, expect us to take their word for it, which provides a very LOW level of assurance.
Independently audited standards may be the thing that comes to the rescue here (think ISO 27701 for privacy management for example). If an accredited third-party audit concludes you’re following an international security standard, then it’s a HIGHER level of assurance and it will likely suffice for the average Internet user. Sure, it’s far from perfect, but it’s definitely a promising sign, because it shows you’re committed to continuous improvement, instead of you just telling people you are.
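The kind of check Twitter’s statement describes (“take immediate action if anyone accesses account information without a valid business reason”) can be made mechanical rather than a matter of trust. The following is an added example, not code from the article or from Twitter: it audits constructed account-support tool logs against a constructed ticket store, and assumes the rule that every sensitive access must reference an open ticket filed for the same account.

```javascript
// Added example: auditing privileged account-support access for a
// "valid business reason". Log entries and tickets are constructed.
// Assumed rule: each sensitive action must cite an open ticket that
// was filed for the same customer account being touched.
const ACCESS_LOG = [
  { ts: "2020-07-15T20:01:10Z", employee: "e0412", action: "view_dms",     account: "u1001", ticket: "T-887" },
  { ts: "2020-07-15T20:02:31Z", employee: "e0412", action: "change_email", account: "u1001", ticket: "T-887" },
  { ts: "2020-07-15T20:03:05Z", employee: "e0412", action: "change_email", account: "u2002", ticket: "T-887" },
  { ts: "2020-07-15T20:03:40Z", employee: "e0099", action: "view_dms",     account: "u3003", ticket: null },
  { ts: "2020-07-15T20:04:02Z", employee: "e0412", action: "reset_2fa",    account: "u4004", ticket: "T-999" },
];

// Constructed ticket store: which account each ticket was opened for.
const TICKETS = {
  "T-887": { account: "u1001", status: "open" },
  "T-999": { account: "u4004", status: "closed" },
};

// Actions that expose or alter a user's private data or account control.
const SENSITIVE = new Set(["view_dms", "change_email", "reset_2fa"]);

// Returns one finding per sensitive access lacking a valid business reason.
function auditAccess(log, tickets) {
  const findings = [];
  for (const entry of log) {
    if (!SENSITIVE.has(entry.action)) continue;
    const ticket = entry.ticket ? tickets[entry.ticket] : undefined;
    let reason = null;
    if (!entry.ticket) reason = "no ticket referenced";
    else if (!ticket) reason = "unknown ticket";
    else if (ticket.status !== "open") reason = "ticket not open";
    else if (ticket.account !== entry.account) reason = "ticket is for a different account";
    if (reason) findings.push({ ...entry, reason });
  }
  return findings;
}

// Distinct accounts touched per employee: a burst of sensitive actions
// across many unrelated accounts is the footprint a hijacked support
// login leaves, even when each action cites some ticket.
function distinctAccountsPerEmployee(log) {
  const seen = {};
  for (const e of log) {
    if (!SENSITIVE.has(e.action)) continue;
    if (!seen[e.employee]) seen[e.employee] = new Set();
    seen[e.employee].add(e.account);
  }
  return Object.fromEntries(Object.entries(seen).map(([k, v]) => [k, v.size]));
}
```

On the constructed log this flags three of the five accesses and shows one support login touching three unrelated accounts within minutes.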
End-to-end Encryption Should be Non-Negotiable
I can’t think of any valid business reasons why Twitter DMs aren’t end-to-end encrypted. Keeping them stored for hypothetical law enforcement reasons, while valid from a legal and regulatory perspective, just isn’t a good enough excuse in 2020. They can be too easily accessed by Twitter employees who each have their own beliefs, political leanings, and agendas. But I think what makes this whole Twitter hack debacle even more ridiculous is the fact that CEO Jack Dorsey himself has been promising to implement end-to-end encryption for at least two years.
Signal, a trending mobile application from Open Whisper Systems, has become the gold standard of privacy-first messaging platforms today, thanks to its strong focus on encryption and on giving users back control over their privacy (as well as proper security documentation and independent auditing of its code). Twitter could certainly take a page out of that book. Even Facebook, a platform that we all know isn’t exactly a shining beacon for privacy or data protection - so much so that the Irish DPC has gotten involved - has made encryption a priority.
The social giant implemented permanent end-to-end encryption on WhatsApp and Facebook Messenger (although user opt-in is required). There are also plans to add end-to-end encryption to Instagram DMs, which should be done ASAP in my opinion.
This solution isn’t without its flaws either, of course. For instance, messages can still be read on the device before encryption or after decryption. But at least this shifts the potential blame away from the company and puts the onus on the individual to protect their own device and data.
Conclusion
Hopefully, this will stand as a warning to all major companies that handle any form of user data to take a good look at their internal data protection measures. Those in cybersecurity circles have been clamouring for companies to take internal threats more seriously for years (think about Desjardins recently here in Quebec), and many have been asking companies like Twitter to implement true end-to-end encryption as well.