Wait, Twitter Got Hacked?!
- caseyzangari
- Jul 23, 2020
Computers are complex, complicated, magnificent, sensitive bundles of delicate components that are far from perfect. We computer security experts do everything in our power to secure these titans that hold our data from prying eyes or malicious actors. We install firewalls to filter the traffic in and out of networks. We install and maintain antivirus software to prevent bad bugs from infecting our files and running amok on our systems. We update, patch, maintain, document, develop, and code till there are no holes left to plug. This is of course an impossible and futile effort if we are in search of perfection. Since the business drivers of technology demand that money be made, new and different technologies are constantly being developed and implemented. These new technologies add new challenges for us information security folk all the time, and we spend a lot of time developing solutions to secure these new ventures. At the end of the day, computers are natively insanely insecure and require a lot of technological upkeep to make them as secure and protected as possible. What a lot of people don't understand is that despite everything I just said, the technology itself isn't the weakest link in the chain. Technology fails all the time, but at the end of the day, it's much more likely that the human element is what will break the link between a secure system and a hacked one.
So you probably saw in the news that Twitter got hacked. You can find news sources on it below for reference:
There is a lot of information about what happened and still some speculation, but the main component of this hack was a human element. The reports from Twitter itself state that they detected a social engineering attack that targeted specific employees with access to high-level systems. Here is the full report from Twitter if you would like to read it.

Source: Twitter
Okay, the question of the day is: what does that mean?
I really don't want to speculate on the exact details of the "how" of the incident, but we can make some assumptions based on the information we have. Let's break it down.
They were targeted. Hackers, especially organized ones, will always be trying to get into the most high-value targets they can find. Most of the attacks you see on the internet are conducted by what we in the biz call script kiddies. These hackers aren't your super high-level attackers. Honestly, they probably know just enough to do some damage but not enough to know what they are doing. Oftentimes they will find a way to download a hacking tool, point it at a website or system, and hope for the best. Most of the time the most damage they can do is conduct a Denial of Service attack (or DoS) of some kind. These kinds of hackers are the equivalent of a child finding their parent's gun in the house and playing with it. They may know it's bad and they definitely aren't trained, but they got a hold of it nonetheless. Despite the potentially horrific damage that could be done, they won't be starting a war with a handgun. The real baddies are what we call Advanced Persistent Threats (or APTs). These can be anything from a single educated entity to a group of patient hackers or state-sponsored government groups. These groups potentially have a lot of training and generally know what they are doing. They take their time and choose their targets carefully. They execute plans using advanced methodologies for persistently attacking a big target. They scan and probe and do mountains of research in preparation before starting an attack. To keep using the handgun analogy, APTs are the equivalent of the Navy SEALs or organized bank robbers. In the instance of the Twitter hack, it was more than likely an APT.
Social Engineering Attack. This is the fun one where computer science and psychology mix. You have likely heard this term before and probably have a pretty good idea of what it means. For those who don't, it is essentially when someone manipulates you into doing something or giving them some type of information. A really popular example of this is phishing emails, which are messages that attempt to trick you into clicking on a link that leads to a malicious website or installs something nasty on your computer. Another popular example is someone calling you and claiming to be from your bank. They feed you information that convinces you that they are who they say they are, so you believe them and give up your information. Even a little bit of information could assist an attacker in gaining the information they need.
Let's try and dive in a bit here and explore what an attack like this would look like if I were an APT. Let's say I was a hacker and I wanted to hack into a company's infrastructure and steal data from it. I'm not going to try and get through their firewall or guess passwords for years, because that will likely get noticed immediately or take too long to be effective. I'm also not likely going to probe a company for vulnerabilities since, more likely than not, they are pretty secure, and again they would eventually notice and take action against me. Let's refer back to what we were discussing before. What is the weakest link in their computer system? That's right, it's you. I'm going to start with you. I know you work for the company because you're on LinkedIn. You also linked your Twitter handle and Facebook. Great! You are pretty active on all those sites, so it's pretty easy to gather information on you. You even linked your Instagram, which holds a ton of location data. Awesome Sauce! I can now learn where you work, whereabouts you live, who your contacts are, your political views (most likely), music taste, movies and shows you like, marital status, kids' names if you have any, etc. Basically, from your social media alone I am able to learn almost everything I need to start my attack. This is called the reconnaissance phase of a hack. From here I am able to carefully plan out my attack.
I know from my research that you are a huge Harry Potter fan. Who isn't?! But I can see that you post a lot about the British teenage wizards, so I know you are a super fan. I also know from my research that you subscribe to a site that discusses theories and topics from the books. It's a pretty tight-knit community, so you have likely placed a lot of trust in them. So what can I do with this? I also subscribe. I take my time and learn about them. I spend time figuring out how they market and how they craft their posts and emails, especially the ones they send to their subscribers. Oh boy, things are falling into place now! With a bit of work and Photoshop skills, I carefully craft a simple email with a post about an upcoming book detail that looks and feels like it came from this community. If I'm really clever, I might take a post I know they sent out, recreate it with my own links, and send that to you hoping you'll think it's an error that you got two. I'm now manipulating you using your known interests and piggybacking off your trust in this site. Chances are you click the link because it doesn't tickle your suspicion like a normal spam message would. Abracadabra, you've now been hacked.
There are a few things I could do from this point. I could install a small "keylogger" on your computer which records everything you type and then sends it to me. Most people have the same passwords for lots of different things, so I could just wait till you type in your password for any site and try it on other sites you use to gain access. But I also know from my research that you work from home on occasion. All I have to do is wait till you work on this computer or log into your company email. Uh oh. I now have access to your work username and password and thus, I now have access to everything you have access to at your company. If you are a high up enough employee, let's say a developer with administrative access at some social media site, I now have all that access and could probably do a lot of damage.
This is of course an overly simplified version of what might have happened at Twitter, but it's a very real and possible way that a motivated hacker could get the info they want. It may not even be one hacker doing this either; it could be a group of them, depending on how much money they could potentially get from this hack. They may not even be targeting just you! They could be doing the same to several people at the same time. All they really need is to know who to target at the company and for it to work just once. This kind of attack is called a "Spear Phishing" attack since it's targeting a single entity instead of using a wide net. If you are high enough up in the company, it's sometimes called "Whaling" because they are going for big prey.
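As an added example (not part of the original post), here is one way a mail filter or a curious reader could check for the cloned newsletter with swapped links described in the scenario above. The domains, the sample message and the function names are constructed for illustration, and the sketch assumes a single-part HTML email.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a copy of a community newsletter with one link re-pointed.
SAMPLE_EMAIL = (
    "From: Fan Forum <news@fanforum.example>\n"
    "Subject: New book detail\n"
    "Content-Type: text/html\n"
    "\n"
    '<p><a href="https://fanforum.example/theories/42">Read the theory</a></p>\n'
    '<p><a href="https://fanforum-news.example.net/login">'
    "https://fanforum.example/new-book</a></p>\n"
)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased host of a URL, with or without a scheme."""
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def in_domain(host, domain):
    """True for the domain itself or a subdomain, not a look-alike name."""
    return host == domain or host.endswith("." + domain)

def suspicious_links(raw_email, trusted_domains):
    """Return (href, reason) for links that do not go where they appear to."""
    collector = LinkCollector()
    collector.feed(message_from_string(raw_email).get_payload())
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        if not any(in_domain(host, d) for d in trusted_domains):
            findings.append((href, "outside trusted domains"))
        looks_like_url = "." in text and " " not in text
        if looks_like_url and host_of(text) != host:
            findings.append((href, "visible text names a different host"))
    return findings
```

The genuine link passes both checks, while the re-pointed one is flagged twice: it leaves the community's domain, and the address shown to the reader is not the address the link opens.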
I know I threw a lot at you, but I really wanted to dive into this for a few reasons. I know people know what phishing looks like and feels like, but I don't think people really understand what it can look like and how intricate it can be if you are a gateway to bigger information. I often hear people say they have nothing to hide, or that no one would want to target them. I hate to say it, but maybe it's not you that they are after. I know humans like to think one-dimensionally and view ourselves as the end goal, but that isn't always the case. In fact, it's usually not the case at all. We all have something to protect, whether that's our job or a close loved one. Everyone has a reason and an obligation to understand a little bit of information security and how dangerous it can be if you let your guard down. If you aren't careful, and you don't have a healthy dose of suspicion, you could be a victim or become a gateway for a hack to bigger things.
I know it sounds like I'm trying to scare you but I'm really not. I'm trying to start a conversation with you or at least get you to start a conversation with those around you. I'm a HUGE advocate for cyber security training and awareness campaigns for all and am massively proud of Twitter for implementing additional company-wide training since this happened. Knowledge is power and can help shield you from the dangers out there, so learn up while you can! Don't be the weakest link in the chain.