On October 15th, the New York State Department of Financial Services issued a report on the June 2020 cybersecurity incident in which a 17-year old hacker his friends gained access to Twitter’s account management tools and hijacked over 100 accounts.
The report stresses the critical risk against which social media companies employ their security measures and the simplicity of the hacker’s methods. The DFS raises the link between social media account security and election security and also notes that the S&P500 lost $135.5 billion in value in 2013 when hackers tweeted false information from the Associated Press’s Twitter account. Despite this risk, the 2020 hackers gained access based on a well-executed but simple social engineering campaign, without the aide of malware, exploits or backdoors.
The hackers conducted intelligence. They impersonated the Twitter IT department and called employees to help with VPN problems, which were prevalent following Twitter’s shift to remote work. The hackers directed employees to a fake login page, which allowed them to capture credentials and circumvent multifactor authentication.
The event lasted about 24 hours. The DFS explains that Twitter employed a password re-set protocol that required every employee to attend a video conference with a supervisor and manually change their passwords.
The event and the report are about the remote workforce risk we face today. Twitter had all the components of a good defence in place, but according to the DFS it could have done better given the high consequences of a failure. Here is a summary of some of the DFS recommendations:
- Employ stricter privilege limitations, with access being re-certified regularly. Following the incident Twitter did just this, even though it apparently slowed down some job functions.
- While multifactor authentication is a given, the DFS noted, “Another possible control for high-risk functions is to require certification or approval by a second employee before the action can be taken.”
- The DFS points out that not all multifactor authentication is created equal: “The most secure form of MFA is a physical security key, or hardware MFA, involving a USB key that is plugged into a computer to authenticate users.”
- The DFS says organizations should establish uniform standards of communications and educate employees about them. Employees should know, for example, exactly how the organization will contact them about suspicious account activity.
- The DFS endorses “robust” monitoring via security information and event management systems – monitoring in “near real-time.”
These recommendations could make for very strong remote access and account security, but are worth note.
Report on Investigation of Twitter’s July 15, 2020 Cybersecurity Incident and the Implications for Election Security.