The Twitter hack exposed a major cybersecurity vulnerability: employees.


A broken chain of Twitter birds.
Photo illustration by Slate. Photo from Twitter.

On Wednesday, Twitter was the victim of hackers who used a “coordinated social engineering attack” to compromise some of Twitter’s most high-profile accounts, including those of Barack Obama, Elon Musk, Bill Gates, and Kanye West, and to launch a crypto scam aimed at the followers of those users. The scammers took over multiple accounts and walked away with more than $120,000 in hard-to-trace Bitcoin payments, an amount that pales next to the damage to Twitter’s brand.

This was a particularly eye-catching breach, but in the end it was just another in a long parade of cybersecurity incidents at high-profile and smaller companies alike. While advances in cybersecurity have hardened IT infrastructure and made it increasingly difficult to hack systems remotely, criminals have a logical way around those measures: targeting the employees who are already inside the systems. This wasn’t even the first time Twitter was the victim of a social engineering attack. In August 2019, Twitter CEO Jack Dorsey was the target of a different type of social engineering attack known as a SIM swap. In that incident, Dorsey briefly lost control of both his personal mobile phone number and his Twitter account after hackers used his personal information, including knowledge of which mobile carrier he used, to get control of his number transferred to them. Twitter, of course, is not alone. Earlier this year, Shark Tank’s Barbara Corcoran was nearly scammed out of $400,000 when attackers researched her organization, obtained basic contact information, and impersonated her assistant in an invoice-payment scam aimed at her bookkeeper. No organization is immune: from Target to the Central Intelligence Agency to the Classic Ether Wallet cryptocurrency service, attackers keep finding ways to exploit human weakness to circumvent security measures.

Attackers look for ways to convince or trick employees into helping launch an attack that bypasses the security measures designed to prevent penetration from the outside. They use confidence tricks to hack the human “operating system” rather than technical means to hack computer systems.

There are more than a dozen types of social engineering attack. The most common is the phishing email, in which a message purportedly from a colleague or administrator requests a password reset or help accessing a system. It seems like a quick favor for someone in a bind, but it can hand criminals access from the inside.

This is a well-known problem in the IT world, and it is hard to solve. Simply training employees to recognize bogus messages is not enough: in many cases those messages are indistinguishable from real ones, even to automated filters. The fundamental problem is one of data. There is a huge and growing ocean of information about all of us, publicly and easily available on the internet. That data is a guide for attackers, giving them details about people ranging from what kind of access to company systems they might have to their writing style. This information, often scraped automatically, lets attackers craft phone calls, emails, text messages, and social media posts that are personalized enough to deceive even seasoned veterans of the security industry. For example, a family vacation photo posted on social media can help an attacker impersonate the vacationer by email. When that email comes from a recognized personal address (perhaps the one attached to the social media account), mimics the language of the person’s posts and other communications, and asks that funds be sent to a third party, such as a supplier that has described its relationship with the company in a public case study, it can look perfectly normal.
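As an added illustration (not part of the original article), here is a small Python check for the kind of impersonation email just described: a message whose display name matches a trusted employee but whose sender address, reply-to address, or domain does not hold up, and whose body steers money toward a third party. The organization, staff directory, vendor name, cue words, and both sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import List, Optional, Set

# Constructed sample: the impersonation message the article describes, sent from a
# look-alike personal address, replying to a look-alike corporate address, and
# asking that money be wired to a vendor named in a public case study.
SUSPICIOUS_EMAIL = """\
From: "Dana Reyes" <dana.reyes@gmaill.com>
Reply-To: dana@examp1e-corp.com
To: ap@example-corp.com
Subject: Quick favor while I'm at the lake

Still on vacation with the kids, limited signal. Can you wire the Northwind
invoice (our case study partner) to their new account today? Details attached.
"""

# Constructed sample of a benign message from the real account.
BENIGN_EMAIL = """\
From: "Dana Reyes" <dana.reyes@example-corp.com>
To: ap@example-corp.com
Subject: Q3 deck

Can you send me the latest Q3 deck when you have a minute? Thanks.
"""

# Hypothetical organization data: its domains and the staff who can approve payments.
ORG_DOMAINS = {"example-corp.com"}
PRIVILEGED_STAFF = {"dana reyes": "dana.reyes@example-corp.com"}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "icloud.com"}
PAYMENT_WORDS = ("wire", "invoice", "new account", "transfer", "urgent", "today")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike domains (gmaill vs gmail)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, known: Set[str], max_dist: int = 2) -> Optional[str]:
    """Return the known domain that `domain` imitates, or None if it is known or unrelated."""
    if domain in known:
        return None
    matches = [k for k in known if edit_distance(domain, k) <= max_dist]
    return min(matches, key=lambda k: edit_distance(domain, k)) if matches else None


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()

    # 1. Display name of a privileged employee, but not sent from that employee's address.
    expected = PRIVILEGED_STAFF.get(name.lower())
    if expected and addr != expected:
        findings.append(f"display-name impersonation: '{name}' sent from {addr}")

    # 2. Sender domain is a near-miss of a corporate or freemail domain.
    imitated = lookalike_of(domain_of(addr), ORG_DOMAINS | FREEMAIL_DOMAINS)
    if imitated:
        findings.append(f"look-alike sender domain: {domain_of(addr)} ~ {imitated}")

    # 3. Replies are diverted elsewhere, possibly to a look-alike of the corporate domain.
    if reply_to and reply_to != addr:
        note = f"reply-to mismatch: replies go to {reply_to}"
        if lookalike_of(domain_of(reply_to), ORG_DOMAINS):
            note += " (look-alike of corporate domain)"
        findings.append(note)

    # 4. Payment-redirection language; two or more cue words is the (assumed) threshold.
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    hits = [w for w in PAYMENT_WORDS if w in body]
    if len(hits) >= 2:
        findings.append("payment-request language: " + ", ".join(hits))
    return findings
```

Two caveats a practitioner would add: every header checked here is under the sender’s control, so in production these heuristics sit alongside SPF, DKIM and DMARC results rather than replacing them, and the edit-distance test will flag legitimate domains that happen to be one character away from a popular one, so its output is a triage signal, not a verdict.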

In Twitter’s case, the initial breach reportedly traces back to hackers gaining access to an internal Slack channel. Knowledge of Twitter’s corporate structure and of its employees’ roles and communication styles likely made the attack more convincing and helped the attackers plan and carry out the breach.

Part of the problem is that the available data is far more actionable than most people realize. Basic research on social media (Facebook, Instagram, Twitter, etc.) and Google can reveal enough personal information for an attacker to make contact and design a scheme to trick a person. This practice, known to experts as cyber reconnaissance, underpins more than 90 percent of today’s successful cyberattacks, according to a Verizon report.

That number is unlikely to drop anytime soon, especially since COVID-19 has compounded the problem by forcing so many employees to work from home. Social engineering attacks already rely on remote communication; it is naturally much harder to pass as a trusted friend or colleague in person.

The New York Times has reported that a shadowy figure known as “Kirk” was the ringleader of the recent Twitter attack. Although it is not yet known what social engineering tactics were used to gain that original access, Kirk’s campaign certainly involved reconnaissance. Beyond that, the attack may have relied on an employee who was paid, tricked, or coerced, or a disgruntled insider may have found a partner in crime outside the company. Each of these attack methods is data-driven: finding the right contact information, knowing whom to impersonate and how, or even profiling Twitter’s employee base to find out who would be most valuable (such as users with higher-level privileges) and who would be most vulnerable (those with exposed personal information, such as location, hobbies, and contact details).
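The profiling described in this paragraph, and the public-footprint lens the article later calls for, can be sketched as an added Python example (not from the article or from any organization it mentions): it scores a constructed set of public posts for disclosures of role, employer, contact details, travel, and vendor relationships, then flags accounts that are both privileged and reachable. Handles, posts, signal patterns, and weights are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of public posts, as a scraper might collect them.
PUBLIC_POSTS = [
    ("@mara_ops", "Week 3 as support-tools admin at Example Corp. Badge finally works!"),
    ("@mara_ops", "Lake Tahoe with the kids until the 20th. Text 555-0142 if urgent."),
    ("@jp_eng", "Shipped a small fix. Coffee, then climbing."),
    ("@sam_sells", "Honored to be quoted in Northwind's case study on our partnership. DM me for intros."),
]

# Signal name -> (pattern, weight). Weights are illustrative assumptions: disclosures of
# privileged access weigh most because they mark who is worth impersonating or coercing.
SIGNALS: Dict[str, Tuple[re.Pattern, int]] = {
    "privileged_role": (re.compile(r"\b(admin|support[- ]tools|sysadmin|on[- ]call|root access)\b", re.I), 5),
    "employer": (re.compile(r"\bat ([A-Z][\w&]*(?: [A-Z][\w&]*)*)"), 2),
    "phone": (re.compile(r"\b(?:\d{3}[-.\s])?\d{3}[-.\s]\d{4}\b"), 3),
    "email": (re.compile(r"[\w.+-]+@[\w-]+\.\w+"), 2),
    "travel_or_location": (re.compile(r"\b(vacation|out of office|until the \d+(?:st|nd|rd|th)|lake|beach|flight)\b", re.I), 3),
    "vendor_relationship": (re.compile(r"\b(case study|partnership|our vendor|our supplier)\b", re.I), 2),
}

Profile = Tuple[str, int, List[str]]


def profile(posts: List[Tuple[str, str]]) -> List[Profile]:
    """Aggregate signals per handle and rank handles by total exposure score."""
    scores: Dict[str, int] = {}
    seen: Dict[str, set] = defaultdict(set)
    for handle, text in posts:
        scores.setdefault(handle, 0)
        for name, (pattern, weight) in SIGNALS.items():
            # Count each signal once per handle; repeating a disclosure adds no exposure.
            if name not in seen[handle] and pattern.search(text):
                seen[handle].add(name)
                scores[handle] += weight
    ranked = sorted(scores, key=lambda h: scores[h], reverse=True)
    return [(h, scores[h], sorted(seen[h])) for h in ranked]


def priority_targets(ranked: List[Profile]) -> List[str]:
    """Handles that are both valuable (privileged role) and reachable (contact or travel details)."""
    reachable = {"phone", "email", "travel_or_location"}
    return [h for h, _, sigs in ranked if "privileged_role" in sigs and reachable & set(sigs)]
```

Run from the defender’s side, this is the same reconnaissance an attacker would perform, which is the point: whoever tops the ranking is who the security team should brief, monitor, and help scrub first. Real tooling would pull from many more sources and use entity extraction rather than a handful of regular expressions, but the scoring shape is the same.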

Global investment in security infrastructure over many years has been significant, and it will only grow as we rely ever more on technology to power every aspect of our lives. A recent report predicts that cybersecurity spending will cumulatively exceed $1 trillion between 2017 and 2021. But as long as we think of security only as a property of the systems we build, essentially a matter of infrastructure, we risk missing the most critical element. The most vulnerable targets within companies are the people sitting at the intersection of our networks, devices, and applications.

The next generation of cybersecurity tools should focus on cyber hygiene: actively showing what information about a company and its employees is publicly available, and finding ways to reduce or neutralize that footprint, protecting not only our companies but also the privacy and integrity of every individual.

Future Tense is an association of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society.