Twitter hack reveals the human vulnerability

Even if Twitter is still silent about who is behind the abuse of various celebrity accounts, there are indications that an internal vulnerability was possibly decisive.

Jack Dorsey was contrite: “This is a bad day for us and we feel terrible,” wrote the Twitter co-founder late on Wednesday evening. Shortly before, hackers had advertised dubious Bitcoin deals on the Twitter accounts of numerous US celebrities. Among others, the accounts of ex-President Barack Obama, presidential candidate Joe Biden, Amazon boss Jeff Bezos, Microsoft founder Bill Gates, Tesla boss Elon Musk and rapper Kanye West, as well as companies such as Apple and Uber, were affected.

The hitherto unknown cyber criminals used the tweets to ask people to transfer $1,000 in Bitcoin to a cryptocurrency account. “Within 30 minutes every payer will get double the amount back,” said the identically worded tweets, which were sent from the hijacked accounts within a few minutes before Twitter stopped them.

“We are investigating the incident and will provide detailed information as soon as we have a better understanding of what exactly happened,” Dorsey wrote, promising clarification soon.

He has not yet made any specific statements. However, there are increasing signs that the accounts concerned were not hacked individually, but that the attack took place indirectly via Twitter insiders. There is a lot to suggest that the hackers gained access to a so-called management account, through which employees of the short message service have direct access to the accounts of Twitter users in the event of malfunctions – including those of prominent customers such as Bezos, Gates or Obama.

Such management access would not only explain why the forged messages were sent at the same time. It would also explain why remote control of the accounts was possible even though the majority of the celebrity accounts were protected by so-called two-factor authentication: an internal tool that acts on the account directly bypasses the login step that the second factor protects. The master accounts with their special access rights should actually be specially protected. In fact, there have been reports of cases in the past in which such accounts were accessed illegally, including at Facebook and Snapchat. Only last year, former Twitter employees were arrested for allegedly spying on user accounts for an external client.

Human vulnerability

It is possible that there was such an internal vulnerability this time as well: in the meantime, the US online magazine “Motherboard / Vice” reports that members of a group of hackers contacted the outlet and stated that they had taken control of the accounts using internal Twitter software. The hackers also said they paid a company employee to gain access to Twitter’s management platform.

Even if there is still no confirmation from the short message service – the company says that a software or operator error is also conceivable – the incident again highlights a cybersecurity problem that experts call the “insider threat”: the human weak point.

“The largest group of perpetrators [of security incidents] are former or current employees,” writes the Federal Criminal Police Office (BKA) in a current recommendation for companies on averting cyber threats. According to the BKA specialists, bribery, or disgruntled employees who want to take revenge on the employer after being dismissed, are not even the greatest risk of damage. “Most of the acts [are] not carried out with criminal intent, but rather because of negligence and a lack of awareness of the problem.”

In many cases, employees are simply not appropriately skeptical when, for example, they open messages or file attachments that supposedly come from superiors, colleagues or business partners – but are actually contaminated with malicious or espionage software. A careless, hasty click on the attachments or links in such messages then activates, for example, a sniffing program that silently logs the user names and passwords the employees enter and later secretly sends the data to the hackers. This is a scenario that is apparently still being examined at Twitter.

A study by the market research institute Ponemon and the IT group IBM from last year also shows how great the risk of damage from insider threats is. According to it, the average cost of damage from such security incidents rose within two years by 31 percent to a total of 11.45 million dollars per company affected. The total number of incidents rose by as much as 47 percent.

Too good to be true

It is unlikely that the latest Twitter hack will be so expensive – apart from the damage to the reputation of the short message service, because either the wrong employees had too many access rights or the management software was insufficiently secured. First of all, the cost of the cyber attack falls on those Twitter users who naively trusted the promises of the hacked celebrities and transferred Bitcoin. Within a few minutes, security service providers determined, the crypto account specified in the tweets received payments of almost $100,000.

And yet such damage could be prevented – with little effort, but with a little common sense: “If a message sounds too good to be true, then it is usually too good to be true,” says Michael Veit, IT security expert at Sophos. If Musk, Gates, Apple, Biden or a well-known company wanted to give away huge amounts of money, they would not require you to make an advance payment first, according to the expert. “Such an offer is not a gift but a trick. And it’s an obvious sign that the person’s account has been hacked.”