The Twitter Hack and Why You Should Phreaking Care
*picture [1]
In the news recently there has been lots of posts about the Twitter
hack. I have read a few of them and this blog entry is going to be on
the same subject, however I want to focus on just a few keys aspects of
the hack and leave the investigative journalism to others.
There is a strong chance that you have read details on the Twitter hack as well and also understand the who/how/what of it. ([2] wonderful piece on how the hackers were caught).
We know it was primarily carried out by 3 people, we know that government services were able to track down the perpetrators communications via public chat servers, we know that the hackers were also confirmed based on a repetition of IP address.
This is all interesting, but I just find it fascinating that a 17 year old and a couple of his global buddies were able to hijack as many "powerful" twitter accounts as they did. [5]
Taking over social media accounts is not new. It happens daily and [3] a lot. If you think about it it is really not that hard. If a hacker wants to learn something about you all they need to do is poke around a bit in your public account to learn a lot about you. Why stop with one social media account? Gather enough information from a variety of online sources and I am sure that someone who put a minimal amount of effort in could guess your favourite breed of dog, or what the name of the street is where you grew up.
...Better yet...
... how about a targeted spear fishing attempt on a "randomly" selected employee?
This is in fact how the gentlemen were able to compromise as many accounts as they did. A specific Twitter employee was compromised and with the information gathered they gained access and knowledge about internal systems.
Why you should Phreaking care!
So this is not just a catchy tagline to draw in readers of my blog. It is actually a word that has faded a bit from mainstream language.
In the 70s 80s our hacker ancestors explored the limits of the telecommunications hardware. These folks became affectionately called phreaks or phreaker.[6]
in the 90s when email was way more mainstream we encountered a popular social engineering technique of fishing. (trolling email accounts to obtain personal information).
As language tends to do, it evolved and since the two techniques produce such similar results the two merged--> phishing (this term is widely used now).
Phishing has continued to evolve in a way that we can better understand it's specific usage. There is a difference between receiving a general email from Fedex saying you have a package to pick up "Please please please click the link!" [7]; and receiving an email that is a spoofed email of your boss that has detailed actual information about you. [8] This later one is spear-phishing.
This is how the three people were able to abuse Twitter, spear-phishing.
Twitter, this massive company was abused and embarrassed by the simplest of social engineering techniques. So why is this significant? Well if it can happen to them, why can't it happen to you? To your company? Do you personally have hundreds of thousands to spend on security infrastructure (unlike Twitter that does)?
I have worked in this field for long enough to know how easy it is for clients to receive phishing scams. I have also on numerous occasions (as have many of my colleagues) had clients clicking on the tempting link that has been sent to them.
The primary take away that we should take from the incident with Twitter is that phishing attacks are extremely easy and with a minimal amount of effort can be executed by folks with, honestly, very little actual skill.
You can put all kinds of policies to protect your organization assets, but all it takes is for one mistake from a well meaning person inside and the attacker can gain access to your systems and exploit you.
One of the best ways to combat phishing scams is education, have regular discussions with your employees/team about the subject of phishing. Remind people what is at stake. Phishing is so popular that it is not a question of if it will happen, it is a question of when.
Reference:
