As I read through Twitter’s latest update on the hack of high-profile accounts, at one level I appreciate the attempts at transparency. However, as a person who has become cynical in the way companies approach user error, or what I call user-initiated loss, I still don’t think they get the real issues.
Before I go on about Twitter, let me first talk about the recent Cloudflare outage that occurred essentially because someone made a typographical error in a router table. It would have been very easy for Cloudflare CEO Matthew Prince to blame the incident on the engineer in question who made the error. Instead, when someone on Twitter mused that he would hate to be the responsible engineer, Prince did something extraordinary and replied, “The root problem was we didn’t have systems in place to keep them from causing a widespread issue. That’s a problem of leadership that I am more responsible for than the engineer who made the typo.”
With Prince’s statement in mind, I want to be clear that I do not expect Twitter to never suffer an incident. No security will ever be perfect, nor can it be. Since I wrote the initial draft, a 17-year-old has been arrested and two other people have been charged. Given how quickly he was arrested, it is hard to imagine this teenager qualifies as the “Mastermind” the media is calling him, so I am even more cynical about the announcement.
Now I look to Twitter’s response, and the predominant message is that it is a people problem. They claim the attacker got in through a “phone spear phishing attack.” There is no such term in common use. Was it a smishing attack, where someone sends an SMS to a phone? Was it a traditional social engineering attack, where someone calls a user and tricks them into divulging information, including credentials? Was it a vishing attack, where someone sends a malicious email and then calls the recipient to entice them to open it? The vagueness makes me believe that there is limited expertise in the response team. I would not normally be this critical in my comments if it were an individual engineer writing a blog post. However, we must assume that this blog went through many layers of review at Twitter.
At one level, Twitter is saying the right things. The blog mentions that they will enhance misuse and abuse detection. They mention limiting access to administrator tools. However, there is very limited detail, and there is no overarching statement of responsibility like the one Prince tweeted.
I also see Twitter trying to frame this as a user issue. They talk about how it was “a concerted attempt to mislead certain employees … and exploit human vulnerabilities …” Well, yes, if you are a company that has value, this is how it works. I detailed back in 1995 how to compromise a bank through social engineering. It involved a fairly complex set of actions. While I don’t expect that Twitter will have read my 25-year-old article, or anything I have since written, one expects a major technology company to realize that it has sophisticated adversaries who will go through more than trivial effort to gain access to valuable systems.
Likewise, Twitter has to realize that criminals go through great efforts to compromise Twitter accounts. For example, my presentation at RSA Conference six years ago about the Syrian Electronic Army (SEA) triggered the SEA to hack this site, as well as hijack The Wall Street Journal and BuzzFeed Twitter feeds. Prior to those attacks, the SEA hijacked the Associated Press Twitter account and caused a major dip in the stock market when it sent out a fake Tweet saying there was an attack on the White House.
As Twitter tries to portray the “latest” attack as complex, unique, unforeseeable, etc., and the result of human error, the reality is that the “human vulnerabilities” were only exploitable because there was an operational and technical environment that allowed them to be exploited. While they claim they are also going to continue with ongoing phishing exercises, those exercises clearly didn’t prevent this attack, and they are not likely to completely prevent future attacks. Even if Twitter manages to cut the number of people with access to the admin tools in half, there are still 500 potential targets for criminals, and they only need a 0.2% success rate.
While I personally do not believe that this hack is as dire as people want to portray, and I also believe Twitter employees will inevitably be compromised, as there can never be perfect security, Twitter is still not displaying the level of responsibility that Matthew Prince did. Twitter is a significant company in commerce and world events. They are targeted by much more competent people than the 17-year-old supposed “Mastermind.” Pointing out that human error was involved in the Twitter hack does not address the “problem of leadership” that needs to be addressed. Perhaps they can start by reviewing my RSA Conference 2020 keynote presentation on “You Can Stop Stupid” or my forthcoming book with the same name.