Holy Hell Were We Lucky That Twitter's Big Breach Was Just A Bunch Of SIM Swapping Kids; Can We Please Encrypt DMs Now?

from the not-great dept

Everyone is still sorting out exactly what happened last week with the big hack of Twitter in which a number of prominent accounts — including those of Barack Obama, Elon Musk, Jeff Bezos, Apple, and Uber — all tweeted out a Bitcoin scam, promising to double people’s money if they sent Bitcoin to a specific wallet (which appeared to receive a little over $100k). However, from what has been reported so far, it appears we actually got fairly lucky and that it was mainly a bunch of SIM swapping social engineers who historically have focused on getting popular short usernames. If you’re not familiar with all of this, the Reply All podcast had a fascinating episode about the scam last year.

Meanwhile, Vice has a post describing how the hackers involved convinced a Twitter employee, who had access to a Twitter control panel, to make changes for them. The guy who controls the (formerly Adrian Lamo’s) Twitter account @6, provided some details on how the hack got around two factor authentication controls: within the control panel a new email address was added to the account, and then, from the control panel, the two factor authentication would be disabled. An alert would be emailed out about this — but to the new email address. Brian Krebs provided some details about who he thought was behind all of this (and the connection to the SIM swapped hack of Jack Dorsey’s account from last year). Finally, the NY Times scored an interview with the hackers themselves — again, showing that it was just a crew of SIM swapping kids, mostly doing this for the lulz (and also suggesting that the person Krebs fingered was only peripherally involved, in that he’d made use of the same access to pick up Lamo’s old @6 account, but didn’t take part in the Bitcoin scheme).

The interviews indicate that the attack was not the work of a single country like Russia or a sophisticated group of hackers. Instead, it was done by a group of young people ? one of whom says he lives at home with his mother ? who got to know one another because of their obsession with owning early or unusual screen names, particularly one letter or number, like @y or @6.

The Times verified that the four people were connected to the hack by matching their social media and cryptocurrency accounts to accounts that were involved with the events on Wednesday. They also presented corroborating evidence of their involvement, like the logs from their conversations on Discord, a messaging platform popular with gamers and hackers, and Twitter.

What does become clear is that, from the details revealed so far, this wasn’t some grand nefarious scheme. This was a bunch of kids having fun, who happened to get access to a control panel through some means or another.

At the very least, we should be thankful that’s all this was. As multiple people I spoke to have said, we should be very, very, very glad that this was basically some kids having a laugh and hoping to make a little money, rather than a nation state wishing to start World War III. And while Twitter has not yet said if Direct Messages were accessed, from everything that’s been revealed so far, it’s pretty clear that whoever controlled these accounts easily had access to DMs.

And that should raise a bunch of questions.

While the hack was still going on, Senator Josh Hawley dashed off one of his infamous letters to Twitter CEO Jack Dorsey, asking a list of questions. Surprisingly, given Hawley’s involvement and the usual inanity of his letters, this one was somewhat on point and asked a bunch of mostly reasonable questions:

  • Did this event represent a breach of users? own account security or of Twitter?s systems?
  • Were accounts protected by two-factor authentication successfully targeted in this breach? If so, how was this possible?
  • Did this breach compromise the account security of users whose accounts were not used to share fraudulent posts? If so, how many accounts were affected? Were all accounts? security compromised by this breach?
  • How many users may have faced data theft as a consequence of this breach?
  • What measures does Twitter undertake to prevent system-level hacks from breaching the security of its entire userbase?
  • Did this attack threaten the security of the president?s own Twitter account?
  • However, much more important is the key question asked by Senator Ron Wyden: why hasn’t Twitter introduced end-to-end encryption for DMs, which would have prevented the ability for hackers to have read DMs under the circumstances described above.

    “In September of 2018, shortly before he testified before the Senate Intelligence Committee, I met privately with Twitter’s CEO Jack Dorsey. During that conversation, Mr. Dorsey told me the company was working on end-to-end encrypted direct messages. It has been nearly two years since our meeting, and Twitter DMs are still not encrypted, leaving them vulnerable to employees who abuse their internal access to the company’s systems, and hackers who gain unauthorized access,” Wyden said in a statement.

    Of course, given all that, we should note that despite Hawley asking good questions, he’s a bit of a hypocrite here, as he has attacked encryption for years, and is a co-sponsor of the EARN IT Act, which will endanger encryption. If Hawley actually wanted Twitter to better protect user privacy in their data, he should be supporting Wyden’s push to have the company encrypt more, not less.

    Filed Under: , , , , ,
    Companies: twitter

    Rate this comment as insightful
    Rate this comment as funny
    You have rated this comment as insightful
    You have rated this comment as funny
    Flag this comment as abusive/trolling/spam
    You have flagged this comment
    The first word has already been claimed
    The last word has already been claimed
    Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

    Comments on “Holy Hell Were We Lucky That Twitter's Big Breach Was Just A Bunch Of SIM Swapping Kids; Can We Please Encrypt DMs Now?”

    Subscribe: RSS Leave a comment
    Anonymous Coward says:

    Re: Re:

    By using public key encryption, and keeping the private key on the users device. That way gaining control of the account does not include the key needed to decrypt DMs. Controlling the account may allow the keys to be changed, but that should raise a warning with anyone who has used the prior key, and does not allow access to any stored messages.

    Jef Pearlman (profile) says:

    Re: Re: Re: Re:

    There are a bunch of ways to implement end-to-end encryption for messaging, but ones that have the feature you describe generally also have the feature that if your computer dies, you permanently lose all your past DMs. That’s a totally worthwhile trade-off sometimes (e.g., Signal, but see Signal PIN & concerns), but I’m not sure that Twitter DMs are where I want that.

    Mike Masnick (profile) says:

    Re: Re: Re:2 Re:

    There are a bunch of ways to implement end-to-end encryption for messaging, but ones that have the feature you describe generally also have the feature that if your computer dies, you permanently lose all your past DMs.

    Only you haven’t stored the keys somewhere else and can enter them separately on the new device.

    Anonymous Coward says:

    Re: Re: Re: Re:

    End to end like this doesn’t really work for non-savvy users who want their DMs on multiple devices and don’t want to lose their history when they forget their password or get a new phone. I’m sure it’s a low priority for Twitter considering how few users would be likely to opt in.

    Anonymous Coward says:

    Re: Re: Re:2 Re:

    You don’t need or want twitter to manage your private keys. Ideally you keep them in an encrypted file, which you can copy to other devices. Hint, if you cannot copy your private keys to other devices, including a backup device, you are not in control of your private keys, your device vendor has the control.

    Koby (profile) says:

    Re: Re:

    How would end-to-end encryption for DMs help in this circumstance?

    Some end-to-end schemes might store messages on a server in encrypted form. The decryption key would then only reside on the user device (smartphone/laptop/desktop/ect.). Someone may be able to hijack the account, and send new messages. But without the key from the original device, the old messages would remain inaccessible.

    Anonymous Coward says:

    I am not sure I understand the key thing… Telegram for example has end-to-end encryption, but you can connect a new device to the service and get access to the entire history of messages. The old device still receives a PIN for dual-factor authentication, but would that be enough? If you have access on the server side, can you intercept the PIN code?

    Anonymous Coward says:

    The key is stored on the users phone,
    So if a hacker takes over a twitter account or email account , he cannot read the old dms or messages
    In this case the hacker use twitter tools to make a new email address attached to each account to replace the verified users original email address.
    Maybe twitter does not want to encrypt each dm as it
    Is alot of work to do so,
    or they are afraid some people might use twitter to carry out illegal acts, like selling drugs or guns.
    And if the Earnit act pass, s it might make end to end
    encryption illegal for American company’s or at least one’s that have millions of users.

    Gracey Allie says:

    end-to-end encryption and lawful access

    You don’t need or want twitter to manage your private keys. Ideally you keep them in an encrypted file, which you can copy to other devices. Hint, if you cannot copy your private keys to other devices, including a backup device, you are not in control of your private keys, your device vendor has the control.
    For android device hack and tips, join our telegram group https://telegroupslink.com/

    Rishmaq (user link) says:

    how to tell if a vietnamese girl likes you

    Charlottesville white supremacist CRIES sobbing tears on camera recognizing he’s

    A white supremacist who took part in the Charlottesville clashes has posted a video which experts claim he cries sobbing tears over his fears he will be arrested.

    Christopher Cantwell a far right leader who participated in deadly protests at the University of Virginia over the removal of a Confederate statue is seen with tears in his eyes after being told a warrant has been issued for his arrest.

    He also compensation claims he is "afraid" He is likely to be killed and stressed he wanted to be "police abiding" After he was featured in a chilling documentary where he claimed: "we aren’t non violent, We’ll fing kill them if we have to,

    MirrorOnline reported yesterday how Cantwell claimed is now a would die in the shocking footage.

    In the YouTube footage he posted during sleep, Cantwell proclaims: "i am told there’s a warrant out for my arrest.

    "with everything that’s happening, I don’t believe it’s very wise for me to go anywhere. may possibly state of emergency. the national Guard is here.

    Cantwell later told Digg he now thinks a warrant is not out for his arrest but that he believed police in Charlottesville have a "list of subscribers to round up" if you focus on talks with an anonymous "Higher up administration official,

    The video was originally livestreamed on Cantwell Facebook page but his profile was later deleted together with his Paypal, Instagram effectively internet accounts, It was recorded.

    It emerged as Cantwell featured in a disturbing behind the scenes documentary at those involved in the Unite The Right rally.

    Cantwell said: "we’re not non violent, We’ll fing kill these individuals if we have to" As revolting scenes showed racists hurl vile abuse that defined the sickening glimpse of hate.

    He also anticipated more violence at the white supremacists next rally, as they added: "I think a lot more people ought to die before we’re done here,

    The 22 minute Vice documentary captured the events surrounding Saturday planned Unite the Right rally from Friday night torch march harking back to KKK rallies to eerie calm on Sunday night.

    The rally by neo Nazis was halted as violence broke out in the Virginia city and a state of emergency was declared by nys governor.

    Vice reporter Elle Reeve went behind the lines with white supremacists and, acquire, Cantwell, 36, Who believes a race war is no surprise and argues for an "Anglo ethno state’s" getting blacks, Jews or immigrants who aren white wines.

    Footage shows him reacting in pain after being pepper sprayed at the torch march and again over rally at Emancipation Park, <a href=https://www.bestbrides.net/signs-that-vietnamese-women-like-you/>how to tell if a vietnamese woman likes you</a> Where white supremacists gathered to protest removing a statue of a Confederate general.

    As milk is poured into his eyes to alleviate the burning sensation, of the male gender with him chants "Heil Cantwell, in off the Nazis salute for Adolf Hitler.

    daily, A shirtless and agitated Cantwell marches along with other white supremacists after the rally was scuttled by riot police, And he blames anti racism activists for sparking the violence.

    Cantwell, Who was due to convey at the rally, tells how: "we’re not non violent, We’ll fing kill these consumers if we have to,

    The documentary is stuffed with chilling declarations and warnings from white supremacists, putting Robert Ray, Who reports: "We’re starting to slowly unveil a little our power level, You ain’t seen nothing yet,

    The video offers an regarding the racist minds of the rally organisers and supporters, who were flanked by a heavily armed militia.

    paralegal Heather Heyer, 32, Was killed and 19 were injured as anti racism activists marched with the streets in Virginia.

    Rishnrs (user link) says:

    shy asian brides

    Dr Hilary Jones unhappy with government’s decision to change the disadvantages on Covid 19

    This may include adverts from us and 3rd parties based on our education. You can unsubscribe at any time. specifics

    appreciation for subscribingWe have more newslettersShow meSee ourprivacy notice

    Dr Hilary Jones has said he is unhappy with the us government decision to change the restrictions on Covid 19 as he warned people to be cautious.

    The TV doctor appeared on Good Morning Britain and said the latest news regarding Plan B standards being lifted "Made no feel,

    On wednesday, Boris Johnson confirmed he planned to end the legal requirement for those who test positive with coronavirus in England to self isolate in the coming weeks.

    he was quoted saying: "On Monday we reduced the solitude period to five full days with two negative tests.

    "And there will soon come a time when we can remove the legal responsibility to self isolate altogether, Just as we don place legal obligations on people to isolate if they have flu,

    Read MoreScots model Emma Louise Connolly a beach ball in new having a baby snap

    "The self isolation guidelines expire on March 24, after which I very much expect not to renew them,

    Dr Hilary stated GMB presenters Susanna Reid and Ben Shephard: "We are seeing younger and younger people affected by Covid 19, Omicron and thus Delta and other variants across the board, The threat is still there. We are not away from woods yet,

    with regards to the restrictions being lifted, <a href=https://www.bestbrides.net/meet-hot-viet-girl-the-sexiest-influencers-to-follow-in-vietnam/>hot viet girl</a> He generated: "this can be a worry to many, lots of people, It not just me who thinks it too much too early.

    Read MoreWhoopi Goldberg could be coming over to Scotland to film new Amazon show Anansi Boys

    "lecturers, N HS companies, Royal College of breastfeeding, symphony, They all very concerned that taking away all standards suddenly despite the data is too much too soon.

    "hospitality will be happy, Hospitals will be scared, It so simple as that,

    Dr Hilary also believes people who won isolate in future following a Covid diagnosis will have a negative effect.

    Chris (user link) says:

    End To End Encryption In Twitter

    Most of the users don’t need twitter to manage their Twitter account private keys. You should have full control of your private keys, so cyou can use it in your ways. If any Company like twiter has access to your account private keys then your account is even in not your control completely. Telegram is one example of site where you have complete privacy. You can read https://sociofyy.com/telegram-groups-link/ for more information about how your telegram account works.

    Add Your Comment

    Your email address will not be published. Required fields are marked *

    Have a Techdirt Account? Sign in now. Want one? Register here

    Comment Options:

    Make this the or (get credits or sign in to see balance) what's this?

    What's this?

    Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

    Follow Techdirt

    Techdirt Daily Newsletter

    Techdirt Deals
    Techdirt Insider Discord
    The latest chatter on the Techdirt Insider Discord channel...