
Who’s behind Wednesday’s epic Twitter hack? - MindGods
https://krebsonsecurity.com/2020/07/whos-behind-wednesdays-epic-twitter-hack/
======
blisseyGo
I think people are still severely under-estimating how dangerous this was.

Back in 2013 when The Associated Press was hacked with a tweet of "Breaking:
Two Explosions in the White House and Barack Obama is injured" and erased $136
billion in equity market value:

Archive: [http://archive.is/8lCMV](http://archive.is/8lCMV)

[https://www.washingtonpost.com/news/worldviews/wp/2013/04/23...](https://www.washingtonpost.com/news/worldviews/wp/2013/04/23/syrian-hackers-claim-ap-hack-that-tipped-stock-market-by-136-billion-is-it-terrorism/)

This Twitter hack could have literally destroyed economies, started a war,
created the potential for blackmailing politicians and others, etc.

This really needs to be looked at with much bigger eyes. This wasn't just a
bitcoin scam.

~~~
dmitryminkovsky
People keep saying it could have started a war. Excuse me for being naive but
come on—really? This is total sensationalism. What party wouldn’t verify
something on twitter through diplomatic channels before going to war?

Equity destruction: sure. War: no way.

~~~
lifeformed
Here's how I think it could be done:

Get Trump's account, and tweet something like, "I've ordered a NUCLEAR STRIKE
on China! The missiles are already in the air. The DEEP STATE is trying to
take me out. They will try to silence me and delete these tweets and use deep
fakes to say this was a hoax! The storm is here, Q is real, it's time to take
up arms and kill democrats."

Then continue tweeting escalating things over the next half hour (since
apparently the hackers couldn't be stopped for a while).

~~~
mirimir
That already happened, back in 1984. President Reagan was joking during a
sound check, and said the following:

> My fellow Americans, I'm pleased to tell you today that I've signed
> legislation that will outlaw Russia forever. We begin bombing in five
> minutes.

~~~
DonHopkins
[https://en.wikipedia.org/wiki/We_begin_bombing_in_five_minut...](https://en.wikipedia.org/wiki/We_begin_bombing_in_five_minutes)

>Reactions

>Soviet

>By August 14, the recording of Reagan's joke had become world news. On August
15, someone who the National Security Agency described to US Representative
Michael D. Barnes as "a wayward operator in the Soviet Far Eastern command"
sent a coded message from Vladivostok that said, in part, "We now embark on
military action against the U.S. forces." Japanese and US intelligence decoded
the message and raised the alert state in that part of the world; Soviet naval
vessels in the North Pacific, on the other hand, contacted Vladivostok in
confusion. The US never saw any evidence of Soviet attack preparations, and
the alert status as promulgated by Vladivostok was canceled within 30
minutes.[3]

>Initially, on August 13, the deputy minister of Soviet foreign affairs
(Valentin Kamenev) told reporters, "I have nothing to say."[5] By the next
day, though, President Reagan's leaked comments were denounced by the Soviet
government, Pravda, Izvestia, and TASS as "unprecedentedly hostile," as
evidence of the United States' insincerity at trying to improve Soviet
Union–United States relations, and as abuse of the office of the president.
"Western diplomats" described the Soviet response as over-the-top, suggesting
it was an effort to give themselves more collateral at the negotiating table
with the US.[7] US officials were compelled to mollify the Soviet Union and
assure the United States' Cold War adversary that "Reagan’s offhand remark did
not reflect White House policies or U.S. military intentions."[8]

[http://www.msnbc.com/transcripts/rachel-maddow-show/2016-12-...](http://www.msnbc.com/transcripts/rachel-maddow-show/2016-12-22)

[https://www.theguardian.com/world/2014/aug/14/ronald-reagan-...](https://www.theguardian.com/world/2014/aug/14/ronald-reagan-bombing-russia-joke-archive-1984)

[https://www.politico.com/story/2010/08/reagan-jokes-about-bo...](https://www.politico.com/story/2010/08/reagan-jokes-about-bombing-russia-august-11-1984-040921)

Audio and news coverage:

[https://www.youtube.com/watch?v=CFCABnWlN8E](https://www.youtube.com/watch?v=CFCABnWlN8E)

Bonzo Goes To Washington - B-B-B Bombing In 5 Minutes (Jerry Harrison, Bootsy
Collins)

[https://www.youtube.com/watch?v=0k4TNtUZnM4](https://www.youtube.com/watch?v=0k4TNtUZnM4)

[https://en.wikipedia.org/wiki/Five_Minutes_(Bonzo_Goes_to_Wa...](https://en.wikipedia.org/wiki/Five_Minutes_\(Bonzo_Goes_to_Washington_song\))

------
TechBro8615
This is the most important point:

> Also, it seems clear that this Twitter hack could have let the attackers
> view the direct messages of anyone on Twitter, information that is difficult
> to put a price on but which nevertheless would be of great interest to a
> variety of parties, from nation states to corporate spies and blackmailers.

My understanding is the hackers used the admin panel to change the email
addresses of the accounts, which means they could reset passwords and perform
full account takeover [what about 2fa?]. That means they could log in as the
user, and so it means they could read the user's direct messages. (Ironically,
Twitter's solution of disabling posts from blue checkmarks would not have
stopped exfiltration of direct messages while an account was compromised.)

~~~
paulpauper
>> Also, it seems clear that this Twitter hack could have let the attackers
view the direct messages of anyone on Twitter, information that is difficult
to put a price on but which nevertheless would be of great interest to a
variety of parties, from nation states to corporate spies and blackmailers.

It is not as much money as pundits probably think it is worth. And also,
trying to negotiate a blackmail is time consuming and opens the risk of being
caught, especially if it is a high-profile target, with no guarantee of being
paid. Do you really think someone like Elon Musk will pay a bitcoin ransom,
assuming there is anything incriminating? Paying off a blackmailer is an
admission of guilt and does no good if the info is released anyway.

It also depends on how sophisticated the thief was. Did he have everything
automated to dump anything and everything from the inboxes while automating
the posting of the spam tweets, or was he frantically doing all his postings
by hand before Twitter could shut it down? If the thief is not sophisticated,
his main priority would probably be making as much money as possible with the
posts and ignoring the private messages.

~~~
the_duke
> Do you really think someone like elon musk will pay a bitcoin ransom

A somewhat odd blog post by Jeff Bezos about blackmail from last year is quite
interesting in this context. [1]

[1] [https://medium.com/@jeffreypbezos/no-thank-you-mr-pecker-146...](https://medium.com/@jeffreypbezos/no-thank-you-mr-pecker-146e3922310f)

~~~
belval
They grossly overestimated their leverage in that story though.

Anything illegal might've been actually good for blackmail purposes, but dick
pics? As if someone would actually look for that or even take a business
decision based on that.

~~~
woko
Dick pics are what led a candidate in the Paris mayoral election to resign
this year. It is a powerful item against some people.

~~~
mlindner
Indeed, it's a powerful weapon against anyone who depends on general public
popularity for their power (for example many/most elected officials). This is
in fact one of the things that is highly investigated for getting TS/SCI US
government clearance. They don't want to employ anyone who possibly has dirt
against them in the open.

------
twodave
I'm sure it's been said before, but I just continue to be surprised that the
admin panel used to carry out this attack wasn't locked behind a VPN.

I've worked for multiple fully-remote companies that were easily able to
protect tools like this from the outside world.

The company I currently work for (fully remote) has tons of internal services
that our engineers (who we trust) can access as needed in order to debug
problems and help our clients. None of it is accessible from the Internet.

~~~
xyst
Internal networks only accessible via VPN are considered an anti-pattern now
in terms of security. It puts authorization firmly on the VPN. If the account
with VPN access is compromised, then the attacker has full access to these
sensitive systems.

This hack probably underscores the importance of zero trust. Although if the
system is compromised from within (like this hack is) then there is not much
you can do.

~~~
ReganLaitila
I would be curious as to who is citing that using a VPN is some
"anti-pattern", to what? Not protecting your network-accessible assets?

If you have the means, certainly use a corporate/SMB/personal VPN. It is one
layer in a multitude of layers you should be using to protect your network.

It's not as if once you achieve VPN access you have no other authz gates to
internal applications. It's a "great filter" to help narrow the possible
avenues of attack, and it works. If your inner layer of authz fails it's not
the VPN's fault.

What's your alternative? Just make every application and network endpoint
publicly accessible on the internet?

~~~
greggman3
[https://www.beyondcorp.com/](https://www.beyondcorp.com/)

Yes, basically you should consider all networks untrusted including your
internal network. You can still have a VPN but it shouldn't be the thing that
protects the services inside your corp net because if it is then any breach
means the intruder gets access to all your stuff.

~~~
peterlk
This thread is a bit confusing to me. Have we moved past layered security for
some reason?

The purpose of a VPN was never supposed to be the authentication layer to
internal services. It's just a layer of security that makes it more difficult
to carry out some types of attacks; thus increasing security defenses of an
organization. Assuming that it has been breached is good practice, but doesn't
mean that there's no point to it.... Unless layered security has been
overturned?

~~~
judge2020
The issue is that, for any company without thousands of employees (heck,
probably even some of these are guilty), the VPN is often the only barrier to
the entire network. The BeyondCorp model makes you explicitly specify "John
can access support.corp.com but not admin.corp.com", while setting up these
explicit checks is the exception for VPN-based access, not the norm (and
sometimes it isn't even done right - eg. relying on DNS filtering).
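The per-application model the comment describes ("John can access support.corp.com but not admin.corp.com"), as an added example that is not code from the thread or from Google's BeyondCorp. Network location is deliberately not an input; the decision is made per request from user group, second factor and device posture, and the policy table, users and devices are constructed sample data.

```python
"""Per-application access decisions instead of a single VPN gate.

Added example: each request names the user, their groups, the device it came
from and the target application; a policy table (constructed here) decides
per application. There is no "is on the corporate network" input at all, so a
compromised VPN account alone never grants access to anything.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    serial: str
    managed: bool         # enrolled in corporate device management
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset     # directory groups the user belongs to
    device: Device
    app: str              # hostname of the internal application
    mfa_verified: bool    # this session completed a second factor


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset
    require_managed_device: bool = True
    require_mfa: bool = True


# Constructed policy table: the explicit mapping from the comment, written
# down per application rather than implied by network reachability.
POLICY = {
    "support.corp.com": AppPolicy(allowed_groups=frozenset({"support", "admins"})),
    "admin.corp.com": AppPolicy(allowed_groups=frozenset({"admins"})),
    "wiki.corp.com": AppPolicy(allowed_groups=frozenset({"staff"}),
                               require_managed_device=False,
                               require_mfa=False),
}


def device_healthy(d: Device) -> bool:
    """Minimal posture check. A real access proxy would consult an attested
    inventory record rather than fields supplied by the client."""
    return d.managed and d.disk_encrypted and d.os_patched


def decide(req: Request, policy=POLICY) -> tuple:
    """Return (allowed, reason). Default deny: an application with no policy
    entry is unreachable, so a new internal service never opens up silently."""
    app_policy = policy.get(req.app)
    if app_policy is None:
        return False, "no policy for application"
    if not req.groups & app_policy.allowed_groups:
        return False, "user not in an allowed group"
    if app_policy.require_mfa and not req.mfa_verified:
        return False, "mfa required"
    if app_policy.require_managed_device and not device_healthy(req.device):
        return False, "device posture insufficient"
    return True, "allowed"
```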

~~~
trabant00
> The issue is that, for any company without thousands of employees (heck,
> probably even some of these are guilty), the VPN is often the only barrier
> to the entire network.

Sorry, but what? I've worked in multiple small companies where we were fewer
than 5 system administrators and inside the VPN we had encrypted traffic and
LDAP auth on everything. It's a few days' job for a single person to set
everything up this way with open source tools that are extremely well known
and documented.

~~~
totony
Yeah, same. I have even seen 1-sysadmin small businesses have multilayer
security.

------
roadbeats
Social media was praised so much for its contribution to conflicts outside the
western world, like the Middle East and North Africa. In the beginning of the
Syrian civil war, for example, Twitter was the place where propaganda was
streamed and extremists from all over the world would leave their homes to
join other extremists beheading people somewhere.

Now, we see the potential of social media to be a tool for coordinated attacks
against the western world. Just imagine this attack during the protests last
month, in the same narrative that started civil wars in other parts of the
world. When tens of people start shooting and killing each other, nobody would
discuss what triggered the chain of events.

This is a simple test that reveals how fragile society is in contrast to how
much attention it pays to Twitter. Worse, the value we get from social media
is also unclear. Low quality, unreliable bits of information turned millions
into pigeons jumping from here to there, and those who own the seeds can
control the mass.

~~~
creato
The less conspiratorial take on this is that social media simply exacerbates
and foments conflict, period. Maybe some of these involved significant
coordinated propaganda efforts, but I doubt they all did. The mistake the
western world made was thinking that this social media generated conflict was
a result of some coherent "positive" motivation, when perhaps it was simply
blind social media outrage that coincided with revolutions in places we
thought were bad somehow.

It exacerbated it first in the middle east, maybe because those societies were
close to conflict to start with, but the western world doesn't seem _that_ far
behind.

~~~
roadbeats
I don't get how you see conspiracy in my comment. Was I claiming that social
media is an actor in conflicts?

------
christoph
I don’t really think he should be naming who his unnamed sources “think” is
behind an attack on this scale, especially with full name, city of origin,
Instagram, suggested current location, age, etc. It feels a very, very small
step away from doxxing to me.

Added to which he has somebody in the comments essentially calling for the
death penalty over this. If he has this personal information and evidence,
pass it to the relevant authorities and don’t sensationalise it on a blog.
Technical details fine, but people’s personal information feels like it’s
crossing a line on something like this.

~~~
malwarebytess
It's doxxing. My question is why is that a bad thing in this case?

Zero tolerance policies don't make any sense to me.

~~~
scubbo
On the off-chance that you're serious - doxxing someone who is _suspected_ to
be linked to a crime is staggeringly irresponsible, because you are then
effectively convicting them in the court of public opinion. If they are
innocent, but you have not only levelled accusations at them, but provided
ways to access them, then you are partially responsible for what others choose
to do with that information.

~~~
nuclearnice1
Isn’t most crime journalism the same?

Three examples from the front page of the NY post right now.

I am having a hard time figuring out how to distinguish this and the OP's
doxxing. The organization's fact-checking process? Solidness of the evidence?

> Allegations were made against longtime radio broadcaster Larry Michael
> (retired Wednesday), director of pro personnel Alex Santos (fired last
> week), assistant director of pro personnel Richard Mann II (fired last
> week), former COO Mitch Gershman (left in 2015) and former president of
> business operations Dennis Greene (left in 2018).

> Chanice Reyes, 24, was busted around 5 a.m. Thursday, sources said, when
> cops investigated a strong smell of marijuana coming from a car near City
> Hall, where anti-police activists have been gathering in recent weeks.

> Tory Lanez, whose real name is Daystar Peterson, was the person who
> allegedly shot Megan Thee Stallion following a dispute inside his vehicle
> Sunday morning, Page Six has learned.

~~~
jacquesm
It is in the United States. In other countries, until conviction only initials
are used. This is to avoid ruining people's lives (or even endangering them)
in case an allegation turns out not to be true.

~~~
Ekaros
We don't even do initials here for regular people. Usually it's some vague age
and gender. Maybe ethnicity if relevant.

------
paulpauper
The amount taken in this scam is chump change compared to the YouTube scammers.
YouTube is a vastly bigger website than Twitter and way slower to respond to
accounts being stolen by scammers. I remember seeing a Ripple giveaway scam
that in a single day made 100k with just a single account, and a fake Bill
Gates one made 40k. The list goes on and on. My guess is the total taken is in
the $3-5 million range from YouTube alone.

~~~
crtasm
And you don't even need to steal an account. When the PlayStation 5 launch
event was happening I searched for it on YouTube, clicked the top result, and
it turned out to be a scammer restreaming the real live event with graphics
added saying Sony would double your BTC - just send to this address ___.

~~~
paulpauper
That may have been an ad. Scammers are buying YouTube ads too.

~~~
d1str0
I've seen what this previous poster has talked about. They overlay graphics on
the actual video stream promoting BTC payments. Happened with a NASA stream
right after the first SpaceX manned mission.

~~~
cgy1
Me too. YouTube even put it in my recommended section.

------
stopshills
Funny that Krebs refers to Lucky225 as a longtime friend of Adrian Lamo.

I thought it was very well-known that Lucky225 made that story up as a cover
to hide the fact that he gained control of Adrian Lamo’s @6 Twitter via a SIM
swap hack himself, and also took control of Lamo’s Facebook in order to hijack
ownership of the 2600 Magazine group on Facebook.

~~~
ani-ani
Interesting. I looked for evidence supporting your claim and found this:
[https://github.com/keybase/keybase-issues/issues/3442](https://github.com/keybase/keybase-issues/issues/3442)

It's a very awkward thread where Lucky225 accidentally demonstrates that he
has indeed taken over Adrian Lamo's email account. Note this doesn't say
anything about whether they were or weren't friends. They definitely had
overlapping interests.

~~~
murat124
Lamo died in '18, comment is from '19.

~~~
Thorrez
Sure. Does that indicate whether the account was taken over maliciously or
sincerely?

------
lyx0
The thing I'm most concerned about is that if Brian Krebs is right and they
had access to their DMs, then the very obvious crypto scam they ran was just
a facade, some kind of distraction because they knew they would have been
noticed, but the true goal was the DMs.

Imagine a celebrity saying some 'not so politically correct' things to a
friend in private 8 years ago, and now imagine this becoming public while the
Twitter cancel culture is in full force. There's a lot of money and power in
having that information.

I don't want to argue about what's wrong or not, I just want to point out what
I find really concerning about the hack.

~~~
donkeyd
Why are you so concerned about some celebs being called out on stuff they
said? To me, the most concerning is innocent people having lost money to a
scammer, not some celebrity's public image being hurt by something they
actually wrote.

~~~
chki
I think the point was that a malicious actor might have power (via blackmail)
over a famous/powerful person.

------
strikelaserclaw
Man, who falls for this stuff? I've been seeing the "send me money to this
account to get double that" scam for like 20 years; it's hard to believe there
are people who still don't know better.

~~~
chrisseaton
I too don't understand who's technical enough to know what Bitcoin is but not
technical enough to understand the scam.

I think some people are possibly just sending the scammers some money for the
banter? A sign of respect for the hack.

~~~
txcwpalpha
Bitcoin isn't just for "technical" people anymore. The 2017 craze caused a
_ton_ of non-techies to hear about Bitcoin and get involved. It was front page
CNN a decent amount. Coinbase made it their mission to make Bitcoin as
accessible as just downloading an app and giving it your credit card info, and
IIRC at one point Coinbase was the most downloaded app on the App Store.

There's an argument to be made that the only reason Bitcoin became popular the
last few years is _because_ of the amount of non-techies who have been falling
for all the same, tired "join my ICO and get rich!" scams.

------
PiggySpeed
Imagine combining this with a deepfake video.

------
gwittel
It will be interesting to see how the access was gained. I wonder how well
this administrative system was protected. Did they have basic controls like:

1) Accessible via corporate VPN only (requiring 2fa)

2) Admin panel protected by 2fa plus necessary authentication+authorization
controls

3) Audit trails

Short of cooperative access (device handover), I could only see an outsider
gaining access to the system due to poor security practices or a remote access
trojan getting installed. Though more likely, Twitter lacked these basic
controls.

Verified accounts could probably be subject to 2nd person controls so IF
someone were to modify an account via admin panel, then a 2nd support person
(preferably in a different location), would have to vet the change.

~~~
kerng
Many startups and hip companies don't do VPNs anymore - unfortunately they
also don't do Zero Trust (which would require machine certs for everything and
be enforced) - so stuff is often available over the Internet with password
auth + maybe MFA. An attacker who gets hold of a cookie or bearer token wins.

And the best part: support personnel often don't have MFA, because it's
outsourced to countries where smartphones with authenticator apps are not as
common for the regular person to own. I'm not joking.

~~~
texasbigdata
Really stupid question. A key employee leaves with their personal 2FA. Is
there a standardized corporate solution for this yet? Sorry if that's weirdly
worded.

~~~
hnzix
There are various vendor products that support automated deprovisioning when
an employee is terminated in the master HR system. You're 1000x more likely to
see them in a corporate setting than a startup.

~~~
donkeyd
My previous startup had a bit of both. My access to things like mail and
Atlassian stuff was automatically revoked, while I could still access the
production database months later.

------
hexa00
Isn't it strange, all the work we put into securing networks etc., while we're
engineers working from home and all it would take is someone figuring out
where I live via LinkedIn or whatnot, and all this goes away with my physical
security being pretty much non-existent.

~~~
Thorrez
Sure, but the vast majority of computer-focused attackers are unwilling to
show up in person. They want to operate from behind a computer. So you're not
at risk of a physical attack from them unless they hire someone to conduct the
physical attack. But they tend to be bad at hiring physical attackers; see how
DPR hired hitmen but they turned out to be scammers.

If you're facing a government though, you do need to be wary of physical
attacks.

------
iJohnDoe
Ultimately it doesn’t matter what really happened.

The most important aspect to the American people is that the largest real
estate holder in San Francisco, which employs roughly 5,000 people, can't
figure out how to secure their platform. Which means they are a joke of a
company.

Similar to Google, which can't figure out how to provide customer service when
they employ roughly 119,000 employees. Yes, that's hundreds of thousands of
employees and they haven't figured out how to provide support when their
"bots", which are really their outsourced India techs, cancel their corporate
customer accounts on a whim.

Again, this is Google, that distributes malware on their Google Store for
months and years at a time.

Seriously, the ridiculous interview bullshit we've all heard about regarding
Google, and not one smart person ever recommended taking some of Google's
billions and offering customer service or figuring out how not to distribute
malware through their official store.

We shouldn't forget that Google engineers who have access to everyone's email
have also been caught, and it's only a matter of time before Google gets hacked
in the same ways Twitter has.

Anyways, Twitter is a cesspool.

Google is also a cesspool that can’t even get search right these days.

It's a shame that America has these jokes of companies on its soil.

There is a healthy contingent of Google and Twitter employees on HN, so I
expect the downvotes. However, I know there are a ton of people out there
that share my message.

------
jugg1es
Adrian Lamo's Facebook account broadcast a new post as if it was Lamo
himself a week before this Twitter hack (he's dead!). Is that related?

[https://www.facebook.com/felon/posts/3429161987103431](https://www.facebook.com/felon/posts/3429161987103431)

------
eternalban
"within Twitter’s admin tools, apparently you can update the email address of
any Twitter user, and it does this without sending any kind of notification to
the user."

How is this acceptable? That's practically (thus effectively) identity theft.
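The two controls this thread asks for, gwittel's second-person vetting of admin changes to verified accounts and a notification to the account holder when an email address is changed, as an added example that is not Twitter's code. It is an in-memory admin panel with an append-only audit trail; the accounts, agents and site names are constructed sample values, and the approver-at-a-different-site rule is the assumption taken from that comment.

```python
"""Dual control, audit trail and owner notification for admin-panel changes.

Added example, not code from the article or from Twitter. An email change on a
verified account is held as a pending request until a second support agent,
not the requester and not at the requester's site, approves it. Every step is
appended to an audit list, and the previous address is notified on apply, so a
single compromised or bribed support desk cannot silently take over an account.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    handle: str
    email: str
    verified: bool


@dataclass(frozen=True)
class Agent:
    name: str
    site: str                 # office/location, used for the separation rule


@dataclass
class PendingChange:
    account: str
    new_email: str
    requested_by: Agent
    approved_by: Optional[Agent] = None


class AdminPanel:
    def __init__(self, accounts):
        self.accounts = {a.handle: a for a in accounts}
        self.pending = {}         # handle -> PendingChange awaiting approval
        self.audit = []           # append-only list of event dicts
        self.notifications = []   # (recipient, message) the panel would send

    def _log(self, event, agent, handle, **extra):
        self.audit.append({"event": event, "agent": agent.name,
                           "site": agent.site, "account": handle, **extra})

    def request_email_change(self, agent, handle, new_email):
        """Unverified accounts change immediately; verified ones are held
        until a second agent approves (the 2nd-person control)."""
        acct = self.accounts[handle]
        self._log("email_change_requested", agent, handle,
                  old=acct.email, new=new_email)
        if not acct.verified:
            return self._apply(agent, handle, new_email)
        self.pending[handle] = PendingChange(handle, new_email, agent)
        return "pending"

    def approve_email_change(self, approver, handle):
        change = self.pending.get(handle)
        if change is None:
            return "nothing pending"
        # Separation of duties: the requester cannot approve their own change,
        # and the approver must sit at a different site (assumed rule).
        if (approver.name == change.requested_by.name
                or approver.site == change.requested_by.site):
            self._log("email_change_approval_rejected", approver, handle,
                      reason="same agent or same site as requester")
            return "rejected"
        change.approved_by = approver
        del self.pending[handle]
        return self._apply(approver, handle, change.new_email)

    def _apply(self, agent, handle, new_email):
        acct = self.accounts[handle]
        old = acct.email
        acct.email = new_email
        self._log("email_changed", agent, handle, old=old, new=new_email)
        # Tell the previous address, so the real owner can react to a change
        # they did not make.
        self.notifications.append(
            (old, f"The email on @{handle} was changed to {new_email}"))
        return "applied"
```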

------
spir
Is it generally known that this hack was live for at least a few days, not
just Wednesday?

I personally saw one of the official @elonmusk scam tweets earlier this week.

~~~
GaryNumanVevo
I've been seeing similar scams in Elon's replies; they just copy his profile
picture and name and reply with a different account. You might have seen that
one.

~~~
spir
I am used to spotting cryptocurrency scams. The tweet I saw was from his
official account, days before the "Wednesday hack".

~~~
jhardy54
I don't think that's been reported anywhere, could you link to an archive or
something?

~~~
spir
I couldn't find any screenshots, archive.org link, or browser history for the
tweet I saw. So, unfortunately I have no evidence that the scam tweets started
before Wednesday. We'll see what Twitter finds.

~~~
jacquesm
Twitter is not incentivized to find anything and make it public if that makes
matters look even worse than they already are.

------
danso
> _“This is NOT a method, you will be given a full refund if for any reason
> you aren’t given the email /@, however if it is revered/suspended I will not
> be held accountable,” Chaewon wrote in their sales thread, which was titled
> “Pulling email for any Twitter/Taking Requests.”_

If access were being sold via message board, I wonder if the thread contains
stipulations on which accounts are off-limits for being hacked. My theory to
why we didn't see any active government officials accounts get pranked is
because the hackers, no matter how confident they were about covering their
tracks, still might have worried that such a breach would almost guarantee
FBI/NSA-level involvement.

~~~
paulpauper
It is possible Trump's account had a special measure in place to override the
email reset to make it hack-proof.

~~~
danso
What about Reps. Nancy Pelosi or AOC, both of whom are extremely visible and
active politicians, and who draw similar kinds of ire as Obama/Biden?

~~~
WrtCdEvrydy
They're active in the Politics game...

~~~
danso
So are Kanye West and Taylor Swift, who, like Obama, can do things like work
full time as a registered lobbyist, and not have to publicly disclose
financial investments or otherwise ever publicly respond to the public, and
many other things that regular citizens are allowed to do.

------
sillysaurusx
_While it may sound ridiculous that anyone would be fooled into sending
bitcoin in response to these tweets, an analysis of the BTC wallet promoted by
many of the hacked Twitter profiles shows that on July 15 the account
processed 383 transactions and received almost 13 bitcoin on July 15 — or
approximately USD $117,000._

This could be mostly the attackers’ own money. It’s impossible to tell, but I
haven’t seen anyone explicitly mention this.

~~~
chmod775
You'd have to be a special kind of stupid to "un-wash" your own bitcoins this
way.

~~~
sillysaurusx
Possibly. The only reason this would be stupid is because Bitcoin has rapidly
been centralizing. I suspect many exchanges might start blacklisting any
wallet that has any transactions from this wallet.

On the other hand, they can’t really do that. At that point the attackers
would be able to poison any wallet just by sending a small amount of BTC to
it. Therefore it seems like the only penalty is that they’d have to re-wash
their coins.

~~~
whoopdedo
Random, totally not thought all the way through, idea. Could a decentralized
nullifier be put in the blockchain? Allow the consensus algorithm to "vote"
for when an address should be marked as invalid and miners would reject
transactions with it. It would work by someone submitting an "anti-coin"
transaction and wagering their own coin. Miners would provide PoW to confirm
the transaction but instead of the miners collecting a reward they pay a
fraction of the initial wager. Once enough blocks with a confirmation of the
anti-coin are mined to pay back the wager it's accepted as permanent. Now the
only way to use that address would be to fork the blockchain. On the other
hand, if the anti-coin is not accepted the submitter loses their wager, so it
becomes expensive to attempt to destroy coins without cause.

But I don't know nearly enough crypto to even guess at whether or not this is
a really stupid idea. Don't torch me for being foolish.

~~~
Taek
You can do this on a technical level but on a practical one it creates
pathways for abuse which defeat much of the purpose of using crypto in the
first place.

And attackers like the one in the Twitter attack would just choose to use
cryptocurrencies where this isn't possible.

------
paxys
It's bizarre to me that someone pulled off an account takeover of this
magnitude and the end result was random people being scammed out of ~$100K in
Bitcoin (that too allegedly). A single well-crafted Tweet from one of these
accounts is probably worth more. Heck Twitter would have paid that much or
more just in bug bounties for reporting this.

~~~
Tempest1981
see this, from earlier:

[https://news.ycombinator.com/item?id=23860584](https://news.ycombinator.com/item?id=23860584)

"No, you couldn't have made more money than the Twitter hacker"
[https://fortenf.org/e/security/2020/07/15/twitter-hack.html](https://fortenf.org/e/security/2020/07/15/twitter-hack.html)

~~~
paxys
I don't buy the stock market argument. People open short positions worth more
than $100K every day, especially against companies like Tesla. There would be
nothing suspicious about a few such trades.

But really, my point is that pulling off a sophisticated exploit involving
major celebrities, politicians and CEOs, social engineering/bribery, internal
access at a top company etc. doesn't really seem worth the risk if at the end
it nets you $100K.

~~~
herpderperator
> People open short positions worth more than $100K every day

Yes, but you'd need to open one worth $1m to make $100k on a 10% move. $1m is
still not "much" in the grand scheme of things, but it's still significant.

~~~
shwoopdiwoop
Not with put options, no. You can make 1000% return on these, especially when
you control the exact moment the tweets will be published.

------
stormdennis
I don't care about Twitter but what makes this sort of hack impossible at,
say, Gmail or my bank?

------
wereHamster
Why don't companies adopt WebAuthn already?
[https://en.wikipedia.org/wiki/WebAuthn](https://en.wikipedia.org/wiki/WebAuthn)

No 2FA, just a pure and simple hardware token that's cheap and easily accessible.

------
haecceity
I keep saying phone numbers for 2FA are dumb but the entire industry thinks
this is a good idea for some reason. The problem here is that it's not even
used as 2FA, it's just one factor and these services think it's sufficient to
prove identity.

~~~
pronlover723
Phone numbers for almost anything are dumb.

Discord wants my phone number for forums about sexual topics that could get me
killed if I was in certain countries. Obviously I don't want to give them
something which actually identifies me.

------
interator7
Why would the hackers gain this level of access, and do something that nets
them so little money (relative to the amount they could have gained), when
they can't even spend it without having law enforcement outside their door?

~~~
jordansmith
You are assuming the kids doing this don't think just getting 100k is a lot of
money. They most likely originally got the backdoor solely to get original
usernames and someone had the idea "we could phish bitcoin with this". I doubt
they went into it with a big plan.

------
ransom1538
Twitter:

    function adminPanelShow()
    {
       if ( !isInOurVPN() )
          throw logSecurityBreach();

       if ( !isLoggedIn() )
          throw logSecurityBreach();

       slackSecurityChannel("AdminPanel Access: " + userName);

       ...
    }

~~~
galacticaactual
Do you know how account takeovers work?

~~~
ransom1538
You work in security. Sad.

------
marceloabsousa
The hack was epic and strange. But also epic and strange is how Twitter stock
value hasn't taken a prolonged hit. Is there really so much trust on Twitter
that this was an isolated incident?

------
rdiddly
Very tangential: That's a surprisingly childlike & adorable UI design for a
security admin dashboard!

~~~
zdwolfe
Doesn't really surprise me much. Internal tools get 0.00001% of the UI design
effort that production tools do. It looks like an old version of Bootstrap
too.

------
eunos
Imagine if some verified accounts really opened a BTC giveaway with the same
format. Just for giggles.

------
mro_name
Post on your own server, syndicate elsewhere?

Nobody has mentioned indieweb.org/POSSE yet as a way to mitigate such?

~~~
yosito
POSSE is a great model. One of the problems is that there is no platform that
reduces the friction of implementation. I have the technical ability to
implement this myself on my own website, but I don't have the free time to set
it all up and maintain all of the integrations with various platforms. And
syndication is the creation side of the problem, but on the consumption side
there's the issue of aggregating your friends' posts on other platforms into
one place so you can keep up with everyone without remembering to check
several different websites. That's arguably the more challenging part of
making this model work at scale, and social networks actively prevent this by
blocking API access and making it difficult to programmatically access data
within their platforms. I can't even subscribe to 2/3 of my content sources
via RSS anymore.

------
teknopurge
It's not a hack when an employee holds the door open and gives use of an admin
management tool to a third party.

Likewise, it's not a bitcoin scam when bitcoin is the method of transfer, just
like it's not a US-dollar scam every other time dollars are used in theft.

~~~
barbecue_sauce
Is bribery not considered a viable form of social engineering?

~~~
bpfrh
I would argue that it is not.

Social engineering is when your target is unaware that what he does is wrong
or will do damage.

------
electro_blah
"or attempting to start a war by issuing false, inflammatory tweets from world
leaders." LMFAO

------
Fjolsvith
My personal theory on this is that it was an attack to stop Trump's incessant
tweeting to America. Inside access, leaving his account untouched, then all
the screaming about how bad it could have been so we should never use _direct,
un-channeled, unfiltered_ communication by state leaders on social media.

------
known
I think it's due to Work From Home.

------
Dahoon
Krebs should get someone half as good at HTML and CSS as he is in security to
update his awful site. Doesn't even work in Firefox reader.

~~~
madeofpalk
Maybe Firefox should get someone half as good as Chrome developers, because
the reader mode works on his site fine there.

~~~
bishalb
As much as folks here on HN extol Firefox, it just feels somewhat sluggish and
buggy compared to Chrome. I try to use Firefox Developer edition sometimes but
just can't because primarily it feels tangibly slower than Chrome.

