Twitter Security

Romana

The Timeless Child
Joined
Sep 21, 2018
Messages
5,097
SL Rez
2010
I saw a tweet that the hackers had already collected something like $100K? How can people be that gullible? Like any of those famous people would use Bitcoin for their philanthropy? And require money be sent to them first? Maybe Elon Musk, because he's just so weird anyway. But anyone else?
Really, WTF?
 

Noodles

☑️
Joined
Sep 20, 2018
Messages
3,202
Location
Illinois
SL Rez
2006
Joined SLU
04-28-2010
SLU Posts
6947
This is bad for Twitter but also just speaks to how much cryptocurrency is a big fat scam in general. You can't even reverse those transactions to get your money back.
 

Sid

Time for another coffee.
VVO Supporter 🍦🎈👾❤
Joined
Sep 20, 2018
Messages
6,585
I never had a Twitter account, but for now I will even stop clicking on Twitter posts here.
If the company can't guarantee that the tweets come from the real account holder..... nah.

Before you know it, someone is posting bullshit on the 45 account, and no one will ever notice the difference.
 

Free

sapiens gratis
VVO Supporter 🍦🎈👾❤
Joined
Sep 22, 2018
Messages
31,473
Location
Moonbase Caligula
SL Rez
2008
Joined SLU
2009
SLU Posts
55565
A Twitter insider was responsible for a wave of high profile account takeovers on Wednesday, according to leaked screenshots obtained by Motherboard and two sources who took over accounts.

[...]

"We used a rep that literally done all the work for us," one of the sources told Motherboard. The second source added they paid the Twitter insider. Motherboard granted the sources anonymity to speak candidly about a security incident. A Twitter spokesperson told Motherboard that the company is still investigating whether the employee hijacked the accounts themselves or gave hackers access to the tool.

The accounts were taken over using an internal tool at Twitter, according to the sources, as well as screenshots of the tool obtained by Motherboard. One of the screenshots shows the panel and the account of Binance; Binance is one of the accounts that hackers took over today. According to screenshots seen by Motherboard, at least some of the accounts appear to have been compromised by changing the email address associated with them using the tool.
 
  • 1 Wow!
Reactions: Sid
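The post above describes the takeover mechanism: a support rep with access to an internal admin panel changing the recovery email on high-profile accounts. What a security team would want from that tool is an audit log and a detector over it. The following is an added example, not Twitter's code or anything from the Motherboard report: it runs two simple rules over constructed audit-log lines of a hypothetical admin tool (the JSON field names, operator IDs, ticket field and every log line are assumptions invented here). Rule 1 flags any sensitive action on a protected account that carries no support ticket; rule 2 flags an operator performing a burst of sensitive changes within a short window, the pattern of one insider rewriting several famous accounts in a few minutes.

```python
"""
Detection over a constructed audit log of a hypothetical internal
account-admin tool. Added example only; the log format, field names,
operator IDs and thresholds are assumptions, not Twitter's real tooling.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample log: one JSON object per line (format is an assumption).
# rep-0417 changes the email on three protected accounts and resets 2FA on one,
# all within a few minutes and with no ticket; rep-0212 does one ticketed,
# ordinary change on an unprotected account.
SAMPLE_LOG = """\
{"ts":"2020-07-15T20:01:10Z","operator":"rep-0417","action":"view_profile","target":"@acct_a","protected":true}
{"ts":"2020-07-15T20:02:05Z","operator":"rep-0417","action":"change_email","target":"@acct_a","protected":true,"new_email":"x@example.net"}
{"ts":"2020-07-15T20:03:40Z","operator":"rep-0417","action":"change_email","target":"@acct_b","protected":true,"new_email":"y@example.net"}
{"ts":"2020-07-15T20:04:12Z","operator":"rep-0417","action":"change_email","target":"@acct_c","protected":true,"new_email":"z@example.net"}
{"ts":"2020-07-15T20:05:30Z","operator":"rep-0417","action":"reset_2fa","target":"@acct_c","protected":true}
{"ts":"2020-07-15T20:40:00Z","operator":"rep-0212","action":"change_email","target":"@some_user","protected":false,"new_email":"u@example.org","ticket":"SUP-1001"}
{"ts":"2020-07-15T21:10:00Z","operator":"rep-0212","action":"view_profile","target":"@another","protected":false}
"""

# Actions that move control of an account (assumed action names).
SENSITIVE_ACTIONS = {"change_email", "change_phone", "reset_2fa", "export_archive"}
BURST_WINDOW = timedelta(minutes=10)   # sliding window for rule 2
BURST_THRESHOLD = 3                    # sensitive actions per operator in the window


def parse(log_text):
    """Parse JSON-lines audit log into events sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return a list of (rule, operator, target, timestamp) alerts."""
    alerts = []

    # Rule 1: sensitive action on a protected account with no ticket reference.
    for e in events:
        if e["action"] in SENSITIVE_ACTIONS and e.get("protected") and not e.get("ticket"):
            alerts.append(("protected_account_change", e["operator"], e["target"], e["ts"]))

    # Rule 2: burst of sensitive actions by one operator inside BURST_WINDOW.
    per_operator = defaultdict(list)
    for e in events:
        if e["action"] in SENSITIVE_ACTIONS:
            per_operator[e["operator"]].append(e["ts"])
    for operator, times in per_operator.items():
        start = 0
        for end in range(len(times)):
            # Advance the window start until it fits within BURST_WINDOW.
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                alerts.append(("burst", operator, None, times[end]))
                break  # one burst alert per operator is enough
    return alerts


def summarize(alerts):
    """Count alerts per rule, e.g. {'protected_account_change': 4, 'burst': 1}."""
    counts = defaultdict(int)
    for rule, _, _, _ in alerts:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
    print(summarize(detect(parse(SAMPLE_LOG))))
```

On the constructed log this raises four rule-1 alerts for rep-0417 (three email changes and one 2FA reset on protected accounts, none ticketed) and one burst alert for the same operator; rep-0212's ticketed change on an unprotected account raises nothing. The thresholds are placeholders; in practice the protected flag would come from an allowlist of verified or high-follower accounts and the ticket check would be enforced before the action, not only logged after it.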

Free

The bad news: Twitter has now revealed that the attackers may indeed have downloaded the private direct messages (DMs) of up to 8 individuals while conducting their Bitcoin scam, and were able to see “personal information” including phone numbers and email addresses for every account they targeted.

That’s because Twitter has confirmed that attackers attempted to download the entire “Your Twitter Data” archive for those 8 individuals, which contains DMs among other info.
 
  • 1 Thanks
Reactions: Sid

bubblesort

Well-known member
Joined
Nov 16, 2018
Messages
1,993
I never had a Twitter account, but for now I will even stop clicking on Twitter posts here.
If the company can't guarantee that the tweets come from the real account holder..... nah.

Before you know it, someone is posting bullshit on the 45 account, and no one will ever notice the difference.
If Trump starts tweeting in complete sentences, with good grammar and punctuation, then we know it's not really him. The only way to impersonate Trump tweets would be to feed it through a Russian translator, then an English translator, then a malfunctioning autocorrect.
 
  • 1 LOL
Reactions: Sid

Chalice Yao

The Purple
Joined
Sep 20, 2018
Messages
451
Location
Somewhere Purple, Germany
SL Rez
2007
Joined SLU
Dec 2007
SLU Posts
9108

TL;DR:
It was bored 20-somethings. Oh, and one of them made about 180k in Bitcoin off this by selling accounts.

EDIT:
Oh, I forgot the cream on top here:
Mr. O'Connor said other hackers had informed him that Kirk got access to the Twitter credentials when he found a way into Twitter’s internal Slack messaging channel and saw them posted there, along with a service that gave him access to the company’s servers.
 

Romana

If Trump starts tweeting in complete sentences, with good grammar and punctuation, then we know it's not really him. The only way to impersonate Trump tweets would be to feed it through a Russian translator, then an English translator, then a malfunctioning autocorrect.
What's needed is the opposite of autocorrect-- an autofail, perhaps?
 
  • 1 LOL
  • 1 ROFL
Reactions: bubblesort and Sid

Chalice Yao

Oh God, it gets worse.


More than 1,000(!) Twitter employees have (or had) access to the tools to modify user accounts, including some contractors.
 

Free

Maybe post this in the Florida Man thread?

Early this morning, the FBI, IRS, US Secret Service, and Florida law enforcement placed a 17-year-old in Tampa, Florida, under arrest — accusing him of being the “mastermind” behind the biggest security and privacy breach in Twitter’s history, one that took over the accounts of President Barack Obama, Democratic presidential candidate Joe Biden, Bill Gates, Elon Musk, and more to perpetrate a huge bitcoin scam on July 15th.

The teen is currently in jail, being charged with over 30 felony counts, including organized fraud, communications fraud, identity theft, and hacking, according to Hillsborough State Attorney Andrew Warren in a just-broadcast news conference describing the arrest.

It’s not clear whether the 17-year-old is the only suspect in the case. “I can’t comment on whether he worked alone,” said Warren. He was arrested at his apartment where he lives by himself, authorities stated.
 
  • 1 Thanks
Reactions: Isabeau

Free

Of course it did.

Last Friday, a 17-year-old Florida high school graduate, Graham Ivan Clark, was arrested and charged as the “mastermind” behind the massive bitcoin scam that ensnared the accounts of Barack Obama, Joe Biden, Bill Gates, Jeff Bezos, Apple, and more — after he allegedly posed as a member of Twitter’s IT department and used Twitter’s own admin tools to break into those accounts.

This morning, I woke up early to hear what he — or his lawyer — had to say about that. It was so easy I didn’t even have to get to a desk. The court had publicly revealed last week it’d hold hearings over Zoom, no password required, so I tuned in with my phone from bed.

Apparently, it was too easy. So easy that trolls decided to zoombomb the entire hearing, spewing disgusting noises, piping in distracting music in several different languages, cursing out the court, and eventually hijacking the stream with a PornHub clip, according to cybersecurity reporter Brian Krebs. (I stopped watching after I realized the 17-year-old defendant wasn’t going to show up, and I just listened to the rest with my earbuds.)
 
  • 1 ROFL
  • 1 Facepalm
Reactions: Ashiri and Tirellia

Bartholomew Gallacher

Well-known member
Joined
Sep 26, 2018
Messages
4,940
SL Rez
2002
About two years ago Twitter hired Peiter "Mudge" Zatko as security chief. Before that he was doing stuff for DARPA and Google, and he is a quite high-profile hacker.

So Mudge found many, many issues and security holes the size of the San Andreas fault. First he tried to fix these issues internally. As a consequence he was fired in January this year, because officially Twitter was not satisfied with his performance.

Since he's got nothing to lose now, Mudge became a whistleblower and published his findings on Twitter's internal security, which you can find here:


And oh boy, it's a slaughterfest. And they lied to the Senate, hard. Mudge says, by the way, that he planned to go public with this before Musk announced his intent to buy Twitter.

Twitter has major security problems that pose a threat to its own users' personal information, to company shareholders, to national security, and to democracy, according to an explosive whistleblower disclosure obtained exclusively by CNN and The Washington Post.

The disclosure, sent last month to Congress and federal agencies, paints a picture of a chaotic and reckless environment at a mismanaged company that allows too many of its staff access to the platform's central controls and most sensitive information without adequate oversight. It also alleges that some of the company's senior-most executives have been trying to cover up Twitter's serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service.

The whistleblower, who has agreed to be publicly identified, is Peiter "Mudge" Zatko, who was previously the company's head of security, reporting directly to the CEO. Zatko further alleges that Twitter's leadership has misled its own board and government regulators about its security vulnerabilities, including some that could allegedly open the door to foreign spying or manipulation, hacking and disinformation campaigns. The whistleblower also alleges Twitter does not reliably delete users' data after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do. The whistleblower also says Twitter executives don't have the resources to fully understand the true number of bots on the platform, and were not motivated to. Bots have recently become central to Elon Musk's attempts to back out of a $44 billion deal to buy the company (although Twitter denies Musk's claims).

[...]
Some of Zatko's most damning claims spring from his apparently tense relationship with Parag Agrawal, the company's former chief technology officer who was made CEO after Jack Dorsey stepped down last November. According to the disclosure, Agrawal and his lieutenants repeatedly discouraged Zatko from providing a full accounting of Twitter's security problems to the company's board of directors. The company's executive team allegedly instructed Zatko to provide an oral report of his initial findings on the company's security condition to the board rather than a detailed written account, ordered Zatko to knowingly present cherry-picked and misrepresented data to create the false perception of progress on urgent cybersecurity issues, and went behind Zatko's back to have a third-party consulting firm's report scrubbed to hide the true extent of the company's problems.
[...]
Sen. Chuck Grassley, the same panel's top Republican and an avid Twitter user, also expressed deep concerns about the allegations in a statement to CNN.
"Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure and infuse it with foreign state actors with an agenda, and you've got a recipe for disaster," Grassley said. "The claims I've received from a Twitter whistleblower raise serious national security concerns as well as privacy issues, and they must be investigated further."


Mudge might also be eligible for a monetary reward by the US government.