Holy Hell Were We Lucky That Twitter's Big Breach Was Just A Bunch Of SIM Swapping Kids; Can We Please Encrypt DMs Now?
from the not-great dept
Everyone is still sorting out exactly what happened last week with the big hack of Twitter in which a number of prominent accounts -- including those of Barack Obama, Elon Musk, Jeff Bezos, Apple, and Uber -- all tweeted out a Bitcoin scam, promising to double people's money if they sent Bitcoin to a specific wallet (which appeared to receive a little over $100k). However, from what has been reported so far, it appears we actually got fairly lucky and that it was mainly a bunch of SIM swapping social engineers who historically have focused on getting popular short usernames. If you're not familiar with all of this, the Reply All podcast had a fascinating episode about the scam last year.
Meanwhile, Vice has a post describing how the hackers involved convinced a Twitter employee, who had access to a Twitter control panel, to make changes for them. The guy who controls the (formerly Adrian Lamo's) Twitter account @6, provided some details on how the hack got around two factor authentication controls: within the control panel a new email address was added to the account, and then, from the control panel, the two factor authentication would be disabled. An alert would be emailed out about this -- but to the new email address. Brian Krebs provided some details about who he thought was behind all of this (and the connection to the SIM swapped hack of Jack Dorsey's account from last year). Finally, the NY Times scored an interview with the hackers themselves -- again, showing that it was just a crew of SIM swapping kids, mostly doing this for the lulz (and also suggesting that the person Krebs fingered was only peripherally involved, in that he'd made use of the same access to pick up Lamo's old @6 account, but didn't take part in the Bitcoin scheme).
The interviews indicate that the attack was not the work of a single country like Russia or a sophisticated group of hackers. Instead, it was done by a group of young people — one of whom says he lives at home with his mother — who got to know one another because of their obsession with owning early or unusual screen names, particularly one letter or number, like @y or @6.
The Times verified that the four people were connected to the hack by matching their social media and cryptocurrency accounts to accounts that were involved with the events on Wednesday. They also presented corroborating evidence of their involvement, like the logs from their conversations on Discord, a messaging platform popular with gamers and hackers, and Twitter.
What does become clear is that, from the details revealed so far, this wasn't some grand nefarious scheme. This was a bunch of kids having fun, who happened to get access to a control panel through some means or another.
At the very least, we should be thankful that's all this was. As multiple people I spoke to have said, we should be very, very, very glad that this was basically some kids having a laugh and hoping to make a little money, rather than a nation state wishing to start World War III. And while Twitter has not yet said if Direct Messages were accessed, from everything that's been revealed so far, it's pretty clear that whoever controlled these accounts easily had access to DMs.
And that should raise a bunch of questions.
While the hack was still going on, Senator Josh Hawley dashed off one of his infamous letters to Twitter CEO Jack Dorsey, asking a list of questions. Surprisingly, given Hawley's involvement and the usual inanity of his letters, this one was somewhat on point and asked a bunch of mostly reasonable questions:
Did this event represent a breach of users’ own account security or of Twitter’s systems? Were accounts protected by two-factor authentication successfully targeted in this breach? If so, how was this possible? Did this breach compromise the account security of users whose accounts were not used to share fraudulent posts? If so, how many accounts were affected? Were all accounts’ security compromised by this breach? How many users may have faced data theft as a consequence of this breach? What measures does Twitter undertake to prevent system-level hacks from breaching the security of its entire userbase? Did this attack threaten the security of the president’s own Twitter account?
However, much more important is the key question asked by Senator Ron Wyden: why hasn't Twitter introduced end-to-end encryption for DMs, which would have prevented the ability for hackers to have read DMs under the circumstances described above.
"In September of 2018, shortly before he testified before the Senate Intelligence Committee, I met privately with Twitter's CEO Jack Dorsey. During that conversation, Mr. Dorsey told me the company was working on end-to-end encrypted direct messages. It has been nearly two years since our meeting, and Twitter DMs are still not encrypted, leaving them vulnerable to employees who abuse their internal access to the company's systems, and hackers who gain unauthorized access," Wyden said in a statement.
Of course, given all that, we should note that despite Hawley asking good questions, he's a bit of a hypocrite here, as he has attacked encryption for years, and is a co-sponsor of the EARN IT Act, which will endanger encryption. If Hawley actually wanted Twitter to better protect user privacy in their data, he should be supporting Wyden's push to have the company encrypt more, not less.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: dms, encryption, josh hawley, ron wyden, sim swapping, twitter hack
Companies: twitter
Reader Comments
Subscribe: RSS
View by: Time | Thread
How would end-to-end encryption for DMs help in this circumstance? It sounds like they got full access to the accounts, which would give them access to DMs just like if the original user changed their email address legitimately.
[ link to this | view in chronology ]
Re:
By using public key encryption, and keeping the private key on the users device. That way gaining control of the account does not include the key needed to decrypt DMs. Controlling the account may allow the keys to be changed, but that should raise a warning with anyone who has used the prior key, and does not allow access to any stored messages.
[ link to this | view in chronology ]
Re: Re:
Exactly. Without the key they wouldn't have access to any old messages.
The password and the key are not the same thing.
[ link to this | view in chronology ]
Re: Re: Re:
Sure, until someone does an Amazon and "makes things easier" by managing the crypto keys on the server...
[ link to this | view in chronology ]
Re: Re: Re:
There are a bunch of ways to implement end-to-end encryption for messaging, but ones that have the feature you describe generally also have the feature that if your computer dies, you permanently lose all your past DMs. That's a totally worthwhile trade-off sometimes (e.g., Signal, but see Signal PIN & concerns), but I'm not sure that Twitter DMs are where I want that.
[ link to this | view in chronology ]
Re: Re: Re: Re:
There are a bunch of ways to implement end-to-end encryption for messaging, but ones that have the feature you describe generally also have the feature that if your computer dies, you permanently lose all your past DMs.
Only you haven't stored the keys somewhere else and can enter them separately on the new device.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
In other words, backups.
Somehow, I have a hunch that's not gonna work :)
[ link to this | view in chronology ]
Re: Re: Re:
End to end like this doesn’t really work for non-savvy users who want their DMs on multiple devices and don’t want to lose their history when they forget their password or get a new phone. I’m sure it’s a low priority for Twitter considering how few users would be likely to opt in.
[ link to this | view in chronology ]
Re: Re: Re: Re:
There is nothing to stop a user having multiple copies of their private keys, including on an SD card kept in a safe place. If they cannot do that they do not have control over their private keys.
[ link to this | view in chronology ]
Re: Re: Re:
And when this level of access allows them to register a new device (and generate a new key pair) as easily as a new e-mail it’s still no good.
[ link to this | view in chronology ]
Re: Re: Re: Re:
I’m fxxd up. A new pair won’t unlock the old pair.
[ link to this | view in chronology ]
Re: Re: Re:
This means legitimate users wouldn't have access to old messages on other devices, either, unless Twitter provided a means to copy the private key and Twitter kept copies of the encrypted messages.
[ link to this | view in chronology ]
Re: Re: Re: Re:
You don't need or want twitter to manage your private keys. Ideally you keep them in an encrypted file, which you can copy to other devices. Hint, if you cannot copy your private keys to other devices, including a backup device, you are not in control of your private keys, your device vendor has the control.
[ link to this | view in chronology ]
Re: Re:
Thanks for the reply! That sounds like something nice to be able to opt-in for. Kind of a headache for those who change devices frequently.
[ link to this | view in chronology ]
Re:
Some end-to-end schemes might store messages on a server in encrypted form. The decryption key would then only reside on the user device (smartphone/laptop/desktop/ect.). Someone may be able to hijack the account, and send new messages. But without the key from the original device, the old messages would remain inaccessible.
[ link to this | view in chronology ]
Government's campaign against encryption
is just another front in the broader war on all our rights.
[ link to this | view in chronology ]
Just because kids can hack the database doesn't mean that government agencies would be able to./snidely
Or is this another instance of "but think of the children!"?/snarkly
[ link to this | view in chronology ]
I am not sure I understand the key thing... Telegram for example has end-to-end encryption, but you can connect a new device to the service and get access to the entire history of messages. The old device still receives a PIN for dual-factor authentication, but would that be enough? If you have access on the server side, can you intercept the PIN code?
[ link to this | view in chronology ]
If Twitter could start WWIII then we have come to trust and rely on Twitter far too much.
[ link to this | view in chronology ]
The key is stored on the users phone,
So if a hacker takes over a twitter account or email account , he cannot read the old dms or messages
In this case the hacker use twitter tools to make a new email address attached to each account to replace the verified users original email address.
Maybe twitter does not want to encrypt each dm as it
Is alot of work to do so,
or they are afraid some people might use twitter to carry out illegal acts, like selling drugs or guns.
And if the Earnit act pass, s it might make end to end
encryption illegal for American company's or at least one's that have millions of users.
[ link to this | view in chronology ]
end-to-end encryption and lawful access
Of course all the end-to-end encryption of DMs doesn't help if Twitter have also implemented "lawful access" - you can be pretty sure these hackers would still have access to DMs in that case.
[ link to this | view in chronology ]
end-to-end encryption and lawful access
You don't need or want twitter to manage your private keys. Ideally you keep them in an encrypted file, which you can copy to other devices. Hint, if you cannot copy your private keys to other devices, including a backup device, you are not in control of your private keys, your device vendor has the control.
For android device hack and tips, join our telegram group https://telegroupslink.com/
[ link to this | view in chronology ]