5 Cybersecurity Lessons Learned From The Recent Twitter Hack
On Wednesday, July 15th, 2020, a number of high-profile Twitter accounts were taken over. Accounts of notable people and brands, including Elon Musk, Jeff Bezos and several cryptocurrency exchanges, were taken over and used to tweet a charity scam soliciting bitcoin from the public. Over $120,000 was sent to a bitcoin wallet by unsuspecting people!
Was this a sophisticated advanced persistent threat by a state-sponsored actor? Maybe someone trying to influence the elections?
This was a relatively straightforward social-engineering attack on Twitter employees, specifically those with access to Twitter’s admin panel. It was carried out by opportunistic, casual attackers: teenagers and people in their 20s. For a complete breakdown of the event, see this Medium post by Lucky.
Table of Contents
- Check Your Password Reset Flow
- Admin Employees
- Social Engineering Is Real
- Secure Your Admin Panel
- All Your Secrets Belong To Us
Twitter Hack Cybersecurity Lesson One – Check Your Password Reset Flow
Something I see time and again is the lack of a solid password reset flow. You want your password reset flow to be fully automated. You also do not want customer service reps setting “default” passwords for users and asking them to change them later. Users are likely not going to change their passwords later, and now you have a whole subset of users out there with the same password! Finally, you don’t want any other human knowing the password at all. Period.
Here are my recommendations for all PW reset flows:
All Password Reset Flow
- Notifications are sent to old and new email addresses on file
- Notifications sent to phone numbers on file
- A unique password is automatically generated by the system and sent to the user
- No one knows a user’s password except the user
User Initiated Password Reset Flow
- An email with a temporary token is sent to the email address on file
- The token must expire within 24 hours (less based on your Threat Model)
- If 2FA is enabled, the user must also enter their 2FA token
Admin Initiated Password Reset Flow
- Verify the user is legitimate and who they say they are. Ask questions about their account only they should know, such as:
  - Last logged in location
  - Last login date
  - Information saved in their profile
  - Forum postings or handle
- Temporary passwords are sent to users with a forced password change on first login
- Verify the user can log in with their newly set password (how many times have you forgotten your newly set password?)
- Changing an email address should initiate a notification
- If one person changes the email address of more than 5 accounts within an hour, a second level of authorization or authentication should be required. Pick the threshold and parameters based on your threat model.
- Removing a 2FA token should require additional security measures:
  - Send a notification to the user’s email addresses and phone numbers on file
  - Request a recovery token from the user
  - Require the employee to enter their own 2FA token to allow this operation
  - Raise a high-sensitivity alert to administrators that this change has happened
  - Block the operation if the same employee performs more than three 2FA removals within an hour
  - Pick your threshold based on your threat model and past statistics
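The user-initiated flow above, as an added example that is not code from the original post: a one-time reset token is emailed, only its hash is stored, it expires (24h is the post’s upper bound), it is single use, 2FA users must also present their 2FA code, and every contact on file is notified. The `verify_2fa` hook and the user dictionary layout are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 24 * 60 * 60  # upper bound from the post; shorten per your threat model


@dataclass
class ResetRequest:
    token_hash: str     # only a hash of the emailed token is stored
    expires_at: float
    used: bool = False


class PasswordResetService:
    """User-initiated reset flow: emailed one-time token, 24h expiry, 2FA if enabled."""

    def __init__(self, users, verify_2fa, now=time.time, ttl=TOKEN_TTL_SECONDS):
        self.users = users            # {username: {"email", "phone", "twofa_enabled", ...}}
        self.verify_2fa = verify_2fa  # hypothetical hook: (username, code) -> bool
        self.now, self.ttl = now, ttl
        self.pending = {}             # username -> ResetRequest
        self.notifications = []       # (channel, destination, message) sent so far

    def request_reset(self, username):
        user = self.users[username]
        raw = secrets.token_urlsafe(32)
        self.pending[username] = ResetRequest(
            hashlib.sha256(raw.encode()).hexdigest(), self.now() + self.ttl)
        # Notify every contact on file so the real owner learns of the attempt.
        self.notifications.append(("email", user["email"], "password reset requested"))
        if user.get("phone"):
            self.notifications.append(("sms", user["phone"], "password reset requested"))
        return raw  # delivered only to the email address on file

    def complete_reset(self, username, token, new_password, twofa_code=None):
        req = self.pending.get(username)
        if req is None or req.used or self.now() > req.expires_at:
            return False  # unknown, already used, or expired token
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(req.token_hash, presented):
            return False
        user = self.users[username]
        if user.get("twofa_enabled") and not self.verify_2fa(username, twofa_code):
            return False  # 2FA users must also present their 2FA token
        req.used = True  # single use: the token is dead after one successful reset
        salt = secrets.token_bytes(16)
        user["password"] = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000))
        self.notifications.append(("email", user["email"], "password changed"))
        return True
```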
Twitter Hack Cybersecurity Lesson Two – Admin Employees
Admin employees often hold the keys to the kingdom. Some examples of employees that hold administrative roles are:
- Customer Service Representatives
- Infrastructure Engineers
- Security Admins
Some things they can do include:
- Change orders or refund payments
- Change login information like passwords, email addresses, physical addresses, 2FA authentication
- Make changes to production website or content
- Bring down or terminate instances
- Submit code into production
Take a look at the people in your company who have these kinds of privileges. Understand their current workflow and the privileges they need to do their job, and review the admin panels they use. Are there multiple roles, with least privilege enforced? Or even worse: are shared passwords being used?
Twitter Hack Cybersecurity Lesson Three – Social Engineering Is Real
If you don’t believe me, check out Darknet Diaries Episode – Human Hacker. Or check out this video where a hacker breaks into your phone account in 2 minutes!
Update Your Threat Model
Many of us already know all the little things that we need to do to improve security in our environment, but prioritization is the hard part. There is no ONE SIZE FITS ALL in Information Security, so we need to understand:
- Current threats
- History of threats and incidents
- Types of data we are trying to protect
- Different ways data can be exploited
- Impact of each threat scenario
- Likelihood, based on what other companies have experienced
These are just some of the questions that are asked during a threat modeling exercise. Having the right people in the room and asking all the right questions will help you build a holistic threat model.
Additionally, having engaged engineers—especially senior ones—come up with scenarios they may know specific to their industry is another success signal.
Make sure you update and revisit your threat model periodically. I recommend quarterly since many things change at a company experiencing high and fast growth.
Educate Your Employees
Empower your employees to ask questions and have a sense of when something is peculiar. Listen to the Darknet Diaries Episode – Human Hacker and see how employees were tricked or phished for their credentials.
Remember: our employees are not “dumb” or “stupid.” If this is what you think about your employees, then your security efforts will fail. Sorry, I can’t sugarcoat that. As security practitioners, we need to be enablers: not gatekeepers. Contact me, and I’d be happy to discuss this over coffee.
Customer service employees are often the front line to the outside world. Ensure they verify accounts and rely on automation and metadata before making drastic changes to an account (see above for tips on password reset flows). Social engineers are trying to learn more about the type of systems in place at your company. Even knowing where or who the outsourced provider for your customer service is can be valuable to them. Train your employees not to let others know more than they need to.
Log All Changes
Log ALL changes. Having the ability to go back makes it much easier to understand what happened in the event of an incident.
Additionally, creating alerts for summarized changes may also help shorten the window for detection. Of course, I’m a believer in preventative and corrective controls over detective ones; however, if preventative controls are not available, detective controls are the fallback.
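An added example (not code from the original post) of the detective control described here, applied to the thresholds the post gives earlier for the admin-initiated flow: a per-employee sliding one-hour window over admin audit log lines raises a second-authorization alert after more than 5 email changes, a high-sensitivity alert on every 2FA removal, and a block after more than 3 removals. The log line format and the employee/user names are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Policy from the post: >5 email changes/hour -> require second authorization,
# >3 2FA removals/hour -> block; every 2FA removal raises a high-sensitivity alert.
WINDOW = timedelta(hours=1)
THRESHOLDS = {"email_change": (5, "require_second_auth"), "twofa_remove": (3, "block")}

# Assumed audit line layout (constructed for this example).
LINE_RE = re.compile(r"^(?P<ts>\S+) employee=(?P<emp>\S+) action=(?P<act>\S+) target=(?P<tgt>\S+)$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["emp"], m["act"], m["tgt"]


def evaluate(lines):
    """Replay admin audit lines in order; return (alerts, blocked_events)."""
    recent = defaultdict(deque)   # (employee, action) -> timestamps inside WINDOW
    alerts, blocked = [], []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                  # malformed line: skip, do not crash the detector
        ts, emp, act, tgt = parsed
        if act == "twofa_remove":
            alerts.append(("high", f"{emp} removed 2FA on {tgt}"))
        if act not in THRESHOLDS:
            continue
        q = recent[(emp, act)]
        while q and ts - q[0] > WINDOW:
            q.popleft()               # drop events that fell out of the one-hour window
        q.append(ts)
        limit, response = THRESHOLDS[act]
        if len(q) > limit:
            alerts.append(("medium", f"{emp}: {len(q)} {act} in 1h -> {response}"))
            if response == "block":
                blocked.append((emp, act, tgt))
    return alerts, blocked


# Constructed sample log: one rep bulk-changing emails, another removing 2FA four times.
SAMPLE_LOG = (
    [f"2020-07-15T20:{i:02d}:00Z employee=csr1 action=email_change target=user{i}" for i in range(6)]
    + [f"2020-07-15T20:{10 + i:02d}:00Z employee=csr2 action=twofa_remove target=user{i}" for i in range(4)]
)
```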
Twitter Hack Cybersecurity Lesson Four – Secure Your Admin Panel
Sometimes, small startups use “God Mode,” an admin panel that is basically direct read/write access to the company’s SaaS platform or database. Very often it is poorly protected and has minimal controls.
I have seen admin panels with no password complexity requirements and where everyone had the same full admin access. Sometimes, any email address could be added as a user of the panel.
Here are some general guidelines:
- Limit admin users to @company domains only
  - This prevents external users from being added
- Patch your admin panel libraries and systems often
- Employ the model of Least Privilege in your admin panel (see below)
- Protect your admin panel from outside and unauthorized users (see below)
Least Privilege For Your Admin Panel
The concept of least privilege means people (and machines) only have access (authentication) and permissions (authorization) for the minimum required to get the job done.
Does your admin panel have RBAC roles, or does everyone have full admin privileges?
The idea is that you create different groups with different sets of permissions particular to their job. In the event they change jobs, you can simply change their role.
Below are some sample roles:
- Full Admin: reserved for Engineers and Administrators
- Power User: close to Administrators, not as destructive
- Customer Support: the ability to reset passwords, update profile information, etc.
- Business Reporting: provide access to generating reports, sometimes as needed
- Read-Only: reserved for Auditors or others to understand the systems without making changes
Of course, find the number of roles that fit your organization; just try to keep it more than one.
Zero Trust Access To Your Admin Panel
Is your admin panel available to the world? Do you require 2FA to log in and make changes? Are sessions scheduled to time out, or are users logged in forever? Do you have geo-fencing set up?
What about if someone logged in from San Francisco, California, and then logged in from Montreal, Quebec Canada?
With such extraordinary power of the admin panel, you want to make sure it’s protected from the world. For example, what if your admin panel uses an outdated ruby gem with a CVE (vulnerability), allowing unauthenticated access to the panel? Or maybe the server it’s running on got compromised, and now an attacker has access. Limiting the exposure of your admin panel will reduce your threat surface.
Adding a Zero-Trust network proxy in front of the admin panel reduces its footprint dramatically.
Can someone change the email address of 100 users in an instant? If so, make them re-authenticate, get secondary authorization, and/or add notifications to an admin group.
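The San Francisco-then-Montreal question and the session timeout question above, as an added example that is not code from the original post: an impossible-travel check computes the speed implied by two logins (great-circle distance over elapsed time) and flags anything faster than an airliner, and an idle-timeout check expires sessions that are left logged in. The 900 km/h ceiling, the 15-minute idle limit and the coordinates are assumptions chosen for the example.

```python
import math
from datetime import datetime, timedelta, timezone

MAX_PLAUSIBLE_KMH = 900.0                 # roughly airliner speed; tune per your threat model
SESSION_IDLE_TIMEOUT = timedelta(minutes=15)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(prev_login, new_login, max_kmh=MAX_PLAUSIBLE_KMH):
    """Each login is (utc datetime, lat, lon). True when the implied speed is not plausible."""
    t0, lat0, lon0 = prev_login
    t1, lat1, lon1 = new_login
    dist = haversine_km(lat0, lon0, lat1, lon1)
    hours = (t1 - t0).total_seconds() / 3600.0
    if hours <= 0:
        return dist > 0          # two places at the same instant is impossible
    return dist / hours > max_kmh


def session_expired(last_activity, now, idle=SESSION_IDLE_TIMEOUT):
    """True when the session sat idle longer than the allowed window."""
    return now - last_activity > idle


def admin_login_decision(prev_login, new_login, last_activity, now):
    """Step up to 2FA and alert on impossible travel; force re-login on an idle session."""
    if impossible_travel(prev_login, new_login):
        return "step_up_2fa_and_alert"
    if session_expired(last_activity, now):
        return "reauthenticate"
    return "allow"


# Constructed example: a login from San Francisco, then one from Montreal an hour later.
SF = (37.7749, -122.4194)
MONTREAL = (45.5017, -73.5673)
T0 = datetime(2020, 7, 15, 20, 0, tzinfo=timezone.utc)
```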
Conduct Social Engineering Tests On Your Admins
Not many companies will do this, but you may want to consider conducting these tests if you are a large public organization with sensitive data or government customers.
Twitter Hack Cybersecurity Lesson Five – All Your Secrets Belong To Us
According to the New York Times, attackers accessed data stored in engineers’ Slack channels to further their access into other systems. It’s unclear whether those chats contained credentials that granted access or links to other internal administrative portals. Those links could have been authenticated or unauthenticated. Sometimes, internal portals are “trusted” and have little or no authentication beyond the fact that requests come from an internal source. They could have been using a shared password for all we know.
Here are the major takeaways:
- Do not store secrets (passwords, authentication tokens, etc.) in Slack or Messaging platforms
- Do not rely on “internal” anything for security and authentication
As you can see, there is no one solution or silver bullet to all of this—it’s all part of a defense in depth strategy. Attacks can come from many directions and in many forms, but either way, the access they yield can have severe implications.
For a relatively novice attacker to get through so easily says something about how fragile our systems are sometimes or how we underestimate the abilities of an attacker.
If this article was helpful to you, consider subscribing to my weekly newsletter, where I share my latest commentary as a vCISO for high growth startups.