
This professional hacker says the Twitter attack was a 'big wake-up call.' Here's the advice she gives other tech companies to avoid a similar fate. (TWTR)

* Twitter just experienced an unprecedented hack. On Wednesday, several high-profile accounts were hijacked and tweeted out bitcoin scams.
* Twitter has confirmed the hackers gained access to its internal systems by coordinating a social engineering attack on an employee.
* One hacker who is often hired by companies to find weaknesses in their systems explains why she saw this coming, and what companies like Twitter can do to better avoid these types of hacks.
* Visit Business Insider's homepage for more stories.

On Wednesday, Twitter experienced an extraordinary coordinated attack in which several high-profile accounts, including those of Kanye West, Elon Musk, and Barack Obama, were hijacked. The attack was so large that the Federal Bureau of Investigation is now looking into it. And while many of the details are still unknown, Twitter has confirmed that the hackers gained access to its internal systems by coordinating a social engineering attack on an employee. According to reports from Motherboard and TechCrunch, the hackers accessed an internal dashboard that would have allowed them to reset the passwords on select accounts and take control.

Early into the attack, some people started theorizing that this was exactly what was happening. Rachel Tobac, CEO of SocialProof Security, is a hacker hired by companies to break into their security systems and expose their vulnerabilities. As the attack was starting to unfold, Tobac tweeted out a theory: the attackers had likely gained access to Twitter's employee admin panel.

"It's one of those moments where a lot of the things I've been recommending for years have come to a head," she told Business Insider.

The type of admin privilege the hackers may have accessed is common among tech firms, said Tobac. "It's very common, and a lot of people are shocked that admin access or 'God mode' exist," she said. "Many organizations have a lot of admin access and it's pretty unchecked. It's pretty rare that I get stopped when I'm doing an attack and can't get admin access. Oftentimes, I can get that within 5 minutes."

Tobac, whose company has worked with Facebook, Uber, and PayPal, suggested a few things that all companies with these sorts of admin systems should be enforcing, including a requirement for multiple employees to sign off on certain decisions. "Have at least two sets of eyes when you need to make a really big decision, like changing the email on former President Obama's account," she said.

Tobac also recommends "multi-factor authentication, hopefully tokenized, for even logging in with those credentials at work."

"You can also have threat detection, so if you have an insider threat, and you mark a couple of high value behaviors as possible threat actions, when you see them going off multiple times in an hour that will alert you that something strange is happening," she added. "And then, making sure there's multi-factor authentication and, of course, training for folks. Employees will inevitably make mistakes so they need technical tools in addition to their training to protect them."

Experts have warned that the Twitter attack could be part of something much larger than bitcoin scams. "Noisy attacks are a great way to distract security teams from other malicious activities," one cybersecurity expert told Business Insider. Some experts even believe the bitcoin scam could have been a way for the hackers to show off. Whatever the truth may be, Twitter is under fire to deliver answers and explain to lawmakers how an attack like this could happen.

Experts believe this could be a wake-up call for Twitter and for others who have watched the events unfold, thankful it wasn't happening to them. "To be really frank with you, I think this is an issue that many companies do not take seriously," said Tobac. "Twitter is not alone in this. It's terrible to see it happen to Twitter, but this is hopefully a big wake-up call for companies all over the world to limit their admin access, to consider the implications of who can make those changes, train their employees, and back them up with technical tools."