Twitter Says High-Profile Hack Was the Result of a Phishing Attack (cnn.com) 23
Twitter said Thursday night that it has "significantly limited" access to its internal tools after it learned that the high-profile hack earlier this month affecting dozens of major accounts was the result of a phishing attack targeting the phones of a "small number of employees." From a report: "This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems," Twitter said in a tweet. A phishing attack is a type of cyberattack in which hackers try to trick victims into opening malicious emails or links disguised as legitimate web content. In addition to clamping down on access to administrative systems, Twitter said it was also accelerating the rollout of "security work streams" that had already been in progress.
riiiiiiiight (Score:1)
Re: (Score:2)
Why not? It's not like it's a good excuse. If your employees are vulnerable to phishing attacks, it's your fault for hiring dumbasses.
Sure, most people (more than half) will fall for phishing attacks. Don't hire most people. Hire for intelligence and skepticism, not mindless toadyism.
Re: (Score:2)
Why not? It's not like it's a good excuse.
These days it seems like it doesn't matter if it's a good excuse or not.
They just issue the statement, wait for the laughter to die down, and continue on as if nothing really happened.
Re: (Score:2)
Hire for intelligence and skepticism
The problem is those types of people want to be as far from Twitter as possible.
Re: (Score:2)
Nope, not buying this. But it is plausible and boring enough to be what actually happened. Lots of little errors in judgement added up in way that is hard to separate out after the fact. It will be fun to read the final report, right? The final, public report.
But I do prefer the disgruntled, incel-neckbead tech who is so much smarter than everyone else waiting for some savior to swoop in with a pile of cash to trade for access.
Re: (Score:3)
What are you proposing that's worse than admitting randos can call up your office and you'll just hand them the keys to everything?
Re: (Score:3)
Unpatched vulnerabilities? Access to source code? Rogue elements on staff?
I don't believe anything that comes out of Twitter Corporate. They lie to themselves as much as they lie to everybody else. The whole thing is a cesspool and all thinking people should abandon it altogether. You are not your Twitter handle. You are not promoting yourself by being on Twitter, you are promoting Twitter by being on Twitter. Twitter long ago abandoned any pretense of being an open platform. It is nothing but a containment
Re: (Score:3)
Most "sophisticated attacks" claimed by companies are not remotely sophisticated. That's why admitting (or at least claiming) that they fell prey to a phishing attack rings plausible to me. Experian claimed that the hack of its database was sophisticated, when in reality, they left an unpatched server online for way too long that shared credentials with another system that let the attackers leapfrog into the core systems. Retailers called attacks sophisticated when their stores used WEP for WiFi authenticat
Re: (Score:2)
Opinions may vary, but I'd consider what Twitter says happened worse than any of those.
Re: (Score:1)
That was my thinking as well. The initial allegation was employee bribery or collusion and it seems from the summary (with a useless CNN link) we're only being given Twitter's word that it was a phishing attack making them look more innocent.
MFA? (Score:2)
Voice Mail (Score:3)
I get the really odd Chinese voice mail message, really short, never call them, why would I. I can not figure out why other people respond to odd out of place messages. I forward all questionable email to https://www.acma.gov.au/ [acma.gov.au] and just ignore weird voice mail and texts. Keep in mind I use my mobile to connect to the world and not the other way round, I often go out in public with my phone left behind, so very few messages on my phone and the odd ones really stand out (in a year maybe one hundred so the odd ones really stand out). It's a trap pops in my mind when it comes to strange messages. When in doubt simply delete or email forward to your government spam handler and let them deal with it.
Re:Voice Mail (Score:4, Funny)
It's a trap pops in my mind
When that happens, who do you visualize -- Lt. Worf or Admiral Ackbar?
Re:Voice Mail (Score:5, Informative)
It's far smarter than that.
I had one at a workplace. It was an email that come through to the finance department, looking for the world like an email from our boss. It had his signature, his device info, a well-researched sign-off that wasn't a carbon copy of his normal one but close enough to be convincing and at the same time realistically "him" without being out of character.
It picked up a conversation that was realistic and just the kind of thing that happens, and written in his tone, and asking the finance girls to "just pay this", but in less direct wording.
It came from the same mail supplier IP ranges so it bypassed SPF checks, etc. It knew our processes (which aren't public), it knew the terminology, the timing, the business process, the customer, it knew what would pass for a convincing request to transfer money, who it had to come from, who it would be sent to, who it would copy in, everything.
It was sent while he was on holiday, and that gives them a certain leeway in terms of getting it right because people send emails differently when they're away.
It was a work of art.
The only giveaway was that I'd trained the finance girls to look at the user image in Outlook - something which is supplied from AD and can't be faked by outside emails. It didn't show an image because it wasn't from our guy, but other than that it was very, very convincing.
Even I had to read the headers three-four times to work out it wasn't actually sent from our systems, even remotely, but without the AD banner, I'd not have suspected and may well have just waved it through.
But we spotted it and reported it, and were much more suspicious. We received several more, different but obviously with the same amount of skill applied. One of them was literally phoning up and trying to engage the finance department as a customer, and that's very tricky to tell if they are or not. We reported those too.
A targeted phishing attack is almost impossible to stop. It's not just a dodgy email with a link to "hackme.ru/fdhasj" and inviting you to click it "to fiks your account".
And that's just someone trying to scam a few thousand out of a business. People hacking Twitter to get access to internal details about the president are going to be whole levels above even that.
Re: (Score:2)
Twitter Statement (Score:3)
Twitter Statement: "We are fully committed to closing the barn doors the instant that horse has disappeared over the horizon," a Twitter spokesperson said, "and we'll be interviewing the other horses to see if they have any plans to escape as well."
Again... fire 'em. (Score:2)
Leaving aside why would such tools be so widely available to employees in the first place... I've commented in the past that, assuming said employees have received anti-phishing training, anyone who provably falls for this should simply be terminated, immediately. No kind of company could or should be more vigilantly aware of social engineering attacks than a social media company.
We've been dealing with the fallout of systems not designed with security in mind from the ground up, for decades now. For a comp
Re:Again... fire 'em. (Score:5, Insightful)
Then you just instill fear in the remaining employees, making them less likely to report a suspected phish that they fell for. If they click Submit and then realize that maybe they shouldn't have done that, they can keep quiet thinking that maybe their creds won't get used and they can continue working there (and maybe change their password immediately, if they know how to do it), or they can report it and probably get fired. By the time you pick up that something's wrong, there's a good chance you won't know how they got in to begin with.
Set up a forgiveness program with limits. If someone self-reports before anything obvious has happened, they get amnesty. Screw up once without self-reporting? It happens. Yes, you got training, but there are some clever people out there. You know what happened, so you should be more vigilant next time. Anyone else think they fell for this, please speak up now so we can properly assess the risk. More than one time? Consider it case-by-case, because, as said, there are some clever people out there.
Re: (Score:2)
It's every employee's responsibility to remain vigilent. If they're not, then damned right they should be scared. It's just like driving these days... assume everyone else on the road is out to get you.
If a company has employees who click submit and only THEN think about whether it was right to have done so... clearly, if they received training at all, it was either ineffective, or they ignored their training.
Problem is, most anti-phishing training is laughable - some 30-60 minute online video training, "yo
Re: (Score:2)
I never said self-reporting should be the only mitigation. It should be *one* mitigation. There are other technical and training mitigations every company should take.
Maybe you have the perfect training approach that can 100% guarantee that every recipient will spot every phishing attack ever created, or that ever will be created, such that they can avoid them and notify IT. If so, I would like to get your contact details so I can provide a reference for my client.
But if not, your approach puts companies in
Four elements of security (Score:2)
'wargames' sequel (Score:1)