Cybersecurity - All is Not Quiet on the Social Media Front
Privacy Plus+
Privacy, Technology and Perspective
This week, we learned that the as-yet unidentified attackers who recently compromised Twitter with a scam also caused a data breach, exfiltrating the personal information, including email accounts and phone numbers, of 130 accounts, and the private messages of 36 accounts, including those of some of the world’s most prominent businesspeople and several prominent politicians.
You can read more about the attack in the following articles:
https://www.washingtonpost.com/technology/2020/07/15/musk-gates-twitter-hack/
One of the hacker’s (hackers’) motivation(s?) is clear enough. This appears to have been an old-fashioned “bunko” scam, one of dozens that are as old as commerce: (“Hi! Everyone is asking me to give back, now is the time. Join me! If you’ll send $1,000 in bitcoins to this address, I’ll send double your contribution to some charity. Offer good for a short time only. Hurry!”) At least some people always fall for it. At least a few people fell for it here. Maybe that was enough for the hacker(s).
The problem is that it shows Twitter still isn’t secure.
And certainly, Twitter isn’t nearly secure enough to handle the out-sized role it has assumed in American society.
As these stories relate, the hacker(s) defeated 2-factor authentication and strong passwords. (What more were the account owners supposed to do, to protect themselves?) This suggests that the hacker(s) reached Twitter’s back-end, administrative controls, possibly using social engineering to assume credentials.
That is serious – extremely serious – because Twitter is now so beloved of politicians and public figures of every type who use it constantly to get short messages out fast.
Suppose bad actors used compromised Twitter accounts on Election Day to send false messages meant to misdirect and confuse, such as, “Alert! Voting places have just been changed, go to [fictional] address such-and-such”?
Twitter has had a lot of time to address its insecurity and privacy problems. In fact, in March of 2011, Twitter settled Federal Trade Commission charges that “serious lapses in the company’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including both access to non-public user information and tweets that consumers had designated as private, and the ability to send out phony tweets from any account.” The press release regarding that settlement follows:
Twitter promised to do better. That was in 2011.
Yet last year, in 2019, Twitter’s own founder Jack Dorsey found his own Twitter account hacked:
https://www.washingtonpost.com/technology/2019/08/30/twitter-founder-jack-dorseys-account-hacked/
Now this, in late July 2020.
Think about the implications for our election if influential politicians’, government authorities’, or election officials’ Twitter accounts are hijacked on Election Day and used to spread disinformation.
Twitter has 101 days – just a little more than 2400 HOURS FROM NOW – to straighten this out and prevent that happening on Election Day.
In our view, Twitter has an absolute, peremptory duty to secure its operations well enough to prevent them being used by our national adversaries to sow chaos in our elections.
We appreciate that Twitter is a valuable resource, when used by responsible people. But bad actors have compromised Twitter’s systems deeply, over and over.
We ask: if Twitter can’t manage to secure its platform by Election Day, should it operate at all while U.S. polls are open?
---
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.