What We Can Learn From Twitter’s Big Hack
We at NortonLifeLock Labs are committed to keeping consumers safe online and helping them make wise decisions about their security, identity and privacy. Therefore, we take the integrity of information shared online incredibly seriously – especially now that we are headed towards an election. As part of our efforts in this space, we are focusing our research on activities that prey on people and exploit the difficulty of assessing the legitimacy of information online, including detecting scams and disinformation networks. To that end, we recently released BotSight, a tool that can detect certain types of social bots and show those findings inline to Twitter users.
Last Wednesday, the Twitter accounts of numerous high-profile politicians, billionaires, and other notable figures were taken over by attackers to fraudulently solicit Bitcoin from their followers.
While the details of precisely how the attack was carried out are still a little murky, it is clear that the attackers managed to net a little over $118,000 for an attack lasting a few hours.
More interesting than the specifics of this attack are the vulnerabilities in the social media ecosystem that it exposed: we trust (perhaps too much) the authenticity of the messages on social platforms, especially from accounts of famous individuals, likely assuming that such accounts would be highly secured and “impenetrable”. Reality has however demonstrated that we should always consume online content with great caution.
Imagine if this hack had taken place on November 3, 2020, during the US election. Imagine if the attacker, during prime polling hours at 5 PM, had taken over Joe Biden’s account and tweeted that he had conceded to President Trump, and asked his supporters not to cast any more ballots. Imagine if Governor Gretchen Whitmer of Michigan tweeted that polling places were unsafe in the Detroit metro area and people should avoid them until further notice. Imagine if the official Twitter account for the Philadelphia Police Department had tweeted there was a bomb threat at some polling location.
For this week’s attack, 2 hours to fix the problem may seem very fast. But on election day, 2 hours of disinformation could seem like an eternity. This attack underscores the very real danger of social media and its potential impact on democracy. And this scenario is not unique to Twitter – next time it might be Facebook or Instagram. All social media companies are vulnerable; or rather, it is we who are vulnerable, and social media is just the platform.
Regardless of whether the attack was a result of malicious insiders, or insiders being compromised through phishing, this raises the question of how and why we trust the contents of a Tweet. Can anyone inside Twitter create a new Tweet on behalf of a high-profile account? And how do we defend not just the person who posted the Tweet, but the people reading it?
Some possible solutions would be to develop stronger authenticity guarantees around Tweets (1), have Twitter flag certain accounts as possibly hacked and alert the public while they investigate, and educate the public about these types of threats.
In the Tweet below, Twitter displays the device used to post the Tweet (Twitter Web App). However, it doesn’t check whether this device, in fact, belongs to Jeff Bezos. Twitter could borrow a technique from cryptography called “digital signing” to fix this. Implemented carefully, it would allow each user to prove mathematically that a Tweet was sent from one of their own devices, and would make forging Tweets much more difficult. Each device, when registered, would generate a key pair inside the device’s protected trusted enclave: a private signing key that never leaves the enclave, and a matching public verification key. Only the public key would be recorded by Twitter, in an append-only public log called a ledger, for the world to see; since the key is random, publishing it reveals nothing about the user’s identity or activity. The Twitter app would then use the private key to sign every Tweet the person sends, automatically. When you see a signed Tweet, your Twitter app could automatically check its authenticity by looking up the public key on the ledger, confirming it is registered to the account that posted the Tweet, and verifying the signature against the Tweet’s contents.
While this has a few downsides, like not allowing Tweeting from a random web browser, it might make sense to implement for a few accounts of special significance, like public figures or users with massive followings (2). One limitation is worth stating plainly: a signature proves which registered device produced a Tweet, not who was holding it, so a stolen, unlocked phone can still post validly signed Tweets. What the scheme does defeat is a Tweet created by anyone, insider or intruder, who never had the user’s device.
Second (and more easily), Twitter could create an annotation on an account that it believes might have been compromised, which would take special privileges to set and remove. This annotation would be displayed to all users viewing any of that account’s Tweets, notifying them that the messages stemming from that account might not be authentic. This would be a more effective strategy than just repeatedly taking down offending Tweets.
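As an added illustration (this is not code from the original post, nor anything Twitter runs), the following Go program models both ideas above: per-device signing keys published to a hash-chained public ledger, Ed25519 signatures over each Tweet, and a reader-side check that also honours a “possibly compromised” flag entry. The `Entry` and `Tweet` types, the ledger layout, the handle and device names, and the sample Tweet texts are all assumptions made for the example; a real deployment would keep the private key inside the device’s secure enclave and would need key rotation and revocation on top of this.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one record in a hypothetical public, append-only ledger.
// Kind is "register" (bind a device public key to a handle) or "flag"
// (the platform marks the account as possibly compromised).
// Only public keys are published; the private key never leaves the device.
type Entry struct {
	Kind, Handle, DeviceID string
	PubKey                 ed25519.PublicKey
	PrevHash               string // hash of the preceding entry: tampering breaks the chain
}

type Ledger struct{ entries []Entry }

func hashEntry(e Entry) string {
	h := sha256.Sum256([]byte(e.Kind + "|" + e.Handle + "|" + e.DeviceID + "|" +
		hex.EncodeToString(e.PubKey) + "|" + e.PrevHash))
	return hex.EncodeToString(h[:])
}

func (l *Ledger) Append(e Entry) {
	if n := len(l.entries); n > 0 {
		e.PrevHash = hashEntry(l.entries[n-1])
	}
	l.entries = append(l.entries, e)
}

// Flag records that the platform believes the account may be compromised.
func (l *Ledger) Flag(handle string) { l.Append(Entry{Kind: "flag", Handle: handle}) }

// Device simulates a registered phone or app. In a real deployment the
// private key would be generated and held inside the device's trusted enclave.
type Device struct {
	Handle, ID string
	priv       ed25519.PrivateKey
}

func RegisterDevice(l *Ledger, handle, id string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	l.Append(Entry{Kind: "register", Handle: handle, DeviceID: id, PubKey: pub})
	return &Device{Handle: handle, ID: id, priv: priv}, nil
}

type Tweet struct {
	Handle, DeviceID, Text string
	Sig                    []byte
}

// canonical returns the exact bytes that get signed. Length prefixes stop an
// attacker from shifting bytes between fields to obtain a different valid tweet.
func canonical(handle, deviceID, text string) []byte {
	return []byte(fmt.Sprintf("%d:%s|%d:%s|%d:%s",
		len(handle), handle, len(deviceID), deviceID, len(text), text))
}

func (d *Device) Post(text string) Tweet {
	return Tweet{d.Handle, d.ID, text, ed25519.Sign(d.priv, canonical(d.Handle, d.ID, text))}
}

// Verify is what a reader's client would run. It returns one of:
// "verified", "unsigned", "unknown-device", "bad-signature", "flagged".
func Verify(l *Ledger, t Tweet) string {
	if len(t.Sig) == 0 {
		return "unsigned"
	}
	var pub ed25519.PublicKey
	flagged := false
	for _, e := range l.entries {
		if e.Handle != t.Handle {
			continue
		}
		switch e.Kind {
		case "register":
			if e.DeviceID == t.DeviceID {
				pub = e.PubKey // latest registration for this device wins
			}
		case "flag":
			flagged = true
		}
	}
	if pub == nil {
		return "unknown-device" // no key for this handle/device pair on the ledger
	}
	if !ed25519.Verify(pub, canonical(t.Handle, t.DeviceID, t.Text), t.Sig) {
		return "bad-signature"
	}
	if flagged {
		return "flagged" // signature is fine, but the platform has annotated the account
	}
	return "verified"
}

func main() {
	ledger := &Ledger{}
	bezos, _ := RegisterDevice(ledger, "JeffBezos", "phone-1")   // constructed sample account
	mallory, _ := RegisterDevice(ledger, "mallory", "laptop-9") // constructed attacker account

	genuine := bezos.Post("Excited about the future of space travel!")
	fmt.Println("genuine:", Verify(ledger, genuine))

	// An insider with database access injects a tweet: no device ever signed it.
	injected := Tweet{Handle: "JeffBezos", DeviceID: "phone-1", Text: "Send BTC, get double back"}
	fmt.Println("injected:", Verify(ledger, injected))

	// Mallory signs with her own key but claims the victim's handle.
	forged := mallory.Post("Send BTC, get double back")
	forged.Handle = "JeffBezos"
	fmt.Println("forged:", Verify(ledger, forged))

	// Editing a genuine tweet's text invalidates its signature.
	edited := genuine
	edited.Text = "Send BTC, get double back"
	fmt.Println("edited:", Verify(ledger, edited))

	// The platform flags the account: even validly signed tweets are shown as suspect.
	ledger.Flag("JeffBezos")
	fmt.Println("after flag:", Verify(ledger, bezos.Post("I'm fine")))
}
```

Running `main` prints `verified`, `unsigned`, `unknown-device`, `bad-signature` and `flagged` in that order. The point of the separate result codes is that a reading client can render each differently: a Tweet that was never signed by any registered device (the insider case) and a Tweet from an account the platform has flagged are both untrustworthy, but for different reasons, and the user should be told which.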
Finally, we all have to be wary since there is only so much the social media companies can do to protect us from misinformation. We must understand that there is a significant possibility this, or something like it, will happen again. Because the next time an attack of this scale happens, the consequences might not be $118,000 of stolen Bitcoin, but an election.
While some tools, like NortonLifeLock Labs’s BotSight, are capable of detecting certain types of social bots, it’s ultimately up to each person to be critical of the information we read and determine whether the information is real or fake.
As the election looms closer, we all need to be aware that in the information war, the real targets are not Twitter, or Facebook, or Google. The real targets are us.
Footnotes
1. Emails can already be signed with a per-user or per-device key (as in S/MIME and OpenPGP), with the corresponding public key checked against a public, append-only log of known keys (a transparency log or blockchain). Tweets could be equipped with the same protection.
2. Even for the case of a random browser, you could use an existing device to automatically communicate with Twitter and sign the Tweet with the owner’s permission. This would be a little difficult to do correctly but might be the correct solution long-term.
NortonLifeLock Labs™ is the cornerstone of NortonLifeLock’s thought leadership in Cyber Safety, leading the company’s future technology and guiding the consumer cybersecurity industry around the globe. The Labs team, sitting within the office of the CTO, includes leading threat and security researchers aimed at protecting customers against known and new threats and delivering consumer-focused innovation in the space of security, privacy and identity. Through these efforts, we continually improve our industry-leading protection and detection capabilities to help keep consumers Cyber Safe, while also delivering innovative prototypes with test-friendly features so adventurous users can learn and offer feedback.
Copyright © 2020 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Other names may be trademarks of their respective owners.