Saturday, July 25, 2020

The Twitter Hack: What We Should Really Be Worried About


Of course it was a surprise to log onto Twitter two weeks ago to find that over a hundred accounts had been hijacked, but sadly, hacking is so commonplace today--even of large companies that hold vast quantities of personal information--that it's only somewhat interesting.

Most people kept tweeting, with only cursory reminders and jokes about passwords and password managers. And after the hack was brought under control, activity returned mostly back to normal.

Twitter's statement indicates that the hacker gained access to the internal tools used to manage the hijacked accounts through a social engineering scam that targeted employees. Apparently, over 1,000 employees at Twitter had access to these tools. Several facts are still in question.

One is why over a thousand employees had access to tools that allow such control over the company's user-facing system, and whether their use of these tools is audited, as is common practice. 

A second is how the alleged social engineering took place. 

But that's not the point.

To address these questions, though:

The issue was most likely detected by an alert sent to the security team when the tools were used without authorization, so we hope Twitter did its due diligence and had at least the most obvious policies in place--an alert on unexpected use of those tools being the first of them.
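The kind of alert described above, as an added illustration rather than anything from the post or from Twitter's own tooling: a small detector that reads audit-log lines from an internal account-administration tool and raises two alerts, one when someone outside the tool's allowlist uses it at all, and one when a single employee performs sensitive actions (email changes, password resets, 2FA removal) on several different accounts within a short window. The log format, the employee names, the allowlist and the thresholds are all assumptions constructed for this example.

```python
"""Detector for an internal account-admin tool's audit log (illustrative, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Hypothetical format: timestamp, employee, action, target account.
SAMPLE_LOG = """\
2020-07-15T16:55:02Z bob password_reset @user_a
2020-07-15T17:01:10Z alice email_change @user_b
2020-07-15T17:01:40Z alice email_change @user_c
2020-07-15T17:02:05Z alice 2fa_disable @user_c
2020-07-15T17:02:30Z alice email_change @user_d
2020-07-15T17:03:11Z alice password_reset @user_e
2020-07-15T17:20:00Z carol view_profile @user_f
"""

# Hypothetical allowlist of employees permitted to use the tool at all.
AUTHORIZED = {"alice", "bob"}
# Actions that take over an account rather than merely inspect it.
SENSITIVE_ACTIONS = {"email_change", "password_reset", "2fa_disable"}
# Flag an employee who touches this many distinct accounts within WINDOW.
BULK_THRESHOLD = 3
WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Turn the whitespace-separated log lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, target = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "action": action,
            "target": target,
        })
    return events


def find_alerts(events, authorized=AUTHORIZED, threshold=BULK_THRESHOLD, window=WINDOW):
    """Return (rule, employee, timestamp) tuples for suspicious tool usage."""
    alerts = []

    # Rule 1: any use of the tool by someone not on the allowlist.
    for e in events:
        if e["user"] not in authorized:
            alerts.append(("unauthorized_user", e["user"], e["ts"]))

    # Rule 2: sliding window over each employee's sensitive actions; alert once
    # when the number of distinct target accounts inside the window hits threshold.
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["action"] in SENSITIVE_ACTIONS:
            per_user[e["user"]].append(e)

    for user, evs in per_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {x["target"] for x in evs[start:end + 1]}
            if len(targets) >= threshold:
                alerts.append(("bulk_sensitive_actions", user, evs[end]["ts"]))
                break  # one alert per employee is enough to page the security team
    return alerts


if __name__ == "__main__":
    for rule, user, ts in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} ALERT {rule}: {user}")
```

On the constructed data this fires once for carol (not on the allowlist) and once for alice, whose third distinct account within ten minutes trips the bulk rule at 17:02:30; bob's single password reset produces nothing. A real deployment would feed these alerts to the security team rather than print them, and would tune the threshold and window to the tool's normal support workload.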

In this case, since the hijacking was small in scale and not very profitable, it's unlikely an employee would risk a career on it. It's more likely an employee was tricked out of login credentials, including 2FA access, a phone, or an unlocked laptop with access to the tools.

Common scenarios of social engineering include using social links to get access to a specific person's property. A call from the "bank" asking for a mother's maiden name, an email from the "IRS" asking for a social security number, or a simple skim through Facebook to find birthdays and the names of family members and pets are simple expedients. 

There are other scenarios: a colleague who installed hardware on a work laptop to spy and steal passwords, a cloned SIM card, and so on.

But again, that's not the point.

The point
The point is that if the hack was carried out somehow from within, it was not due to failed technology. It was due to human error.

We must realize that control of our online accounts always goes back to a human being. No matter what hardware, software, or other safeguards we put in place, the decisions of another person will always be a factor in what happens to our lives online.

How can we gain some leverage over the decisions made by the human on the other end of our account? 

Self-accountability. 
This is the weakest of all forms of leverage, and it's the one used most often. It is the only real measure taken by free services like Twitter to gain our trust.

Privacy policies and terms and conditions are determined by the company's legal arm. If you read them, you'll find that the reason they sound so incomprehensible is that they make very few definite statements about what the company will or won't do, so that the company has more flexibility in the decisions it makes to increase revenue.

Lawsuits against Google, for example, point out where it violated its own terms and conditions, but if those terms are vague enough, very few will be able to prove it.

Legal boundaries. 
Laws in place set by governments or governing bodies for the internet are only marginally more effective than self-governing efforts for two reasons: 

1. Not every law in place applies to the entity in question. Few if any laws governing the internet are overarching and applicable to all entities on the web. New laws are constantly being made and revised as new cases are brought to the table. With some familiarity with the laws, architecture, norms, and market of the internet as it is and as it changes, you'll be able to pick out which companies you're more likely to trust with decisions regarding your personal information.

2. Criminals are not bound by laws, and are seldom caught. Even when they are, the damage they've done in the process of stealing data, identities, or money often far outweighs possible reparations.

In this case, the fact that so many employees had access to the same set of tools that were used to hijack accounts is definitely a cause for worry. Laws that limit that kind of access and require auditing don't exist yet, but for the sake of any company like Twitter and its users, perhaps they should.

Financial agreement. 
Imagine a requirement that a user enter a minimum $0.01/year agreement with a web-based service we all take for granted like Twitter. It's a tiny exchange that may even seem unnecessary at that point, right?

Financial agreements with online entities are more binding because once you've bought something on the internet, whether product or service, you have a right to whatever the other party has included in the agreement, no more and no less, whether you like it or not. But you can ensure that you will like it, because it's here that you have a lot more control.

These agreements come under commerce laws, which are a lot more black and white. In business, if Terms and Conditions, Privacy Policies, and contracts are not clear to you, you can clarify, request adjustments, demand verification of identity, and place counter offers until you're personally satisfied with what you will be giving and getting in return. Once money has changed hands, you have the right to sue if the other party doesn't hold up their end of the deal. Most established entities on the net will do almost anything to keep that from happening, because of the fact that most of us seem to forget (but a business's lawyers will never let it forget): that all the actions we take online do in fact affect our lives and livelihoods offline--and those of others.

If even a small business transaction brings into play a whole set of commerce laws that entail rights for the customer and responsibilities for Twitter and other entities like Facebook or Netflix, a paid Twitter sounds a lot less crazy, right? 

Final thoughts
Today, Twitter is a free service governed only by its own policies, and the laws that apply to it as an internet business. The strictest govern its relationships internally with its own employees and externally with advertisers, not users. So again, we're at the mercy of the company to a certain extent, until we can find a way to get leverage over what happens to our personal data. That extent depends on your online privacy etiquette. Something to keep in mind as you continue to use Twitter, especially as the CEO makes noises about moving toward paid services. 
