‘Insider’ attacks like those on the accounts of Elon Musk, Barack Obama and others show how inept institutional security is
As the ramifications of a potentially catastrophic hack of Twitter continue to reverberate across the security industry, I’m reminded of that trope of slasher movies: when the surviving teens are told that the killer’s phone calls have been coming from inside the house all along.
There are still questions to be answered about the hack, which saw many of the biggest accounts on the social network, including those of Joe Biden, Elon Musk and Barack Obama, co-opted to promote a bitcoin scam. Who was behind it? Was money their only motivation? Did they do anything else while they had access?
But Twitter has confirmed one thing, which is that the attack wasn’t the result of a sophisticated technological vulnerability. Nor was each user’s account compromised individually. Instead, the company says, it was the victim of “a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
In other words, Twitter employees were tricked or coerced into handing over privileged access to the company’s innermost systems, and from there, the attackers could run riot.
The concept of an “insider threat” is nothing new in the technology world. Information security experts routinely advise companies to practise compartmentalisation: limiting access within a secure network, for instance, so that even if an attacker breaks through the perimeter, the damage they can do is limited.
Those limitations also serve to guard against the threat of a rogue employee. If you make sure to limit access to financial records, for example, to those who work in the finance department, you make it harder for a hacker to steal details – and you also make it harder for Frank who works in sales to sneak a peek.
Twitter should be particularly aware of these sorts of concerns, because the company has already fallen prey to insider threats before. In 2017, a “rogue employee” took unilateral action against Donald Trump’s account, suspending it from the service for about 11 minutes before it was restored. The employee, a German man named Bahtiyar Duysak, deactivated Trump’s account on his last day working as a contractor for the social network.
Duysak later confessed that he hadn’t intended to actually deactivate the account: he had been working as a moderator and, when a report came in that Trump had broken the site’s rules, decided to accept the report as valid, rather than reject it out of hand. He had expected that call to be reversed further up the chain, but in the end it never was.
(After that affair, Twitter put “safeguards” in place to prevent it happening again – which appear to have also protected the president’s account from this latest attack.)
Last November, a more sinister insider attack was revealed, when two former Twitter employees were charged with spying for Saudi Arabia. One of the employees, Ali Alzabarah, was even fired in 2015 for accessing user data, but told the company that he had done so “out of curiosity”. He fled to Saudi Arabia the day after.
That case also exposed an uncomfortable truth about insider attacks: we simply don’t know how common they are. If Alzabarah hadn’t been charged with espionage offences, we would never have known that he had abused his access. Similarly, in 2018, a Facebook employee was fired after bragging on Tinder that he was using his access to stalk women online. That case would never have come out if the women hadn’t complained, yet it rapidly led to the disclosure by Vice that at least three other Facebook employees had been fired for similar offences.
Some companies don’t even seem to view insiders misusing data as a threat. In 2016, for example, Uber employees were discovered to be regularly abusing their “God Mode”, which let them spy on the movements of “high-profile politicians, celebrities and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex-spouses”, according to a court complaint. Even Beyoncé was allegedly monitored.
All of which underscores the scariest thing about this latest wave of attacks, which is that we got lucky. The attackers apparently gained a secret way to invisibly take control of any account on the social network and then, whether through greed or stupidity, blew up their access in the most excessive way possible. The $100,000 they made in the process might feel good as it sits in an easily-laundered bitcoin wallet, but it pales in comparison to the mayhem a more canny attacker could have caused with the same access.
Insider threats will always be here. Only the most paranoid among us are prepared to jump through the hoops required to use an internet that doesn’t fundamentally require some level of trust to be placed in the gatekeepers of technology. But as today’s hack demonstrates, that trust can sometimes be misplaced.
• Alex Hern is the UK technology editor for the Guardian