On July 17, 130 high-profile Twitter accounts were hijacked and used to tweet messages promoting a cryptocurrency scam.
As a result, 12.58 bitcoin, or close to $116,000, went to addresses mentioned in the fraudulent tweets. According to an official tweet, the social-networking service fell victim to “… a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”
The story illustrates that a system is only as strong as its weakest link. In this case, it was a brain, not a machine, that was hacked.
Social engineering
Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. Greed, dishonesty, vanity, opportunism, lust, compassion, credulity, irresponsibility, desperation and naivete are all human traits that can be exploited, and no two social-engineering schemes are the same.
At its core, it involves recognizing the “weak links” in a victim’s character, gaining the person’s trust or abusing their lack of suspicion, and then playing on those weaknesses to get them to perform, or enable, a malicious act. In Twitter’s case, it was tricking key employees into giving the attackers access to internal systems and tools.
“We used a rep that literally done all the work for us,” one of the hackers said in an interview with Motherboard, while another added that the Twitter representative was paid for providing access to a special set of internal Twitter tools that let them carry out the hijacking. Screenshots of the tools were leaked after the hack took place.
The real news
While many obsess over dissecting this information and getting into the nitty-gritty of what really happened at Twitter, the real news is that so many of its employees (over 1,000, according to Reuters) have this level of access to every individual account. It shows that Twitter can not only block and unblock your account (which is fine), but also that its staff can read the private messages (known as “direct messages,” or DMs) sent to or by you.
This last part is the most worrisome aspect, as it means that nothing sent through Twitter, DMs included, is ever truly private. Rather, it is readable by many Twitter employees, who can peruse your DMs and do whatever they please with your private correspondence without you ever realizing it.
Twitter has never been a politically neutral platform, and knowing that its employees have this kind of power and oversight over the communication of those they deem dangerous or simply disagreeable is deeply worrying. It goes without saying that you should never share on Twitter any information, especially via DMs, that you would not otherwise share publicly. This will remain the case until the company implements end-to-end encryption for direct messages. (End-to-end encryption is a method of secure communication in which only the communicating devices hold the keys, so neither the service operator nor anyone who compromises its servers can read the message content in transit or while it sits in storage. It does not hide who is talking to whom or when, and it does not help if the account itself is taken over, as happened here, so it is a necessary protection, not a complete one.)
But Twitter isn’t the only social-networking platform with “special tools.” Two years ago, the New York Post reported that a security engineer at Facebook was accused of using his “privileged access” to personal data to stalk women online. SnapLion is a tool of choice for eager Snapchat employees, giving them unfettered access to user data. I’m sure the list goes on, and I’m also sure that some of this information finds its way to the dark web, where more notorious individuals gain access to your personal data for nefarious purposes.
When asked, many of these companies will say that access to personal and private data is sometimes necessary, for example to respond to a government inquiry or to perform system maintenance. Even if this is true, one thing is certain: if such access isn’t restricted to the people and cases that need it, logged every time it is used, and audited after the fact, it will eventually be abused. Perhaps not by an entire company trying to sabotage your political endeavors, but simply by an overly curious employee, or by a hacker who has bought or tricked their way in, as at Twitter.
This is not acceptable. Insisting on end-to-end encryption should be a hill to die on, lest we lose the last shreds of our privacy.
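The logging and auditing that the preceding paragraphs call for is not exotic. The following is an added example, written for this page rather than code from Twitter or any of the companies mentioned, of the kind of rule an operator could run over an internal tool’s access log. The log format, field names (actor, action, target, ticket, approver), the list of “sensitive” actions and the set of protected accounts are all assumptions; the log lines are constructed sample data. It flags three things a reviewer would want to see: reads of private messages with no support ticket attached, changes to a protected account with no named approver, and an employee performing a burst of sensitive actions in a short window, which is what a paid-off or phished support representative working through a list of targets looks like.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Accounts whose modification requires a named approver (assumed policy).
PROTECTED_ACCOUNTS = {"@bigname", "@exchange"}

# Actions that change account state or expose private content (assumed names).
SENSITIVE_ACTIONS = {"read_dm", "reset_email", "disable_2fa", "suspend_account"}

# Constructed sample log: one JSON record per line, as a hypothetical
# internal admin tool might emit. Not a real log from any company.
SAMPLE_LOG = """\
{"ts": "2020-07-15T20:01:12Z", "actor": "alice", "action": "suspend_account", "target": "@spam_bot", "ticket": "SUP-101", "approver": ""}
{"ts": "2020-07-15T20:02:40Z", "actor": "bob", "action": "read_dm", "target": "@user2", "ticket": "", "approver": ""}
{"ts": "2020-07-15T20:03:05Z", "actor": "carol", "action": "reset_email", "target": "@bigname", "ticket": "SUP-102", "approver": ""}
{"ts": "2020-07-15T20:03:50Z", "actor": "carol", "action": "disable_2fa", "target": "@bigname", "ticket": "SUP-102", "approver": "dave"}
{"ts": "2020-07-15T20:04:10Z", "actor": "carol", "action": "reset_email", "target": "@user7", "ticket": "SUP-103", "approver": ""}
{"ts": "2020-07-15T20:04:55Z", "actor": "carol", "action": "reset_email", "target": "@user8", "ticket": "SUP-104", "approver": ""}
{"ts": "2020-07-15T21:30:00Z", "actor": "alice", "action": "read_dm", "target": "@user9", "ticket": "SUP-105", "approver": ""}
"""


def parse_log(text):
    """Parse newline-delimited JSON records and return them sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_violations(events, protected=PROTECTED_ACCOUNTS, burst_threshold=3, window_s=600):
    """Return (rule, actor, detail) tuples for every policy violation found.

    Rules:
      no_ticket             sensitive action with no support ticket attached
      protected_no_approver sensitive action on a protected account without an approver
      burst                 more than burst_threshold sensitive actions by one actor
                            within a sliding window of window_s seconds
    """
    violations = []
    recent = defaultdict(deque)  # actor -> timestamps of recent sensitive actions
    bursts_reported = set()      # report each actor's burst once, not per event

    for ev in events:
        actor, action, target = ev["actor"], ev["action"], ev["target"]
        if action not in SENSITIVE_ACTIONS:
            continue

        if not ev.get("ticket"):
            violations.append(("no_ticket", actor, target))

        if target in protected and not ev.get("approver"):
            violations.append(("protected_no_approver", actor, target))

        q = recent[actor]
        q.append(ev["ts"])
        # Drop timestamps that have fallen out of the sliding window.
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > burst_threshold and actor not in bursts_reported:
            violations.append(("burst", actor, f"{len(q)} sensitive actions in {window_s}s"))
            bursts_reported.add(actor)

    return violations


if __name__ == "__main__":
    for rule, actor, detail in find_violations(parse_log(SAMPLE_LOG)):
        print(f"{rule:22} {actor:8} {detail}")
```

On the sample log this flags bob’s DM read without a ticket, carol’s email reset on a protected account without an approver, and carol’s four sensitive actions in under two minutes; alice’s two actions an hour and a half apart are not a burst. A rule like this only works if the tool refuses to act without writing the log entry first, and if someone other than the tool’s users reads the alerts.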
What do you think? Let me know in the comment section below.
Jurica Dujmovic is a MarketWatch columnist.