On Wednesday, July 15th, 2020 a number of high profile Twitter accounts were taken over. Accounts of notable people such as Elon Musk, Jeff Bezos, as well as Cryptocurrency Exchanges were taken over and tweeted messages in a charity scam to raise bitcoin from the public. Over $120,000 dollars was sent to a bitcoin wallet by unsuspecting people!
Was this a sophisticated advanced persistent threat by a state-sponsored actor? Maybe someone trying to influence the elections.
This was a relatively straightforward social-engineering attack on Twitter Employees, specifically those that had access to Twitter’s Admin Panel. It was done by opportunistic casual teenagers and those in their 20’s. For a complete breakdown of the event, see this medium post by Lucky.
Twitter Hack Cybersecurity Lesson One – Check Your Password Reset Flow
Something I see time and again is a lack of a solid password reset flow. You want your password reset flow to be fully automated. Additionally, you do not want customer services reps setting “default” passwords for users and asking them to change it later. Users are likely not going to change the passwords later and now you have a whole subset of users out there with the same password! Additionally, you don’t want any other human knowing the password at all. Period.
Here are my recommendations for all PW reset flows
All Password Reset Flows
- Notifications are sent to old and new email addresses on file
- Notifications sent to phone numbers on file
- Unique password is automatically generated by the system and sent to user
- No one should know a user’s password except the user
User Initiated Password Reset Flows
- Email with a temporary token is sent to email address on file
- Token must expire within 24 hours (less based on your Threat Model)
- If 2FA is enabled, user must enter their 2FA token
Admin Initiated Password Reset Flows
- Verify user is legitimate and who they say are. Ask questions about their account only they should know such as:
- Last logged in location
- Last login date
- Information saved in their profile
- Forum postings or handle
- Temporary passwords sent to users with a force change password
- Verify the user can login with their newly set password (How many times have you forgotten your newly set password?)
- Changing an email address should initiate a notification
- If changing the email address of more than 5 by one person within an hour, then a second level of authorization or authentication should take place. Pick threshold and parameters based on your threat model.
- Removing a 2FA token should require additional security measures
- Initiate a notification to user’s emails and phone-numbers on file
- Request a recovery token from the user
- Require employee to enter their 2FA token to allow this operation
- Create a high sensitivity alert to administrators that this change has happened
- Block if more than three 2FA removals are done by the same employee within an hour
- Pick your threshold based on your threat model and past statistics
Twitter Hack Cybersecurity Lesson Two – Admin Employees
Admin employees often hold the keys to the kingdom. Some examples of employees that hold administrative roles ares:
- Customer Service Representatives
- Infrastructure Engineers
- Security Admins
Some things they can do are:
- Change orders or refund payments
- Change login information like passwords, email addresses, physical addresses, 2FA authentication
- Make changes to production website or content
- Bring down or terminate instances
- Submit code into production
Take a look at the people in your company that have these kinds of privileges. Understand their current workflow and the privileges they need to do their job. Take a look at the admin panels they use, are there multiple roles where least privilege is enforced? Or even worse are shared passwords being used?
Twitter Hack Cybersecurity Three – Social Engineering Is Real
If you don’t believe me, checkout Darknet Diaries Episode – Human Hacker. Or checkout this video where a hacker breaks into your phone account in 2 minutes (below)!
Update Your Threat Model
Many of us already know all the little things that we need to do to improve security in our environment, but knowing what is a priority is the hard part. There is no ONE SIZE FITS ALL in Information Security, so we need to understand:
- What are our current threats?
- What is our history of threats and incidents?
- What types of data are we trying to protect?
- What are different ways this data can be exploited? What is the impact of each scenario? What is the likelihood based on other companies stance
These are just some of the questions that are asked during a threat modeling exercise. Having the right people in the room and asking all the right questions will help you build a holistic threat model.
Another successful sign is when you have engaged engineers, especially senior ones, coming up with scenarios they may know specific to their industry.
Make sure you update and revisit your threat model periodically. I recommend quarterly as so many things change at a company experiencing high and fast growth.
Educate Your Employees
Empower your employees to ask questions and have a sense of when something is peculiar. Listen to the Darknet Diaries Episode – Human Hacker and see how employees were tricked or phished for their credentials.
Remember our employees are not “dumb” or “stupid”. If this is what you think about your employees, then your security efforts WILL FAIL. Sorry, I can’t sugarcoat. As security practitioners we need to be enablers, no gatekeepers. Contact me, and I’d be happy to discuss over coffee.
Customer services employees are often the front lines to the outside world. Ensure they verify accounts and rely on automation and metadata before making drastic changes to an account. (See above for tips of password reset flows). Social engineers are trying to get more information about the type of systems in place at your company. Even knowing where or what the outsource provider is for your Customer Service can be valuable. Train your employees to not let others know more information than they need.
Log All Changes
Log ALL changes. You need to have the ability to go back and understand what happened in the event of an incident.
Additionally, creating alerts for summarized changes may also help shorten the window for detection. Of course, I’m a believer of preventative and corrective controls over detective ones, however in the event that the former is not available, then we have detective controls.
Twitter Hack Cybersecurity Four – Secure Your Admin Panel
Sometimes known as “God Mode” most startup build an admin panel that is basically direct read/write access to the companies SaaS platform or database. It is very often insecurely protected and has minimal controls.
I have seen admin panels that had no password complexity requirements and where everyone had the same full admin access. Also any email address could be added as a user to the panel.
Some general guidelines:
- Limit admin users to @company domains only
- This prevents external users from being added
- Patch your admin panel libraries and systems often
- Employ the model of Least Privilege in your admin panel, see below
- Protect your admin panel from outside and unauthorized users, see below
Least Privilege For Your Admin Panel
The concept of least privilege means people (and machines) only have access (authentication) and permissions (authorization) for the minimum required to get the job done.
Do you have RBAC roles on admin or does everyone have admin privileges?
Create different groups with different sets of permissions, particular to their job. In the event they change jobs, you can simply change their role. Below are some sample roles:
- Full Admin – This is should be reserved to Engineers and Administrators
- Power User – Close to Administrators, not as destructive
- Customer Support – Usually the ability to reset passwords, update profile information, etc.
- Business Reporting – Sometimes only reports are needed, this role would provide access to generating reports
- Read-Only – An account for auditors or others to understand the systems without making changes
Of course find the number of roles that fit your organization, just try to keep it more than one.
Zero Trust Access To Your Admin Panel
Is your admin panel available to the world? Do you have 2FA to login and make changes? Do logins timeout or are they logged in forever? Do you have geo-fencing setup?
What about if someone logged in from San Francisco, California and then logged in from Montreal, Quebec Canada?
With such extraordinary power of the admin panel, you want to make sure it’s protected from the world. For example, what if your admin panel is using an outdated ruby gem that had a CVE (vulnerability) in it allowing unauthenticated access to the panel. Or maybe the server it’s running on got compromised, and now an attacker had access. Limiting the exposure of your admin panel will reduce your threat surface.
Adding a Zero-Trust network proxy in front of the admin panel reduces its footprint dramatically.
Can someone change the email address of 100 users in an instant? If so, make them re-authenticate, get secondary authorization, and/or add notifications to an admin group.
Conduct Social Engineering Tests On Your Admins
Not many companies will do this, but if you are a large public organization with sensitive data or government customers, you may want to consider conducting these tests.
Twitter Hack Cyber Security Five – All Your Secrets Belong To Us
According to the New York Times the attackers used access to data stored in engineer’s slack channels to further their access into other systems. It’s unclear whether they had credentials in those chats that gave access, or whether there were links to other internal administrative portals. Those links could have been authenticated or unauthenticated. Sometimes internal portals are “trusted” and have little or minimal authentication other than the fact they are coming from an internal source. Could have been using a shared password for all we know.
- Do not store secrets (passwords, authentication tokens, etc) in Slack or Messaging platforms
- Do not rely on “internal” anything for security and authentication
As you can see there is no ONE solution or silver bullet to all this. It’s all part of a defense in depth strategy. Attacks can come in many different directions and in different ways. The impact of access can have severe implications.
For a relatively novice attacker to get through so easily, says something about how fragile our systems are sometimes or how we underestimate the abilities of an attacker.
Did you find this article helpful? Please share or like it if you did. Have a suggestion or comment? Would love to hear from you. Need help figuring our your Cloud Security or getting your team onboard? Let’s talk.