Gordon Campbell | Parliament TV | Parliament Today | News Video | Crime | Employers | Housing | Immigration | Legal | Local Govt. | Maori | Welfare | Unions | Youth | Search


What We Can Learn From Twitter’s Big Hack


We at NortonLifeLock Labs are committed to keeping consumers safe online and helping them make wise decisions about their security, identity and privacy. Therefore, we take the integrity of information shared online incredibly seriously – especially now that we are headed towards an election. As part of our efforts in this space, we are focusing our research on activities that prey on people and exploit the difficulty of assessing the legitimacy of information online, including detecting scams and disinformation networks. To that end, we recently released BotSight, a tool that can detect certain types of social bots and show those findings inline to Twitter users.

Last Wednesday, the Twitter accounts of numerous high-profile politicians, billionaires, and other notable figures were taken over by attackers to fraudulently solicit Bitcoin from their followers.

While the details of precisely how the attack was carried out are still a little murky, it is clear that the attackers managed to net a little over $118,000 for an attack lasting a few hours.

More interesting than the specifics of this attack are the vulnerabilities in the social media ecosystem that it exposed: we trust (perhaps too much) the authenticity of the messages on social platforms, especially from accounts of famous individuals, likely assuming that such accounts would be highly secured and “impenetrable”. Reality has however demonstrated that we should always consume online content with great caution.

Imagine if this hack had taken place on November 3, 2020, during the US election. Imagine if the attacker, during prime polling hours at 5 PM, had taken over Joe Biden’s account and tweeted that he had conceded to President Trump, and asked his supporters not to cast any more ballots. Imagine if Governor Gretchen Whitmer of Michigan tweeted that polling places were unsafe in the Detroit metro area and people should avoid them until further notice. Imagine if the official Twitter account for the Philadelphia Police Department had tweeted there was a bomb threat at some polling location.

For this week’s attack, 2 hours to fix the problem may seem very fast. But on election day, 2 hours of disinformation could seem like an eternity. This attack underscores the very real danger of social media and its potential impact on democracy. And this scenario is not unique to Twitter – next time it might be Facebook or Instagram. All social media companies are vulnerable; or in fact, it is us who are vulnerable and social media is just the platform.

Regardless of whether the attack was a result of malicious insiders, or insiders being compromised through phishing, this raises the question of how and why we trust the contents of a Tweet. Can anyone inside Twitter create a new Tweet on behalf of a high-profile account? And how do we defend not just the person who posted the Tweet, but the people reading it?

Some possible solutions would be to develop stronger authenticity guarantees around Tweets (1), have Twitter flag certain accounts as possibly hacked and alert the public while they investigate, and educate the public about these types of threats.

In the Tweet below, Twitter displays the device used to post the Tweet (Twitter Web App). However, it doesn’t check whether this device, in fact, belongs to Jeff Bezos. Twitter can borrow a technique from cryptography called “digital signing” to fix this. This technique, if implemented carefully, would allow each user to mathematically prove that a Tweet was sent from their own device, and would make forging Tweets much more difficult. Each device, when registered, would create secret random data, called a certificate, in the device’s protected trusted enclave. The certificate would be stored by Twitter in a special structure, called a ledger, for the world to see – but since the certificate is random, this would not violate a user’s privacy. This certificate would be used to sign all the Tweets a person sends, automatically, inside the Twitter app. When you see a signed Tweet, your Twitter app could then automatically check the Tweet’s authenticity by verifying the certificate exists on the ledger and belongs to the same person that created the Tweet.

While this has a few downsides, like not allowing Tweeting from a random web browser, it might make sense to implement for a few accounts of special significance, like public figures or users with massive followings (2).

Second (and more easily), Twitter could create an annotation on an account that it believes might have been compromised, which would take special privileges to set and remove. This annotation would be displayed to all users viewing any of that account’s Tweets, notifying them that the messages stemming from that account might not be authentic. This would be a more effective strategy than just repeatedly taking down offending Tweets.

Finally, we all have to be wary since there is only so much the social media companies can do to protect us from misinformation. We must understand that there is a significant possibility this, or something like it, will happen again. Because the next time an attack of this scale happens, the consequences might not be $118,000 of stolen Bitcoin, but an election.

While some tools, like NortonLifeLock Labs’s BotSight, are capable of detecting certain types of social bots, it’s ultimately up to each person to be critical of the information we read and determine whether the information is real or fake.

As the election looms closer, we all need to be aware that in the information war, the real targets are not Twitter, or Facebook, or Google. The real targets are us.


1. Emails can be signed using a per-device key, which is checked against a blockchain of known keys. Tweets can be equipped with the same security

2. Even for the case of a random browser, you could use an existing device to automatically communicate with Twitter and sign the Tweet with the owner’s permission. This would be a little difficult to do correctly but might be the correct solution long-term.

NortonLifeLock Labs™ is the cornerstone of NortonLifeLock’s thought leadership in Cyber Safety, leading the company’s future technology and guiding the consumer cybersecurity industry around the globe. The Labs team, sitting within the office of the CTO, includes leading threat and security researchers aimed at protecting customers against known and new threats and delivering consumer-focused innovation in the space of security, privacy and identity. Through these efforts, we continually improve our industry-leading protection and detection capabilities to help keep consumers Cyber Safe, while also delivering innovative prototypes with test-friendly features so adventurous users can learn and offer feedback.

Copyright © 2020 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Other names may be trademarks of their respective owners.

© Scoop Media

Parliament Headlines | Politics Headlines | Regional Headlines

Gordon Campbell: On The America’s Cup, Critical Race Theory And A New, Weekly Music Playlist

So… Why don’t they just cut to the chase, and call it the Emirates Cup? As this column predicted several months ago, the next America’s Cup challenge is headed overseas. Here’s what Werewolf said back in March:
Emirates has made a major commitment to Portsmouth/Isle of Wight as a sailing centre of excellence – and voila, that’s where the next challenger of record is coming from, and where the next Cup contest could well be sailed. Such incredible luck for Emirates, right..? More>>


Marine: Wider Roll-out Of Cameras On Boats To Support Sustainability And Protect Marine Life

Up to 300 inshore commercial fishing vessels will be fitted with on-board cameras by 2024 as part of the Government’s commitment to protect the natural marine environment for future generations... More>>


Government: Plan For Vaccine Rollout For General Population Announced

New Zealanders over 60 will be offered a vaccination from July 28 and those over 55 from August 11, Prime Minister Jacinda Ardern announced today... More>>


Jewish Council: New Zealand Not Immune From Rise In Antisemitism

The representative body of New Zealand Jewry, the NZ Jewish Council (NZJC), has expressed concern about the high number of antisemitic incidents in New Zealand recorded last month. Spokesperson for the NZJC, Juliet Moses, said... More>>

NZNO: Nurses Reject DHB Offer And Confirm Strike Action

The New Zealand Nurses Organisation says its 30,000 members who work in DHBs have voted overwhelmingly to reject a second offer in their current round of multi-employer collective agreement (MECA) negotiations... More>>





InfoPages News Channels