Scoop has an Ethical Paywall
Work smarter with a Pro licence Learn More

Gordon Campbell | Parliament TV | Parliament Today | News Video | Crime | Employers | Housing | Immigration | Legal | Local Govt. | Maori | Welfare | Unions | Youth | Search

 

What We Can Learn From Twitter’s Big Hack

 

We at NortonLifeLock Labs are committed to keeping consumers safe online and helping them make wise decisions about their security, identity and privacy. Therefore, we take the integrity of information shared online incredibly seriously – especially now that we are headed towards an election. As part of our efforts in this space, we are focusing our research on activities that prey on people and exploit the difficulty of assessing the legitimacy of information online, including detecting scams and disinformation networks. To that end, we recently released BotSight, a tool that can detect certain types of social bots and show those findings inline to Twitter users.

Last Wednesday, the Twitter accounts of numerous high-profile politicians, billionaires, and other notable figures were taken over by attackers to fraudulently solicit Bitcoin from their followers.

While the details of precisely how the attack was carried out are still a little murky, it is clear that the attackers managed to net a little over $118,000 for an attack lasting a few hours.

More interesting than the specifics of this attack are the vulnerabilities in the social media ecosystem that it exposed: we trust (perhaps too much) the authenticity of the messages on social platforms, especially from accounts of famous individuals, likely assuming that such accounts would be highly secured and “impenetrable”. Reality has however demonstrated that we should always consume online content with great caution.

Advertisement - scroll to continue reading

Are you getting our free newsletter?

Subscribe to Scoop’s 'The Catch Up' our free weekly newsletter sent to your inbox every Monday with stories from across our network.

Imagine if this hack had taken place on November 3, 2020, during the US election. Imagine if the attacker, during prime polling hours at 5 PM, had taken over Joe Biden’s account and tweeted that he had conceded to President Trump, and asked his supporters not to cast any more ballots. Imagine if Governor Gretchen Whitmer of Michigan tweeted that polling places were unsafe in the Detroit metro area and people should avoid them until further notice. Imagine if the official Twitter account for the Philadelphia Police Department had tweeted there was a bomb threat at some polling location.

For this week’s attack, 2 hours to fix the problem may seem very fast. But on election day, 2 hours of disinformation could seem like an eternity. This attack underscores the very real danger of social media and its potential impact on democracy. And this scenario is not unique to Twitter – next time it might be Facebook or Instagram. All social media companies are vulnerable; or in fact, it is us who are vulnerable and social media is just the platform.

Regardless of whether the attack was a result of malicious insiders, or insiders being compromised through phishing, this raises the question of how and why we trust the contents of a Tweet. Can anyone inside Twitter create a new Tweet on behalf of a high-profile account? And how do we defend not just the person who posted the Tweet, but the people reading it?

Some possible solutions would be to develop stronger authenticity guarantees around Tweets (1), have Twitter flag certain accounts as possibly hacked and alert the public while they investigate, and educate the public about these types of threats.

In the Tweet below, Twitter displays the device used to post the Tweet (Twitter Web App). However, it doesn’t check whether this device, in fact, belongs to Jeff Bezos. Twitter can borrow a technique from cryptography called “digital signing” to fix this. This technique, if implemented carefully, would allow each user to mathematically prove that a Tweet was sent from their own device, and would make forging Tweets much more difficult. Each device, when registered, would create secret random data, called a certificate, in the device’s protected trusted enclave. The certificate would be stored by Twitter in a special structure, called a ledger, for the world to see – but since the certificate is random, this would not violate a user’s privacy. This certificate would be used to sign all the Tweets a person sends, automatically, inside the Twitter app. When you see a signed Tweet, your Twitter app could then automatically check the Tweet’s authenticity by verifying the certificate exists on the ledger and belongs to the same person that created the Tweet.

While this has a few downsides, like not allowing Tweeting from a random web browser, it might make sense to implement for a few accounts of special significance, like public figures or users with massive followings (2).

Second (and more easily), Twitter could create an annotation on an account that it believes might have been compromised, which would take special privileges to set and remove. This annotation would be displayed to all users viewing any of that account’s Tweets, notifying them that the messages stemming from that account might not be authentic. This would be a more effective strategy than just repeatedly taking down offending Tweets.

Finally, we all have to be wary since there is only so much the social media companies can do to protect us from misinformation. We must understand that there is a significant possibility this, or something like it, will happen again. Because the next time an attack of this scale happens, the consequences might not be $118,000 of stolen Bitcoin, but an election.

While some tools, like NortonLifeLock Labs’s BotSight, are capable of detecting certain types of social bots, it’s ultimately up to each person to be critical of the information we read and determine whether the information is real or fake.

As the election looms closer, we all need to be aware that in the information war, the real targets are not Twitter, or Facebook, or Google. The real targets are us.

Footnotes

1. Emails can be signed using a per-device key, which is checked against a blockchain of known keys. Tweets can be equipped with the same security

2. Even for the case of a random browser, you could use an existing device to automatically communicate with Twitter and sign the Tweet with the owner’s permission. This would be a little difficult to do correctly but might be the correct solution long-term.

NortonLifeLock Labs™ is the cornerstone of NortonLifeLock’s thought leadership in Cyber Safety, leading the company’s future technology and guiding the consumer cybersecurity industry around the globe. The Labs team, sitting within the office of the CTO, includes leading threat and security researchers aimed at protecting customers against known and new threats and delivering consumer-focused innovation in the space of security, privacy and identity. Through these efforts, we continually improve our industry-leading protection and detection capabilities to help keep consumers Cyber Safe, while also delivering innovative prototypes with test-friendly features so adventurous users can learn and offer feedback.

Copyright © 2020 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Other names may be trademarks of their respective owners.

© Scoop Media

Advertisement - scroll to continue reading
 
 
 
Parliament Headlines | Politics Headlines | Regional Headlines


Gordon Campbell: On The US Opposition To Mortgage Interest Deductibility For Landlords


Should landlords be able to deduct the interest on the loans they take out to bankroll their property speculation? The US Senate Budget Committee and Bloomberg News don't think this is a good idea, for reasons set out below. Regardless, our coalition government has been burning through a ton of political capital by giving landlords a huge $2.9 billion tax break via interest deductibility, while still preaching the need for austerity to the disabled, and to everyone else...
More


 
 

Government: Concerns Conveyed To China Over Cyber Activity
Foreign Minister Winston Peters has confirmed New Zealand’s concerns about cyber activity have been conveyed directly to the Chinese Government. “The Prime Minister and Minister Collins have expressed concerns today about malicious cyber activity... More

ALSO:


Government: GDP Decline Reinforces Government’s Fiscal Plan

Declining GDP for the December quarter reinforces the importance of restoring fiscal discipline to public spending and driving more economic growth, Finance Minister Nicola Willis says... More

ALSO:


Government: Humanitarian Support For Gaza & West Bank

Winston Peters has announced NZ is providing a further $5M to respond to the extreme humanitarian need in Gaza and the West Bank. “The impact of the Israel-Hamas conflict on civilians is absolutely appalling," he said... More


Government: New High Court Judge Appointed

Judith Collins has announced the appointment of Wellington Barrister Jason Scott McHerron as a High Court Judge. Justice McHerron graduated from the University of Otago with a BA in English Literature in 1994 and an LLB in 1996... More

 
 
 
 
 
 

LATEST HEADLINES

  • PARLIAMENT
  • POLITICS
  • REGIONAL
 
 

InfoPages News Channels


 
 
 
 

Join Our Free Newsletter

Subscribe to Scoop’s 'The Catch Up' our free weekly newsletter sent to your inbox every Monday with stories from across our network.