Week 5 Studio: Twitter Advertising Bitcoin
Many companies and services have high-risk users who are specifically targeted by dedicated attackers. One famous example is Google’s Gmail. One Gmail user back in 2016 was John Podesta, the chairman of Hillary Clinton’s campaign for President of the United States. Mr. Podesta was targeted by foreign hackers, later attributed to Russian military intelligence, who broke into his Gmail account, stole his emails, and published them through WikiLeaks.
Most companies are excited when famous or important people start using their service. But the security teams at those companies often get worried as their users become more famous.
For our case study this week, we are going to look at a breach at Twitter in 2020 that made the accounts of a large number of famous people, including Joe Biden and Elon Musk, advertise a fake Bitcoin giveaway. The attackers received bitcoin transfers worth over $118,000 in less than 3 hours.
Start by reading this case report on the breach: https://security-assignments.com/cases/case-twitter-2020. The New York Times also has a good report on what happened: https://www.nytimes.com/2020/07/15/technology/twitter-hack-bill-gates-elon-musk.html
These reports will give you a good overview of what happened here, who did it, and how Twitter responded.
Part 1: Understand the Case
Let’s use the skills we’ve been developing to understand this case. Start by reading the case report. You’ve read through a number of case studies, and are starting to get a better gut feeling for what information is important and what information isn’t. Trust your gut; you can always go back and look again later.
Let’s go through the same process we have been doing for the last couple of weeks to map out and understand what is happening:
- Figure out who the relevant actors are. We’ve got the attackers (hackers), the victim, additional defenders, etc. Fill out an actors and motivations worksheet for each of them to think through who was doing what, and why they did what they did.
  The “Epilogue” section of the case report includes links to later news articles about the specific hackers. You might want to skim those to identify who the actual hackers were and what their motivations were.
- Figure out how the attack worked, and what weakness enabled it.
  You can use the vulnerability worksheet if you like, to help you understand the weakness these attackers were exploiting.
Don’t spend too long on this. Details help, but all of this work is really to help you gain a basic understanding of what happened. You should hopefully be getting faster and better at these tasks as you practice them every week.
Part 2: Fixing the Problem
Next, we want to try to solve this problem. Imagine you are Twitter and you just got hacked. Or imagine that you are one of Twitter’s competitors (Facebook? Mastodon? YouTube?). What would you change so that this doesn’t happen again? The hackers just showed the rest of the world how to make money by exploiting you, and you don’t want copycat hackers to do the same thing to you.
What changes would you make?
Start by talking to your teammate(s) and making an initial list of suggestions. Try to be comprehensive. Remember: this breach cost Twitter a lot of money to deal with, and cost Twitter users well over $100,000 in bitcoin. It is worth a lot of time and effort to stop things like this from working.
Think about ways that you can communicate securely. What would you need to change so that you could trust that a message really comes from who it says it does? Should the tweet carry information about how the person was logged into Twitter (e.g., logged in using 2FA from their phone)? Should you include GPS location information that readers could verify? Should you encrypt the message so that only you and the original sender can read it? (How?) Should you require that all messages be digitally signed on the sender’s own device? Should you require users to use 2FA, or security keys? Should you change how the servers operate, or who inside Twitter has access to them?
Write down every suggestion for what Twitter (or a similar social media company) might do to stop attacks like this. Talk through the ideas with your teammate(s); record every one, and feel free to cross out ideas that you decide aren’t very good.
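The question of signing messages on the sender’s own device deserves a concrete look, because it is the one suggestion that directly addresses what happened here: the attackers did not need any victim’s password, they posted through Twitter’s own internal tools. The block below is an added example written for this studio, not code from the case report or from Twitter. It models a tweet whose author, timestamp and text are signed with an Ed25519 key that lives only on the author’s device, then plays out the 2020 scenario: an attacker with admin-tool access inserts a post into the account (unsigned), and also tries to splice a genuine signature onto new text. The handle, timestamp and texts are constructed. The caveat a practitioner should add: this protects readers only if they obtain the author’s public key from somewhere other than the compromised platform, and it does nothing if the author’s own device is compromised.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Post is a minimal model of a tweet. The signature covers every field, so an
// attacker cannot splice a genuine signature onto different text, a different
// author, or a different time.
type Post struct {
	Author    string
	UnixTime  int64
	Text      string
	Signature []byte // Ed25519 signature made on the author's device
}

// canonical returns the exact bytes that get signed. Length prefixes make the
// encoding unambiguous: bytes cannot be shifted between Author and Text.
func canonical(p Post) []byte {
	var buf []byte
	for _, field := range []string{p.Author, p.Text} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(field)))
		buf = append(buf, n[:]...)
		buf = append(buf, field...)
	}
	var t [8]byte
	binary.BigEndian.PutUint64(t[:], uint64(p.UnixTime))
	return append(buf, t[:]...)
}

// SignPost runs on the author's own device. The private key never leaves it,
// so nobody with access to the platform's servers or admin tools can call this.
func SignPost(priv ed25519.PrivateKey, p Post) Post {
	p.Signature = ed25519.Sign(priv, canonical(p))
	return p
}

// VerifyPost runs in the reader's client against a public key the reader
// pinned earlier. If the key itself is fetched from the compromised platform,
// the attacker can simply publish their own key, so key distribution is the
// hard part this example does not solve.
func VerifyPost(pub ed25519.PublicKey, p Post) bool {
	if len(p.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, canonical(p), p.Signature)
}

// Scenario replays the 2020 situation with signing in place: the attacker
// controls the platform's posting path but not the author's key.
// It returns (genuine verifies, unsigned forgery verifies, spliced-signature forgery verifies).
func Scenario() (bool, bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample post, signed on the author's device.
	genuine := SignPost(priv, Post{Author: "@example_user", UnixTime: 1594839600, Text: "Good morning."})

	// Attacker with admin-tool access writes a post into the account without the key.
	forged := Post{Author: "@example_user", UnixTime: 1594840000, Text: "Send BTC and I will double it."}

	// Attacker reuses the genuine post's signature over the new text.
	spliced := forged
	spliced.Signature = genuine.Signature

	return VerifyPost(pub, genuine), VerifyPost(pub, forged), VerifyPost(pub, spliced)
}

func main() {
	g, f, s := Scenario()
	fmt.Printf("genuine=%v forged=%v spliced=%v\n", g, f, s)
}
```

Run it with `go run .`; the genuine post verifies and both forgeries fail. Notice what this does and does not change for Twitter: a compromised employee account can still delete or hide posts, lock the real user out, or change which public key the site displays. Signing moves the trust question from “do I trust Twitter’s servers?” to “how did I get this person’s key?”, which is exactly the question Part 2 asks you to think about.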
After you make your initial list, I want you to think about two more sets of challenges:
High-risk users
Most Twitter (now X) users are like you and me: not very important and not at particularly high risk of being attacked. But some users face much higher risk. For example, both Donald Trump and Joe Biden have Twitter (X) accounts that they post on. So do Elon Musk and Bill Gates. Famous, important people’s tweets can have major effects in the world, including causing international incidents and moving stock markets. This puts them at much higher risk of attack than the rest of us.
Twitter, as the service provider, isn’t just providing a service to us. It is also providing this service to those high-risk users, who are likely to be subject to dedicated, persistent, and sophisticated attacks. As this incident illustrates, you don’t necessarily have to hack into Bill Gates’s account to post as him; you can instead hack into Twitter itself. So the risk that Twitter faces (the likelihood of attack, the sophistication of attack, etc.) is at least as high as the risk faced by the highest-risk user on the site.
How should Twitter think about this? What kinds of things should Twitter do to handle the fact that some of the accounts on the site are at very high risk of attack?
Restoring Trust
I want you to think about this from a user’s point of view. Someone just posted from Bill Gates’s account, or Elon Musk’s account, or your best friend’s account. How do you know it is really them? Should you just trust Twitter? (Obviously not; that wasn’t actually Bill Gates posting.)
Security isn’t just stopping attacks. It is equally, and possibly more, important that people know you are stopping those attacks. After Twitter suffered this breach, a lot of people wondered whether you could really trust anything that was being posted on Twitter. After all, a small group of young hackers, led by a teenager, had just broken into Twitter and posted as some of the richest, most powerful people on the planet.
What kinds of things should Twitter do to restore trust? As you think about what you would suggest Twitter do, think about what, if anything, they can do to help people trust that Twitter users really are who they say they are. Go through your existing list(s), and see which of those things might help restore trust.
To do this, think about visibility; which of your suggestions are invisible, behind-the-scenes fixes that actually protect Twitter, but no one can really tell if they are working? And which of your suggestions are visible things that end users actually can see working, that might help convince them that Twitter is taking this problem seriously and that they should trust Twitter?
Go through your existing list, and label which ones are visible vs. invisible suggestions. And then brainstorm and think about if there are any additional suggestions you would make to help users trust the content on Twitter again.
Compare with Twitter’s response
Twitter made a bunch of changes after this happened (another summary is on the case study page). Mostly, they tried to improve their authentication: they moved employees to hardware security keys instead of one-time codes. They also restricted access to their internal account-management tools so that only employees who needed to work with account information could reach them.
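Why does swapping one-time codes for hardware security keys matter so much? Twitter described the intrusion as a phone spear-phishing attack on its employees, and one-time codes are weakest against exactly that: a code an employee reads off their phone can be typed into an attacker’s look-alike page and forwarded to the real login within its validity window. The block below is an added example written for this studio, not Twitter’s code or anything from the case report. It implements a standard 30-second TOTP code (RFC 6238) and a deliberately simplified WebAuthn-style assertion in which the browser, not the employee, writes the origin it is actually talking to into the signed data. The two origins, shared secret and timestamp are constructed; the real WebAuthn format has more fields than modelled here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// TOTP derives the 6-digit code for the 30-second step containing unixTime
// (RFC 6238 with the default HMAC-SHA1).
func TOTP(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := int(sum[len(sum)-1] & 0x0f) // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// otpLogin is the real service checking a code. It cannot tell whether the
// employee typed the code into the real page or into a phishing page.
func otpLogin(secret []byte, code string, unixTime int64) bool {
	return hmac.Equal([]byte(TOTP(secret, unixTime)), []byte(code))
}

// Assertion is a simplified security-key response: the origin is filled in by
// the browser from the page it is really on, and the key signs over it.
type Assertion struct {
	Origin    string
	Challenge []byte
	Sig       []byte
}

func assertionBytes(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	return append(h[:], challenge...)
}

func signAssertion(priv ed25519.PrivateKey, origin string, challenge []byte) Assertion {
	return Assertion{Origin: origin, Challenge: challenge,
		Sig: ed25519.Sign(priv, assertionBytes(origin, challenge))}
}

// keyLogin is the real service: it rejects any assertion made for another
// origin or over a challenge it did not issue, then checks the signature.
func keyLogin(pub ed25519.PublicKey, expectedOrigin string, issued []byte, a Assertion) bool {
	if a.Origin != expectedOrigin || !bytes.Equal(a.Challenge, issued) {
		return false
	}
	return ed25519.Verify(pub, assertionBytes(a.Origin, a.Challenge), a.Sig)
}

// RelayAttack runs the same credential-relay phish against both factors.
// It returns (OTP relay succeeded, security-key relay succeeded).
func RelayAttack() (bool, bool) {
	const realOrigin = "https://vpn.example-corp.test"  // constructed
	const phishOrigin = "https://vpn.example-c0rp.test" // constructed look-alike

	// OTP: the employee types the current code into the phishing page; the
	// attacker forwards it to the real login a few seconds later.
	secret := []byte("constructed-shared-secret")
	now := int64(1594839600)
	typedIntoPhish := TOTP(secret, now)
	otpOK := otpLogin(secret, typedIntoPhish, now+5)

	// Security key: the attacker forwards the real service's challenge to the
	// phishing page, but the employee's browser binds the assertion to phishOrigin.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	relayed := signAssertion(priv, phishOrigin, challenge)
	keyOK := keyLogin(pub, realOrigin, challenge, relayed)
	return otpOK, keyOK
}

func main() {
	otpOK, keyOK := RelayAttack()
	fmt.Printf("relayed one-time code accepted: %v\nrelayed security-key assertion accepted: %v\n", otpOK, keyOK)
}
```

The relayed one-time code is accepted and the relayed security-key assertion is not, with no change on the service side other than checking the origin. That is the property Twitter bought by moving to security keys; it says nothing about the second change (restricting who can reach the admin tools), which is what limits the damage when an employee is compromised anyway.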
Similarly, after the John Podesta email hack (mentioned in the first paragraph above), Google created a special “Advanced Protection Program” for high-risk users such as politicians, journalists, and victims of intimate partner abuse.
How did their changes compare with your suggestions? Did they do everything you would have suggested? Did they do anything above-and-beyond what you suggest? Did they do anything that you considered and rejected?
Twitter is a major company with a (presumably) competent cybersecurity team. Take their changes seriously as a reasonable answer. See what you missed, and think about why they might have chosen what they did. Did they make a different tradeoff than you did? Did they prioritize something different than you would have?
But also, remember that Twitter isn’t perfect. Indeed, they have been breached multiple times since this incident. Maybe they didn’t do enough, and they should listen to some of your suggestions?