Graham Ivan Clark, Onel de Guzman and Michael Calce. These three names will go down in e-commerce history alongside Jack Dorsey, Mark Zuckerberg and Jeff Bezos.
We all know the high profile entrepreneurs who have provided us with the tools and services that underpin our digital economy. However, Clark, de Guzman, and Calce are equally notable as leading members of the script kiddies hall of fame – teens who educate early on how the same tools and services are riddled with profound privacy and security flaws.
The problem is that Clark, 17, of Tampa, Florida, is teaching us much of the same lessons in the summer of 2020 that de Guzman and Calce did in the spring of 2000 I love you email virus orbiting the globe infecting millions of personal computers; Calce, aka Mafiaboy, published the Melissa internet worm that knocked offline Amazon, CNN, eBay, and Yahoo.
Judging by the success of the script kiddies, the tech giants apparently haven’t learned much about security in 20 years. Clark was arrested in late July on charges of hijacking and tweeting the Twitter accounts of A-list celebrities subtract a bitcoin scam. Its capers are worrying in two ways. First, it shows how resistant companies are to very workable cyber hygiene practices – measures that would prevent such hacks. Second, it reminds us of the ability to devastate really malicious parties, not just script kiddies. That’s terrifying considering the times we are in. On the cusp of electing a U.S. president as the world struggles to recover from a global pandemic, there are nuanced lessons we can learn from the Twitter bitcoin hack. Here’s what all consumers and businesses should be aware of going forward.
How the hack happened
Court records and New York Times coverage portray Clark as a selfish youth who went the wrong way by cheating on other Minecraft video game players and then resorting to mobile hacking scams to steal Bitcoin. With the handles “Open” and “OneHCF”, Clark became notorious to sell cool Minecraft names and accessories, like character capes, to other players for $ 50-100; he made the sales pitch, collected the money, but then never delivered the goods or quickly retrieved the items.
He graduated next SIM exchange. This involved collecting personal information about a targeted victim and then using that information to convince a cellular operator to transfer the victim’s SIM card metadata to a blank SIM card in their possession. In 2019, Clark took control of a Seattle tech investor’s smartphone and allegedly stole 164 bitcoins, valued at $ 864,000 at the time. The US secret service got involved and returned 100 bitcoins to the victim. Notably, authorities let Clark off the hook despite having evidence of his role, according to New York Times reporting.
Encouraged, Clark next targeted Twitter. Clark and several co-conspirators took a two-step approach. First he fought his way into the company network of Twitter via phishing. Next, they moved sideways wherever they could to understand how Twitter’s network was set up.
“This knowledge then enabled them to approach additional employees who had access to our account support tools,” he said the company said in a statement. “Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, eventually tweeted 45, accessed 36 DM inboxes, and downloaded seven Twitter data.”
The intruders took control of the accounts of Barack Obama, Jeff Bezos, Elon Musk, Bill Gates, Joe Biden, Mike Bloomberg and Kanye West, among others. They tweeted of these celebrities’ official accounts and performed bitcoin variants of the classic Nigerian prince-guy from Grift, which grossed $ 118,000 in Bitcoin payments in just over an hour before Twitter discovered and stopped the fake activity.
The Consequences of Abuse on Social Media
It’s easy to sell a teen who cleverly uses villainous tweets to gullible victims with a too good to be true get-rich-quick as triviality. However, the Twitter bitcoin hack underscores the possibility that social media could be misused for malicious purposes. This is anything but a trivial development in these times. Consider how social media services have emerged as powerful tools for influencing public opinion – at a time when some weighty questions are on the table about civilization as we know it: Will democracy be in America give way to authoritarianism? Can the nations of the world unite to stop climate change? What will the global economy look like after Covid-19? Should social injustice and the distorted distribution of wealth continue as usual?
Continue reading: The Big Twitter Hack vs. Privacy
Another script kiddie hack vividly illustrates the immense potential of social media services to be abused by anyone, whatever their motives. I’m referring to how the teenage users of the TikTok and K-Pop social media sites Registered en masse for tickets to a Trump rally last June in Tulsa, Oklahoma. This has got the rally organizers to brag about receiving 1 million reservation requests. Only 6,200 people came to a venue set up for a crowded crowd of 20,000.
In the meantime, Facebook boss Mark Zuckerberg has come under fire from his own employees this summer for not contradicting Trump’s Facebook posts and ultimately rejecting everything ignite the George Floyd protests. In contrast, Twitter CEO Jack Dorsey has opened up on details about how his company was hacked and has promised to do better. And on July 21st, Dorsey was leading the Mea Culpa of sorts Removal of thousands of Twitter QAnon accounts used to spread baseless conspiracy theories.
Zuckerberg eventually gave in to public pressure and followed Dorsey’s lead on August 7th Blocking of the Facebook account one of the largest public groups fueling QAnon conspiracy theories. QAnon has been using Twitter and Facebook for several years to stir up fear and hatred. You may remember that this is the group that spread this Pizzagate, a conspiracy theory Hillary Clinton accused of running a child trafficking ring at a pizzeria in Washington, DC. This resulted in one Vigilante shows up in the restaurant in December 2016 and opening the fire in a closet.
I’m not at all surprised that the public is calling for social media companies to lean more towards the social justice movement. Moving in this direction would position Twitter and Facebook much better with a large percentage of the population. However, this is in contradiction to the profitable imperative of one’s own board of directors.
“Facebook and Twitter are in the unenviable position of being stuck on multiple fronts amid gigantic social conflicts,” observes Karthik Krishnan, CEO of Concentric.ai, a San Jose, California-based artificial intelligence systems provider. “There is no way these social media giants are going to make everyone happy.”
Why ‘Least Privilege’ Make Sense
It would be a big step forward if Twitter and Facebook at least did more to strengthen the security of their company’s IT systems. Like many large companies, the social media giants have placed far too much emphasis on agility – opening their systems to everyone – and not nearly enough on basic cyber hygiene. There’s really no excuse for that. Twitter has a market valuation of over $ 30 billion, but when the chief information security officer (CISO) left the company last December, the company did nothing; it was still searching for a replacement CISO seven months later – when the celebrity accounts were hijacked.
Clark’s successful hack showed that Twitter doesn’t even have a “least privilege“Approach to account access that is a small step towards the introduction of a full”Zero trust“Identity and Access Management (I AM) Processes that many advanced companies in the technology and finance sectors have adopted. Had it enforced the least privileged access, Twitter would have had a very narrowly defined and closely monitored list of employees who could take control of the celebrity’s accounts. It would have been a lot harder for young Mr. Clark to find anyone on that short list and cheat on them. And even if they did, any unusual use of this access would quickly have triggered a warning.
In fact, given the sensitive personal information they collect and monetize, Twitter and Facebook should already be Zero Trust. Zero Trust boils down to not trusting anyone until they can prove who they are and why they deserve access. To achieve this, Zero Trust uses automation and machine learning to decompose and dice access queries at multiple levels. This makes it much more difficult to pull through security breaches; it limits the damage that can be caused by any hacker who breaks through.
We could all just wait for human users to somehow become less gullible. Aside from this ever happening, Zero Trust is the future. Twitter and Facebook should have steered towards zero trust long ago. Will they do this now after all that has happened in 2020 so far? We will see. I will keep watch.