Comments by "XSportSeeker" (@XSpImmaLion) on "how a social engineering attack DESTROYED Twitter (feat. Marcus Hutchins) // Twitter Hack 2020" video.
-
Necroposting, but sharing some thoughts.
I think the reality of it is that this had a few components to happen.
1. A social engineering component of sorts. Of sorts because apparently it wasn't the stuff you usually hear about social engineering, the example given by... Chuck?/ITProTV. Who knows what the truth is, but I think Marcus and Chuck are right given the timing, the way it happened, and the reports. And man, could this have been much much worse. It was as close to White Hat Hacking as it could be, almost unbelievably so;
2. Weak/bad/loose policies while handling sensitive user data... which is part of the vast majority of leaks and hack cases - Equifax, US Voter leak, Dow Jones leak, WWE leak, Verizon leak, Time Warner Cable leak, etc etc etc. And honestly, I think it'll take an accidental war and deaths for businesses to start thinking more seriously about this. If tech corporations that are directly involved with tech, have security sectors by necessity, and are directly handling throngs of sensitive user data on a daily basis, still can't think of basic stuff like that, let alone everyone else that isn't in that exact situation;
3. Exploitable platform. I didn't hear people questioning this point much, but you gotta ask if Twitter having an administrative tool that allows someone else, even if it's an administrator or Twitter worker, to publish messages (in this case public Tweets) on someone's behalf is a good idea at all. Personally, I think this is the most important thing that came out of this entire case. It involves all the hacking and leaking cases where a disgruntled worker was the source - Sony, Capital One, Griffin Hospital, AshleyMadison, Marriott's Hotels, etc. But you gotta think about it. Not that it comes as much of a surprise, but it's too much power for individuals to have. Arguably, it's too much power for a company to hold.
It's already kinda been forgotten and there have been no public changes or further explaining on this, which is extremely bad in itself.
Thing is, in a sane world where privacy and security was really held up in high regard, this wouldn't be just a problem Twitter had - this would call for a total rethinking of the platform itself.
If those administrative tools still exist, there is nothing that prevents a similar attack from happening, with worse consequences this time, by more powerful people.
Contractual obligations, consciousness and righteousness be damned, if a foreign state or big hacking group gets a hold of some Twitter employee, they'll find a way of getting it.
And you see, that administrative tool shouldn't exist, really. Not with the power it has.
Perhaps Tweeting with a customer account is needed to some level, but the platform should identify that it's been taken over for x purposes automatically. Better if the ability wasn't there at all, to be honest.
Of course, in a sane world we also wouldn't be using Twitter or any other social network in official capacity for important people, ever.
Politicians, CEOs, celebrities and whatnot, none of them should be using a social network as primary means of giving official updates, announcements, information that is significant in any way for business or government operations, ever.
Because hack or not hack, it's a private service that is outside those peoples' control. The discrepancy is palpable... for you to borrow your mouth to say stuff for other people, there are all these procedures and barriers we naturally put forward. People even resist terrorist threats to go against something like that.
The Twitter hack just revealed how much worse things are. Not only do they control the platform itself, they have the ability to put words in people's mouths, directly. They have tools for it, and multiple employees have access to it, and they are exchanging the methods to use it via another private service app, Slack. That's now two private companies with the ability to put words in people's mouths.
Insanity. It shouldn't take too long for a real major incident to happen, we're lucky it still hasn't, or rather its worst side effects haven't. Because you know, major leaks and hacks have already happened... there just hasn't been a use case of information stolen that led to catastrophic events just yet.
1
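The commenter's point about the administrative tool (an internal capability to post as any customer, held by many employees) is a least-privilege design question. The following is an added example, not code from the video, from Marcus Hutchins, or from the commenter, and it does not describe Twitter's actual tooling: a toy model of a support tool in which "post as user" is a separate capability that no role holds outright, that requires a second person to approve a specific ticket, that can be used exactly once per approval, and that always leaves an audit event a detector can reconcile against the posts that reached the timeline. Every user, role, ticket, account name and log entry is hypothetical and constructed for the example.

```python
# Added example (not from the video, Marcus Hutchins, or the commenter): a toy
# model of an internal "support tool" where posting on a customer's behalf is
# its own capability, granted to no role outright, gated by a two-person rule,
# single-use, and always written to an audit trail that a detector can check.
# Every user, role, ticket, account and log entry here is hypothetical.
from dataclasses import dataclass, field

# Hypothetical directory: the tool looks roles up; callers never assert them.
USERS = {"alice": "support_agent", "bob": "support_agent",
         "carol": "support_lead", "dave": "support_lead"}
ROLE_CAPS = {
    "support_agent": {"view_account", "reset_email", "request_post"},
    "support_lead": {"view_account", "reset_email", "request_post", "approve_post"},
    # Deliberately absent: no role holds "post_as_user" on its own.
}

class Denied(Exception):
    pass

def has_cap(actor, cap):
    return cap in ROLE_CAPS.get(USERS.get(actor, ""), set())

@dataclass
class Approval:
    account: str
    requester: str
    approver: str = ""
    used: bool = False

@dataclass
class SupportTool:
    audit: list = field(default_factory=list)      # append-only event trail
    approvals: dict = field(default_factory=dict)  # ticket -> Approval
    posts: list = field(default_factory=list)      # what reached the timeline

    def _log(self, **event):
        self.audit.append(event)

    def request_post(self, actor, ticket, account):
        if not has_cap(actor, "request_post"):
            raise Denied(f"{actor} may not request impersonated posts")
        self.approvals[ticket] = Approval(account=account, requester=actor)
        self._log(action="request_post", actor=actor, ticket=ticket, account=account)

    def approve_post(self, actor, ticket):
        if not has_cap(actor, "approve_post"):
            raise Denied(f"{actor} may not approve")
        appr = self.approvals.get(ticket)
        if appr is None:
            raise Denied("no such request")
        if appr.requester == actor:
            raise Denied("two-person rule: requester cannot self-approve")
        appr.approver = actor
        self._log(action="approve_post", actor=actor, ticket=ticket)

    def post_as_user(self, actor, ticket, text):
        appr = self.approvals.get(ticket)
        if appr is None or not appr.approver or appr.used or appr.requester != actor:
            raise Denied("needs an approved, unused ticket held by its requester")
        appr.used = True  # one approval authorises exactly one post
        post = {"account": appr.account, "text": text,
                "origin": "support_tool", "ticket": ticket}
        self.posts.append(post)
        self._log(action="post_as_user", actor=actor, ticket=ticket, account=appr.account)
        return post

def find_unapproved_posts(posts, audit):
    """Detection pass: any post carrying the support-tool origin tag whose
    ticket has no approve_post event in the audit trail is suspicious."""
    approved = {e["ticket"] for e in audit if e["action"] == "approve_post"}
    return [p for p in posts
            if p.get("origin") == "support_tool" and p.get("ticket") not in approved]

def demo():
    """Exercise each control; returns a summary the caller can assert on."""
    tool = SupportTool()
    denied = []
    tool.request_post("carol", "T-1", "@hypothetical_vip")
    attempts = [
        ("self-approve", lambda: tool.approve_post("carol", "T-1")),
        ("post before approval", lambda: tool.post_as_user("carol", "T-1", "send BTC here")),
        ("agent approving", lambda: tool.approve_post("bob", "T-1")),
    ]
    for name, attempt in attempts:
        try:
            attempt()
        except Denied:
            denied.append(name)
    tool.approve_post("dave", "T-1")  # a different lead approves the ticket
    tool.post_as_user("carol", "T-1", "Scheduled maintenance tonight.")
    try:
        tool.post_as_user("carol", "T-1", "second post on the same ticket")
    except Denied:
        denied.append("ticket reuse")
    # Constructed rogue post: written around the tool but mimicking its tag.
    tool.posts.append({"account": "@hypothetical_vip", "text": "send BTC here",
                       "origin": "support_tool", "ticket": "T-999"})
    flagged = find_unapproved_posts(tool.posts, tool.audit)
    return {"denied": denied, "posted": len(tool.posts),
            "flagged_tickets": [p["ticket"] for p in flagged]}

if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the capability is never a standing permission on a role: it exists only as a ticket-bound, second-person-approved, single-use grant, so compromising one employee's session (the social-engineering path discussed in the video) yields at most a request that someone else still has to approve, and every impersonated post is reconcilable against the audit trail rather than indistinguishable from the account owner's own activity.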