Privileged Access is Dangerous

This week at Twitter, there was a security incident that allowed access to a number of high profile accounts. The end result was a Bitcoin scam, with every account promising to "double any BTC sent" to them.

Twitter has come out fairly quickly to say that the incident was a result of social engineering. Someone convinced an employee at Twitter to hijack accounts via a backdoor administrative system.

What I wanted to focus on today is this: Why do backdoor systems like this exist - and how do we protect ourselves?

Everything Has a Backdoor

If you think there isn't a backdoor way into a system, you probably just haven't found it yet.

From years of working in IT, one thing is certain: someone controls the data. And that person (or persons) can do with it what they wish.

Are backdoors always a bad thing? Not inherently, no. We all want the convenience of being able to regain access to a locked account, right? Then someone has to have the keys to override the system to make that change.

We all take our corporate email and domain logins for granted. Sure, we have a kind helpdesk employee that may help to reset a password - but how much access does that person have to our account? Even so, maybe we expect that in this case.

For example, there was a company I worked for a long while ago. HR/Payroll wanted to switch to using internal email to distribute paystubs. In order to do so, they required that every employee manually opt in. None of the systems admins in the organization opted in. We all knew how easy it was for any of us to read each other's email. In fact, our internal security policy required any email containing sensitive information going in or out of the organization to be manually reviewed by someone. You know what qualifies as sensitive info? Payroll data.

Social media platforms (or any major website really) are no different. Someone needs to manage the backend systems. Someone has to be able to reset passwords & assist those who use the platform. In this particular case, someone at Twitter had the ability to hijack accounts by changing email addresses & resetting the passwords.

What About MFA?

MFA is like anything else in security - it's another layer, but it doesn't solve all problems.

MFA can protect you from someone who has your login credentials (username/password). If they don't have your token, phone, or whatever else you're using - they can't successfully authenticate.

That being said, if you already control the keys to the backend systems - bypassing or disabling MFA is just another click on your journey to taking over accounts.

How Do We Prevent This?

That's a good question. And a hard one to answer.

The general idea is to limit the amount of privilege that a single individual has. For example, if the average Twitter help desk employee is only responsible for resetting passwords - they shouldn't even have the option to disable MFA or change email addresses.

That being said - that's not always easy to accomplish. Systems need to be built around security and implement strict access control where necessary. Unfortunately we still live in a world where security is often an afterthought - or at least not designed into the solution on Day 1. That's not even considering that security is often still under-funded and/or under-prioritized.

Depending on the size of the organization, this control comes in many flavors. On the stricter side, we could have an administrative panel that is only accessible by high-level, trusted employees. Even then, we could implement a multi-step process by which a single employee could not make changes to sensitive accounts without secondary approval (or more). Going a step further - proper logging & alerting can notify someone that a change has happened, which prompts a review to see if it was legitimate.
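A sketch of how the three controls above fit together (role-scoped actions, secondary approval for protected accounts, and logging with alerts). This is an added example, not code from Twitter or any real admin tool; the role names, action names, employees and accounts are all hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical role map: help desk can reset passwords and nothing else.
ROLE_ACTIONS = {
    "helpdesk": {"reset_password"},
    "account_admin": {"reset_password", "change_email", "disable_mfa"},
}

@dataclass
class AdminPanel:
    roles: dict               # employee -> role
    protected: set            # accounts that need a second approver
    audit_log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def _record(self, actor, action, target, approver, outcome):
        entry = {"actor": actor, "action": action, "target": target,
                 "approver": approver, "outcome": outcome}
        self.audit_log.append(entry)          # every attempt is logged
        # Denials and any change to a protected account go to a reviewer.
        if outcome != "allowed" or target in self.protected:
            self.alerts.append(entry)
        return outcome

    def _may(self, employee, action):
        return action in ROLE_ACTIONS.get(self.roles.get(employee), set())

    def perform(self, actor, action, target, approver=None):
        # 1. Least privilege: the action must belong to the actor's role.
        if not self._may(actor, action):
            return self._record(actor, action, target, approver, "denied:role")
        # 2. Two-person rule: a different authorized employee must approve.
        if target in self.protected and (
                approver == actor or not self._may(approver, action)):
            return self._record(actor, action, target, approver, "denied:approval")
        return self._record(actor, action, target, approver, "allowed")

def demo():
    # Constructed employees and accounts, for illustration only.
    roles = {"alice": "helpdesk", "bob": "account_admin", "carol": "account_admin"}
    panel = AdminPanel(roles, protected={"@high_profile"})
    outcomes = [
        panel.perform("alice", "reset_password", "@user1"),
        panel.perform("alice", "disable_mfa", "@user1"),
        panel.perform("bob", "change_email", "@high_profile"),
        panel.perform("bob", "change_email", "@high_profile", approver="bob"),
        panel.perform("bob", "change_email", "@high_profile", approver="carol"),
    ]
    return outcomes, panel
```

The self-approved request is rejected the same way as the unapproved one, and the final approved change still lands in the alert queue so a third person can review it.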

More commonly, what I see in organizations is just a simple policy. Yes, we acknowledge that you have unrestricted access to view/modify/delete customer data. But we have a policy that tells you not to.

The problem with that? One, it expects that most people read (and care about) the policies. I've seen quite a number of organizations that hand you a huge pile of policies & paperwork to review in your first week of employment. How many people truly take the time to read, review, and consider the content of those?

Two, a policy does nothing to prevent someone from taking action. Sure, fear of repercussion or losing a job may help. But if we're talking about a potentially malicious individual, those things likely do not concern them.

As another example, I've previously worked at an organization with such policies. "Don't look at customer data unless you have explicit approval from the customer". Okay, but the customer opened a support ticket because of some issue they're having. This issue sounds familiar and I can fix it real quick, if I just log into their tenant and make a change. OH. Whoops. I just saw sensitive data.

I wish I could say things like that never happened...


What Now?

Well, now we wait.

Twitter has been fairly forthcoming with information so far. Yes, it's been vague - but that's to be expected while they pick up the pieces of what happened. The important thing is that they've been steadily communicating what they do know so far.

Rumors are that an internal employee may have been paid to make changes to the accounts. I suppose we'll find out eventually - but if this is truly the case, there isn't much to be done.

One would hope that access to high-profile accounts would be restricted. One would hope that the people with that access are trusted, reliable individuals. Yet here we are.

It will certainly be interesting to see how much data Twitter releases about the actual events & timeline. Preventing this from happening again will likely require further restricting access to those accounts & possibly some form of the multi-tiered change approval mentioned earlier.

In the end - it sounds very likely this was an internal job. Those can be extremely hard to prevent, and require security training, additional security controls, etc. Even then - humans create security controls, which means we also create ways to get around them.