
Twitter Hack – How it could have been avoided

Breaking News:

According to numerous top-tier press articles, literally dozens of high-profile, checkmark-verified accounts, including those of Joe Biden, Barack Obama, Bill Gates, Kim Kardashian West, and Elon Musk, as well as those of prominent Bitcoiners, appeared to have been compromised by hackers. The hackers proceeded to post tweets claiming they would double people’s contributions of $1,000 in bitcoin. Although details are sketchy, the press seems to be coalescing on this being an insider hack driven by someone with elevated access rights.

According to this article in the NY Times:

“Security experts said that the wide-ranging attacks hinted that the problem was caused by a security flaw in Twitter’s service, not by lax security measures used by the people who were targeted. Alex Stamos, director of the Stanford Internet Observatory and the former chief security officer at Facebook, said one of the leading theories among researchers was that the hacker, or hackers, had obtained the encryption keys to the system, which enabled them to essentially imitate or steal the “tokens” that grant access to individual accounts.”

According to this article by the Verge:

“the perpetrator has somehow gained access to a Twitter employee’s admin privileges”

According to this article by NBC:

“Kelley Robinson, a security advocate for Authy, a company that provides two-factor authentication, said the scale of the attack indicated the hackers had gotten administrative access at Twitter itself.”

According to this article by CNET:

“I am concerned that this event may represent not merely a coordinated set of separate hacking incidents but rather a successful attack on the security of Twitter itself,” Hawley said.

According to this article by Fox News:

“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” Twitter support wrote in a statement.

There are alternative approaches to the way Twitter appears to be running its backend systems.

IBM Cloud Hyper Protect Crypto Services

Not all public cloud services are the same. In situations like this, using a different, more secure platform is definitely the preferred approach. IBM Public Cloud has a differentiated approach to secure compute and services. One key example of these secure services is IBM Cloud Hyper Protect Crypto Services, a key-management service and cloud hardware security module (HSM). It is designed to let you take control of your cloud data encryption keys and cloud hardware security modules, and it is the only service in the industry built on FIPS 140-2 Level 4-certified hardware.

Built on IBM LinuxONE technology, the service helps ensure that only you have access to your keys. A single-tenant key-management service with key vaulting provided by dedicated customer-controlled HSMs helps you create encryption keys with ease. Alternatively, you can bring your own encryption keys to manage. The managed cloud HSM supports industry standards, such as PKCS #11, so your applications can integrate cryptographic operations like digital signing and validation.
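To make the design point concrete, here is an added example, written for this post and not code from IBM or from the Hyper Protect Crypto Services SDK, of an access-token issuer built around Go's `crypto.Signer` interface, the abstraction that PKCS #11 wrappers for Go implement for HSM-resident keys. The issuer only ever hands the module a digest and receives a signature back, so a private key vaulted in an HSM never enters the application's memory, and the verifier holds nothing but the public key. An in-memory P-256 key stands in for the HSM so that the example runs offline; the token layout, the `Claims` fields and all names are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the signed payload of an access token (constructed, minimal).
type Claims struct {
	Sub string `json:"sub"` // account the token grants access to
	Exp int64  `json:"exp"` // expiry, Unix seconds
}

// TokenIssuer holds nothing but a crypto.Signer, the interface PKCS #11
// wrappers expose for HSM-resident keys. With such a signer the private key
// never enters this process: someone with admin access to the issuer host
// can ask the module to sign, but cannot copy the key out of it.
type TokenIssuer struct {
	Signer crypto.Signer
}

// Issue returns "<base64url(claims)>.<base64url(DER ECDSA signature)>".
func (iss *TokenIssuer) Issue(subject string, ttl time.Duration, now time.Time) (string, error) {
	body, err := json.Marshal(Claims{Sub: subject, Exp: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(body)
	// Delegated signing: a PKCS #11 backed Signer performs this inside the HSM.
	sig, err := iss.Signer.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding.EncodeToString
	return enc(body) + "." + enc(sig), nil
}

// Verifier holds only the public key, so front-end hosts that check tokens
// never become places where tokens could be minted.
type Verifier struct {
	pub *ecdsa.PublicKey
}

// NewVerifier takes the public half exported from the signer (Signer.Public()).
func NewVerifier(pub crypto.PublicKey) (*Verifier, error) {
	ec, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("expected an ECDSA public key")
	}
	return &Verifier{pub: ec}, nil
}

// Verify checks signature then expiry and returns the subject on success.
func (v *Verifier) Verify(token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return "", errors.New("malformed token")
	}
	dec := base64.RawURLEncoding.DecodeString
	body, err := dec(parts[0])
	if err != nil {
		return "", errors.New("malformed token body")
	}
	sig, err := dec(parts[1])
	if err != nil {
		return "", errors.New("malformed token signature")
	}
	digest := sha256.Sum256(body)
	// Verify the signature before trusting any field of the body.
	if !ecdsa.VerifyASN1(v.pub, digest[:], sig) {
		return "", errors.New("signature does not verify")
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return "", err
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return "", errors.New("token expired")
	}
	return c.Sub, nil
}

func main() {
	// Stand-in for the HSM: an in-memory P-256 key (assumption for this example).
	// In production a PKCS #11 backed crypto.Signer replaces it; nothing else changes.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	issuer := &TokenIssuer{Signer: key}
	verifier, _ := NewVerifier(key.Public())
	tok, _ := issuer.Issue("account:example", time.Hour, time.Now())
	fmt.Println(verifier.Verify(tok, time.Now()))
}
```

The design choice worth noting is that only `Verifier` is needed on hosts that validate sessions and only `TokenIssuer` on the host that creates them, and the issuer's key can be non-extractable inside the module. That removes the "copy the signing key and mint tokens" path, but it does not remove the "ask the module to sign on my behalf" path: access to the issuer still has to be authorized, rate-limited and audited, since an operator with elevated rights on that host can still request signatures.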

Find out more here.