Wednesday’s Twitter hack has exposed a gaping weakness for the U.S. and its most powerful leaders — their reliance on a private company to secure their communications with the public.
The attack showed that Twitter couldn’t even protect former President Barack Obama’s account from spreading a Bitcoin scam, while the company’s efforts to plug the breach silenced President Donald Trump’s tweets, stifled National Weather Service tornado alerts and left some lawmakers still locked out as of Thursday afternoon.
And it prompted lawmakers to raise an uncomfortable question: What’s to stop a more insidious group of hackers from using leaders’ trusted Twitter accounts to spread lies about national emergencies, wars or the November election?
“Let’s imagine that at 4 p.m. on Election Day, Barack Obama’s Twitter account sends revised polling locations to 20,000 Black voters in Florida,” senior House Intelligence Committee member Jim Himes (D-Conn.) said Thursday during a Third Way webinar on election interference.
Such an incident would prompt “litigation that would make Bush v. Gore … look like a walk in the park,” Himes said. “The degree of uncertainty is horrifying.”
The GOP-led Senate Intelligence Committee and other congressional panels asked Twitter on Thursday for briefings on the cyberattack. The FBI announced that it had opened a probe into the breach, whose perpetrators may have made off with as much as $118,000 from victims who sent Bitcoin to the hacked Twitter accounts.
Beyond the immediate search for the perpetrators, the episode highlighted the risks of outsourcing key government functions to social media platforms — a concern that Twitter inadvertently amplified when it froze verified accounts as part of its response Wednesday night. Senate Intelligence Vice Chairman Mark Warner (D-Va.) and Ohio Rep. Jim Jordan, the top Republican on the House Judiciary Committee, were among the lawmakers who said they were still unable to get back into their accounts Thursday.
The scope of the attack, and Twitter’s initial comments, suggested that the intruders had obtained the passwords of some of Twitter’s most trusted employees — enabling the kind of disinformation operation that has inspired years of anxious theorizing among security professionals. The breach also underscored that Twitter’s process of “verifying” accounts belonging to prominent people doesn’t come with any special protections — although Trump’s account reportedly has its own security measures.
Lawmakers taking stock of all those troubling facts warned about the havoc that a future Twitter hack could wreak.
Himes said he worried far more about an “irreversible, quick” attack, such as a burst of fake tweets on Election Day, than about the more widely discussed risk of hackers breaching a voter registration database and tampering with records.
Other lawmakers imagined equally grim scenarios. “Imagine a civil defense chief’s twitter account being hacked, or a Commanding General,” tweeted Sen. Brian Schatz (D-Hawaii).
Government agencies have their own sordid history of breaches, including the White House, the State Department and the federal personnel office that houses employees’ security clearance files, but lawmakers’ concerns about Twitter reflect a different trend: In recent years, governments have outsourced key tasks, from communications to data storage, to tech companies beyond their direct control.
The latest bipartisan uproar comes as intelligence officials warn that foreign government hackers and trolls are using social networks to stir up controversy and spread disinformation ahead of November’s elections. This misuse of Facebook, Twitter and other large platforms, which reached a zenith during the 2016 presidential campaign, has led to extensive congressional oversight. Wednesday’s mass hack seems likely to produce more scrutiny.
“The ability of bad actors to take over prominent accounts, even fleetingly, signals a worrisome vulnerability in this media environment — exploitable not just for scams, but for more impactful efforts to cause confusion, havoc, and political mischief,” said Warner, the top Democrat on the Senate Intelligence Committee, which released a report last October on the Russian government’s 2016 disinformation operations.
So far, the 2020 election has not seen any public revelations of activity approaching the coordinated cyberattacks of 2016. But security experts warned that the latest evidence of weaknesses at Twitter would only compound the public’s fear and mistrust.
Lawmakers wasted no time requesting answers. Barely hours after hackers began seizing the accounts of prominent figures such as Obama, Bill Gates and rapper Kanye West to propagate a Bitcoin scam, Sen. Josh Hawley (R-Mo.) sent Twitter CEO Jack Dorsey a letter asking for details about the breach. On Thursday, Senate Commerce Chairman Roger Wicker (R-Miss.) and House Oversight Committee ranking member James Comer (R-Ky.) requested briefings from Twitter. So did Senate Intelligence, according to a person familiar with the matter who was not authorized to speak publicly.
“Millions of your users rely on your service not just to tweet publicly but also to communicate privately through your direct message service,” wrote Hawley, a top critic of social media giants. “A successful attack on your system’s servers represents a threat to all of your users’ privacy and data security.”
“[I]t cannot be overstated how troubling this incident is, both in its effects and in the apparent failure of Twitter’s internal controls to prevent it,” Wicker wrote to Dorsey.
Similar statements of concern came from several House Democrats in the California delegation, including Mark Takano, John Garamendi and Harley Rouda, as well as Sen. Ed Markey (D-Mass.) and the House Oversight Committee.
So far, however, lawmakers have announced no new push for legislation to address incidents like the mass hacking, such as stringent cybersecurity requirements for social media employees.
The breach also raised the question of what else the hackers may have been able to do with the compromised accounts besides tweet from them. Sen. Ron Wyden (D-Ore.), an Intelligence Committee member and leading cybersecurity advocate, criticized Twitter for failing to encrypt users’ private direct messages despite a promise from Dorsey in September 2018.
“While it still isn't clear if the hackers behind yesterday's incident gained access to Twitter direct messages, this is a vulnerability that has lasted for far too long, and one that is not present in other, competing platforms,” Wyden said in a statement.
Twitter said late Wednesday that the hackers had mounted “a coordinated social engineering attack” against company employees with administrator privileges, suggesting that the hackers had tricked employees into handing over their passwords so they could manipulate accounts from the inside. As Twitter scrambled to contain the hack, it deleted tweets showing screenshots of the administrator tools that it later admitted were abused in the breach.
Twitter’s explanation placed the spotlight on so-called phishing attacks, which use misleading messages to co-opt well-meaning employees, but an anonymous person claiming to have participated in the hack told Vice that the attackers had instead bribed a Twitter employee.
Trusted employees abusing their powers represent the nightmare scenario for tech companies, even as phishing attacks — such as the malicious email that ensnared Hillary Clinton campaign chairman John Podesta in 2016 — have received more public attention. Internet services have a long history of insider abuse, including social networks MySpace, Snapchat and Facebook and the video game Roblox.
In the past, Twitter has faced problems with both insider threats and poor handling of its account management tools. In 2011, the company settled Federal Trade Commission allegations that it failed to protect its administrator systems. And in 2017, a disgruntled Twitter employee briefly disabled Trump’s account before leaving the company, an incident that spurred the creation of the special protections that the president’s account now enjoys.
Despite a steady drumbeat of digital attacks on prominent figures’ social media accounts, Twitter has declined to offer special security features for those users. Google, by contrast, created an Advanced Protection Program for journalists, politicians, human-rights activists and members of other frequently targeted groups.
At least one prominent Twitter user has no plans to abandon the platform, despite the security breach. White House press secretary Kayleigh McEnany told reporters Thursday that Trump “will remain on Twitter.”
Cristiano Lima, Martin Matishak and Andrew Desiderio contributed to this story.
July 17, 2020 at 05:27AM
https://ift.tt/30fG7KE
Twitter's security holes are now the nation's problem - POLITICO