Apscitu Warned of Twitter Hacking Two Years Ago
By Duane Thresher, Ph.D.  July 24, 2020

It was reported that in mid-July, Twitter, in its worst data breach yet, was hacked such that hackers could tweet from the accounts of the rich and powerful — e.g. Jeff Bezos, Elon Musk, Bill Gates, Joe Biden, Barack Obama — in order to fool their followers into sending the hackers money via Bitcoin. Over two years ago I warned, including the Trump Administration, about the dangers of the rich and powerful using Twitter in Trump Using Twitter is a National Security Risk (February 2018) and about how IT incompetent Twitter was in How Twitter Made a Hash of Passwords (May 2018).

As reported, badly, by the IT incompetent media, once the hackers had control of the accounts of such rich and powerful Twitter users, they made tweets like "Everyone is asking me to give back. You send me $1,000, I send you back $2,000." along with a Bitcoin account number (address). While it can be hard to find, and prosecute, the owner of a Bitcoin account, particularly if he is in another country, like Russia, how much is in the account is (by design) public knowledge and easily checked. Apparently this Twitter Bitcoin scam was quite successful — people believe such rich and powerful people wouldn't lie — garnering over $120,000 in just a few hours.

In February 2018, I wrote in Trump Using Twitter is a National Security Risk:
In January 2018 in Hawaii there was an alert of an intercontinental ballistic missile (ICBM) attack. It was false (caused by IT incompetence) but believable because North Korea has credibly threatened exactly that, using nuclear warheads. The false alert was quickly and widely spread — and believed — by Twitter, through accounts with a lot less credibility than @realDonaldTrump. ... History shows that panic can be a weapon of mass destruction too.

What if someone hacked Trump's Twitter account and put out a nuclear ballistic missile alert for the entire United States?
I was so alarmed by this prospect that I immediately wrote a letter and sent a copy of the article to Lt. Gen. (Army) H. R. McMaster, President Trump's second National Security Advisor. I received no response. (McMaster was fired a month later.)

Twitter says that President Trump's account was not, and could not be, affected by this latest worst-yet Twitter hacking, but IT incompetent Twitter's assurances about the security of any Twitter accounts are meaningless (and ludicrous) at this point.

The rightfully worried U.S. Senate, including the Senate Select Committee on Intelligence, has demanded more information about the data breach from Twitter. (The Committee's vice chairman is my senator, Mark Warner, who I have contacted about cybersecurity matters before.)

In May 2018, I wrote in How Twitter Made a Hash of Passwords:
Yesterday it was reported that Twitter user passwords may have been exposed, at least to Twitter employees, which may be a bigger security risk than you think, and any Twitter hackers. The descriptions of the technical aspects of this story in the IT incompetent media have been awful, to say the least. Here is the best description, one boiled down to its understandable essentials, from an actual IT expert. ...

The implications of Twitter's stupid mistake are huge. Since President Trump uses Twitter a lot, it is a national security risk.
It's impossible to find the person responsible for IT, particularly cybersecurity, at Twitter — no CIO nor CISO — and what her/his IT qualifications are (that's why they aren't in the IT Incompetents Hall of Shame). Mostly, there is the PR myth of Twitter founder and CEO Jack Dorsey as some programming child prodigy. Total nonsense. Dorsey dropped out of college after attending two not-so-good ones and he does not even disclose what he majored in.

What is known about IT at Twitter is that Twitter relies almost exclusively on open-source software, i.e. free software not written by them so not understood by them, particularly its security. If you are IT incompetent, you can't write your own software.

Twitter suggested that its latest worst-yet hacking was due to "social engineering". While this sounds nice to a liberal, social engineering is actually a category of hacking methods. The most popular such method, apparently used in the Twitter hacking, is phishing, whereby emails are sent, particularly to company employees with computer administrative privileges, to try to trick the recipient into disclosing her/his password. Even more effective (to IT incompetents) is spear phishing, whereby a particular employee is targeted after the hacker first learns personal details about the employee (from their Twitter posts for example) in order to make the emails more convincing.

Unfortunately for Twitter, this excuse is just more proof of IT incompetence. Avoiding phishing attacks is basic employee cybersecurity training.

The FBI said it was looking into the Twitter hacking. This will lead to nothing. The FBI itself is IT incompetent and can do nothing, and does nothing, about data breaches.

I had not one but two(!) of my health insurers hacked while I and my family were members. The FBI said it was looking into both and I wrote the FBI asking for answers but the hackers were never identified, never mind caught, and the FBI never responded. (Actually, I and my family had a third(!) health insurer hacked while we were members: I recently (March 2020) made the shocking discovery, reported nowhere else, that HealthCare.gov, the Obamacare website, had been hacked; see HealthCare.gov Hacked.)

More recently (April 2020), I too had a Bitcoin scam tried on me. In a spear phishing email, "hackers" said they had hacked into my website and unless I paid $1500 to a Bitcoin address, they would destroy my business. I host my own websites and program everything on them personally (see Web Programming Expertise in my Credentials), so I knew this was nonsense and didn't pay, but I checked the Bitcoin address and the hackers had apparently been quite successful with this scam.

I reported this scam to the FBI, as they ask you to, but yet again they never did anything about it nor responded. The same will be true for the Twitter hacking.

In any case, the rich and powerful and everyone else should heed the advice I put on Apscitu's Twitter account over a year ago: Stop using Twitter.

I also put this same advice on my fake Twitter account, which I've had for seven years, even though it announces right on it that it is a fake account. Understandable, since if Twitter removed all the fake accounts, there wouldn't be many accounts left.


[Update: The hackers were caught, but not by the FBI and not due to any real IT expertise by any law enforcement agency — essentially, a rival hacker group ratted them out. As stressed in Stop IT Incompetence, the hackers were not geniuses and it was not a sophisticated hacking. Among numerous other acts of sheer stupidity, one hacker registered for the Bitcoin account with his real driver's license, which included his home address. The hackers registered for and used Gmail addresses — Google supports hackers but also colludes with the NSA. As predicted above, IT incompetent Twitter was hacked using spear phishing, which is far from a sophisticated hack and does not work on even basically-trained employees.]