Apscitu Warned of Twitter Hacking Two Years Ago
By Duane Thresher, Ph.D., July 24, 2020
It was reported that in mid-July 2020 Twitter, in its worst security breach yet, was hacked such that the hackers could tweet from the accounts of the rich and powerful (Jeff Bezos, Elon Musk, Bill Gates, Joe Biden and Barack Obama, among others) in order to fool their followers into sending the hackers money via Bitcoin. Over two years ago I warned, including the Trump Administration, about the dangers of the rich and powerful using Twitter in Trump Using Twitter is a National Security Risk (February 2018), and about how IT incompetent Twitter was in How Twitter Made a Hash of Passwords (May 2018).
As reported, badly, by the IT incompetent media, once the hackers had control of the accounts of such rich and powerful Twitter users, they posted tweets like "Everyone is asking me to give back. You send me $1,000, I send you back $2,000." along with a Bitcoin address. While it can be hard to find, and prosecute, the owner of a Bitcoin address, particularly if he is in another country, like Russia, how much has been sent to an address is, by design, public knowledge and easily checked: every Bitcoin transaction is recorded on the public blockchain, so anyone can look up an address's balance and transaction history on a block explorer. Apparently this Twitter Bitcoin scam was quite successful (people believe such rich and powerful people wouldn't lie), garnering over $120,000 in just a few hours.
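As an added example (not part of the original article, and not Apscitu's code), the following Python script does what a practitioner would do first with a scam tweet: pull out the Bitcoin address and confirm it is a real address before looking it up. Legacy Bitcoin addresses (those starting with 1 or 3) carry a 4-byte double-SHA-256 checksum, so a mistyped or tampered address is rejected offline. The sample tweet is constructed in the style of the one quoted above; the address in it is the well-known genesis-block address, used only because its checksum is known to be correct, and the second address is a copy with one character changed. Looking up the balance is a separate step (querying a public block explorer over the network) that is deliberately not done here, and newer bc1... (bech32) addresses use a different checksum that this script does not handle.

```python
from __future__ import annotations

import hashlib
import re

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I or l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58_decode(text: str) -> bytes:
    """Decode a Base58 string to bytes, preserving leading zero bytes ('1')."""
    value = 0
    for ch in text:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"not a Base58 character: {ch!r}")
        value = value * 58 + digit
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def decode_legacy_address(address: str) -> tuple[str, str]:
    """Validate a legacy (Base58Check) address and return (type, hash160 hex).

    Raises ValueError if the length, checksum or version byte is wrong,
    which is what a typo or a tampered address looks like.
    """
    raw = base58_decode(address)
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        raise ValueError("decoded length is not 25 bytes")
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        raise ValueError("Base58Check checksum mismatch")
    kind = {0x00: "P2PKH", 0x05: "P2SH"}.get(payload[0])
    if kind is None:
        raise ValueError(f"unknown mainnet version byte {payload[0]:#04x}")
    return kind, payload[1:].hex()


# Candidate tokens: legacy addresses start with 1 or 3 and are 26-35 chars.
# Bech32 addresses (bc1...) use a different checksum and are not matched here.
LEGACY_ADDRESS_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def find_valid_addresses(text: str) -> list[tuple[str, str, str]]:
    """Return (address, type, hash160) for each token in text that passes Base58Check."""
    found = []
    for token in LEGACY_ADDRESS_RE.findall(text):
        try:
            kind, h160 = decode_legacy_address(token)
        except ValueError:
            continue  # looks like an address but is not one
        found.append((token, kind, h160))
    return found


# Constructed sample tweet in the style quoted above. The first address is the
# well-known genesis-block address; the second is the same address with its
# last character altered, so its checksum fails and it is dropped.
SAMPLE_TWEET = (
    "Everyone is asking me to give back. You send me $1,000, I send you "
    "back $2,000. 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa "
    "(mirror: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb)"
)

if __name__ == "__main__":
    for addr, kind, h160 in find_valid_addresses(SAMPLE_TWEET):
        print(f"{addr}: {kind}, hash160={h160}")
```

Run as-is it prints the single valid address with its type and hash160; the mistyped "mirror" address is silently rejected. The validated address is what you then paste into any public block explorer to see how much the scam took in.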
In February 2018, I wrote in Trump Using Twitter is a National Security Risk:
In January 2018 in Hawaii there was an alert of an
intercontinental ballistic missile (ICBM) attack. It was false
(caused by IT incompetence) but believable because North Korea
has credibly threatened exactly that, using nuclear
warheads. The false alert was quickly and widely spread
— and believed — by Twitter, through accounts with
a lot less credibility than
@realDonaldTrump. ...
History shows that panic can be a weapon of mass destruction
too.
What if someone hacked Trump's Twitter account and put out a
nuclear ballistic missile alert for the entire United
States?
I was so alarmed by this prospect that I immediately wrote a
letter and sent a copy of the article to Lt. Gen. (Army)
H. R. McMaster, President Trump's second National Security
Advisor. I received no response. (McMaster was fired a month
later.)
Twitter says that President Trump's account was not, and could
not be, affected by this latest worst-yet Twitter hacking, but
IT incompetent Twitter's assurances about the security of any
Twitter accounts are meaningless (and ludicrous) at this
point.
The rightfully worried U.S. Senate, including the Senate
Select Committee on Intelligence, has demanded more
information about the data breach from Twitter. (The
Committee's vice chairman is my senator, Mark Warner, who I
have contacted about cybersecurity matters
before.)
In May 2018, I wrote in How Twitter Made a Hash of Passwords:
Yesterday it was reported that Twitter user passwords may have been exposed, at least to Twitter employees (which may be a bigger security risk than you think) and to any Twitter hackers. The descriptions of the technical aspects of this story in the IT incompetent media have been awful, to say the least. Here is the best description, one boiled down to its understandable essentials, from an actual IT expert. ...
The implications of Twitter's stupid mistake are huge. Since
President Trump uses Twitter a lot, it is a national security
risk.
It's impossible to find the person responsible for IT, particularly cybersecurity, at Twitter (no CIO nor CISO) and what her/his IT qualifications are (that's why they aren't in the IT Incompetents Hall of Shame). Mostly, there is the PR myth of Twitter founder and CEO Jack Dorsey as some programming child prodigy. Total nonsense. Dorsey dropped out of college after attending two not-so-good ones and he does not even disclose what he majored in.
What is known about IT at Twitter is that Twitter relies heavily on open-source software, i.e. free software not written by them and so not necessarily understood by them, particularly its security properties. If you are IT incompetent, you can't write your own software, and you can't properly evaluate someone else's either.
Twitter suggested that its latest worst-yet hacking was due to "social engineering". While this sounds nice to a liberal, social engineering is actually a category of hacking methods: tricking a person, rather than a machine, into handing over access. The most popular such method, apparently used in the Twitter hacking, is phishing, whereby messages (usually emails, though phone calls and text messages work the same way) are sent, particularly to company employees with administrative privileges, to try to trick the recipient into disclosing her/his password or other credentials. Even more effective (against IT incompetents) is spear phishing, whereby a particular employee is targeted after the hacker first learns personal details about the employee (from their Twitter posts, for example) in order to make the messages more convincing.
Unfortunately for Twitter, this excuse is just more proof of IT incompetence. Recognizing and avoiding phishing is basic employee cybersecurity training. And since training only reduces the number of employees who fall for it, internal tools that can take over any user's account should also require something a stolen password alone cannot supply, such as a hardware second factor; a company that lets one phished password control every account has not done the basics.
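As an added example (not from the original article and not Twitter's or Apscitu's code), here is a small Python checker for the email-based spear phishing the passage above describes. It inspects the headers and body of one message for four cheap signals that a mail gateway or a trained employee would check: a sender domain one or two characters away from the company's own domain, a display name that claims an internal address the real sender does not have, a Reply-To that points elsewhere, and a link paired with a request to log in or re-enter a password. The trusted domain example.com and both messages are constructed for the example; the indicator names are this script's own.

```python
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's own mail domain(s). Mail that claims to be
# internal but comes from a near-identical domain is the classic spear-phishing lure.
TRUSTED_DOMAINS = {"example.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Part of an address after the last '@', lower-cased ('' if none)."""
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the indicators found in one RFC 822 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw_message)
    findings: list[str] = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Sender domain is a near-miss of a trusted domain (typosquat / homoglyph).
    for trusted in TRUSTED_DOMAINS:
        if from_domain != trusted and 0 < edit_distance(from_domain, trusted) <= 2:
            findings.append(f"lookalike-domain:{from_domain}")

    # 2. Display name asserts an address whose domain the real sender does not have.
    claimed = re.search(r"[\w.-]+@([\w.-]+)", display_name)
    if claimed and claimed.group(1).lower() != from_domain:
        findings.append("display-name-spoof")

    # 3. Replies are routed somewhere other than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"reply-to-mismatch:{domain_of(reply_addr)}")

    # 4. Credential-harvesting lure: a link plus a request to log in / re-enter a password.
    body = msg.get_payload()
    if re.search(r"https?://", body) and re.search(r"password|log ?in|verify your account", body, re.I):
        findings.append("credential-lure")
    return findings


# Constructed sample messages (not real mail). The first is a spear-phishing
# attempt aimed at an administrator; the second is ordinary internal mail.
SPEAR_PHISH = """\
From: "IT Support helpdesk@example.com" <helpdesk@examp1e.com>
Reply-To: <reset@mail-reset-portal.net>
To: admin@example.com
Subject: Action required: admin tool password expires today

Hi Sam, your admin console password expires at 5pm. Log in here to keep access:
http://example.com.mail-reset-portal.net/login
"""

LEGITIMATE = """\
From: Alice <alice@example.com>
To: sam@example.com
Subject: Lunch?

Noon at the usual place?
"""

if __name__ == "__main__":
    print("spear phish:", phishing_indicators(SPEAR_PHISH))
    print("legitimate: ", phishing_indicators(LEGITIMATE))
```

The phishing sample trips all four checks and the legitimate one trips none. None of these signals is proof on its own (a real colleague can have an odd Reply-To), which is why the function returns the list rather than a verdict: the point is that these cues are mechanical, and an employee or a gateway that checks them is not IT incompetent.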
The FBI said it was looking into the Twitter hacking. This will lead to nothing. The FBI itself is IT incompetent and can do nothing, and does nothing, about data breaches.
I had not one but two(!) of my health insurers hacked while I and my family were members. The FBI said it was looking into both and I wrote the FBI asking for answers, but the hackers were never identified, never mind caught, and the FBI never responded. (Actually, I and my family had a third(!) health insurer hacked while we were members: I recently (March 2020) made the shocking discovery, reported nowhere else, that HealthCare.gov, the Obamacare website, had been hacked; see HealthCare.gov Hacked.)
More recently (April 2020), I too had a Bitcoin scam tried on me. In a spear phishing email, "hackers" said they had hacked into my website and unless I paid $1500 to a Bitcoin address, they would destroy my business. I host my own websites and program everything on them personally (see Web Programming Expertise in my Credentials), so I knew this was nonsense and didn't pay, but I checked the Bitcoin address and the hackers had apparently been quite successful with this scam.
I reported this scam to the FBI, as they ask you to, but yet
again they never did anything about it nor responded. The
same will be true for the Twitter hacking.
In any case, the rich and powerful and everyone else should heed the advice I put on Apscitu's Twitter account over a year ago: Stop using Twitter.
I also put this same advice on my fake Twitter account, which
I've had for seven years, even though it announces right on it
that it is a fake account. Understandable, since if Twitter
removed all the fake accounts, there wouldn't be many accounts
left.
[Update: The hackers were caught, but not by the FBI and not due to any real IT expertise by any law enforcement agency; essentially, a rival hacker group ratted them out. As stressed in Stop IT Incompetence, the hackers were not geniuses and it was not a sophisticated hacking. Among numerous other acts of sheer stupidity, one hacker verified an account at a Bitcoin exchange with his real driver's license, which included his home address. (Bitcoin addresses themselves require no registration; it is the exchanges, where Bitcoin is turned into cash, that demand identification.) The hackers registered for and used Gmail addresses; Google supports hackers but also colludes with the NSA. As predicted above, IT incompetent Twitter was hacked using spear phishing, which is far from a sophisticated hack and does not work on even basically-trained employees.]