Well, first and foremost, from all of us here at BN.Net, Inc. ™, I want to wish everybody a very Happy New Year! May it be prosperous and profitable for everybody, but most importantly, let it be free of any Cyber-related incidents.
As you celebrated the ushering in of the New Year, I am sure that many of you sent your pictures, videos, and messages over just about every medium possible, including Social Media.
These sites still make the news headlines for the Security risks that they pose, but it seems that Facebook received more than its fair share of controversy in the last quarter of 2018. We did not hear too much from Twitter or Instagram back then, but we are starting to hear from them again today.
The Social Media site to make the first splash in 2019 is that of Twitter. In an effort to raise awareness about the vulnerabilities that are posed by Twitter, a Cybersecurity firm known as “Insinia Security” hacked into several high-profile accounts, which included the likes of:
* Journalist and Broadcaster Eamonn Holmes;
* British documentary filmmaker Louis Theroux;
* Travel journalist Simon Calder;
* TV presenter Saira Khan.
The goal of this high-profile attack was to show how easy it is to send fake messages from a hacked account by just using their phone number, if it is on Twitter. Apparently, Insinia Security has repeatedly warned Twitter about this vulnerability, but as of now, there has been no acknowledgement of it by Twitter.
The other big fear in this regard is that not only can fake messages be sent, but unsuspecting victims from within the contact list of the hacked account could also be tricked into clicking on links that send them to phony or spoofed websites. From there, they could be tricked into submitting their PII, and even have malware instantly downloaded onto their Smartphone or other wireless device.
So how was this exactly accomplished? They won’t say for sure, but here is the general process that they discussed publicly:
* Somehow, they had the ability to analyze how Twitter “interacts” with iOS and Android devices when Tweets are sent;
* Coupling this with knowledge of the victim’s phone number (which is actually made available publicly on Twitter) allowed the team at Insinia Security to post messages that appeared to come from the account’s real owner;
* Once the victim logged into their Twitter account, they then received a message which stated the following: “This account has been temporarily hijacked by Insinia Security”.
They even released a blog posting on how this was done (of course, without revealing too much information either), and it can be seen at this link:
The company claims that it did not hijack any other forms of PII from the victims’ accounts, and that all it wanted to do via this exercise was to prove just how vulnerable Twitter can actually be. They claim that nothing was maliciously hijacked, and the CEO even came out to say the following: “There’s nothing unethical or irresponsible about what we did”. (SOURCE: https://cyware.com/news/security-firms-hacked-high-profile-twitter-accounts-to-highlight-security-risk-093b01f0/).
My thoughts on this?
First, let us examine the way this was carried out. As a Cybersecurity specialist myself (although I am just a writer), I find the act conducted by Insinia Security to be truly reprehensible, completely irresponsible, and a pure violation of the law. Yes, this type of test can be conducted, but it has to be done within the confines of the law.
This is where the field known as “Penetration Testing” comes into play. In these instances, you have what are known as “White Hat Hackers”, whose main job is to break through the lines of defense of a corporation or a business in order to discover where all of the known and even the unknown Security vulnerabilities lie. But this is all done within the letter of the law, and with explicit, written client consent.
They simply do not just attack targets without this. In Penetration Testing, there is a very specific cadence that must be followed when it comes to abiding by the wishes of the client. Any Pen Testing exercise that the White Hat Team wants to do must be spelled out in writing, and the client must agree to it first. Also, if there are other tests that are deemed to be necessary and have not been spelled out at first, it must be subsequently documented and once again, the client must give approval.
Also, it is the responsibility of the White Hat Team to take backups of the IT Assets that are going to be Pen Tested, just in case. In my view, what Insinia Security did totally poisons the level of trust that so many Cybersecurity firms have worked so hard to gain with their clients.
This also sets a precedent in clients’ own minds: could they too be attacked by the very Cybersecurity firm to which they have entrusted their Security needs and requirements?
True, there have been other Cybersecurity firms and researchers that have done this so-called “Proof of Concept” (or “PoC”) work before, but they have experimented with it on their own Virtual Machines or Sandboxes. Or, they have received explicit permission from a group of volunteers who allowed them to hack into their accounts.
I just wonder how these Twitter victims feel now that their accounts have been hacked into in the name of Cybersecurity testing. I am sure that they feel attacked, and that their guard must now be up ultra-high when it comes to protecting their more sensitive accounts.
The true Cyberattacker has no ethics or morals when they hack into systems, but this line should not be blurred by the law-abiding “Cyberattacker” when it comes to proving a point about a weakness or a vulnerability.