Twitter b1tcoin hack...


tater


So, after reading the Vice article linked by @tater, it appears it is not a hack at all. It's just some criminals bribing Twitter employees with sufficient access to an admin panel (a panel that you cannot tweet screenshots of without being Twitter-locked, it seems, which is security by obfuscation and it's kinda the worst kind of security ever).

I like the language used by twitter:

Quote

We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.

Which is big words for: someone bribed one of our employees. There's no need for a coordinated attack, just for one meeting with one disgruntled admin at Twitter (and given that the company seems to have issues keeping its employees happy, it's probably not that hard).

So, probably not a state actor. And it expects the low gains too, there were no magical exploits or security flaws exploited. Just someone using a phone and some cash.

And bad management practice at twitter.


16 hours ago, tater said:

Hard to imagine anyone stupid enough to fall for it, but Elon Musk

Oh, he in particular. The responses to all of his tweets are rife with bitcoin scammers.


Just now, DDE said:

Oh, he in particular. The responses to all of his tweets are rife with bitcoin scammers.

Yeah, although some of the space reporter people who I follow replied, and it was all jokes (thinking he was trolling people for that very reason, that every Musk post has like 10000 bitcoin scammers in the replies faking his handle).


15 hours ago, TheSaint said:

Lots of places I can think of that can use some hard currency at this point. Also lots of places where the line between "state actor" and "organized crime" is pretty blurry.

The BlueNoroff guys are well-known to hunt for crypto exchanges, while their toolkit correlates with Chinese/North Korean activity.

14 hours ago, Nightside said:

Data from people who click on the website might be more valuable than any money they make.

Obfuscation of the actual goals. Intimidation. Some think the big ransomware attacks a few years back were a field test with a built-in duration limit.

38 minutes ago, Okhin said:

So, after reading the Vice article linked by @tater, it appears it is not a hack at all. It's just some criminals bribing Twitter employees with sufficient access to an admin panel (a panel that you cannot tweet screenshots of without being Twitter-locked, it seems, which is security by obfuscation and it's kinda the worst kind of security ever).

I like the language used by twitter:

Quote

We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.

Which is big words for: someone bribed one of our employees.

No. 'Social engineering' is a very broad term, but it generally encompasses every manner of deceptive practice, up to and including a mundane phish. And tailored 'spear-phishes' are astonishingly effective.

Of course, Twitter could be lying. Remember how one of their employees deleted Trump's account on their last day?


Yeah, I know what social engineering encompasses. But using it in a public statement is a way to make things look way more complex than what they actually are, like involving spy games, impersonating, and stuff like that (all of that being reinforced by the fact they claim it's a hack. It's not. It's an attack, sure, but not of the technical kind). While the issue is the fact that the panel exists. And that Twitter is a bit too shy about it (they're even removing screencaps of this panel, even edited ones).


1 hour ago, Okhin said:

While the issue is the fact that the panel exists.

Oh, that's a separate issue.

Probably.

Setting off a media firestorm and a 5% dip in market capitalization are a big price to pay to ineffectually drown out the revelation of one of the world's biggest open secrets.

Edited by DDE

15 hours ago, Elthy said:

It seems really strange they just went for some bitcoins. Having access to such high level Twitter accounts would open way bigger possibilities. It just starts at stock market manipulation, e.g. Elon Musk "announcing" that Tesla is being bought by Apple and them confirming it. When it comes to political Twitter accounts (especially Trump's) there is great potential to cause real life violence.

The bitcoin scam on the profiles was just to show that they had full control.
Now if they had the database and especially the private messages you have a serious blackmail tool against lots of powerful people who don't know how to behave on social media.
Rian Johnson is said to have deleted his account; he is known for his hot takes so it's likely the PMs are far more hot blooded.
Now the hackers just have to sort through the data to find compromising stuff so they can start blackmailing.

Now if you did not use Twitter PMs for stuff that you could not say in public you are safe.

Edited by magnemoe

20 hours ago, TheSaint said:

2020: It just keeps getting better.

Maybe if we're lucky this will be the end of Twitter. I know, but a guy can dream, can't he?

Well for one, lots of famous and outspoken people might have serious problems if they said stuff in Twitter PMs: everything from admitting to being frauds, stuff they are not supposed to say on Twitter, over to talking excrements about the company they work for, down to NDA breaches and downright criminal stuff.
A system that stores all messages in a common database is never secure.

@Okhin is correct in that their security is probably good; however, getting into a bank's data system does not let you move some billions to an offshore account.
Now the hackers can probably get the account data, which can be very damaging if shady, like the Panama leaks.
For Twitter the hot stuff is the PMs.


5 hours ago, Okhin said:

While the issue is the fact that the panel exists.

Someone correct me if I'm wrong, but if there is access to the raw database, it can be used for a hack of this sort, special admin panel or not; and of course, there has to be access to the database, so it's a matter of who you trust enough to give such access to. While deciding on that individual, keep in mind that everybody has their price.

Social engineering is mindbogglingly effective. Just take a look at some YT videos of white hat hacking and pen testing. Facilities much more important than the Twitter server room open their doors to unauthorized individuals, just because they have a high vis vest and ask nicely.


2 hours ago, magnemoe said:

Well for one, lots of famous and outspoken people might have serious problems if they said stuff in Twitter PMs: everything from admitting to being frauds, stuff they are not supposed to say on Twitter, over to talking excrements about the company they work for, down to NDA breaches and downright criminal stuff.
A system that stores all messages in a common database is never secure.

@Okhin is correct in that their security is probably good; however, getting into a bank's data system does not let you move some billions to an offshore account.
Now the hackers can probably get the account data, which can be very damaging if shady, like the Panama leaks.
For Twitter the hot stuff is the PMs.

Exactly. If the goal was to do serious damage, why make the hack public at all? They could have grabbed tons of damaging information on these folks and used it to wreak havoc behind the scenes. The more I think about it the more it seems like a PR attack on these individuals and/or Twitter itself.

47 minutes ago, Shpaget said:

Social engineering is mindbogglingly effective. Just take a look at some YT videos of white hat hacking and pen testing. Facilities much more important than the Twitter server room open their doors to unauthorized individuals, just because they have a high vis vest and ask nicely.

And the clipboard. Don't forget the clipboard. ;)


1 hour ago, Shpaget said:

Someone correct me if I'm wrong, but if there is access to the raw database, it can be used for a hack of this sort, special admin panel or not; and of course, there has to be access to the database, so it's a matter of who you trust enough to give such access to. While deciding on that individual, keep in mind that everybody has their price.

Not if done correctly. For instance, getting a database leak of correctly hashed passwords won't really help you to use them. It also implies that no one except the user can change their password.

The issue here is the functionality of the panel, which seems to be able to change critical information (email, phone number and then start a password reset) without the consent of the user. So if you have access to this panel, you can basically reset all passwords. That's just bad design. I cannot really see the benefit of this kind of feature, even for protecting verified accounts against impersonation, while it paints this very sort of panel as a big juicy target, with a "HACK ME PLEASE" bumper sticker on it.

Of course, I speculate about the functionality of this panel from reporting done by Vice (and the fact that Twitter is really trying to hide what the panel looks like).
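The two design points in the post above (a leaked salted hash is not a usable credential, and an admin should be able to propose a contact change but not complete a reset without the user's consent) as an added, constructed example; this is not Twitter's code, and the `Account` class, its pending-change token flow and the PBKDF2 parameters are assumptions chosen for illustration:

```python
import hashlib
import hmac
import os
import secrets

ROUNDS = 200_000  # assumed PBKDF2 work factor for the example


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the stored digest cannot be replayed as a password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)


class Account:
    """Constructed user record: contact changes need the user's confirmation."""

    def __init__(self, email, password):
        self.email = email
        self.salt, self.pw_hash = hash_password(password)
        self.pending = None  # (new_email, confirmation token) awaiting the user

    def change_password(self, current, new):
        """Only the holder of the current password can set a new one."""
        if not verify_password(current, self.salt, self.pw_hash):
            return False
        self.salt, self.pw_hash = hash_password(new)
        return True

    def admin_propose_email(self, new_email):
        """Admin action: queue the change; the token goes to the OLD address, not to the admin."""
        token = secrets.token_urlsafe(16)
        self.pending = (new_email, token)
        return token  # in a real system this is mailed to self.email, never displayed

    def user_confirm_email(self, token):
        """The change takes effect only when the user presents the token from the old address."""
        if self.pending is None or not hmac.compare_digest(self.pending[1], token):
            return False
        self.email, self.pending = self.pending[0], None
        return True

    def reset_target(self):
        """A password reset is only ever sent to the confirmed address."""
        return self.email
```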



23 hours ago, TheSaint said:

Maybe if we're lucky this will be the end of Twitter. I know, but a guy can dream, can't he?

Doubt it. I don't think privacy or security have ever been Twitter's strong points. It's more about outrage-farming and exhibitionism.

3 hours ago, magnemoe said:

Well for one lots of famous and outspoken people might have serious problems if said stuff on twitter PM: everything from admitting to be frauds, stuff they are not supposed to say on twitter, over to talking excrements about the company they work for,  down to NDA breaches and downright criminal stuff.

If anyone thinks this is far-fetched, you have to realize just how stupid many rich and influential people are.

https://theblacksea.eu/stories/secrets-of-the-international-criminal-court-jolie-clooney-and-the-world-fixer-psychosis/


41 minutes ago, Okhin said:

For instance, getting a database leak of correctly hashed passwords won't really help you to use them. It also implies that no one except the user can change their password.

But you don't need to change passwords to perform this type of attack.

You just need to add a new entry into the database called Elon's tweets (or modify a previous tweet). That part of the database is not hashed.


You might need the access rights to insert the text; protecting some tables from write access is something which makes sense. I do not know about the internals of Twitter's database (and I suspect it's both extremely interesting and a nightmare), but I assume that to insert content, you need to auth a transaction somehow.

And admins do not need to be able to write content. They can add flags, remove them, but they should not be able to change the content of a tweet (maybe on a test platform, and maybe the root admin - if it exists - can do that). Even in MariaDB you can do this kind of thing (but it can get weird fast).
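The column-level write restriction described above (a moderator may set or clear a flag but may not rewrite tweet text or insert rows) as an added, constructed example enforced at the database layer; this is not Twitter's schema or code, it uses SQLite's authorizer hook via Python's `sqlite3` instead of MariaDB grants, and the table layout is assumed:

```python
import sqlite3

# Constructed schema and sample row, not Twitter's.
SCHEMA = """
CREATE TABLE tweets (id INTEGER PRIMARY KEY, author TEXT, body TEXT,
                     flagged INTEGER NOT NULL DEFAULT 0);
INSERT INTO tweets (author, body) VALUES ('alice', 'hello world');
"""

# The only (table, column) pairs a moderator session may UPDATE.
MODERATOR_WRITABLE = {("tweets", "flagged")}


def moderator_authorizer(action, arg1, arg2, dbname, trigger):
    """SQLite consults this for every operation while a statement is compiled.
    For UPDATE, arg1/arg2 are the table and column being written."""
    if action == sqlite3.SQLITE_UPDATE:
        allowed = (arg1, arg2) in MODERATOR_WRITABLE
        return sqlite3.SQLITE_OK if allowed else sqlite3.SQLITE_DENY
    if action in (sqlite3.SQLITE_INSERT, sqlite3.SQLITE_DELETE):
        return sqlite3.SQLITE_DENY  # no new rows, no removals
    return sqlite3.SQLITE_OK  # reads and everything else pass


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)  # schema is created before the restriction applies
    return conn


def as_moderator(conn):
    conn.set_authorizer(moderator_authorizer)
    return conn


def try_sql(conn, sql, params=()):
    """Return True if the statement ran, False if the authorizer refused it."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return True
    except sqlite3.DatabaseError:  # a refused statement fails at prepare time
        return False


def read_tweet(conn, tweet_id):
    return conn.execute("SELECT body, flagged FROM tweets WHERE id = ?",
                        (tweet_id,)).fetchone()
```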


6 hours ago, TheSaint said:

Exactly. If the goal was to do serious damage, why make the hack public at all? They could have grabbed tons of damaging information on these folks and used it to wreak havoc behind the scenes. The more I think about it the more it seems like a PR attack on these individuals and/or Twitter itself.

And the clipboard. Don't forget the clipboard. ;)

If the purpose was selectively targeting someone like some politician you would keep this secret. Yes, you could impersonate others to get the responses you wanted, which then could be leaked or used for blackmail.
Even if leaked, most would assume weak passwords or someone inside the politician's organization set this up.

Blowing the lid was a signal that they had been hacked big time.
If it was just to damage they could just dump the logs onto torrent sites. This can very well happen to a large degree.

However if this is a large-scale blackmail attempt they want to extract all the serious compromising stuff, also stuff they don't want out.
Then they probably drop the rest; it would be lots of very cringe stuff and stuff you have a hard time explaining to your friend or your boss.
The logs miss many names, yes they are on some replies but why are they missing. Now ask for money from the accounts with serious compromising stuff.
-----

And the clipboard tends to work; a heavy package is probably even better. I say it would work everywhere unless it's strong security focus. Been at some data centers it would not work, here security is serious as you have direct access to servers.
Yes, still plenty of holes you could exploit if willing to spend resources.


Edited by magnemoe

9 hours ago, Nuke said:

if anyone specifically asks for bitcoin it's probably a scam. usually when people are looking for legit donations they will accept a wide variety of payment methods.

Yes, or they are very shady.
However this was more funny as various famous profiles offered double the amount of bitcoins back that you put in, under the promise to give back to people.
Yes it sounds legit :) wonder who was dense enough to fall for it.

I believe that was mostly to show they had hacked the site, perhaps getting some money as a bonus; media obviously ate it.


i wonder who got the bright idea of using bitcoin for nefarious purposes. the block chain pretty much guarantees you can back track every transaction ever done and not only figure out who is spending but who is profiting as well. you just have to resolve the credentials with a particular transaction and they are made, easily done with a standard issue law enforcement sanctioned sting operation.


On 7/17/2020 at 6:19 PM, Shpaget said:

Your favorite three letter agency?

A lot of people still think the Favorite Three-Letter Agency was behind it in the first place, as an alternative to suitcases of cash.


On 7/17/2020 at 3:33 PM, Nuke said:

i wonder who got the bright idea of using bitcoin for nefarious purposes. the block chain pretty much guarantees you can back track every transaction ever done and not only figure out who is spending but who is profiting as well. you just have to resolve the credentials with a particular transaction and they are made, easily done with a standard issue law enforcement sanctioned sting operation.

Now this is very interesting; don't really know how it works but it seems safe enough for medium-level criminals.
If you get into national security level you also have lots of other problems, up to air strikes with heavy bombers. Did not look like the islamists were fans of bitcoin for some reason; they were not exactly smart but they were probably correct in that it could be brute forced.
