How Twitter Survived Its Biggest Hack—and Plans to Stop the Next One

WIRED

Photographer: Jens Gyarmaty/Redux

July 15 was, at first, just another day for Parag Agrawal, the chief technology officer of Twitter. Everything seemed normal on the service: T-Pain’s fans were defending him in a spat with Travis Scott; people were upset that the London Underground had removed artwork by Banksy. Agrawal set up in his home office in the Bay Area, in a room that he shares with his young son. He started to hammer away at his regular tasks—integrating deep learning into Twitter’s core algorithms, keeping everything running, and countering the constant streams of mis-, dis-, and malinformation on the platform.

But by mid-morning on the West Coast, distress signals were starting to filter through the organization. Someone was trying to phish employee credentials, and they were good at it. They were calling up consumer service and tech support personnel, instructing them to reset their passwords. Many employees passed the messages onto the security team and went back to business. But a few gullible ones—maybe four, maybe six, maybe eight—were more accommodating. They went to a dummy site controlled by the hackers and entered their credentials in a way that served up their usernames and passwords as well as multifactor authentication codes.

Shortly thereafter, several Twitter accounts with short handles—@drug, @xx, @vampire, and more—became compromised. So-called OG user names are valued among certain hacker communities the way that impressionist artwork is valued on the Upper East Side. Twitter knows this and views them internally as high priority. Still, the problem didn’t filter up to Agrawal just yet. Twitter has a dedicated Detection and Response Team that triages security incidents. DART had detected suspicious activity, but the needed response was limited. When you run a sprawling social network, with hundreds of millions of users, ranging from obscure bots to the leader of the free world, this kind of thing happens all the time. You don’t need to constantly harangue the CTO.

But then, at 3:13 pm ET, the cryptocurrency exchange Binance sent an unlikely tweet announcing that it was “giving back” around $52 million of bitcoin to the community with a link to a fraudulent website. Over the next hour, 11 cryptocurrency accounts followed suit. And then, at 4:17 pm ET, @elonmusk tweeted a classic bitcoin scam to his nearly 40 million followers. A few minutes later, @billgates did the same.

Think Twice Before Using Facebook, Google, or Apple to Sign In Everywhere

Illustration: Elena Lacey

If you’re drowning in website logins and constantly using Forgot My Password prompts to get into random accounts, a “Log In With Google” or “Log In With Facebook” button can look a lot like a lifeline. The services provide a quick way to continue whatever you’re doing without having to set up a whole account and choose a new password to guard it. But while these “single sign-on” tools are convenient, and do offer some security benefits, they’re not the panacea you might think.

The SSO schemes offered by big tech companies have some obvious advantages. For example, they’re developed and maintained by companies with the resources to bake in strong security features. Take Sign In With Apple, which lets you use TouchID or FaceID to log into any number of sites.

But for all its convenience, consumer SSO has some real drawbacks, too. It creates a single point of failure if something goes wrong. If your password or access token gets stolen from an account you use for SSO, all the other sites you used it to log in with could be exposed. And not only do you have to trust the companies that offer SSO to protect your privacy and security, you also have to trust all the third-party websites offering these options to implement them correctly.

Russia’s Fancy Bear Hackers Are Hitting US Campaign Targets Again

The Russian military intelligence hackers known as Fancy Bear or APT28 wreaked havoc on the 2016 election, breaking into the Democratic National Committee and Hillary Clinton’s campaign to publicly leak their secrets. Ever since, the cybersecurity community has been waiting for the day they would return to sow more chaos. Just in time for the 2020 election, that day has come. According to Microsoft, Fancy Bear has been ramping up its election-targeted attacks for the past full year.

On Thursday, Microsoft published a blog post revealing that it has seen Russia’s Fancy Bear hackers, which Microsoft calls Strontium, targeting more than 200 organizations since September 2019. The targets include many election-adjacent organizations, according to researchers at Microsoft’s Threat Intelligence Center, including political campaigns, advocacy groups, think tanks, political parties, and political consultants serving both Republicans and Democrats. Microsoft named the German Marshall Fund of the United States and the European People’s Party as two of the hackers’ targets. The company otherwise declined to publicly name victims or say how many of the attempted intrusions had been successful, though it said that its security measures had prevented the majority of attacks.

Mark Zuckerberg Says He’s Got This Election Stuff Under Control

Photograph: Shana Novak/Getty Images

It’s the evening of November 3rd. Election Day 2020. The polls have closed, and in-person vote totals are being reported, but millions of mail-in ballots, which skew heavily Democratic, won’t be counted for days or weeks. Donald Trump, unsurprisingly, doesn’t care to wait for that to happen. He’s leading the in-person vote in the decisive swing states. He takes to Facebook to declare premature victory and insist that ballots stop being counted.

This hypothetical chain of events has come up a lot recently, as an unprecedented number of Americans prepare to vote by mail. The Democratic data firm Hawkfish calls it the “red mirage:” an apparent Trump landslide on election night, leading to a fight over the millions of outstanding ballots that makes Bush v. Gore look like a tea party. Which raises an important question: How will the social media platforms where so many Americans get their news respond?

On Wednesday morning, we got some answers to that question. In a blog post, Mark Zuckerberg laid out Facebook’s latest election-related policies, including its plan to deal with the possibility that a winner won’t be officially declared on Election Day. The company plans to use its new Voting Information Center “to prepare people for the possibility that it may take a while to get official results.” On Election Day, the information center will include authoritative information from Reuters and the National Election Pool. And if a candidate claims victory prematurely, Zuckerberg says Facebook will “add a label to their post educating that official results are not yet in and directing people to the official results.” (Posts that could trick people out of having their vote counted—or use Covid-19 scaremongering to deter them from voting—will be subject to removal.)

These are good ideas, in theory. The question, as with every Facebook policy announcement, is how well they will be executed. “We’ve already strengthened our enforcement against militias,” Zuckerberg’s blog post notes, less than a week after the Verge reported that Facebook failed to act on multiple user warnings about militia-related events prior to the shooting in Kenosha, Wisconsin, that left two people dead. The new policies leave similar room for uncertainty. Will a false claim of victory by a politician be clearly and decisively debunked? Or will misinformation simply be presented next to a vague link to “Get Voting Information”? The latter is what initially happened with Trump’s strange Wednesday post attempting to retroactively clean up his suggestion that North Carolina Republicans illegally vote twice. Facebook later updated the post with a different label that says, “Voting by mail has a long history of trustworthiness in the US and the same is predicted this year. (Source: Bipartisan Policy Center.)” That’s a shade more helpful—but the change underscores how unpredictable this policy implementation can be. The generic label remains on other posts in Trump’s feed, as well as on posts by Joe Biden that discuss election issues.

Tired of Gmail? Try a Privacy-First Email Provider

Illustration: Elena Lacey

A large part of your online life revolves around your email address. It acts as a central hub for almost everything you do: Travel documents and itineraries arrive there, it’s home to receipts for all your Amazon purchases, it acts as a recovery mechanism for the sites and apps you sign up for and then forget your login details. And, of course, there are all the emails you send.

Your inbox holds plenty of private information—and in many cases secrets—that when pieced together can build up a profile of your interests, movements, and social connections. But email privacy can often be neglected. The threats faced depend on who you are. For businesses, phishing attacks launched through emails can lead to entire corporate networks being compromised. But for individuals there are privacy concerns beyond working out if your account has been hacked.

Hackers Flood Reddit With Pro-Trump Takeovers

Photograph: Win McNamee/Getty Images

In what appears to be a massive coordinated strike against Reddit, hackers took over dozens of pages on Friday afternoon, using their access to plaster pro-Donald Trump imagery across subreddits with huge followings.

Coming just over three weeks after hackers used access to high-profile Twitter accounts to tweet a bitcoin scam, the wave of Reddit compromises has a similarly eye-popping reach. Reddit communities with well over a million members—including r/space, r/food, and r/NFL—were all defaced with Make America Great Again campaign banners and other pro-Trump signage.

Sometime on Friday morning, hackers began breaking into the accounts of the moderators of dozens of subreddits, ranging from the popular channels cited above to more niche fare like r/beerporn. They used that access not only to splash the pro-Trump imagery all over the page, but in many cases posted a MAGA missive from the moderator’s account with the subject “We Stand With Donald Trump #MIGA2020.”

Incognito Mode May Not Work the Way You Think It Does

Illustration: Elena Lacey

No matter which browser you prefer—Chrome, Firefox, Edge, Safari, Opera, or any of the others—it will almost certainly offer an incognito or private mode, one which ostensibly keeps your web browsing secret. (Google Chrome still shows a hat-and-glasses icon when you go incognito, as if you’re now in disguise.)

Incognito or private mode does indeed keep certain aspects of your browsing private, but it’s important to be aware of what it hides and erases from your computer or phone and what it doesn’t. Once you understand exactly what these modes do in your browser, you’ll know when they can be most useful.

What Incognito Mode Does

Perhaps the easiest way to think about incognito mode is that as soon as you close the incognito window, your web browser forgets the session ever happened: Nothing is kept in your browsing history, and any cookies that have been created (those little bits of data that log some of your actions online) are promptly wiped.

Cookies are what keep items in your Amazon shopping cart even if you forget about them for days, for example, and they also help sites to remember if you’ve visited them before—which is why you normally only get pestered to sign up for a site’s newsletter the first time you arrive. You might notice if you visit all your favorite sites in incognito mode, you won’t get recognized, and are then asked to sign up for a whole load of newsletters and special offers all over again.

How the Alleged Twitter Hackers Got Caught

Photograph: David Paul Morris/Bloomberg/Getty Images

On July 15, a Discord user with the handle Kirk#5270 made an enticing proposition. “I work for Twitter,” they said, according to court documents released Friday. “I can claim any name, let me know if you’re trying to work.” It was the beginning of what would, a few hours later, turn into the biggest known Twitter hack of all time. A little over two weeks later, three individuals have been charged in connection with the heists of accounts belonging to Bill Gates, Elon Musk, Barack Obama, Apple, and more—along with nearly $120,000 in bitcoin.

Friday afternoon, after an investigation that included the FBI, IRS, and Secret Service, the Department of Justice charged UK resident Mason Sheppard and Nima Fazeli, of Orlando, Florida, in connection with the Twitter hack. A 17-year-old, Graham Ivan Clark, was charged separately with 30 felonies in Hillsborough County, Florida, including 17 counts of communications fraud. Together, the criminal complaints filed in the cases offer a detailed portrait of the day everything went haywire—and how poorly the alleged attackers covered their tracks. All three are currently in custody.

Despite his claims on the morning of July 15, Kirk#5270 was not a Twitter employee. He did, however, have access to Twitter’s internal administrative tools, which he showed off by sharing screenshots of accounts like “@bumblebee,” “@sc,” “@vague,” and “@R9.” (Short handles are a popular target among certain hacking communities.) Another Discord user who went by “ever so anxious#0001” soon began lining up buyers; Kirk#5270 shared the address of a Bitcoin wallet where proceeds could be directed. Offers included $5,000 for “@xx,” which would later be compromised.

That same morning, someone going by “Chaewon” on the forum OGUsers started advertising access to any Twitter account. In a post titled “Pulling email for any Twitter/Taking Requests,” Chaewon listed prices as $250 to change the email address associated with any account, and up to $3,000 for account access. The post directs users to “ever so anxious#0001” on Discord; over the course of seven hours, starting at around 7:16 am ET, the “ever so anxious#0001” account discussed the takeover of at least 50 user names with Kirk#5270, according to court documents. In that same Discord chat, “ever so anxious#0001” said his OGUsers handle was Chaewon, suggesting the two were the same individual.

Kirk#5270 allegedly received similar help from a Discord user going by Rolex#0373, although that person was skeptical at first. “Just sounds too good to be true,” he wrote, according to chat transcripts investigators obtained via warrant. Later, to help back up his claim, Kirk#5270 appears to have changed the email address tied to the Twitter account @foreign to an email address belonging to Rolex#0373. Like Chaewon, Rolex#0373 then agreed to help broker deals on OGUsers—where his user name was Rolex—with prices starting at $2,500 for especially sought-after account names. In exchange, Rolex got to keep @foreign for himself.

Chinese Hackers Charged in Decade-Long Crime and Spying Spree

Photograph: Lintao Zhang/Getty Images

Li Xiaoyu had a problem. At some point in his decade-long hacking spree with former college classmate Dong Jiazhi, as alleged in a recent Justice Department indictment, the Chinese national found himself unable to break into the mail server of a Burmese human rights group. The usual methods apparently hadn’t worked. For Li, the solution came from having a friend in high places: An officer with China’s Ministry of State Security handed him zero-day malware—unknown to security vendors, and so harder to defend against—to help finish off the job.

Other countries have long blurred the lines between criminal and state-sponsored hacking, particularly Russia, Iran, and North Korea. But in a detailed indictment unsealed by the Department of Justice Tuesday, the United States has for the first time officially accused China of belonging to that club. Since at least 2009, authorities say, Li and Dong have hacked hundreds of companies around the world. Their targets range from manufacturing and engineering companies to videogame and education software to solar energy to pharmaceuticals. More recently—and unsurprisingly, given the intense international interest—the pair has targeted firms working on Covid-19 vaccines and treatments. They’ve allegedly stolen invaluable intellectual property to pass along to their MSS handlers, while lining their own pockets along the way.

“China is using cyberintrusions as part of its rob, replicate, and replace strategy to technological development,” said assistant attorney general for national security John Demers at a press conference Tuesday. “China is providing a safe haven for criminal hackers who, as in this case, are hacking in part for their own personal gain, but willing to help the state and on call to do so.”

The indictment outlines at length how Li and Dong allegedly worked as a tag team. Dong would research victims and how they might be exploited; Li did the dirty work of compromising the networks and exfiltrating the data. The pair used the same general workflow regardless of the victim, which makes sense given the volume of attacks to which they have been linked. Efficiency at scale counts for a lot.

First, they would identify high-value targets, and attempt to get a foothold either through poorly configured networks or through fresh vulnerabilities that their targets hadn’t yet patched. On September 11, 2018, for instance, Adobe disclosed a critical bug in its ColdFusion platform; by October 20 of that year, Li had successfully exploited it to install a so-called web shell on the network of a US government biomedical research agency in Maryland.

How to Know If You’ve Been Hacked—and What to Do About It

Illustration: Elena Lacey

Everyone is vulnerable to the threat of cybercriminals or hackers getting access to your information, but the threats aren’t equal for everyone.

The average person will likely face fewer sophisticated threats than, say, a senior politician, activist or CEO. More high-profile figures may be targeted with phishing emails that are looking to steal secrets from corporate networks or initiate the transfer of large sums of money. You, your friends and your family will likely face different threats: from people you know seeking revenge, or, more likely, crime groups using automated tools to scoop up credentials en masse.

“We all like to think that we’re not susceptible to social engineering or other kinds of cyberattacks, but the truth is that even intelligent, self-aware people still get caught up in online scams that can have very damaging consequences,” says Jake Moore, a cybersecurity specialist at Eset, an internet security company. “Many people will even admit they don’t click on phishing emails but may still get caught up in online scams. A number of emails may still slip through the net without realization and can have serious effects financially or socially.”
