And a reply to that tweet mentions that it was used to hack other accounts before:
"I know this is an old Tweet. But are you helping out with Shrouds jacked account? Looks like whoever took over the account is using Cloudhopper to post these hateful messages on Shrouds Timeline."
Looks like it's gone now but there was a Tweet from Jack's account that said, "Unsuspend my shit @plugwalkjoe @percocet @99 u bald skeleton head tramp"
The fact that the account was used to spread racist & nazi propaganda should be a clue; timing it for 1pm on a Friday afternoon suggests a degree of sophistication.
Because people in the same timezone are mostly at lunch and starting to relax for the weekend, so the potential audience is large. I wasn't thinking of anything market-related as another person suggested.
Some forms of 2FA are unphishable. If he used Authy or SMS, where you type in a code that can be intercepted in replayed within a window, yes. If he had set up a hardware key like U2F (like a yubikey), no.
edit because I can't reply: for twitter you have to remove your phone number. I keep TOTP active as a backup, but might not if I had a highly followed account.
Twitter has option of using 2FA with a authenticator app though if this is an ATT issue he must’ve fallen victim to a port attack and must’ve been using SMS based 2FA (which many would argue is not really 2FA at all)
If it's this easy to hack Trump's Twitter account and say things that could trigger war, maybe we need to reconsider allowing elected officials to use social media as their official communications channel. Instead, they should have a government run portal where they relay whatever info they need to.
Would it? Is there any country whose leaders are so foppish as to believe what they read on Twitter as though it were some actual diplomatic channel, or even an early warning system?
I'd wager you're correct in your assumption that most decision makers would not be duped by something like that, however a bogus tweet from an official source could be used as plausible cover for leaders who are seeking justification to take actions they wanted to take anyway.
Can you imagine what would have happened if a post-9/11 Iranian leader's account had tweeted "we have successfully acquired nuclear weapons and will be attacking Washington DC and Jerusalem tonight"? Elements within the governments of the USA and Israel have been agitating for war with Iran for decades, and that could give them the cover they need to act on it.
I'd wager that government-run portals might be even easier to hack.
Regardless of that, separating "official communications" from "personal" would be really tricky. Which tweets would come as "the current president" and which as "the candidate up for re-election"?
In addition to that, there are actually separate accounts (official @POTUS / personal @realDonaldTrump) but Trump-the-person has no incentive to ever use the official account (it's not "his") and so all @POTUS account does is just retweet the personal account, sort of defeating the purpose.
seems like a a waste of a hack posting some messages that are quickly deleted and forgotten with no long term gain. I would have done the eth/btc giveaway scam thing and at least made good $ off it. Its like being smart in some regard, such as hacking, but dumb in others , such as maximizing the gain from the hack.
I guess this is the "in for a penny, in for a pound" school of thought?
(If you're going to be arrested for CFAA violations, might was well throw in some financial crimes too. Make sure you're unemployable for the rest of your life.)
Doing so would make it really easy to trace it back to him, if he decides to make a trade big enough. The data of all trades on public markets is, after all, public.
There are a couple offshore companies that let you buy/sell stocks with Bitcoin semi-anonymously. The problem is you can't short, so your attack has to result in pumping the stock: "Taking Twitter private at $420 a share".
This is currently on every news channel and the content was pure trolling, no politics or agenda besides pushing some Discord channel. So seems like a win to me.
The "hacker" called AT&T and conned the call center rep into swapping Jack's SIM. It's not like they exploited a buffer overflow on Twitter's authentication service or something. They aren't smart.
Hmmm what's stopping someone from hacking Trump's twitter account and announcing things that would swing the stock market?
"I am now placing sanctions on the Bank of China and PetroChina for North Korean oil sales"
"I am now announcing Magnitsky sanctions on [insert Central Committee members here] for Xinjiang"
"The whole country of China is now subject to technology sanctions"
"I am now placing tariffs on German cars until Germany cancels Nord Stream"
"I am banning US companies who source components from China from participating in federal contracts"
or even positive news like "Tomorrow, my great friend Xi Jinping and I will announce a wonderful deal with China that lifts all tariffs, solves IP issues, and lets our great economy invest in theirs and vice versa"
This is a dumb question and want to qualify with my field is medicine, not technology: would one have the same username and password on the web facing side of a website as the backend of things (having access to servers or I have no idea what else one would do)? I have no idea how any of this works, but am curious if this would be the case.
Very frequently. Off the cuff, I'd estimate that 99% of not tech-savy users utilize the same password for everything, maybe with subtle variations according whatever service's requirements for a password.
Probably among tech savy people, the perecentage is lower, but still higher than it should be.
I myself, having been in IT for over 20 years, am guilty of this for non sensitive accounts. For significant accounts, they're randomly generated to the longest and highest degree a service allows. My gmail password, for instance is a 40 character random spread along their allowed characters. I cannot remember it.
Admins at game companies used the same password for their remote access to their game company data as they did on some other compromised site, so attackers were able to easily break into the company.
In general, you shouldn't ever reuse a password for multiple things, no matter how complex the password is (see https://xkcd.com/792/). If your password is leaked (which might not even be your fault), you don't want the attackers getting access to everything.
A large website is made up of many different complex, interconnected components, and it would be quite possible for an attacker to compromise a public account without gaining full control of the backend infrastructure is unaffected.
That was my first thought too -- it seems profound, although it's difficult to articulate why. It's not like high-profile individuals have special security protocols available to them. Just the same password/2FA like the rest of us proles.
On the other hand, it did make me consider that there are some accounts that could be compromised that would be very significant: Trump.
Although technically available to anyone, Google has an "advanced protection program" for highly targeted accounts. It has the follow (may have missed some) effects on your account:
* locked to 2fa with security keys
* limiting the set of apps that can access account data
* better scrutinized account reset - i assume this means it makes your account more resistant to phishing on Google employee's part.
Its nice that Google apparently makes this available to anyone who is willing to buy the security keys. It would be nice if all major social media services had such a program.
Not sure if this falls into the advanced protection for Google, but about a year or two ago, got a notification of a suspicious login from Moscow (I'm from the US and have never travelled out of North America). Promptly changed my password.
"there are some accounts that could be compromised that would be very significant"
Trump? I'm not really being facetious when I ask what difference it could possibly make. Of course, sometimes his tweets do appear to move the stock market, but still.
It is. The consequences of hacking e.g. @RealDonaldTrump would be disastrous (especially if the adversary is a hostile nation state whose hackers are smart enough to make plausible, but damaging statements).
Would it, in that particular case? Don’t get me wrong, I agree with your general point (imagine a police department account tweeting a photo of someone while accusing them of a crime), but given the Tweets of his that people quote I get the impression that even if Trump’s account posts open declarations of war nobody would do anything?
The official policy of the White House is that the President's tweets from @realDonaldTrump can be statements of the President in his official capacity, and therefore binding to the extent that any Presidential order or command can be. He has fired people, he has announced sweeping policy changes, made nominations, and so on through Twitter, which have then been acted on by the executive branch, Congress (which held appointment hearings for a SecDef before a formal nomination, but after a tweet), and the courts.
Of course that's the nod nod wink wink official policy - how could it be otherwise, and with any other president you would be wise to attach some weight to presidential tweets. But here's the only test you have to make: would you take real-life, consequential action based solely on a Trump tweet or would you look for verification elsewhere first? Because if it's the latter, it doesn't really matter if Trump's account gets hacked.
1. of the executive branch by and through the US Department of Defense, among other examples
2. the legislative branch, by and through committee hearings and acceptance as fact of nominations not yet formally made, among other examples
3. and the judicial branch, by and through accepting as fact the arguments of the DOJ through the solicitor general that statements by the President via Twitter are "official statements of the President", among other examples
That's not wink wink, nod nod. That's just fact. The federal government, in its three branches, accepts as fact that the President issues official edicts through Twitter.
> The federal government, in its three branches, accepts as fact that the President issues official edicts through Twitter.
Sure, but pretty much everybody in the world accepts as fact that he uses it to issue random nonsense as well. Surely you don't need examples of this.
Which comes back to my question: would you take real-life, consequential action based solely on a Trump tweet or would you look for verification elsewhere first?
He's used to to announce trade sanctions, with the tweets in question literally being cut and pasted together to form the official White house statement a few hours later.
I'll be interested to see the post-mortem on this breach for sure.
As an outsider, I would have thought that the Twitter security team would have a set of high-value users (with @jack being at the top of the list) who'd they keep very close tabs on in terms of any unusual activity.
Realistically Twitter is where announcements are made by world leaders and major corporations, control of these accounts could have repercussions, although in this case it just seems to have been a general hack...
Hopefully if that's the case, more attention will be paid to the fact that using mobile phones for 2FA or identification on high value services is a bad idea :)
Until the authenticator app which holds the TOTP secrets in clear text is on the same phone as you are using to access the website/app in question to start with. Then you'd probably be better off instead storing a token in the secure enclave in the app itself instead.
I don't think "keep very close tabs on" can prevent an attack on an account before it happens. All it can do is help clean up the damage quickly. Which is what happened here. The offending tweets were deleted in 10-15 minutes. That's a pretty good response time.
What could prevent an attack is limiting the features available to high-value users. One could imagine, for example, limiting 3rd party API access. Depending on what actually happened here, that might have prevented this. But there is a downside of reduced functionality for the owners of the accounts in question. There's always tradeoffs.
I'd agree that there are always trade offs however, you could do a number of things to detect an active attack, changes in user agent, location etc can be detected and flagged for review. Now that's not possible at scale, but for high value users,it would seem like a not outrageous countermeasure.
Why can his password even be reset remotely, and not something done by other company employees (HR, etc)?
In an enterprise setting where people work in an office I don’t see the point of allowing self-service password resets. It opens you to huge risk for very little upside compared to having to physically walk into the office (if you aren’t there already) and have HR/line manager/etc do it for you.
Self-hosting and security don't necessarily go hand-in-hand. For laypeople, self-hosting is usually worse: they don't know what threats to protect against, and even if they knew what to protect against they wouldn't know how.
I believe they do keep close tabs on high profile accounts. I happened to notice it in my feed when the news hadn't broken out yet (took a couple of screenshots out of surprise too). The team quickly took all of it down as and when they were being posted. It lasted for about 10minutes or so. The hackers were adding mentions to other accounts which were immediately suspended by the folks at Twitter too.
The psychology behind what hackers say in these high-profile attacks is far more interesting than the account takeover itself.
Some of them say racist things or speak about Hitler because they know it will attract far more attention than say: posting a link to some shady website to spread malware.
Hmm, apparently the people behind this have been behind quite a few high profile Twitter account hacks recently. They also hacked the account of a gaming YouTuber called Etika, as well as others like Shane Dawson and James Charles:
Does Twitter even permit that? If I recall correctly, it forces SMS 2FA.
In this case, Jack's account would've been compromised regardless because the tweets were sent via a third-party application that he had authorized to use his account.
It was the provider that handled the SMS gateway for posting tweets through the 40404 short code. The prevailing theory is that his account was hijacked using SIM swapping, and the hijackers tweeted through SMS. Cloudhopper is still the name of the "twitter app" that gets attribution for tweets posted through SMS.
I got some more intel on this -> unlikely sim swapped, probably just number spoofing. The "quality" of the "hackers" indicates this is the work of skiddies rather than an actual hack.
Would it really make a difference? That account is already unhinged, and few take it seriously.
It's like, we say it would be a big deal, but I think it has proven itself to not be, again and again. Precedents are being passed every day and in the end it hasn't been a scandal that sticks, catastrophe or anything..
I don't know how the account was compromised - but, I notice that Twitter's hardware U2F support is not designed to be very useable. They only allow one security key per account, whereas most users have multiple - one on the keychain, one left in the laptop, etc. So, I bet that high-risk accounts like Jack are not even using this enhanced security mode because of its poor user experience.
Compare this to Google where every employee is issued multiple hardware keys, internal systems require security keys, and they put a lot of effort into their "Advanced Protection Program" to make it useable: https://landing.google.com/advancedprotection/
I use U2F everywhere and can tell you that Twitter's usability with U2F is really poor. Can't remember why I stopped using U2F on twitter, but it's probably because of that fact that I couldn't use multiple keys.
More likely is that some Russian or Chinese hackers would make statements that tank the stock market. While setting up some short positions immediately prior.
I’m just curious how you imagine this happening. @realdonaldtrump tweeting “I HEREBY ORDER...” is not a legally binding order. Launching nuclear missiles or whatever requires authentication codes and can only be ordered via a portable radio alongside a series of codebooks, all of which is carried by a military aide who is always near the President. Another country isn’t going to start a war based on some weird tweets. It’s an extremely unlikely and weird risk.
A well crafted message that inflames followers to riot...
I'm the kind of person who, for example, doubted the Covington Kids story from the beginning. By which I mean I'm not particularly alarmist about a putative vast right-wing catastrophe taking place. But any popular leader (and he's very popular among the people he's popular with) can start incidents like that by accident.
Ok but what “riot” in human history has killed MILLIONS of people? The Rwandan genocide was pretty close, except the groundwork for inciting it was laid over the course of months via state radio and they imported machetes into the country before the message was sent to “cut down the tall trees”. A compromised Twitter account isn’t going to do it.
had escalated more, I don't think it's too far-fetched to imagine an unstable dictator sending off a nuke after being goaded on twitter.
I think it's within the realms of possibility at the very least, although very unlikely (mostly because NK hasn't got a decent delivery system, their nukes aren't very advanced/portable yet and Kim Jong Un's probably not too keen for NK to be destroyed in retaliation).
Given Trump's recent tweet of the spy satellite image, and the apparent taunting of Iran, it's also possible that type of thing could be responsible for triggering future terrorist attacks (although obviously that's not millions of people).
Terrorists and rogue dictators are often described as "unstable" or "irrational", but they tend to be rational within certain boundaries. For example, if you actually believe the nonsense about an afterlife filled with dozens of virgin concubines, suicide bombing becomes a rational decision, aside from being motivated by an irrational belief. Likewise, Kim's strategy follows the basic form of hostage-taking. If Kim actually "sent off a nuke", he would lose much of his leverage, just as a hostage taker loses leverage as soon as he starts killing hostages.
Yeah. On Twitter you can potentially impersonate the President and cause weeks/months of political chaos by calling someone the N-word or something similar.
Imagine if you were an intelligence agency and you were permitted to surveil American communications, and there was this pesky congressman who didn't want to support your organization, so you collect lewd photos of him from his phone and post them on his Twitter repeatedly.
You could effectively use the data on Twitter to control the leaders of the US. "Hey, remember that congressman who didn't like us and then accidentally tweeted his own sexts? That was hilarious. Anyway, we'd really like you to increase funds and be more permissive about what our agency can do."
> Imagine if you were an intelligence agency and you were permitted to surveil American communications, and there was this pesky congressman who didn't want to support your organization, so you collect lewd photos of him from his phone and post them on his Twitter repeatedly.
> You could effectively use the data on Twitter to control the leaders of the US. "Hey, remember that congressman who didn't like us and then accidentally tweeted his own sexts? That was hilarious. Anyway, we'd really like you to increase funds and be more permissive about what our agency can do."
182 comments
[ 8.9 ms ] story [ 259 ms ] threadhttps://twitter.com/gruber/status/859857475146854402
https://twitter.com/bhaggs/status/1090016722415845376
"I know this is an old Tweet. But are you helping out with Shrouds jacked account? Looks like whoever took over the account is using Cloudhopper to post these hateful messages on Shrouds Timeline."
https://imgur.com/a/7jm6JkE
You can see them on the web archive:
https://web.archive.org/web/20190830200105/twitter.com/jack
https://pbs.twimg.com/media/EDPrA0lWkAcFxc2?format=jpg&name=...
https://pbs.twimg.com/media/EDPrCh4XkAA3i9W?format=jpg&name=...
https://pbs.twimg.com/media/EDPrDLJWsAEySy-?format=jpg&name=...
https://pbs.twimg.com/media/EDPrDxXXkAEoeKQ?format=jpg&name=...
https://archive.is/iZusW
https://archive.is/OpOBn
On a serious note the people who hacked Jack and several others are called #ChucklingSquad. So actually be cautious of protecting your account.
https://www.treyexgaming.com/index.php/2019/08/26/how-the-sa...
These appear to have been done by the same people who compromised Jack
The fact that the account was used to spread racist & nazi propaganda should be a clue; timing it for 1pm on a Friday afternoon suggests a degree of sophistication.
1pm is sophisticated in which timezone?
You're welcome.
edit because I can't reply: for twitter you have to remove your phone number. I keep TOTP active as a backup, but might not if I had a highly followed account.
Is UTF-8 just so much U-238 in drag?
If someone is starting a war, than any tweet is fungible with another.
That would probably trigger war.
Color me skeptical, sir.
Can you imagine what would have happened if a post-9/11 Iranian leader's account had tweeted "we have successfully acquired nuclear weapons and will be attacking Washington DC and Jerusalem tonight"? Elements within the governments of the USA and Israel have been agitating for war with Iran for decades, and that could give them the cover they need to act on it.
The elevation of social media to the level of a United Nations general assembly just doesn't seem to pass muster, boss.
https://news.ycombinator.com/item?id=20842357
Regardless of that, separating "official communications" from "personal" would be really tricky. Which tweets would come as "the current president" and which as "the candidate up for re-election"?
In addition to that, there are actually separate accounts (official @POTUS / personal @realDonaldTrump) but Trump-the-person has no incentive to ever use the official account (it's not "his") and so all @POTUS account does is just retweet the personal account, sort of defeating the purpose.
(If you're going to be arrested for CFAA violations, might was well throw in some financial crimes too. Make sure you're unemployable for the rest of your life.)
https://www.marketwatch.com/story/to-catch-a-thief-how-nasda...
You use your brain a little. You prepare your positions months in advance, and hedge out market risks.
You can also use less regulated brokers in far away places and trade TWTR derivatives.
"I am now placing sanctions on the Bank of China and PetroChina for North Korean oil sales" "I am now announcing Magnitsky sanctions on [insert Central Committee members here] for Xinjiang" "The whole country of China is now subject to technology sanctions" "I am now placing tariffs on German cars until Germany cancels Nord Stream" "I am banning US companies who source components from China from participating in federal contracts"
or even positive news like "Tomorrow, my great friend Xi Jinping and I will announce a wonderful deal with China that lifts all tariffs, solves IP issues, and lets our great economy invest in theirs and vice versa"
Would you? Not unless you were completely batshit insane.
Probably among tech savy people, the perecentage is lower, but still higher than it should be.
I myself, having been in IT for over 20 years, am guilty of this for non sensitive accounts. For significant accounts, they're randomly generated to the longest and highest degree a service allows. My gmail password, for instance is a 40 character random spread along their allowed characters. I cannot remember it.
Admins at game companies used the same password for their remote access to their game company data as they did on some other compromised site, so attackers were able to easily break into the company.
I appreciate the answers here!
A large website is made up of many different complex, interconnected components, and it would be quite possible for an attacker to compromise a public account without gaining full control of the backend infrastructure is unaffected.
https://twitter.com/GossiTheDog/status/1167533000592109568
On the other hand, it did make me consider that there are some accounts that could be compromised that would be very significant: Trump.
* locked to 2fa with security keys * limiting the set of apps that can access account data * better scrutinized account reset - i assume this means it makes your account more resistant to phishing on Google employee's part.
https://landing.google.com/advancedprotection/
Its nice that Google apparently makes this available to anyone who is willing to buy the security keys. It would be nice if all major social media services had such a program.
Trump? I'm not really being facetious when I ask what difference it could possibly make. Of course, sometimes his tweets do appear to move the stock market, but still.
The official policy of the White House is that the President's tweets from @realDonaldTrump can be statements of the President in his official capacity, and therefore binding to the extent that any Presidential order or command can be. He has fired people, he has announced sweeping policy changes, made nominations, and so on through Twitter, which have then been acted on by the executive branch, Congress (which held appointment hearings for a SecDef before a formal nomination, but after a tweet), and the courts.
1. of the executive branch by and through the US Department of Defense, among other examples
2. the legislative branch, by and through committee hearings and acceptance as fact of nominations not yet formally made, among other examples
3. and the judicial branch, by and through accepting as fact the arguments of the DOJ through the solicitor general that statements by the President via Twitter are "official statements of the President", among other examples
That's not wink wink, nod nod. That's just fact. The federal government, in its three branches, accepts as fact that the President issues official edicts through Twitter.
Sure, but pretty much everybody in the world accepts as fact that he uses it to issue random nonsense as well. Surely you don't need examples of this.
Which comes back to my question: would you take real-life, consequential action based solely on a Trump tweet or would you look for verification elsewhere first?
As an outsider, I would have thought that the Twitter security team would have a set of high-value users (with @jack being at the top of the list) who'd they keep very close tabs on in terms of any unusual activity.
Realistically Twitter is where announcements are made by world leaders and major corporations, control of these accounts could have repercussions, although in this case it just seems to have been a general hack...
It's less like a 2nd factor and more like a poor man's password-protected private key authentication, but it's way better than just a password.
U2F is "great".
TOTP can be phished, whereas U2F is virtually impossible to phish.
What could prevent an attack is limiting the features available to high-value users. One could imagine, for example, limiting 3rd party API access. Depending on what actually happened here, that might have prevented this. But there is a downside of reduced functionality for the owners of the accounts in question. There's always tradeoffs.
In an enterprise setting where people work in an office I don’t see the point of allowing self-service password resets. It opens you to huge risk for very little upside compared to having to physically walk into the office (if you aren’t there already) and have HR/line manager/etc do it for you.
That control should not be solely in Twitter's hands.
Those leaders and orgs need to take a strong look at authenticity via ActivityPub self-hosted on their own namespaces.
And Twitter is where the audience is.
Some of them say racist things or speak about Hitler because they know it will attract far more attention than say: posting a link to some shady website to spread malware.
https://knowyourmeme.com/memes/events/chuckling-squad-hacks
Wonder if the affected users all used the same system in the past?
Only if they (and jack) used a FIDO U2F key would they be really safe.
In this case, Jack's account would've been compromised regardless because the tweets were sent via a third-party application that he had authorized to use his account.
So does the president
It's like, we say it would be a big deal, but I think it has proven itself to not be, again and again. Precedents are being passed every day and in the end it hasn't been a scandal that sticks, catastrophe or anything..
Compare this to Google where every employee is issued multiple hardware keys, internal systems require security keys, and they put a lot of effort into their "Advanced Protection Program" to make it useable: https://landing.google.com/advancedprotection/
I'm the kind of person who, for example, doubted the Covington Kids story from the beginning. By which I mean I'm not particularly alarmist about a putative vast right-wing catastrophe taking place. But any popular leader (and he's very popular among the people he's popular with) can start incidents like that by accident.
Imagine what effect that would have on already-pressured populations across the globe.
had escalated more, I don't think it's too far-fetched to imagine an unstable dictator sending off a nuke after being goaded on twitter.
I think it's within the realms of possibility at the very least, although very unlikely (mostly because NK hasn't got a decent delivery system, their nukes aren't very advanced/portable yet and Kim Jong Un's probably not too keen for NK to be destroyed in retaliation).
Given Trump's recent tweet of the spy satellite image, and the apparent taunting of Iran, it's also possible that type of thing could be responsible for triggering future terrorist attacks (although obviously that's not millions of people).
* Plausible so that people do not believe it is a compromise
* Offensive enough to cause action
* Not in the category that people just roll their eyes and think Trump is being outrageous on the internet again.
This is probably harder than it seems at first glance.
> * Plausible so that people do not believe it is a compromise
> * Offensive enough to cause action
> * Not in the category that people just roll their eyes and think Trump is being outrageous on the internet again.
> This is probably harder than it seems at first glance.
Is the third bullet even a thing after the whole Greenland debacle? Before then I had already thought I'd heard it all.
You could effectively use the data on Twitter to control the leaders of the US. "Hey, remember that congressman who didn't like us and then accidentally tweeted his own sexts? That was hilarious. Anyway, we'd really like you to increase funds and be more permissive about what our agency can do."
Apropos of nothing, here's an interesting interesting website: https://votesmart.org/candidate/key-votes/23162/anthony-wein...
> You could effectively use the data on Twitter to control the leaders of the US. "Hey, remember that congressman who didn't like us and then accidentally tweeted his own sexts? That was hilarious. Anyway, we'd really like you to increase funds and be more permissive about what our agency can do."
> Apropos of nothing, here's an interesting interesting website: https://votesmart.org/candidate/key-votes/23162/anthony-wein....
I may be dense but it was not clear to me what the point in linking to the votesmart site was? Is it the change between pro/against for patriot act?
He's suggesting that anthony weiner was "framed" by some 3-letter agency.