Twitter hack discussion and a way to secure internal apps
Employees can:
1) Be socially engineered into giving their credentials, even bypassing 2FA
2) Be bribed or get frustrated into "acting badly". I assume they hope to get away by making it look like they were "hacked".
A SOLUTION
- Mitigating login attacks: The idea is to prevent attackers from using the tool even if login is compromised. To achieve this, we must tie the usage of the app to a specific device for each employee[1]. Doing so will not allow any other device to login. This is OK from an employee workflow point of view since they don't switch machines anyway. It also makes it very difficult for malicious employees to fake that they were hacked.
- Mitigating insider threats: Assigning strict access controls and having sensitive actions be approved by multiple people in the organisation reduces the risk of a single point of failure.
- Logging + analytics: All actions an employee takes must be logged, making auditing easy post an attack. One can even build ML models to detect anomalous behaviour and stop bad actors in real time.
DISCUSSION
- Is anything that I have assumed wrong?
- Any thoughts on the above solutions?
- How do you think the Twitter attackers bypassed 2FA?
Thank you for your time.
---------------
[1] How to tie usage of the app to one device per employee:
- Post login, the app must allow only one alive session for that user (i.e. no new session can be created). This means that using login credentials on another browser won't work.
- No log outs allowed.
- Sessions need to be safeguarded against theft (see RFC: https://bit.ly/2ZHuPji). In case of theft, block the employee's access.
- Re-auth for every sensitive operation while maintaining the current session.
5 comments
[ 2.8 ms ] story [ 23.5 ms ] threadHardware keys probably would work. But can a key be used on different computers? If yes, then the method I have highlighted would be more secure (and cheaper). If not, then both would have the same level of security.
If I had to guess, it could be that because of remote work, the employees had to use Twitter's VPN. Because they were using it, the attackers somehow managed to get access to it which may have been required for using the internal tool.
If there was no remote work, the employees would not have had to use a VPN, which means that the attackers may not have been able to use the tool from the outside.