Twitter hack lessons learned

I’m not an twitter employee, but the recent “twitter hack” has shown some valuable lessons that everybody can learn from it.

* It is funny (and shocking) to read about how bad twitter’s security really is.
* And that TOTP-2FA cannot protect from social engineering (FIDO and/or smartcards would have)
* There is a need for “a secure line” e.g. company chat with different login for IT stuff to validate caller identity. Or to reset passwords only through an trusted (and authenticated) 3rd party (managers or hr). And the IT stuff should not simultaneously see who that 3rd party is, so that a phisher cannot simply continue to the next person.
* A 17 year old could gain access to twitter internal systems and was *not* caught because of audit logs of twitter.
* The concept “internal network” is very harmful. Systems need to be designed without the assumption of a “trusted/internal network”.
* There are always employees that fill out every phishing webpage.
* The system needs to be designed to have abuse detection.
* Inside threads are not only done by employees.
* Without an internal network there is no inside job.
* Don’t trust anyone not even your mom without validating her *and* her intend.
* Provide one and only one login portal for all of the companies portals and applications that share the same credentials. It should be a clear red flag that another url does not belong to those credentials even if the company logo is shown.
* BYOD is bad, provide all workers with secure (and usable!) notebooks (Not just remote workers, as it could be necessary to send your stuff home/remote without former notice, as covid has shown), Microsoft has a good writeup for that at https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations
* Jumpservers and VPN don’t improve security.
* There should be a corporate policy that enforces a half annual pentest *and* mandates that *all* findings are addressed before the next one.
* And finally also mandate a brute force yourself where you check all of your accounts against known password lists, check new passwords against those lists before they are committing *and* block the pattern “$Word$Number$Specialchar” esp. “$Company$CurrentYear$Specialchar”, “$Month$CurrentYear$Specailchar”, …

Leave a Reply

Your email address will not be published.