There was a time, many years ago, when Elon Musk was something of a celebrity in the technology industry, to the point where many folks were calling him the “real life” Tony Stark. This was due in no small part to his association with groundbreaking (at the time) technology companies Tesla and SpaceX and billionaire status. His cameo appearance in Iron Man 2 just stoked the nerd fandom even further. Fast forward a few more years and the bloom has come off the rose, though there are still many who defend him as a business genius, or even just a genius in general. Make no mistake, he is the richest man in the world, but apparently money can’t buy wisdom, just the marketing to cover up the lack of it.
All aboard the Twitter hate train
It’s no secret that I’m not a fan of social media. Before Musk took over Twitter it was already well on its way to becoming a haven for trolls, misinformation and hate speech, and it seemed like Twitter management at the time was only concerned about these problems when advertisers threatened to pull out of the platform. Enter Musk in 2022 who promised upon taking the company private to loosen content restrictions as well as crack down on the spam and follower bots. While there does not seem to be any noticeable change in the number of bots on Twitter, he certainly seems to have succeeded in removing whatever vestigial content moderation that had existed prior to his takeover. According to a paper published by the University of Southern California “Auditing Elon Musk’s Impact on Hate Speech and Bots,” the amount of hate speech has nearly doubled on Twitter since his purchase of the stagnating social media platform in October of 2022. For any other reasonable human being, this would not be considered a win, but Musk seems to be intent on riding this particular handbasket all the way to hell, including claiming the exact opposite, without providing any sort of backing evidence. In case it’s not immediately clear what my position on Twitter might be, any platform that blindly labels an imposter account as a certified representative of one of the largest entertainment companies in the world should not be entrusted with the level of influence Twitter still wields.
Image by Htc Erl from Pixabay
In case you happen to be ignoring the news like any sane human being, you might have missed that a certain billionaire bought Twitter about two weeks ago. Like some sort of stereotype out of an 80’s comedy, the new boss strutted into the place stating that changes were going to be made, and by golly, he made good on that promise. Among the many, possibly apocryphal, reports that surfaced on Twitter (where else?), the new boss fired lots of people, turned off a bunch of “unneeded” services and basically did his best impression of a bull in a china shop. One of the more interesting strategic choices he made was to monetize the “verification” system of Twitter which basically provided a way for celebrities, politicians, brands and journalists to “prove” they were who they said they were, for the purposes of differentiating themselves from other copy-cat Twitter accounts.
What could possibly go wrong?
Though in theory the new pay-for-verification systems was supposed to be different from the previous verification process (which was human-vetted and supposedly could not be purchased), the new leadership did not make this at all apparent and neither did the app itself, and so as expected, thousands of trolls lined up with $8 for their “verified” accounts, which then could be renamed to resemble any of the thousands of actual verified Twitter accounts. First to make headlines was comedian Kathy Griffin who used the new service to impersonate Twitter’s new owner for the purposes of doing what she is well known for: heckling famous people online. Said owner immediately flexed his boss powers and banned her and in the same breath issued a new proclamation – parody accounts must label themselves as such. Sensing an opening, the internet did what it does “best” and followed Ms. Griffin’s suit. Numerous celebrities, politicians and brands were “parodied,” and the results were variously hilarious, pointed, vulgar and in the case of at least one brand, actually financially damaging.
At the moment, this story continues to evolve. The new chief of Twitter is not backing down in his bold claims that Twitter will be remade under his leadership, while continuing to be called out by experts and (ex)employees for unsubstantiated claims and tweeting churlish reactions to the thousands of Twitter trolls ready for fresh meat – something the platform was infamous for long before the new king bought his latest crown. Something you can’t hide, however, is when real businesses put their money where their mouth is, or in this case, take that money elsewhere.
There are so many reports of this nature that I literally can’t even. My vacation can’t come soon enough, but in reality I’m just going to be worrying about all of you staying safe in the face of widespread negligence and malfeasance. Read on if you dare:
AT&T employees took bribes to plant malware on the company’s network
TLDR: Pakastani hackers bribe ATT employees $1M+ over the course of 5 years to unlock phones and install malware and rogue devices on ATT networks.
More N.S.A. Call Data Problems Surface as Law’s Expiration Approaches
TLDR: Remember all that secret data collection the NSA got caught doing a few years back? They were supposed to delete that data, but Oops! they didn’t.
Yelp is Screwing Over Restaurants By Quietly Replacing Their Phone Numbers
TLDR: Yelp set up a shady deal with GrubHub to redirect customer calls through their hub instead of dialing the restaurant direct. Restaurants get charged a marketing fee for this sleight-of-hand.
Twitter may have shared your data with ad partners without consent
TLDR: Twitter may have inadvertently shared data on your viewing habits that it collected without authorization. And then used that data to show you more ads. “Oops.”
Democratic Senate campaign group exposed 6.2 million Americans’ emails
TLDR: Dumb campaign staffer puts unsecured spreadsheet online in 2010. Emails have been exposed for nearly 10 years.
Image courtesy of TAW4 at FreeDigitalPhotos.net
Today’s headline alludes to a concept perhaps as old as civilization itself. Plato expressed it as, “Quis custodiet ipsos custodes?” Who will watch the watchers? In a spectacular demonstration of what a well-executed hack can do, an unknown hacker has virtually imploded the operations of a digital surveillance company known (ironically now) as Hacking Team. Despite the rather colorful name, this Italian security company has contracts with dozens of government agencies from all over the world, including the United States. Their product? Essentially spyware for conducting remote surveillance and other covert digital operations. The unknown hacker taunted the company and its employees by taking over Hacking Team’s Twitter account and began sharing extremely sensitive internal files through tweets purportedly coming from the company itself. Once the breach was discovered, Hacking Team contacted its clients and strongly recommended they cease using any of the company’s software. Given the general public distaste for Hacking Team’s type of software and the amount of daylight this shines on its customers, its highly likely that very few contracts will be renewed, leaving the company’s future in very uncertain terms.
What this means for you:
Unless you happened to be on the list of Hacking Team customers, there’s not a lot you need to worry from your own organization’s perspective. However, as a citizen of a supposedly democratic nation, you should be concerned about how our government agencies conduct themselves. Should law enforcement agencies be allowed to break the law in order to do their jobs? Who will watch the watchers? Are those people (I’m talking about Congress now) qualified to make proper decisions when they barely understand how the Internet works? To translate this into more relatable (and actionable) terms, do you understand enough about your own organization’s security and technology to make informed decisions on what to buy, what to use, and who to hire? In the case of Hacking Team, it appears that the hacker breached the company through the personal computers of its own system administrators, an irony within an irony. Are you adhering to the security standards to which you hold your own employees accountable?
Confirming something that many of us already suspected, Twitter has revealed in its most recent SEC filing that almost 9% of all Twitter accounts aren’t used by actual humans. Given the social media’s 271 million accounts, that’s nearly 23 million Tweeters posting content at the behest of some form of automation or algorithm.
It’s an unfortunate but not unexpected state of affairs that hackers continue to take advantage of our voracious appetite for news. As has been happening with hot news stories for at least a year or more, malware links are cropping up to exploit the media frenzy surrounding missing Malaysian Flight MH370. Taking advantage of the viral nature of sharing prevalent on Facebook and Twitter, fake links promise “shocking video” revealing the fate of the missing flight. Clicking them takes you to a counterfeit survey designed to look like the Facebook surveys many app-makers use to gather info on users before granting access to their app or content. Instead of course, you are giving your info to hackers on a fake website which will undoubtedly be used to annoying, or worse, nefarious ends.
What this means for you:
If I’ve said it once, I’ve said it 1000 times: don’t click links in Twitter, Facebook or email, doubly so if the source isn’t someone you trust or recognize, and you can’t clearly see the destination URL. Most links shared on Twitter use a URL shortener which obscures the final destination, a technology designed originally to compress long URLs into tiny ones and now used as a trick by spammers and hackers to lure you to a fake website. All it takes is a simple page load (no typing or filling in forms required) for an out-of-date browser or OS to be compromised, and once they have a toe in the door, it’s all down hill from there.
From this point forward, you should expect hackers will exploit hot news items to take advantage of our natural curiousity. If part of your online brand-building, either professionally or personally, includes re-sharing or retweeting internet links, be careful you don’t inadvertently share a fake news item to your friends and followers.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
In case you are feeling like the only one under constant cyber attack, Microsoft has recently admitted that the Syrian Electronic Army has successfully hacked some of its employee email accounts, apparently in pursuit of documents pertaining to ongoing law enforcement surveillance requests. As is typical with these types of breaches, Microsoft has yet to determine if any customer data was exposed, and so far is saying very little in that regard. This comes on the heels of it’s the Microsoft Office blog being defaced only days prior, as well as successful attacks on high-profile Twitter accounts and blogs used by other Microsoft divisions.
What this means for you:
The Microsoft employees who were hacked were compromised through nothing more sophisticated than the ole “phishing” tactic. In case you still don’t know what that is, I’ll describe it in brief:
- You receive a legitimate-looking email, warning that your account at a popular service has been compromised, or your password has been reset, or that some other urgent action is required. Other popular phishing tactics include packages (or money) awaiting delivery, important faxes being held, etc.
- The email directs the recipient to a website that may be designed to look legitimate, but is not. The hacker owns that website, and any data typed into it.
- In all cases, the hacker is trying to get the recipient to volunteer specific information about themselves, usually things like user IDs, passwords, Social Security numbers, addresses, anything that could be used to compromise and possibly steal your ID.
- On top of tricking you into entering your important data, the website will often attempt to install other malware on your computer, resulting in severe infections and further data theft if it’s not caught quickly. This can even happen if don’t enter any information on the website. Visiting that first page is often all it takes to get a bad malware infection.
If you haven’t figured out why it’s called “phishing”, the hackers are the fishermen, the email is the bait (and hook), and you are the fish. “Spear phishing” is when specific groups of recipients are targeted (as was probaby the case with the Microsoft incident above), and “whaling” is when high-profile executives or critical employees are specifically targeted with carefully crafted emails tailored for the individual coupled with other social engineering tactics to lend legitimacy to the attack. And don’t think that you are immune to whaling attacks just because you aren’t a high-powered executive. Analysts are even now investigating possible AI-generated whaling attacks that being generated based upon information gathered on the internet from sites like Facebook and Linkedin, making it harder and harder to spot the fakes in your email.
An Islamist hacktivist going by the moniker “Mauritania Attacker” claims to have hacked and accessed the entire database of Twitter accounts. As proof of this exploit, he has published details on 15,000 accounts that included access tokens users have generated for other applications that use Twitter either as an authentication source, or as a means to publish data from or to the microblogging service. According to representatives from Twitter, no accounts have been compromised, and the account details released by the hacker did not contain passwords (hashed, encrypted or otherwise). Security analysts suspect that it may be possible to use the exposed security tokens to gain limited access to publish through the associated Twitter account via third party app (which is what the tokens are for in the first place) if a hacker could ascertain for which app a specific token was created.
What this means for you:
If you use Twitter, you should do two things:
- Enable login verification by going to your Twitter settings -> Account -> Login Verification. This basically sends out a confirmation to your mobile device that must be entered in order to log into your Twitter account.
- Revoke permissions to Twitter-enabled apps. You can do this by going to your Twitter settings -> Apps and clicking “Revoke Access” next to every app on the list, even the ones you might use frequently. Then, you can go back to your favorite apps and reauthenticate. This way, you can recreate the access tokens, and not have to worry about the possibility that your access tokens were among the ones shared by the Mauritania Attacker.
In a rare public admission, Apple has indicated that some of its own internal Macintoshes have been compromised in a cyberattack that security researchers believe similar to the one that breached Facebook last week. Announcements from Apple of this type are very rare, as Apple has long touted one of the strengths of its platform was how “unhackable” it was compared to Windows. In this particular case, Apple has little to lose, as it’s pointing the finger of blame for the hack at Java and a vulnerability that was taken advantage of to gain access to Apple employee computers.
What this means for you:
Apple’s recent breach is just one more notch in cybercrime’s belt that includes a long list of illustrious companies like the Wall Street Journal, Twitter, Facebook, Jeep, and Burger King, not to mention the numerous intrusions of government agencies and countless hacks of businesses that go unnoticed and un-reported. In the case of the Apple and Facebook breaches, the source has been tied to a mobile development website that both company’s employees accessed, and according to both companies, there appeared to be no evidence that customer data was compromised in the attacks. As I’ve maintained all along, the business world is now entering a new age of security unknowns as serious criminals continue to exploit technology to serve their needs, and are able to outspend and outgun the average small and medium size business. Before the age of computers and the internet, your odds of being targeted by a criminal organization were minute compared to today, where organized crime can now “crowd-source” affiliate-based networks that pay anonymous hackers in any number of a dozen untraceable ways to rent out zombified computers and webservers by the hour for a handful of dollars, and use pre-scripted attacks to launch massive, shot-gun targeted campaigns that only need to snag a small percentage of victims in order to be profitable. This is not some imaginative, cyberpunk movie plot – it’s happening right now, as you read this article. Moving forward, the only way to combat this growing threat will be a combination of vigilance and smart investments in security technology, policy and training.