Saturday, Aug 08, 2020 | Last Update : 09:21 AM IST

136th Day Of Lockdown

Maharashtra49026232728117092 Tamil Nadu2850242275754690 Andhra Pradesh2069601204641842 Karnataka164924842322998 Delhi1427231282324082 Uttar Pradesh113378668341981 West Bengal89666630601954 Telangana7525753239601 Bihar7179446294400 Gujarat68855517922604 Assam5549737225132 Rajasthan4941835186763 Odisha4255028698292 Haryana4005433444467 Madhya Pradesh3729827621962 Kerala3170019147103 Jammu and Kashmir2392716218449 Punjab1901512491462 Jharkhand140705199129 Chhatisgarh10109761369 Uttarakhand8008484795 Goa7075511460 Tripura5520367528 Puducherry4147253758 Manipur301818147 Himachal Pradesh2879171013 Nagaland24056594 Arunachal Pradesh179011053 Chandigarh120671520 Meghalaya9173305 Sikkim7832971 Mizoram5022820
  Opinion   Oped  24 Jul 2020  Twitter lessons: Relook security strategy, rules on social media

Twitter lessons: Relook security strategy, rules on social media

Published : Jul 24, 2020, 5:02 pm IST
Updated : Jul 24, 2020, 5:02 pm IST

In the polarised political climate that engulfs India, such a creative use of a Twitter hack is very much within the realm of possibility

A seed capital of $100,000 or less can be used to do widespread harm by hacking into social media sites. Representational Image
 A seed capital of $100,000 or less can be used to do widespread harm by hacking into social media sites. Representational Image

A future world war might as well be started with a seed capital of $100,000 or less. That is the sobering reality of the Twitter security breach incident compromising a swathe of prominent people, from former US President Barack Obama to Elon Musk.

In a matter of hours, Twitter had shut down most of its verified Twitter handles and launched an active investigation into the breach.

 

A seed capital of $100,000 or less can be used to do widespread harm by hacking into social media sites that seem innocuous but are now vehicles of a new kind of warfare.

On April 23, 2013, the world saw what a Twitter hacking can do. The official Twitter handle of Associated Press tweeted a breaking story -- “Two explosions in the White House and Barack Obama is injured”. The tweet came at 1.07 pm and AP’s two million followers on Twitter started retweeting the issue in a matter of seconds.

In his book Future Crimes, author and former policeman Marc Goodman estimated that in just three minutes, that tweet had wiped out $136 billion from the stock markets.

 

A little-known hacking group, Syrian Electronic Army (SEA), admitted it had hacked into AP’s official Twitter handle. The SEA caused massive economic damage without even spending any major resources, and it did not even target a US official website or system.

Just the hack into the Twitter handle of a major private news organisation was enough to cause significant damage.

This is how social media has emerged as a tool of modern warfare, It is free to access, has vast reach, consumes very little resources, and makes the world a target. The current Twitter hacking raises two major obvious issues.

One, the social media has to be seen from the lens of national security and the threats they pose. Second, India needs to revisit some of its regulations around the social media and bring them up to date with current realities.

 

While it is not clear whether the current hack into Twitter was done through social engineering or by paying off Twitter employees, it brings forth another question: how did the hackers know who in the social media corporation had access to these internal tools?

It even managed to reset emails as well as bypass two-factor authentication, even for high-profile accounts including a US presidential candidate and targeted them precisely to achieve their goals.

The compromised insider is not a first for the social media. In 2017 a Twitter employee temporarily deactivated the US President’s Twitter account and two Twitter employees spied on activists for the Saudi government.

 

Both these incidents show the power that site reliability engineers (SREs) hold inside the tech company, and how they can be targeted by simply looking at SRE Meetups held in Meetup.com, an online service that hosts regular meetups.

It is then a matter of time to recruit one of them to spy on a critic that a nation state dislikes, or to convince them to give access to internal tools to post a message declaring war on another state, using the head of state’s Twitter account.

As the US Navy Chief of Naval Operations put it so eloquently, “social media literacy is national security too”. It is possible that after this incident, this statement has to be retold as “social media SRE is national security too”.

 

Closer home, in December 2016 Congress leader Rahul Gandhi and many colleagues found their Twitter handles compromised.

According to Indian government sources, this was done by hackers who managed to get domain-level access to the Indian National Congress’ emails, leading to a cascade of hacks including their Twitter handles.

No FIRs were filed, and few paid attention to the national security threat such a hack poses.

What if the hack was done by an inimical power to create political chaos in India?

In the polarised political climate that engulfs India, such a creative use of a Twitter hack is very much within the realm of possibility.

 

Indians still don’t know what happened to Facebook when their data was found to be compromised by Cambridge Analytica.

And the US intelligence community is convinced the Russians successfully used Facebook to influence the 2016 US elections, propelling Donald Trump to an unexpected victory.

An unforeseen side effect of this incident would also be a relook on the safe harbour protections that social media companies enjoy. In India the Supreme Court’s Shreya Singhal ruling allows social media companies to indemnify themselves against any risk posed by content posted by one of their users.

The latest Twitter hack raises difficult questions for India and its safe harbour protections for social media companies.

 

If a single compromised employee can hijack a former US President or a presidential candidate’s account and post messages on bitcoins, does it not imply that the social media platform is no longer an intermediary and now has the power to create content?

Accepting that will be a paradigm shift for India’s regulatory landscape for big tech and especially social media companies.

Would we also eventually end up in a situation where SREs with access to sensitive accounts will need a security clearance from the intelligence arm of nation states to avoid an enemy state hijacking the head of state’s account?

It is quite possible it might, and therein lies the significance of this incident. Social media platforms’ internal processes, systems and their engineers might be subjected to public scrutiny in the same way as that of critical infrastructure systems like nuclear plants, power grids and major transport systems.

 

 

Anand Venkatanaryanan is a cybersecurity researcher and Saikat Datta is a founding partner of CSDR Consulting LLP

Tags: twitter hack, twitter warfare