
Exclusive: More than 1,000 people at Twitter had ability to aid hack of accounts

Reuters ·  2020/07/23 22:42

By Joseph Menn, Katie Paul and Raphael Satter

SAN FRANCISCO (Reuters) - More than a thousand Twitter employees and contractors as of earlier this year had access to internal tools that could change user account settings and hand control to others, two former employees said, making it hard to defend against the hacking that occurred last week.

Twitter Inc and the FBI are investigating the breach that allowed hackers to repeatedly tweet from verified accounts of the likes of Democratic presidential candidate Joe Biden, billionaire philanthropist Bill Gates, Tesla Chief Executive Elon Musk and former New York Mayor Mike Bloomberg.

Twitter said on Saturday that the perpetrators "manipulated a small number of employees and used their credentials" to log into tools and turn over access to 45 accounts (https://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident.html). On Wednesday, it said that the hackers could have read direct messages to and from 36 accounts but did not identify the affected users.

The former employees familiar with Twitter security practices said that too many people could have done the same thing, more than 1,000 as of earlier in 2020, including some at contractors like Cognizant.

Twitter declined to comment on that figure and would not say whether the number declined before the hack or since. The company was looking for a new security head, working to better secure its systems and training employees on resisting tricks from outsiders, Twitter said. Cognizant did not respond to a request for comment.

"That sounds like there are too many people with access," said Edward Amoroso, former chief security officer at AT&T. Responsibilities among the staff should have been split up, with access rights limited to those responsibilities and more than one person required to agree to make the most sensitive account changes. "In order to do cyber security right, you can't forget the boring stuff."

Threats from insiders, especially lower-paid outside support staff, are a constant worry for companies serving large numbers of users, cyber security experts said. They said that the greater the number of people who can change key settings, the stronger oversight must be.

STUMBLES

The former employees said that Twitter had gotten better about logging the activity of its people in the wake of previous stumbles, including searches of records by an employee accused last November of spying for the government of Saudi Arabia.

But while logging helps with investigations, only alarms or constant reviews can turn logs into something that can prevent breaches.

Former Cisco Systems Chief Security Officer John Stewart said companies with broad access need to adopt a long series of mitigations and "ultimately ensuring that the most powerful authorized people are only doing what they are supposed to be doing."

Who exactly pulled off the hacking spree isn't clear, but outside researchers such as Allison Nixon of Unit 221B say the incident appears linked to a cluster of cybercriminals who regularly traded in novelty handles – especially rare one-or-two character account names – that are treated a bit like the vanity license plates of the online world.

Although the public evidence tying the hacking to that group was circumstantial, ultra-short Twitter handles were among the first to be hijacked.

In addition, the forums where those hackers were active have long been replete with boasts about having access to Twitter insiders, according to Nixon and Nick Bax, an analyst with StopSIMCrime, a group that lobbies for greater protection against "SIM swapping" – a phone number hijacking technique often used by these kinds of hackers.

Bax said he had seen reference on forums to "Twitter plugs" or "Twitter reps" – the terms used to describe cooperative Twitter employees – since as far back as 2017.

The potential involvement of low-level cybercriminals has particularly alarmed professionals because of the implication that a hostile government might be able to cause even greater havoc.

Access to accounts for national leaders was limited to a much smaller number of people after a rogue employee briefly deleted President Donald Trump's account two years ago. That could explain why Biden's account was hijacked but not Trump's.

Twitter should expand the number of protected accounts, said former Twitter security engineer John Adams. Among other things, accounts with more than 10,000 followers should at least need two people to change key settings.
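The controls Amoroso and Adams describe above (split responsibilities, a second approver for sensitive changes on protected or high-follower accounts) and the earlier point that logs prevent nothing until they drive alarms, as an added Python model; this is an illustration written for this page, not Twitter's internal tooling. The 10,000-follower line is the article's own suggestion; the action names, the burst limit and the account data are constructed.

```python
from dataclasses import dataclass, field

# Assumed policy values: the 10,000-follower line is the article's own
# suggestion; the action names and the burst limit are constructed here.
PROTECTED_FOLLOWER_THRESHOLD = 10_000
SENSITIVE_ACTIONS = {"change_email", "reset_password", "disable_2fa", "hand_over_access"}
BURST_LIMIT = 5  # distinct accounts one operator may touch before an alert fires

@dataclass
class Account:
    handle: str
    followers: int
    protected: bool = False  # hand-curated list, e.g. national leaders

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)  # every attempt, allowed or not
    alerts: list = field(default_factory=list)   # what a reviewer actually sees

def requires_two_person(account, action):
    """Sensitive changes on protected or high-follower accounts need a second approver."""
    return action in SENSITIVE_ACTIONS and (
        account.protected or account.followers > PROTECTED_FOLLOWER_THRESHOLD)

def apply_change(account, action, operator, approver, log):
    """Enforce the two-person rule; log every attempt and alert on every denial."""
    allowed, reason = True, "ok"
    if requires_two_person(account, action):
        if approver is None:
            allowed, reason = False, "second approver required"
        elif approver == operator:
            allowed, reason = False, "operator may not approve own change"
    log.entries.append((account.handle, action, operator, approver, allowed, reason))
    if not allowed:
        log.alerts.append(f"denied: {operator} tried {action} on @{account.handle} ({reason})")
    return allowed

def burst_alerts(log, limit=BURST_LIMIT):
    """Turn the log into a detection: one operator performing sensitive actions
    across many distinct accounts is the pattern behind a mass takeover."""
    touched = {}
    for handle, action, operator, _approver, _allowed, _reason in log.entries:
        if action in SENSITIVE_ACTIONS:
            touched.setdefault(operator, set()).add(handle)
    return [f"burst: {op} acted on {len(hs)} accounts" for op, hs in touched.items() if len(hs) > limit]
```

The burst check fires even when each individual change was allowed, which is the case the article's "constant reviews" point is about: a low-follower account needs no second approver, but forty of them from one operator in a day should still page someone.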

Security experts said they were worried that Twitter has too much work to do and too little time before the campaign for the Nov. 3 U.S. election intensifies, with potential interference domestically and from other countries.

Said Ron Gula, a cybersecurity investor who co-founded network security company Tenable, "The question really is: Does Twitter do enough to prevent account takeovers for our presidential candidates and news outlets when faced with sophisticated threats that leverage whole-of-nation approaches?"

On a call to discuss company earnings on Thursday, Twitter Chief Executive Jack Dorsey acknowledged past missteps.

"We fell behind, both in our protections against social engineering of our employees and restrictions on our internal tools," Dorsey told investors.

(Reporting by Joseph Menn and Katie Paul in San Francisco and Raphael Satter in Washington. Editing by Greg Mitchell and Grant McCool)
