“We’ve seen no evidence to corroborate this claim, including from the article published in the Netherlands today. We proactively implemented account security measures for a designated group of high-profile, election-related Twitter accounts in the United States, including federal branches of government.”
This doesn't make sense to me. Twitter has the IP addresses of all logins, so they absolutely know whether this happened or not. "we've seen no evidence..." is a senseless thing to say and implies they are being evasive about something.
You're the one not making sense. "We've seen no evidence..." clearly implies they haven't logged any successful login after multiple attempts from a foreign IP or the Netherlands specifically as described, plus their other measures weren't triggered either.
I had some doubts about the veracity, and while I'm still in two minds, https://www.vn.nl/trump-twitter-hacked-again/ provides enough details that, if it does turn out to be BS, they are easy enough to prove or refute - "After logging in, he emailed US-CERT". But I agree with your sense of hesitancy, since the sources of the story mostly originate from Yahoo News, a Dutch marketing company called DPG Media, and TechCrunch rather than the usual broader sources.
It will be interesting to see how Victor Gevers responds.
They can, but reading about Gevers shows a track record. It’s worth being skeptical, but keep his record in mind.
Apply the same skepticism to Twitter too, they haven’t got a great record.
This is the only screenshot that the researcher posts as 'evidence' of gaining access to Trump's account. I'm afraid that this one can be easily faked with browser tools. Given that White House officials have extra security measures on their accounts, this single screenshot makes it less convincing that this is true, unless the researcher publishes multiple screenshots or video evidence of logging into the account themselves.
Otherwise it can be easily dismissed as a fake screenshot, even if he 'did it' in the past.
Which is trivial to fake by going to your own profile and using your browser's inspector to swap out a few images and change a few text boxes.
I kind of think it's a toss-up if this is true. I can believe Trump would use a very weak password and not apply 2FA, but I'm very surprised that Twitter's additional guard-rails for important accounts didn't prevent this.
The source article is linked to on the story, and it says screenshots were taken. My parsing interprets it as saying that they showed these screenshots to security researchers.
“screenshots were shared with de Volkskrant by the monthly opinion magazine Vrij Nederland. Dutch security experts find Gevers’ claim credible.”
Also, the guy has a history (well, both do). Gevers has got into numerous other accounts before, and uncovered some disturbing stuff - tracking of Chinese Muslims via facial recognition stuff in China for example.
If you follow the references they provide, you'll see that the person responsible is a respected security researcher with a history of similar discoveries. He also posted screenshots, and suggests that he was responsible for Trump's recent tweet praising a satirical Babylon Bee article.
Gevers comes up with a plan to make sure that this time the White House responds. He refuses to say what he did exactly, but in a tweet that has now been removed, he alludes to the fact that he was the one to post the Babylon Bee tweet in Trump’s name. Shortly after, he posted a tweet in his own name, tagging Trump and Team Trump, saying the Babylon Bee-tweet could now be removed, as it had served its purpose.
“I am not saying I did it. But what if I was the one to post the tweet? Then Trump will need to either admit to never having read the Babylon Bee article and posting this bullshit tweet, OR he will need to acknowledge that someone else posted the tweet.”
Breaking into a Twitter account to prove it is poorly secured is one thing, posting a tweet is another. “I took things further this time because our previous report obviously didn’t have any effect”, says Gevers. “I hope that everything will now be resolved soon, and that mister Trump sends us a message. ‘Thank you for your work/report.’ That should suffice and will round up things for both cases.”
Two economists were walking down the street. The first one says: “Isn’t that a $20 bill?” The second one says: “Can’t be. If it were, somebody would have picked it up already.”
I mean who knows how many intelligence agencies are reading his DM's. If I knew Trumps password I wouldn't do anything that would make it clear that I knew it.
It's not happening independently, it's cargo-culted. There's lots of "security advice" out there recommending doing exactly this.
Plus, if you're missing a requirement when trying to set your password, the easiest thing to do is just append the missing requirement at the end. Especially if it's punctuation, which naturally goes at the end of words/sentences anyway.
I've taken to using random passwords for signup and password reset for each login, since that's what password guidelines eventually force me to do anyway.
One of my huge pet peeves is when sites have really idiosyncratic password requirements, like they require the use of at least 1 punctuation character (but it's from a limited subset of available punctuation characters), or uncommon requirements on length (I've seen both "can't be longer than 10 characters" and "must be longer than 12").
And yet, none of these requirements are visible on the login page! So I have no freaking clue what my password might actually be, and thus my typical login flow for these lesser used accounts is always going through the password reset flow. It's a joke.
Actually this is interesting, I did this myself growing up. But I seem to remember that it arose because of slowly changing password requirements. Like I remember having a password in my teens for Myspace and other web services, and one day when signing up for a new service I was prompted with "your password must contain at least one number". So I just took the same old password and put a number on the end of it. Then a few years later the same thing happened with special characters: "Your password must contain at least one number and a special character". So then "okay, just tack a special character on to the password I already know" and voila <word><number><special char> is now my password.
Since many companies must follow the rules set by one compliance regime or another, and these have demanded that passwords contain 3 of the 4 different groups of characters AND require changing said passwords every 3 months, most employees have been trained to use a number scheme along the lines of:
<word> <special char> <number>
Whereby word & special character are set in stone (easy to remember) and the number just increments with every change.
If only there was a way to allow more flexible demands on passwords within MS AD, things would improve so much.
Password > 14 characters and NOT listed in Pwned Passwords == allow for passphrase to be used "forever"
Password < 14 characters OR listed in Pwned Passwords == demand (regular|immediate) change.
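The two-rule policy in the comment above (long passphrase that is absent from Pwned Passwords may live "forever"; short or breached password must be changed), together with the <word><special char><number> increment scheme described a few comments earlier, as an added example that is not part of the original thread and not Twitter's or Microsoft's code. The breach check follows the Pwned Passwords k-anonymity scheme (send the first five hex characters of the SHA-1, compare the suffix locally), but the range lookup is answered from a small constructed table built inline so the script runs offline; swapping `lookup_range` for an HTTP GET against the real service is the only change needed. The increment-scheme regex and the "regular" versus "immediate" split are this example's own assumptions, not something the comment specifies.

```python
import hashlib
import re

# Constructed sample: a handful of strings we pretend appeared in breach dumps.
# They are used only to build the offline stand-in for the Pwned Passwords
# range API; nothing here is real breach data.
KNOWN_BREACHED = ["maga2020!", "Password1!", "Summer2020!", "Welcome1"]


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_table(breached):
    """Group hashes by their 5-hex-char prefix, mimicking /range/<prefix> output.

    The real API returns one "<35-hex-suffix>:<count>" line per matching hash.
    Counts here are arbitrary (position in the list), just so a match is nonzero.
    """
    table = {}
    for i, pw in enumerate(breached):
        h = sha1_upper(pw)
        table.setdefault(h[:5], []).append(f"{h[5:]}:{i + 1}")
    return {prefix: "\r\n".join(lines) for prefix, lines in table.items()}


RANGE_TABLE = build_range_table(KNOWN_BREACHED)


def lookup_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return RANGE_TABLE.get(prefix, "")


def pwned_count(password: str, fetch=lookup_range) -> int:
    """k-anonymity check: only the 5-char prefix ever leaves this function."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# Assumed heuristic (not from the comment): <word><sep?><1-4 digits><punct?>,
# i.e. the "keep the word, bump the number" pattern that rotation policies breed.
INCREMENT_PATTERN = re.compile(
    r"^(?P<word>[A-Za-z]+)(?P<sep>[^A-Za-z0-9]*)(?P<num>\d{1,4})(?P<punct>[^A-Za-z0-9]*)$"
)


def looks_like_increment_scheme(password: str) -> bool:
    return INCREMENT_PATTERN.match(password) is not None


def evaluate_password(password: str, fetch=lookup_range, min_len: int = 14) -> str:
    """Apply the policy from the comment.

    Returns one of:
      "change_now"        - present in the (simulated) breach corpus
      "change_regularly"  - shorter than min_len, or an obvious increment scheme
      "allow"             - long, unbreached, no obvious scheme: keep it as long as you like
    """
    if pwned_count(password, fetch) > 0:
        return "change_now"
    if len(password) < min_len:
        return "change_regularly"
    if looks_like_increment_scheme(password):
        return "change_regularly"
    return "allow"


if __name__ == "__main__":
    for pw in ["maga2020!", "Tr0ub4dor&3", "Wintersolstice2021!", "correct horse battery staple"]:
        print(f"{pw!r:35} -> {evaluate_password(pw)}")
```

The interesting property is that a 19-character password like `Wintersolstice2021!` passes the length and breach checks yet is still sent for regular rotation, because it is exactly the shape a guesser tries after a dictionary word; the four-word passphrase, with no digits at all, is the only input the policy leaves alone.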
wait, really? there is no two factor auth on his account? Actually, someone observed that while he was debating last time with Biden his account was tweeting. So it sort of makes sense - the password is likely shared, which makes two factor auth hard.
That was my first thought, too. The student who "hacked" Sarah Palin's email account (he reset her password by answering her security questions using publicly available information) was convicted of a felony and spent a year and a day in jail.
If all you intend to do is get in, nothing else, then it is probably not a crime. The CFAA prohibits "knowingly and with intent to defraud, accesses a protected computer without authorization". There's also a clause about not accessing govt computers (but this was Twitter's server) and not forwarding any secrets you find.
All this guy did was get in and then called the authorities, so he probably didn't 'intend to defraud'. If he tweeted something, which he alludes to in some articles, that might be a felony.
Regardless of whether this is real or not, it sounds like it's long past time that Twitter implemented proper user controls for the use-case of multiple securely-authorized users who have the ability to control one high-visibility Verified account. Sharing passwords and TOTP creds between a dozen or so actual people seems massively failure-prone.
I would not know what to do with this power had it been me guessing the password.
Another “covfefe” perhaps? An innocent “ALL CAPS DAY” maybe? Or just a simple “;)”? And these are harmless examples. A targeted reference to certain prophets or Winnie the Pooh would have vast consequences.
I could have set the world alight for laughs.
And to think no extra measures were put in place by Twitter is shocking.
IMO anyone using the internet must be taught about passwords and how a non-guessable strong password can prevent (to some extent) these kinds of attacks (cracking the account).
> Gevers said the ease with which he accessed Trump’s account suggested the president was not using basic security measures like two-step verification.
I am gobsmacked that Twitter allowed his account to continue without some kind of additional security measures like 2FA or geo-IP checking. This is a guy that could literally start World War III by sending a tweet like, "Eat shit, China! Missiles on their way!" And Twitter didn't think it should be locked down beyond a simple password!?!
2FA would be ideal, but GeoIP restriction requires no action on the part of the end-user. If implemented properly, Twitter should have been alerted that something was fishy when an IP from the Netherlands sent a successful login password and prevented it, then e-mailed the user to ask if the login attempt was legitimate. It saved my butt once when Gmail prevented an IP originating in India from logging into my account and alerted me.
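The kind of server-side check the comment above describes, as an added example that is not part of the original thread and not Twitter's or Google's code: a detection pass over login events that raises an alert when an account's first successful login from a country it has never logged in from before occurs, and separately when a success directly follows a burst of failures from the same source (the signature of password guessing). The log format, the accounts, the IPs and the tiny prefix-to-country table standing in for a GeoIP database are all constructed for the example. Per the follow-up about the President travelling, a new-country hit is reported as a reason to notify and challenge, not as a hard block.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real Twitter logs): timestamp,account,source_ip,outcome
SAMPLE_EVENTS = [
    "2020-10-16T10:00:00Z,potus,203.0.113.10,success",
    "2020-10-16T10:05:00Z,potus,203.0.113.10,success",
    "2020-10-16T11:00:00Z,potus,198.51.100.7,success",
    "2020-10-16T20:00:00Z,potus,192.0.2.44,failure",
    "2020-10-16T20:00:05Z,potus,192.0.2.44,failure",
    "2020-10-16T20:00:09Z,potus,192.0.2.44,failure",
    "2020-10-16T20:00:14Z,potus,192.0.2.44,failure",
    "2020-10-16T20:00:20Z,potus,192.0.2.44,success",
]

# Constructed stand-in for a GeoIP database: /24 prefix -> ISO country code.
# A real deployment would call MaxMind or similar here.
GEOIP_TABLE = {"203.0.113": "US", "198.51.100": "US", "192.0.2": "NL"}


def country_for(ip: str) -> str:
    return GEOIP_TABLE.get(ip.rsplit(".", 1)[0], "??")


def parse_event(line: str):
    ts, account, ip, outcome = line.strip().split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, outcome


def detect_suspicious_logins(lines, fail_threshold: int = 3, window=timedelta(minutes=5)):
    """Return a list of alerts; each alert carries every reason that fired.

    Rule 1 (new geography): a successful login from a country the account has
    never succeeded from before. The very first success ever is treated as
    enrollment and does not alert.
    Rule 2 (guessing): a success from (account, ip) preceded by >= fail_threshold
    failures from the same pair inside `window`.
    """
    seen_countries = defaultdict(set)          # account -> {country}
    recent_failures = defaultdict(deque)       # (account, ip) -> timestamps
    alerts = []

    for ts, account, ip, outcome in sorted(parse_event(l) for l in lines):
        key = (account, ip)
        fails = recent_failures[key]
        while fails and ts - fails[0] > window:  # drop failures outside the window
            fails.popleft()

        if outcome != "success":
            fails.append(ts)
            continue

        country = country_for(ip)
        reasons = []
        if seen_countries[account] and country not in seen_countries[account]:
            reasons.append(f"first successful login from {country}")
        if len(fails) >= fail_threshold:
            reasons.append(f"success after {len(fails)} failures within {window}")
        if reasons:
            alerts.append({"ts": ts, "account": account, "ip": ip,
                           "country": country, "reasons": reasons})

        seen_countries[account].add(country)
        fails.clear()

    return alerts


if __name__ == "__main__":
    for a in detect_suspicious_logins(SAMPLE_EVENTS):
        print(a["ts"].isoformat(), a["account"], a["ip"], a["country"], "; ".join(a["reasons"]))
```

On the sample data the three daytime US logins build the account's baseline silently; the evening Dutch success trips both rules at once, which is the point: either signal alone might be a travelling user or a fat-fingered password, but a new country combined with a burst of failures is what should have triggered a challenge or a notification to the account's e-mail before the session was issued.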
I realize the circumstances of the world have somewhat changed over the past several months, but it's not implausible that the US President might travel.
> I am gobsmacked that Twitter allowed his account to continue without some kind of additional security measures like 2FA or geo-IP checking. This is a guy that could literally start World War III by sending a tweet like, "Eat shit, China! Missiles on their way!" And Twitter didn't think it should be locked down beyond a simple password!?!
I mean remember how bitcoin scammers got access to Twitter admin panels recently? I don't think security is Twitter's biggest concern... My old Twitter account has been hacked by a Russian spammer despite having 2FA, I just decided to close it, it became a liability.
This seems to be completely implausible. Whatever email is tied to this account would have been instantly notified about a "suspicious login".
There is absolutely no evidence in the article (not even links or screenshots of his tweet reaching out to the White House).
Furthermore I can't believe Trump's account is even going through regular authentication mechanisms. It should be trivial to restrict access to an account to certain address ranges of a government VPN.
That is what likely happened:
"A day after he gained access, Gevers noticed that two-step verification had been activated on Trump’s account. Two days later, the Secret Service got in touch. According to De Volkskrant, they thanked him for bringing the security problem to their attention."
There's been repeated claims that Trump has - up until recently - used personal Android and iPhone devices to make calls and tweet. Not clear if that's true or not.
I was so certain that Twitter handles his account with special attention and some bells and whistles like IP white-/blacklisting etc. It seems like neither Twitter cared about his account's safety nor the secret service. What ... the ... fuck.
The Trump-tie aside, does anyone have a good reason why 2FA isn't absolutely enforced on all verified accounts?
I can't really see a situation where the need for "authenticity" of a person/account meets the bar for needing verification, but not be considered important enough for basic security practices.
A somewhat educated guess: Probably the "cost-to-serve" metrics that Twitter considers when making these changes.
Force 2FA on your most high-profile customers, and your support costs skyrocket as a steady stream of these customers who didn't want this new and (relatively) complicated measure forget or lose their 2FA setup, and you find yourself constantly resetting it or changing it, which probably in the long term reduces the effectiveness of it since it becomes a routine for your support operation and it's easier for bad actors to fake it.
I've stumbled upon enough verified accounts that had their display name and photos changed to Elon Musk's and pretended to give away Bitcoins that I believe it's a worthy sacrifice to make.
You and me both, but Twitter is a public company with fiduciary responsibilities to shareholders above all else (including the public good), so here we are.
Until these kinds of problems affect their brand enough to cause financial harm, don't hold your breath for higher security and accountability measures by default.
People lose or break their phones often enough. It is a routine thing in an organisation of just 120 people. Now imagine that instead of an educated and selective group, you are dealing with a pool of desperately partying, drunk globetrotting influencers, political figures with Neanderthal technical skills or other walking security disasters.
How often do you think account recovery due to lost 2FA would be triggered?
For proper protection you need hardware 2FA, and for usability reasons you really need the NFC enabled Yubikey so the same second factor can be neatly enforced on a mobile phone too. But you can't have just one. If the access is for anything non-trivial or of high importance, you need at least two such devices. Preferably three.
That's a lot of Yubikeys you need to subsidise, because most people sure as hell are not buying them out of their own pocket.
I'm not talking about all accounts though, just the ones which have been verified by twitter.
I would expect that if the identity of the account owner has already been verified, the account recovery process in this situation would be much more straight forward than a non-verified user.
I've seen several verified accounts say that 2FA was required when they got the verification, but apparently they still have the option to disable it later.
As the "great hack" is destroying my trust in bloomberg, this article is destroying my trust in the guardian. There's no chance the password was "maga2020!"
This is the same guy who wandered around, maskless, unnecessarily having close personal contact with people, during a pandemic, and ended up in hospital on experimental drugs. Why would you assume he’d take security precautions?
I wouldn't have trusted bloomberg either way, but the guardian deserves respect. There was a spectacular chance that his password was maga2020
I'll never understand how some of the brightest minds of our generation can end up following this guy. I understand we're seeing confirmation bias => brainwashing en masse, but people on this site should be smart enough to break out of the cycle.
Sorry, I just can't believe that the first person to guess Trump's (surely the most valuable target in the world for hackers) password as 'maga2020' would be a white hat. This looks like a hoax to me.
What if somebody logged in from a public computer while disguised and with no phone on themselves to trace etc and messed with Trump's account? Could he be identified by any means?
Completely made up. Three submissions, ~50, ~100 and ~150 points on HN. Everyone having a laugh, no one cares for site rules. No moderation in sight. Everyone knows it's fake, no one cares. Rinse and repeat about three times a day over four years. Some of them make it onto HN, each one makes it into the minds of thousands. But dare to defend truth and the cavalry is there in seconds.
Pretty bold statement coming from someone with a post history as dubious as yours. There's actually some healthy skepticism in this thread and rational conjecture, which I assume you won't be taking part in.
With such a simple password, how many people have been in there monitoring direct messages and the president's activities on the platform? This is unbelievable.
No capital letters, though. It is important to follow all security rules. Weakest link and such. If only his password was Maga2020!, it would be impossible to hack.
https://techcrunch.com/2020/10/22/dutch-hacker-trump-twitter...