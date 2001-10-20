from the how-secure-are-the-systems-you-work-with? dept.
After breach, Twitter hires a new cybersecurity chief – TechCrunch:
Following a high-profile breach in July, Twitter has hired Rinki Sethi as its new chief information security officer.
Sethi most recently served as chief information security officer at cloud data management company Rubrik, and previously worked in cybersecurity roles at IBM, Palo Alto Networks and Intuit.
In the new role at Twitter overseeing the company’s information security practices and policies, Sethi will report to platform lead Nick Tornow, according to her tweet announcing the job move.
[...] Twitter had left the role of chief information security officer vacant since the departure of its previous security chief, Mike Convertino, who left in December to join cyber resilience firm Arceo.
Musk, Obama, Biden, Bezos, Gates—bitcoin scam hits Twitter in coordinated blitz:
Twitter accounts of the rich and famous—including Elon Musk, Bill Gates, Jeff Bezos, and Joe Biden—were simultaneously hijacked on Wednesday and used to push cryptocurrency scams.
As of 3:58 PM California time, the wallet address used to receive victims’ digital coin had received more than $118,000, though it wasn't clear all of it came from people who fell for the scam. The bitcoin came from 356 transactions that all occurred over about a four-hour span on Tuesday. The wallet address appeared in tweets from at least 15 accounts—some with tens of millions of followers—that promoted fraudulent incentives to transfer money.
“I’m giving back to all my followers,” one now-deleted tweet from Musk’s account said. “I am doubling all payments sent to the Bitcoin address below. You send 0.1 BTC, I send 0.2 BTC back!” A tweet from the Bezos account said the same thing. “Everyone is asking me to give back, and now is the time,” a Gates tweet said. “I am doubling all payments sent to my BTC address for the next 30 minutes. You send $1,000, I send you back $2,000.”
Other hijacked accounts belonged to Barack Obama, Apple, Kanye West, and a raft of cryptocurrency entrepreneurs.
[...] That so many social media accounts were taken over in such a short time and remained hijacked for so long is extraordinary if not unprecedented.
[...] As the hijackings continued, Twitter said that while it investigated, it was suspending the ability of many but not all Twitter users to tweet or respond to tweets. Accounts belonging to verified users were unable to use the platform except to send direct messages. Instead they got a message that said: "This request looks like it might be automated. To protect our users from spam and other malicious activity, we can’t complete this action right now. Please try again later." Unverified accounts worked normally.
Changes are coming to the Twitter API that should encourage new 3rd-party and bot development.
XDA-Developers reports:
As you may know, Twitter's API has caused a lot of friction for 3rd-party app developers. Numerous popular Twitter clients have been pulled from the Play Store in the past due to reaching the controversial 100,000 token limit. Back in 2018, Twitter made changes that removed key features from 3rd-party developers. Those changes went into effect later that year despite a campaign from the developers of popular apps. Some of those key features will finally be made available to developers again with API v2.
Here's Twitter's brief explanation of what's new in API v2:
- A cleaner API that's easier to use, with new developer features like the ability to specify which fields get returned, or retrieve more Tweets from a conversation within the same response.
- Some of the most requested features that were missing from the API, including conversation threading, poll results in Tweets, pinned Tweets on profiles, spam filtering, and a more powerful stream filtering and search query language.
The last bullet point is what fans of 3rd-party Twitter apps should be most excited about. It's pretty crazy to think that a 3rd-party client wasn't allowed to show polls, thread conversations, or show pinned tweets. These are basic features of the social media platform that anyone would expect to see in a Twitter client, and it only harmed the Twitter experience for users who weren't using the official app. We're glad to see Twitter has opened these features up.
The new API will replace the Standard (free), Premium (self-serve paid), and Enterprise tiers with product tracks titled "Standard," "Academic Research," and "Business." Each track will also include Basic, Elevated, or Custom access levels. The new product tracks are meant to remove restrictions and limitations imposed on developers by the older pricing model. Twitter expects the changes will encourage a resurgence of "fun little Twitter tools and bots" within the new Standard track that were harmed by the old pricing model and rate limits.
No pricing is available at this time, but the free Standard track has already launched, while the Business and Academic Research tracks will arrive "soon." There is a public roadmap posted on Trello for those, and developers interested in testing the new features can apply here.
Hackers Tell the Story of the Twitter Attack From the Inside:
A Twitter hacking scheme that targeted political, corporate and cultural elites this week began with a teasing message between two hackers late Tuesday on the online messaging platform Discord.
"yoo bro," wrote a user named "Kirk," according to a screenshot of the conversation shared with The New York Times. "i work at twitter / don't show this to anyone / seriously."
He then demonstrated that he could take control of valuable Twitter accounts — the sort of thing that would require insider access to the company's computer network.
[...] Despite global attention on the intrusion, which has shaken confidence in Twitter and the security provided by other technology companies, the basic details of who were responsible, and how they did it, have been a mystery. Officials are still in the early stages of their investigation.
But four people who participated in the scheme spoke with The Times and shared numerous logs and screen shots of the conversations they had on Tuesday and Wednesday, demonstrating their involvement both before and after the hack became public.
The interviews indicate that the attack was not the work of a single country like Russia or a sophisticated group of hackers. Instead, it was done by a group of young people — one of whom says he lives at home with his mother — who got to know one another because of their obsession with owning early or unusual screen names, particularly one letter or number, like @y or @6.
The Times verified that the four people were connected to the hack by matching their social media and cryptocurrency accounts to accounts that were involved with the events on Wednesday. They also presented corroborating evidence of their involvement, like the logs from their conversations on Discord, a messaging platform popular with gamers and hackers, and Twitter.