A couple of weeks ago, I blogged about a Twitter hack that made numerous celebrities appear to be offering $2,000 to anyone foolish enough to send them $1,000 in Bitcoin first. I quoted a lawyer who said that authorities were pretty good about tracing Bitcoin transactions, despite that currency’s reputation for enabling anonymous transactions, and that chances were good for an early solution to the case.
Turns out he was apparently right. On Friday, July 31, the state attorney’s office in Tampa, Florida arrested Graham Ivan Clark, a 17-year-old, and will prosecute him as an adult, as Florida laws allow in such cases. Authorities in California, where Twitter is based, announced that two others, Mason Sheppard of England and Nima Fazeli of Orlando, Florida, are being charged in the case as well. Fazeli is 22 and Sheppard is 19.
There are now a few more details about how the hack was done. Somehow the alleged criminals obtained phone numbers for several Twitter employees. In a technique called “spear phishing”, they then tricked someone into calling what probably sounded like a legitimate help desk, where the caller persuaded the employee to give them credentials that allowed them into Twitter’s critical control systems via targeted spear-phishing attacks on other employees.
One can imagine this playing out rapidly in a movie: the scene switches back and forth between a teenager’s cluttered bedroom in Tampa to the cool, sophisticated environment of a Silicon Valley mega-corporation where the kid hoodwinks staffer after staffer, and at last he types something on his laptop and yells: “We’re in!” But Mr Clark may not have gotten his ideas from a movie. Just being a teenager may have been enough.
Brain researchers have found that the teenage brain is an odd mixture of sophistication and poorly controlled impulses. In a Time article by Alexandra Sifferlin, we read that the brains of teenagers are about as big as they’re going to get, but not nearly as interconnected as those of people in their late 20s and older.
In particular, the prefrontal cortex, where planning and forethought occur, is not yet well connected to the limbic system, which deals with emotions and goes through a growth spurt beginning by age 12. So all the pieces of the adult brain are there, but they aren’t connected as well as they will be in an adult.
Add to this fact that certain kinds of mental activity turn out to be easy for clever teenagers and even children, while other kinds of mentally-challenging work isn’t. For example, the world has known of many child prodigies in math (Blaise Pascal was writing proofs on the wall with a piece of coal by age 11) and music (Mozart). But there haven’t been any child-prodigy novelists or statesmen. I’m not saying Clark is another Pascal, not by a long shot. But programing and its illegal subset of criminal hacking are activities that smart young people can easily master on their own without undergoing a long apprenticeship.
So couple that native ability with the poor impulse control of a teen brain, and you get situations like the one Graham Clark is in. Yes, he did a clever thing that got him a lot of publicity and some money. But now he’s facing criminal charges (a laundry list of 30 felonies) that could put him in jail for much of his natural lifespan.
In this case, anyway, crime didn’t pay. But how about Twitter, and how apparently easy it was for the three hacketeers to spoof and spear-phish their way into one of the most prominent Silicon Valley social media companies?
This kind of thing is an IT security specialist’s nightmare. Despite all the encryption, coding precautions, and other software and hardware security you can throw around, any organisation of any size relies on interactions among people who trust each other. And unless all the people work in one room and know each other’s names and behaviors (an increasingly rare situation in these COVID-19 times), there is always a chance that a properly informed hacker could impersonate someone in the organisation to steal credentials or other critical data.
It’s hard to think of a way to prevent this kind of thing absolutely, but I bet Twitter is reviewing its IT security rules right now to prevent another such attack. This is a lesson that engineers, and really anybody involved in dealing with confidential information, can benefit from.
For some of us, it might not be anything more important than a credit-card number, though having your credit card hacked is no picnic (it’s happened to me several times).
For organisations such as Twitter that have extremely valuable credentials to protect, it’s hard to say what policies would prevent hacks like the one masterminded by Clark. Whatever they might be, they would have to partake of a kind of rigidity that goes against the Silicon Valley grain.
For example: I once heard of a restaurant whose management held so highly the safety and well-being of their customers, that if any of the people who laid out the silverware on the table was caught touching a fork anywhere above the handle so as to get their fingers on something that would later go into a customer’s mouth, that person was fired on the spot. Excessive? Probably. But it bespoke a kind of integrity and seriousness that may be in short supply these days. Nevertheless, such an attitude might go far, if turned into data-protection protocols, toward preventing the kind of thing that happened to Twitter.
Twitter recovered, after some embarrassing publicity. The alleged culprits were caught, and now people can follow the Kardashians or whoever without fear of getting spurious tweets from them. So maybe the price of an occasional hack is worth the laid-back atmosphere that allowed a 17-year-old to make a fool out of a famous social-media company. To prevent hacks like this in the future, organisations like Twitter may have to implement rules that are inconvenient or even harsh. But with great privileges come great responsibilities, and that may be a lesson a lot of us have yet to learn.
This article has been republished, with permission, from the Engineering Ethics blog. Karl Stephan’s ebook Ethical and Otherwise: Engineering In the Headlines is available in Kindle format and also in the iTunes store.