After a ransomware infection, the United States Conference of Mayors unanimously voted to stop paying ransoms to hackers in July 2019. Cybersecurity experts heralded the decision, and numerous companies have also taken a stance that a ransom should never be paid – as doing so will only likely result in future attacks from bad actors.

Twitter ignored calls to pay a ransom after the theft of data belonging to hundreds of million of its users. This week the details of more than 200 million accounts were posted to a hacker forum. Sundar Piichai and Donald Trump Jr. are just a few of the well-known names and entities.

The database contained account names, handles, creator dates, followers count and email addresses. The data may have been used by hackers to access Twitter user accounts. Researchers also warned it could be used for “doxxing”, social engineering, or other purposes.

Notable is the fact that attention is not paid to this breach.

David Maynor (senior director of Threat Intelligence, cybersecurity company Cybrary) said that it is tempting to just shrug off and think “that’s normal life in big cities.” How many of the people affected by this Twitter data breach have their data made public for the first-time? Based on the number of breaches that my data was exposed, I am eligible for free credit monitoring throughout my life.

API Issue

Knowing the significance of the incident requires that you understand how it occurred and what the users can expect in the future.

Sammy Migues (principal scientist, Synopsys Software Integrity Group) stated that API security was the main story.

Application Programming Interface is basically the interface that allows two or more computers to talk with each other. For any API that is public, security is crucial. To make the API more secure, users will need to have an API key. Services won’t be able serve your data without this key.

Twitter was not able to do that.

Migues noted that cloud-native apps are becoming more popular, as well as the world of refactoring monolithic applications into thousands and hundreds of APIs and microservices.

It is just another example of an API that is unsecured and developers have created to work. Security is a matter of sight, not mind.

Jamie Boote from Synopsys Software Integrity Group, an associate security consultant for software security said that humans are bad at protecting what they cannot see.

Problem is, this is happening faster than there are application architects skilled enough to craft secure API and zero trust architectures.

Migues warned that “it’s growing faster than there are time to do threat modelling and skilled security testing.”

This is also the path that Twitter took in the past.

Boote stated that “in 2021, people discovered the Twitter API could also be used to divulge email addresses from other sources. Also leak some semi-public data like tying Twitter handles with this email address.” Many groups used the leaked email dumps to create seed material …read more

Source:: Social Media Explorer

Author: Aaron