Privileged access
Last week's devastating breach of Twitter's security raises serious questions about its approach to managing privileged access to internal systems and information. Twitter says its investigations show that "attackers targeted certain Twitter employees through a social engineering scheme". But detailed reporting suggests there has been long-term targeting of Twitter workers (some of it involving threats of violence), and that in a number of cases the targeted employees co-operated with the attackers. Respected reporter Brian Krebs explains how one hacker boasted of "a direct connection to one or more people working at Twitter." Reuters reports that, as of earlier this year, more than 1,000 Twitter employees and contractors had access that could change user account settings and hand control of an account to others. There appear to have been no effective controls on what they could do with this access. Twitter has now revealed that the attackers were able to download detailed account information for up to eight of the 130 hijacked accounts, and direct (i.e. private) messages for up to 36 of them.