A couple of weeks ago, I blogged about a Twitter hack that
made numerous celebrities appear to be offering $2,000 to anyone foolish enough
to send them $1,000 in Bitcoin first. I
quoted a lawyer who said that authorities were pretty good about tracing Bitcoin
transactions, despite that currency’s reputation for enabling anonymous
transactions, and that chances were good for an early solution to the case.
Turns out he was apparently right. On Friday, July 31, the state attorney’s
office in Tampa, Florida arrested Graham Ivan Clark, a 17-year-old, and will
prosecute him as an adult, as Florida laws allow in such cases. Authorities in California, where Twitter is
based, announced that two others, Mason Sheppard of England and Nima Fazeli of
Orlando, Florida, are being charged in the case as well. Fazeli is 22 and Sheppard is 19.
There are now a few more details about how the hack was
done. Somehow the alleged criminals
obtained phone numbers for several Twitter employees. In a technique called “spear phishing,”
they then tricked someone into calling what probably sounded like a legitimate
helpdesk, where the caller persuaded the employee to give them credentials that
allowed them into Twitter’s critical control systems via targeted spear-phishing
attacks on other employees.
One can imagine this playing out rapidly in a movie: the scene switches back and forth between a
teenager’s cluttered bedroom in Tampa to the cool, sophisticated environment of
a Silicon Valley megacorporation where the kid hoodwinks staffer after staffer,
and at last he types something on his laptop and yells, “We’re
in!” But Mr. Clark may not have
gotten his ideas from a movie. Just
being a teenager may have been enough.
Brain researchers have found that the teenage brain is an
odd mixture of sophistication and poorly-controlled impulses. In a Time article by Alexandra
Sifferlin, we read that the brains of teenagers are about as big as they’re going
to get, but not nearly as interconnected as those of people in their late 20s
and older. In particular, the prefrontal
cortex, where planning and forethought occur, is not yet well connected to the
limbic system, which deals with emotions and goes through a growth spurt beginning
by age 12. So all the pieces of the
adult brain are there, but they aren’t connected as well as they will be in an
Add to this fact that certain kinds of mental activity turn
out to be easy for clever teenagers and even children, while other kinds of
mentally challenging work isn’t. For
example, the world has known of many child prodigies in math (Blaise Pascal was
writing proofs on the wall with a piece of coal by age 11) and music (Mozart). But there haven’t been any child-prodigy
novelists or statesmen. I’m not saying
Clark is another Pascal, not by a long shot.
But programming and its illegal subset of criminal hacking are
activities that smart young people can easily master on their own without
undergoing a long apprenticeship.
So couple that native ability with the poor impulse control
of a teen brain, and you get situations like the one Graham Clark is in. Yes, he did a clever thing that got him a lot
of publicity and some money. But now
he’s facing criminal charges (a laundry list of 30 felonies) that could put him
in jail for much of his natural lifespan.
In this case, anyway, crime didn’t pay. But how about Twitter, and how apparently
easy it was for the three hacketeers to spoof and spear-phish their way into one
of the most prominent Silicon Valley social media companies?
This kind of thing is an IT security specialist’s
nightmare. Despite all the encryption,
coding precautions, and other software and hardware security you can throw
around, any organization of any size relies on interactions among people who
trust each other. And unless all the
people work in one room and know each other’s names and behaviors (an
increasingly rare situation in these COVID-19 times), there is always a chance
that a properly-informed hacker could impersonate someone in the organization to
steal credentials or other critical data.
It’s hard to think of a way to prevent this kind of thing
absolutely, but I bet Twitter is reviewing its IT security rules right now to
prevent another such attack. This is a
lesson that engineers, and really anybody involved in dealing with confidential
information, can benefit from. For some
of us, it might not be anything more important than a credit-card number,
though having your credit card hacked is no picnic (it’s happened to me several
For organizations such as Twitter that have extremely
valuable credentials to protect, it’s hard to say what policies would prevent
hacks like the one masterminded by Clark.
Whatever they might be, they would have to partake of a kind of rigidity
that goes against the Silicon Valley grain.
For example: I once
heard of a restaurant whose management held so highly the safety and well-being
of their customers, that if any of the people who laid out the silverware on
the table was caught touching a fork anywhere above the handle so as to get
their fingers on something that would later go into a customer’s mouth, that
person was fired on the spot.
Excessive? Probably. But it bespoke a kind of integrity and
seriousness that may be in short supply these days. Nevertheless, such an attitude might go far,
if turned into data-protection protocols, toward preventing the kind of thing
that happened to Twitter.
Twitter recovered, after some embarrassing publicity. The alleged culprits were caught, and now
people can follow the Kardashians or whoever without fear of getting spurious
tweets from them. So maybe the price of
an occasional hack is worth the laid-back atmosphere that allowed a
seventeen-year-old to make a fool out of a famous social-media company. To prevent hacks like this in the future,
organizations like Twitter may have to implement rules that are inconvenient or
even harsh. But with great privileges
come great responsibilities, and that may be a lesson a lot of us have yet to