Monday, August 03, 2020

Accused Twitter Hackers Arrested


A couple of weeks ago, I blogged about a Twitter hack that made numerous celebrities appear to be offering $2,000 to anyone foolish enough to send them $1,000 in Bitcoin first.  I quoted a lawyer who said that authorities were pretty good about tracing Bitcoin transactions, despite that currency's reputation for enabling anonymous transactions, and that chances were good for an early solution to the case.

Turns out he was apparently right.  On Friday, July 31, the state attorney's office in Tampa, Florida arrested Graham Ivan Clark, a 17-year-old, and will prosecute him as an adult, as Florida laws allow in such cases.  Authorities in California, where Twitter is based, announced that two others, Mason Sheppard of England and Nima Fazeli of Orlando, Florida, are being charged in the case as well.  Fazeli is 22 and Sheppard is 19.

There are now a few more details about how the hack was done.  Somehow the alleged criminals obtained phone numbers for several Twitter employees.  In a technique called "spear phishing," they then tricked an employee into calling what probably sounded like a legitimate helpdesk, where the employee was persuaded to hand over credentials.  Those credentials, through further targeted spear-phishing attacks on other employees, allowed them into Twitter's critical control systems.

One can imagine this playing out rapidly in a movie:  the scene switches back and forth between a teenager's cluttered bedroom in Tampa and the cool, sophisticated environment of a Silicon Valley megacorporation where the kid hoodwinks staffer after staffer, and at last he types something on his laptop and yells, "We're in!"  But Mr. Clark may not have gotten his ideas from a movie.  Just being a teenager may have been enough.

Brain researchers have found that the teenage brain is an odd mixture of sophistication and poorly-controlled impulses.  In a Time article by Alexandra Sifferlin, we read that the brains of teenagers are about as big as they're going to get, but not nearly as interconnected as those of people in their late 20s and older.  In particular, the prefrontal cortex, where planning and forethought occur, is not yet well connected to the limbic system, which deals with emotions and goes through a growth spurt beginning by age 12.  So all the pieces of the adult brain are there, but they aren't connected as well as they will be in an adult. 

Add to this the fact that certain kinds of mental activity turn out to be easy for clever teenagers and even children, while other kinds of mentally challenging work aren't.  For example, the world has known of many child prodigies in math (Blaise Pascal was writing proofs on the wall with a piece of coal by age 11) and music (Mozart).  But there haven't been any child-prodigy novelists or statesmen.  I'm not saying Clark is another Pascal, not by a long shot.  But programming and its illegal subset of criminal hacking are activities that smart young people can easily master on their own without undergoing a long apprenticeship.

So couple that native ability with the poor impulse control of a teen brain, and you get situations like the one Graham Clark is in.  Yes, he did a clever thing that got him a lot of publicity and some money.  But now he's facing criminal charges (a laundry list of 30 felonies) that could put him in jail for much of his natural lifespan.

In this case, anyway, crime didn't pay.  But how about Twitter, and how apparently easy it was for the three hacketeers to spoof and spear-phish their way into one of the most prominent Silicon Valley social media companies?

This kind of thing is an IT security specialist's nightmare.  Despite all the encryption, coding precautions, and other software and hardware security you can throw around, any organization of any size relies on interactions among people who trust each other.  And unless all the people work in one room and know each other's names and behaviors (an increasingly rare situation in these COVID-19 times), there is always a chance that a properly-informed hacker could impersonate someone in the organization to steal credentials or other critical data. 

It's hard to think of a way to prevent this kind of thing absolutely, but I bet Twitter is reviewing its IT security rules right now to prevent another such attack.  This is a lesson that engineers, and really anybody involved in dealing with confidential information, can benefit from.  For some of us, it might not be anything more important than a credit-card number, though having your credit card hacked is no picnic (it's happened to me several times). 

For organizations such as Twitter that have extremely valuable credentials to protect, it's hard to say what policies would prevent hacks like the one masterminded by Clark.  Whatever they might be, they would have to partake of a kind of rigidity that goes against the Silicon Valley grain.

For example:  I once heard of a restaurant whose management held so highly the safety and well-being of their customers, that if any of the people who laid out the silverware on the table was caught touching a fork anywhere above the handle so as to get their fingers on something that would later go into a customer's mouth, that person was fired on the spot.  Excessive?  Probably.  But it bespoke a kind of integrity and seriousness that may be in short supply these days.  Nevertheless, such an attitude might go far, if turned into data-protection protocols, toward preventing the kind of thing that happened to Twitter.

Twitter recovered, after some embarrassing publicity.  The alleged culprits were caught, and now people can follow the Kardashians or whoever without fear of getting spurious tweets from them.  So maybe the price of an occasional hack is worth the laid-back atmosphere that allowed a seventeen-year-old to make a fool out of a famous social-media company.  To prevent hacks like this in the future, organizations like Twitter may have to implement rules that are inconvenient or even harsh.  But with great privileges come great responsibilities, and that may be a lesson a lot of us have yet to learn.   

Sources:   The Associated Press article by Kelvin Chan on the arrest of Clark and company was carried by several news outlets, including https://www.boston.com/news/crime/2020/07/31/florida-teen-charged-in-massive-twitter-hack-bitcoin-theft.  I also referred to an article at https://www.usnews.com/news/business/articles/2020-07-31/twitter-says-hackers-used-phone-to-fool-staff-gain-access.  The detail about Pascal's proof in coal dust is from Wikipedia's "List of child prodigies" and the Time article on teenage brains can be found at https://time.com/4929170/inside-teen-teenage-brain/.
