Twitter Will Be Fun Today - The College Kids Who Hacked Into Twitter


Today's guest is Haseeb Awan, CEO of Efani, a secure and private cell phone service. Welcome, Haseeb. Thank you, Laura, for having me on your show. You were one of the investigators in touch with the young people who hacked Twitter last week and gained control of prominent accounts, including those of Joe Biden, Obama, Elon Musk and others, as well as those of crypto companies like Coinbase and Binance, and when they had control of those accounts, they were soliciting bitcoin from Twitter users. How did you get in touch with the hackers? So, Laura, I've been SIM swapped four times myself, so after that I was so pissed off, that angry, that I said I need to solve this problem, and so I entered into a forum, like, that's how they have those accounts, ... getting pretty much the whole ring of how they operate. So when you say that they had your Twitter account? No, they had my SIM card four times. Okay, and when you say SIM swaps, just describe that in case listeners don't know what that is. What happened is, like, someone will take the forum, so the underground market, like think about eBay, but like an eBay for information. So you sell your name, your information, social security number, your call logs, your location, or anything on you. If I say, hey, I need to find out Laura Shin's telephone number, they'll give me the telephone number, they'll give me the call logs. Everything comes through telephone numbers; telephone numbers are unique. And then if I say, hey, I need to take the phone number, they will just port it to a SIM that I control, and I need to pay them a few hundred dollars. Now your phone will not work anymore because I have control of the SIM card, so then I use that telephone number to get into Gmail, Facebook and Twitter. So if you go on Twitter, you likely reset it through email or number. If it's the telephone number, you've got it. It's a very common technique, deployed across the US for a long time.
The Twitter hack: Twitter said that their employees had been socially engineered, and that's how these hackers gained control of the systems. Are you saying that some Twitter employees had their accounts SIM swapped? Like, how does that, you, or SIM swapping tie in? How do these people relate to the Twitter hack? Right, you wanted to ask me how I got in touch with them, so I'm trying to understand. So I'm a victim of SIM swap myself, so I started going into the industry, into this forum, and trying to see how they operate, and to start a company which will provide a service that probably cannot be SIM swapped. That's what we did, and after that we started getting customers. We were actually getting a lot of attempts; we were getting attempts pretty much every week that someone tried to SIM swap a customer, trying to hack into our system, and they failed. They got in contact, they would call, they would email me, and they would do all kinds of attacks. You know, they'll try to do pen tests, everything, and obviously in one of the cases I reached out to them, like, stop messing around, I know what you're up to. And after I got in touch with him on Signal and told him that, like, not, I won't say that they became a friend, but I told them, why are you doing this? You know you should not do this, multiple hackers, and they said okay. If you don't have anything to do, why don't you get a job? He said, job? And then they started feeding me all the information to prove that they're legit, a lot of information, and that's how I was getting information from a lot of them. And when did all this happen, that you got in touch with them? It happened like four, five months ago. Okay. They were divulging to me not just for this hack, but for other purposes too, right, like a database gets leaked, a lot of databases breached every day, so they wanted to see that, hey, if I'm interested in the database, just wanted to work, pretty much.
It's not money. It's also about ego, that they want to prove something, that they could do something. So that was my context, for not hacking, but they'll be into the things that they had access to. That follows ... I didn't want to. Every day they were passing me, hey, today this is for sale, tomorrow this person's ... So on the day of the attack, I got a message that Twitter will be fun today, and when I got this message I thought it would be like a distributed attack, like scams, but after, that's all the kind ... We got attacked then, the Binance account, and at that time I thought that it's just a third-party API, like, you know, where you schedule tweets and everything; I thought that may be compromised, and that's how they got it. Later they said no, we have everything, a screenshot. I tweeted the screenshot, and after that it blew up. Well, and so who are these people? Who were the people involved in the actual Twitter hack? It's difficult to identify; like, frankly, I don't know. I can speculate, but obviously, because I'm someone in security and privacy, I don't want to speculate, but I can tell you they're like college kids, maybe someone between eighteen, twenty-one, twenty-two, and they are video gamers. They'd metaphor armed, and they found it fascinating for them. It's like a game, like you go into a video game and you're killing, you do stuff; for them it's like that. They're probably living somewhere with their parents right now in a basement, who do not even know anything. And they just do it for fun. Obviously money's there too, but most of the fun for them is just ... today. And so, originally,
the way you got in touch with them was they were targeting these different cell phone accounts, and what was the motivation in taking over the different cell phone accounts? So for an account, when people take the account, they can actually destroy you financially, emotionally, and reputationally. By financially, I can say they can get into your bank accounts, they can get into your crypto, they can do a lot of things financially. Obviously going into Facebook and email too, and then they download all the information from your Facebook, and then they start blackmailing you that, hey, you have done this, like, you know, you have this, and you have to pay me or this information is out there, and a lot of people would have to pay them the money, because if they don't pay the money, they leak the information, right. So then, third, they just become personal; like, in my case, they were harassing me. They tried to take my bank account; they couldn't get anything, but they wanted to talk to me. It's just fun for them. Some people are sick. Like, how did they pick you out of all the different people that they could torture? It's not just me; like, every day hundreds of people get SIM swapped. I'm just one of them. On average, every second someone becomes a victim of, not SIM swap, but cybercrime. But I had the impression that this was primarily targeting cryptocurrency people, but you're saying it's anybody? No, I think eighty percent of people who were SIM swapped are entrepreneurs ... And then in the cases of those people, is it like personal vendettas that they're trying to? You can make more money by hacking lawyers than anything else, you know. Crypto is one thing, but lawyers are like the number one target, lawyers, and professionals like doctors, medical doctors. Lawyers and other number one targets ... And what is the motivation for targeting lawyers? Money. Then,
how do they monetize that? Yeah, so I'll tell you: doctors, basically, are busy, less tech savvy, and rich. It's that easy to find out any doctor's information. You can find out who the best doctor in the city is, and you can SIM swap him. And once you get into that account, you can transfer money between accounts. That's what people have been doing: going into the account, SIM swapping, calling the bank, making a wire transfer, and then just checking accounts. That's pretty common, because doctors' clinics have a lot of money. If you run a clinic, you may have even like five hundred thousand, a million dollars sitting there at the front, because ... for them. Okay, so let's go back to the Twitter hack. There were some names that were identified of people who were involved. These names, in The New York Times article that quoted you as a source: one was Kirk, and there were some other people, lol and ever so anxious. Who were these people? And how did they know each other? So they don't know each other personally. They just hang out in rooms, like chat channels, like similar people on Discord talk with you, like private channels. They have people; they go, if they want to have information, to the doxxing industry for finding information. If I want someone associated ... they don't get caught. These people trade information. And you asked about, like, a ... Imagine you're a lawyer and you are fighting the opposing case. We can go to the website ... They know who they're talking to; they can make some ... on them. That's one thing, but other than that, these people are just, it's a game, as they would play, like, you know, different video games. And Kirk, the guy who was basically the source; the rest, like lol, they say are like extra agents, and they have been in the room for a long time. And obviously, if you want something, you don't trust the new guy.
The new guy, who is basically the main culprit, ... because of multiple reasons, but the main ... just which had a reputation. If you say you want a username, say Laura, @Laura, Shin, inactive, you may not trust Kirk, so you go to this middleman, tell them, hey, can you hold the money, because you have a good reputation? Because, like, these forums generally have a reputation system. You know, so then you ... into this guy, like, you know ... He went to Kirk. Kirk said he had the credentials, the employee's, but I don't think he was an employee. And then he gave him the account, started billing. So this is just a middleman. He was just brokering deals. You tell them what you want. He would just keep his cut and transfer the money when the deal is completed; that's all. And so Kirk was saying that he was a Twitter employee, but as you said, you don't think that he was, and he was essentially selling valuable Twitter accounts, and if people didn't trust Kirk, they would use ever so anxious as their middleman to get the different Twitter handles that they wanted. Is that what happened? That's correct. Kirk only came on in July. July? It was very recently that he actually came, so obviously people would not trust someone that new. July seventh, in the New York Times article ... Right, okay, but all right, so ever so anxious had a longer reputation, and that was who people were transacting with. And so then, how did bitcoin come into this? All these things happen through bitcoin. So the way it started was they were selling these Twitter handles for bitcoin, and then later, how did the scam change? So this is what I personally think: that the kid was in touch with the employee who was giving these accounts for a few thousand dollars. And then either bribed him, or social engineered him, like, because, like, hey, can you do this? This is purely my speculation: that you're working for so long, he earned the trust.
And he may have said, hey, can you log in for a bit, I wanna see how it looks, or something like that, something he made up. So the guy is ..., hey, just do it, but don't do anything crazy. You know, but Kirk decided, okay man, I can just go on, or I can also go online with ... I can do it, I can also go on, like, you know, all those accounts, crazy. That's what I ... Okay, but you're just speculating. You don't have any proof of that, or do you know? I don't have any proof of that; I don't have proof. ... probably did it. And Kirk is probably a guy called coup, which is on a forum for a long time, so I speculate that he's someone that was in the industry for a while, but it's not proved that Kirk did it, but from all the action and everything, it all points to cook. Right. So in a moment we're gonna talk a little bit more about what happened exactly inside Twitter and the scam, but first a quick word from the sponsors who make this show possible. How much in fees are you paying for crypto purchases? Now Crypto.com is waiving the three point five percent credit card fee when you buy crypto. Apart from crypto purchases, you can also get a great deal on food and grocery shopping with Crypto.com: get up to ten percent back when you pay with their Visa card. No card? Use the Crypto.com app to buy gift cards for up to twenty percent back. Download the Crypto.com app today, and enjoy these offers until the end of September. Looking to connect with thought leaders, innovators and blockchain enthusiasts? Welcome to TQuorum, a weekly virtual series about all things Tezos. Each week will feature presentations about the latest advancements that help the ecosystem grow together. Interested in speaking at TQuorum? Submit your presentation ideas and the Tezos community will vote on who comes to the podium next. Sign up and learn more about the virtual series at tquorum.com. Back to my conversation with Haseeb Awan. So, we don't know exactly how Kirk got into Twitter's internal systems.
However, once he or she did, then what did he or she do with their power? So Kirk then went to, I think, start with Binance and Coinbase. ... and he made the account ... First of all, what he did was ... the account. Okay, which means when you log in, it asks you to do a second type of security, which is hopefully, if you're in the crypto space, you have used something like Google Authenticator or a YubiKey, and you're not using text message based second factor authentication, where they send a code to your phone, because otherwise, if he gets SIM swapped, then ... So he removed that and then, good thing, they added a secondary, second, you know, authenticator. So now I'll give an example: like, you have my username, Haseeb, so they moved to a ..., and they also removed the email. And then they did a password reset. So the new email got the changed password, got the account, and tweeted whatever they wanted. Well, and what were they tweeting? So they were tweeting that, you know, about COVID-19, I believe, like, you know, because of COVID, we like helping people. I don't remember the wording. Helping, something, and they said send back. And this is in the video, any comments on YouTube. Actually they were so good that frankly sometimes I get like, you know, oh my God, like they're able to make it like a secondary thing that's real, you know, and like, but this happens pretty commonly, and it's been happening for almost two years now. It really is the kind of thing where people think it's real. I honestly had created a question for you, which is, who are the people who are savvy enough to own bitcoin and know how to send it, but not savvy enough to spot what to me seems like an obvious scam? Actually I went on the internet and tweeted out the same thing; I said, like, who are those people who are sophisticated enough to buy bitcoin, but not knowledgeable enough ... send bitcoin, but I think ... everything.
Like, I agree, people think, okay, let's give it a chance. You know, it's like a lottery ticket. You know, people may be, but they think, what if this is true? And other than that, if you look at what's happening, there are actually ... efforts on Twitter all the time with people donating money on Twitter, but they don't ask for anything; they say, hey, can you give me your ... who does this every day, so he will give dollars, fifty dollars for every person every day. You'll say, retweet this, I'll give you this money. So this happens right now, and obviously, as ..., like, you know, when greed comes in, people forget everything, you know. We have so many Ponzi schemes, like so many scams that happened, that exist today. If I come to you, Laura, with an investment scheme, which is pretty good, you know, it hits all the ..., but it only gives you five percent, you may not listen to that. If I say, hey, Laura, ... you may get ten X money tomorrow, you may skip everything. Okay, ten dollars is a thousand dollars tomorrow, okay, I'll take the risk. Hopefully, I'm sure my listeners are savvy enough to know if it sounds too good to be true ... But people do that. I think I have estimated that around, like, maybe, just in this generation of scam, like, he put a lot, tens of millions of dollars. Well, not last week, but over time. Yeah, yeah, over time people will be sending money, so there are enough fools, I guess. Yeah, over ... I mean, for last week, the hackers did net a little over thirteen bitcoin, which was about one hundred twenty thousand dollars, although analysts said that about twenty thousand of it seems to have come from a suspicious address that they actually think is controlled by the hackers, to kind of make it look like this was legit and people were actually sending money. But then also, by the way, they could have netted more.
However, Coinbase said that it did prevent more than one thousand customers from sending about two hundred and eighty thousand dollars worth of bitcoin to the Twitter hackers. So, let's talk a little bit also about just what happened in Twitter, which was, per Twitter's blog post: hackers targeted one hundred thirty accounts; for forty-five of those they reset the password and sent tweets from those accounts; for eight of them they actually downloaded that account's data; and then for thirty-six they read the direct message inbox, including one elected official from the Netherlands. What do you think they could do with such information? I think it's blackmail, that I've been talking to you about, what happened with SIM swapping. Let's think about it: if you have, first of all, that ... why didn't ... It wasn't like planned; I don't believe it was; it was just like in the moment, in the heat, it happened, ... They clearly, a guy who just got drunk pretty much did everything, but I think if you have access to, like, anyone's social media, proper social media, like I have received messages, and I, but I don't believe that, I think we have ... around, believe the electoral ... But if you have someone's social media that may have confidential information that can be misused, especially when, like, if you talk about it in direct messages, you know that's not confidential, even with a journalist, it's ... broad. You know, so I don't know what the information was, what ..., but that's very, very concerning, and I believe this may happen on Facebook or other social media too, because it's the same attack vector. Yeah, I definitely think that this is one of those cases where it makes you want to just use encrypted messaging apps, such as, like, Signal or something, maybe WhatsApp. So, let's just also talk a little bit about what we said before, about how the hackers were able to remove two-factor authentication on these accounts.
Well, actually, what they did first, I think, was they changed the email address, and then they changed ... Oh, actually, there was a blog post by somebody who had the @6 Twitter account, and they said they believed that the hackers changed the address, but that when that happened, it did not send a notification to the original email address, but I don't know if this person was surmising, you know. @6, in Twitter history, belonged to a hacker from the community of hackers, 2600. That's like a ... for hackers, right? Not a ..., just like a community for hackers, and there was the hacker who ended up homeless ... And he went into multiple ..., he was homeless, but he was a hacker. And ... community belonged to @6, the name. Adrian Lamo, I believe his name was. And, but yes, but I think the first thing was removed, and then moved to the ..., control of it. Now, I thought it was the reverse, but either way. Like, for any of us who are in the crypto space who have been keeping up with our security and using things like Google Authenticator or YubiKey and avoiding text-message-based 2FA, or any kind of 2FA based on our phone number, what can we take away from this? Like, is there any advice that you have for crypto people on how they can protect themselves if the services that we use have loopholes like this? Let's say I'll be biased, obviously, you know, ... but that's what we do, right? We work ... but actually, I am surprised at how many compromise their security. I was talking to some customer yesterday and they do ... you know, an extra ... is probably the most I can tell you, I know. We are making like a ..., but at the same ... SMS is the most prominently used method for probably ninety, ninety-nine percent of the world. What would you recommend instead?
Use a password manager; any manager, pretty much anything in the top five, six. Second, you know, don't be on a family plan. ... like those, like a caveman. This company, go with a better company. Even if you don't go with Efani, that's fine; at least go with a better company, like ..., because a family plan makes you very vulnerable. Now you're putting not only your own life at risk, but everyone who is in the plan. You know, and the third, don't give out your telephone number everywhere. You know, like, have different email addresses if you want to. And use Google Authenticator; get off your SMS. There's something, at one time I had statistics that said ninety-five percent of people who are like, ... do not have 2FA, SMS, I'm talking, or 2FA, and I think ninety-nine percent of those ... The people who've been victims: every day I deal with at least two or three people who get hacked, and we had some with 2FA, and I can tell you that a lot of people ... they did not believe enough to change it. Please, please don't be those people, but I can tell you, like, I've told people, and I said, do this, man, how much time did it take, like five minutes, six. You download an app, you know, ... You know, if you are very cautious, ... for a number, but I can tell you that ... would make this mistake. ... and in the end, ... they still use the same SMS 2FA, they think it will not happen to them again; it happened again. Because if it happens to you once, you become more, you know, vulnerable to getting hacked again. If they have found something, they just do it for fun, and, you know, because obviously I'm biased in a way, ... customer. I've been a victim four times, I feel ... they can.
What would you do? Please, please, please: set up ... get off SMS, ... and please get off family plans. I know you're saving ten, twenty dollars per month, but in the end, you know, if you call it, it's like insurance. You can live without insurance too, but, like, you know, the one day you need insurance, you need it.