Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

11/7/2019
06:15 PM
Twitter & Trend Micro Fall Victim to Malicious Insiders

The companies are the latest on a long and growing list of organizations that have fallen victim to users with legitimate access to enterprise systems and data.

Two separate incidents reported this week have once again highlighted how insiders with legitimate access to systems and data can be far more dangerous to enterprise security than external attackers.

On Thursday, the US Department of Justice announced indictments against two former Twitter employees for allegedly accessing private information tied to Twitter accounts belonging to several individuals of interest to the government in Saudi Arabia. A third individual based in Saudi Arabia was also indicted on related charges.

US national Ahmad Abouammo (age 41) of Seattle and Ali Alzabarah (35) of Saudi Arabia are accused of using their Twitter employee credentials to collect information that helped Saudi officials identify individuals critical of the regime in the country. They are alleged to have provided the information, which included email addresses, phone numbers, IP addresses, and dates of birth, to officials working on behalf of the Saudi government and the Saudi royal family.

The charging documents described Abouammo as a former media partner manager at Twitter responsible for the Middle East and North Africa region.

In that role, he was involved in assisting notable Twitter accounts in the region, including those belonging to brands, journalists, and celebrities, with content and Twitter strategy as well as sharing best practices. Alzabarah was a site reliability engineer whose job did not require access to Twitter user account data. Even so, he is alleged to have accessed nonpublic data associated with more than 6,000 accounts, including 33 accounts for which Saudi officials had previously pressed Twitter for more information.

Abouammo allegedly received a luxury watch valued at more than $20,000 and hundreds of thousands of dollars in cash in return for the information. He was arrested in Seattle on November 5 and made his first court appearance today.

Alzabarah fled the US for Saudi Arabia after Twitter officials confronted him about his illegal activities. A federal warrant has been issued for his arrest and also that of a third individual, Ahmed Almutairi, 30, a Saudi-based individual who is alleged to have facilitated meetings between Saudi officials and the two former Twitter employees.

In a statement, a Twitter spokesman said the company is committed to protecting the privacy of individuals who use its platform to advocate for human rights, equality, and individual freedom. "We recognize the lengths bad actors will go to try and undermine our service," the spokesman said. "Our company limits access to sensitive account information to a limited group of trained and vetted employees."

Meanwhile, in a separate development, cybersecurity vendor Trend Micro on Wednesday said one of its employees had illegitimately accessed personal data belonging to about 68,000 of the company's 12 million customers.

According to the security vendor, one of its employees used "fraudulent means" to access a customer support database containing names, email addresses, support ticket numbers, and, in some cases, the phone numbers of customers. He is alleged to have sold that information to a third-party malicious actor, who then used it to attempt to scam Trend Micro customers.

Trend Micro was alerted to the data theft in August after some customers of its consumer security products reported receiving scam calls from people purporting to be the security vendor's support personnel. It wasn't until October, however, that the company was able to identify the source of the leak. The employee has been terminated.

A Long-Standing Problem
Trend Micro and Twitter are the latest in a long and constantly growing list of victims of insider abuse, a problem that many security experts say poses at least as big a risk to enterprise security as external attacks. Twenty percent of the security incidents that Verizon's breach response group handled in 2018, and 15% of the actual breaches it investigated, involved insiders. Nearly half of those incidents (47.8%) were motivated by financial gain and a surprisingly high 23.4% by people seeking "pure fun."

Insider threats present a special challenge because most security is focused on protecting against incoming traffic, says Warren Poschman, senior solutions architect at comforte AG. Internal, properly authorized users are expected to be able to access data because it is part of their job functions.

"The premise of 'you can't deny what is granted' applies in that if an insider has legitimate access, then it is difficult to determine if a behavior is allowable," Poschman says. True intent can be hard to determine until after damage is done because legitimate user behavior can often be erratic, he adds.

Several tools are available to address insider threats, including user behavior analytics and risk-based authentication products. Data-centric measures such as tokenization and format-preserving encryption can also help by limiting access to sensitive data for all users regardless of the permissions they have, Poschman says.

Terry Ray, senior vice president at Imperva, says trying to proactively restrict all employees to just the data they need can be complex and even next to impossible for enterprise security organizations. Even a zero-trust approach — where every access request to a network or app is vetted for trustworthiness — has limitations when it comes to malicious insiders, he says. "The only aspect of zero trust that might have benefited Trend Micro would be least privileged access — the idea that each individual should only have access to what they need for their role," he says.
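The data-centric control Poschman describes and the least-privilege point Ray makes fit together naturally: if the support database holds only tokens for customer contact details, then a user's permissions decide not whether they can read the row but whether the vault will reveal the value behind a token, and every reveal is logged. The following is an added example written for this article; it is not code from Twitter, Trend Micro, comforte or Imperva, and the role names, field kinds, record layout and sample customers in it are all constructed.

```python
# Added example, not code from the article, Twitter, Trend Micro or comforte:
# a support database that stores only tokens for customer contact details,
# with detokenization gated by role and audited. Roles, fields and customers
# below are constructed for illustration.
import secrets
from dataclasses import dataclass, field

# Hypothetical role policy: which tokenized field kinds a role may reveal.
# Tier-1 support needs e-mail to reply to a ticket; phone numbers are
# reserved for tier-2 call-backs; infrastructure staff get no customer PII.
ROLE_DETOKENIZE = {
    "support_tier1": {"email"},
    "support_tier2": {"email", "phone"},
    "sre": set(),
}

# Constructed sample customers (plaintext exists only while loading).
SAMPLE_CUSTOMERS = [
    {"name": "A. Lee",  "email": "a.lee@example.com",  "phone": "+1-555-0100", "ticket": "T-1001"},
    {"name": "B. Osei", "email": "b.osei@example.net", "phone": "+1-555-0101", "ticket": "T-1002"},
]


class AccessDenied(Exception):
    pass


@dataclass
class TokenVault:
    """Holds token -> (kind, plaintext). In a real deployment this lives in a
    separately secured service, not next to the support database."""
    _store: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def tokenize(self, kind: str, value: str) -> str:
        # Random tokens carry no information about the value; a dump of the
        # support database alone therefore reveals no phone numbers or e-mails.
        token = f"tok_{kind}_{secrets.token_hex(8)}"
        self._store[token] = (kind, value)
        return token

    def detokenize(self, user: str, role: str, token: str, ticket: str) -> str:
        kind, value = self._store[token]
        allowed = kind in ROLE_DETOKENIZE.get(role, set())
        # Every attempt is logged, denied or not: the denied ones are what an
        # insider-threat review most wants to see.
        self.audit.append({"user": user, "role": role, "kind": kind,
                           "ticket": ticket, "allowed": allowed})
        if not allowed:
            raise AccessDenied(f"role {role!r} may not reveal {kind}")
        return value


def build_support_db(vault: TokenVault, customers: list) -> list:
    """Return support records in which only name and ticket are plaintext."""
    return [
        {"name": c["name"], "ticket": c["ticket"],
         "email": vault.tokenize("email", c["email"]),
         "phone": vault.tokenize("phone", c["phone"])}
        for c in customers
    ]


def reveal(vault: TokenVault, db: list, user: str, role: str,
           ticket: str, kind: str):
    """Look up a ticket and try to reveal one field; None if the role is denied."""
    record = next(r for r in db if r["ticket"] == ticket)
    try:
        return vault.detokenize(user, role, record[kind], ticket)
    except AccessDenied:
        return None


if __name__ == "__main__":
    vault = TokenVault()
    db = build_support_db(vault, SAMPLE_CUSTOMERS)
    print(db[0])                                                 # tokens only
    print(reveal(vault, db, "dana", "support_tier2", "T-1001", "phone"))
    print(reveal(vault, db, "sam", "sre", "T-1001", "phone"))    # None
    print(vault.audit)
```

The point of the split is that a copied support table, the asset in the Trend Micro incident, is worthless without the vault, and that the vault's audit log answers the question a tokenized table cannot: who asked to see which customer's phone number, and for which ticket.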

To be effective, insider controls have to be based on continuous monitoring of all user access to protected data. To spot unusual behavior, organizations need to be constantly analyzing who accesses data, what they access, how they access it, from where, and whether they should have access to it at all.

"Monitoring user activity on corporate data is not only fully accepted, it's assumed by employees," Ray says.

Few, though, implement full data monitoring, and when they do, typically only the regulated data is monitored. The reality is that unregulated data is becoming more relevant at companies as well. "Unregulated data may still be highly monetized by attackers and can have negative impact on organizations," Ray notes, "regardless of a lack of regulatory fines."
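The who/what/how/from-where questions above, and the Twitter pattern of an engineer outside the authorized group reading thousands of accounts, translate directly into checks over an access log. The block below is an added example, not code from the article, Imperva or Twitter: it runs four such checks over a constructed log (a role that is not entitled to account data at all, an access to a watchlisted account, an access from outside an assumed corporate address range, and a user reading far more distinct accounts in a day than their role's baseline). The role policy, watchlist, log format and every log line are constructed for illustration.

```python
# Added example, not code from the article, Imperva or Twitter: the access
# monitoring Ray describes, run over a constructed access log. Each line
# records who read non-public data of which customer account, in what role
# and from which address. The role policy, watchlist, corporate range, log
# format and log contents are all constructed for illustration.
import ipaddress
from collections import defaultdict
from datetime import datetime

# Hypothetical per-role policy: may the role read account data at all, and
# how many distinct accounts per day is normal for someone in that role.
ROLE_POLICY = {
    "partner_manager": {"account_data": True,  "daily_accounts": 50},
    "trust_safety":    {"account_data": True,  "daily_accounts": 500},
    "sre":             {"account_data": False, "daily_accounts": 0},
}

# Accounts an outside party has asked about; any access is worth a look.
WATCHLIST = {"acct_1042", "acct_1077"}
CORP_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed office/VPN range

_BASE = [
    "2019-05-01T09:12:04Z user=amir role=partner_manager account=acct_2001 src=10.1.4.7",
    "2019-05-01T09:15:40Z user=amir role=partner_manager account=acct_1042 src=10.1.4.7",
    "2019-05-01T09:20:11Z user=amir role=partner_manager account=acct_2002 src=10.1.4.7",
    "2019-05-01T10:02:33Z user=tina role=trust_safety account=acct_2003 src=10.2.0.12",
    "2019-05-01T10:05:00Z user=tina role=trust_safety account=acct_2004 src=10.2.0.12",
    "2019-05-01T22:41:09Z user=sam role=sre account=acct_2001 src=203.0.113.5",
    "2019-05-01T22:41:15Z user=sam role=sre account=acct_2005 src=203.0.113.5",
    "2019-05-01T22:41:22Z user=sam role=sre account=acct_2006 src=203.0.113.5",
    "2019-05-01T22:41:30Z user=sam role=sre account=acct_2007 src=203.0.113.5",
]
# One partner manager bulk-reading 60 accounts in an hour, well over baseline.
_BULK = [
    f"2019-05-01T13:{i:02d}:00Z user=mia role=partner_manager account=acct_{3000 + i} src=10.1.9.3"
    for i in range(60)
]
ACCESS_LOG = "\n".join(_BASE + _BULK)


def parse(log_text: str) -> list:
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def analyze(events: list) -> list:
    """Return (rule, user, detail) findings: unauthorized role, watchlisted
    account, off-network source, and per-day volume beyond the role baseline."""
    findings = []
    per_user_day = defaultdict(set)   # (user, role, date) -> distinct accounts
    for ev in events:
        policy = ROLE_POLICY.get(ev["role"])
        if policy is None or not policy["account_data"]:
            findings.append(("unauthorized_role", ev["user"], ev["account"]))
        if ev["account"] in WATCHLIST:
            findings.append(("watchlist_hit", ev["user"], ev["account"]))
        if ipaddress.ip_address(ev["src"]) not in CORP_NET:
            findings.append(("offsite_source", ev["user"], ev["src"]))
        per_user_day[(ev["user"], ev["role"], ev["ts"].date())].add(ev["account"])
    # Volume is only judged for roles that may read account data at all;
    # the others were already flagged on every access above.
    for (user, role, day), accounts in per_user_day.items():
        policy = ROLE_POLICY.get(role)
        if policy and policy["account_data"] and len(accounts) > policy["daily_accounts"]:
            findings.append(("volume_anomaly", user,
                             f"{len(accounts)} accounts on {day} (baseline {policy['daily_accounts']})"))
    return findings


def users_by_rule(findings: list) -> dict:
    """Collapse findings to rule -> set of users, the view an analyst triages."""
    out = defaultdict(set)
    for rule, user, _ in findings:
        out[rule].add(user)
    return dict(out)


if __name__ == "__main__":
    for rule, users in sorted(users_by_rule(analyze(parse(ACCESS_LOG))).items()):
        print(f"{rule:18} {sorted(users)}")
```

On this log the engineer is caught by two independent rules (role and source address), the partner manager who touched a watchlisted account by a third, and the bulk reader by volume alone; the trust-and-safety user, whose job is to read account data in quantity, produces nothing. That last case is the important one: per-role baselines are what keep a check like this from drowning in the legitimate but erratic behavior Poschman warns about.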


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
