Twitter から始まる Class Break

Someone compromised the entire Twitter network, probably by stealing the log-in credentials of one of Twitter’s system administrators.

In the Twitter case this week, the hacker’s tactics weren’t particularly sophisticated. We will almost certainly learn about security lapses at Twitter that enabled the hack, possibly including a SIM-swapping attack that targeted an employee’s cellular service provider, or maybe even a bribed insider. The FBI is investigating.

In addition to our efforts behind the scenes, shortly after we became aware of the ongoing situation, we took preemptive measures to restrict functionality for many accounts on Twitter - this included things like preventing them from Tweeting or changing passwords. We did this to prevent the attackers from further spreading their scam as well as to prevent them from being able to take control of any additional accounts while we were investigating. We also locked accounts where a password had been recently changed out of an abundance of caution. Late on Wednesday, we were able to return Tweeting functionality to many accounts, and as of today, have restored most of the accounts that were locked pending password changes for their owners.

This kind of attack is known as a “class break.” Class breaks are endemic to computerized systems, and they’re not something that we as users can defend against with better personal security. It didn’t matter whether individual accounts had a complicated and hard-to-remember password, or two-factor authentication. It didn’t matter whether the accounts were normally accessed via a Mac or a PC. There was literally nothing any user could do to protect against it.

Class breaks are security vulnerabilities that break not just one system, but an entire class of systems. They might exploit a vulnerability in a particular operating system that allows an attacker to take remote control of every computer that runs on that system’s software. Or a vulnerability in internet-enabled digital video recorders and webcams that allows an attacker to recruit those devices into a massive botnet. Or a single vulnerability in the Twitter network that allows an attacker to take over every account.

技術が進むと標準化が進み、脆弱性が増える。同じ機能を持つ部分すべてを破壊する「クラスブレーク」が可能になるのだ（p.133）

システムがあまりに複雑になり技術的に高度になった結果、セキュリティが劣るかもしれない新しいものを使うより、クラスブレークのおそれがあっても実績のあるものを使い続けたほうがいいことが多くなったのだ（p.158）

画一的なシステムはクラスブレークをうけやすく、剛性が高い。多様な場合にもクラスブレークは可能だが、難しくなる。可能なかぎり多様性を選んだほうがいいのだ。画一性自体がセキュリティリスクになるが、そのリスクは、確立されていない方法を選んだ場合よりも小さいことが多い（p.176）

Imagine a government using this sort of attack against another government, coordinating a series of fake tweets from hundreds of politicians and other public figures the day before a major election, to affect the outcome. Or to escalate an international dispute. Done well, it would be devastating.

In a sense, class breaks are not a new concept in risk management. It’s the difference between home burglaries and fires, which happen occasionally to different houses in a neighborhood over the course of the year, and floods and earthquakes, which either happen to everyone in the neighborhood or no one. Insurance companies can handle both types of risk, but they are inherently different. The increasing computerization of everything is moving us from a burglary/fire risk model to a flood/earthquake model, which a given threat either affects everyone in town or doesn’t happen at all.