Twitter, Lockheed, and the CIA triad

I promise I’ll stop writing about Twitter as soon as Twitter stops giving me things to write about. I want to clarify some things before I begin, though. I have no real agenda against Twitter or Elon Musk. I’ve written more posts about Twitter in the last week than I’ve written Tweets in my life. Twitter continues to give me a springboard to discuss cybersecurity concepts, so I continue writing about it.

This week in Twitterish news, a “verified” account crashed the stock of a multibillion-dollar company.

I wrote a post the other day about the issues with the new verification system and why we should consider blocking t.co. I followed that up with a post showcasing this already happening; however, I didn’t consider the impact these false verifications could have on the global market.

Twitter users pretending to be Lockheed Martin (notice the account is @lockheedmartini) announced that they were halting sales to Saudi Arabia, Israel, and the US. This caused an immediate crash in their stock to the tune of billions in value.

The same thing happened to Eli Lilly, a drug store company, after a “verified” Twitter post mentioned that insulin would be free.

The company’s stock fell by 4.37%, or roughly $30 billion. The stock has yet to recover even after the “verified” tweet was proved fake.

The CIA Triad

I haven’t talked about the CIA triad before on this blog, but it’s a general term in cybersecurity. The CIA triad consists of three core principles that we focus on.

  • Confidentiality
    • Ensure the things we want private stay private
  • Integrity
    • Ensure that things we want accurate stay accurate
  • Availability
    • Ensure that things we want available stay available

This is a nutshell version of the triad, and I’m not going to deep dive into this right now. One concept that loosely falls under integrity is non-repudiation: the idea that you can prove definitively that someone sent a specific message. If we abstract this a bit, we can say that Twitter’s previous verification system provided non-repudiation, as we could prove that the real Lockheed Martin tweeted a message; however, under the new system that is more difficult.

Twitter still has a source of non-repudiation in the Twitter handle. Twitter handles are globally unique, and there can only be one @LockheedMartin on Twitter, but this method requires users to do more digging to figure out what the correct Twitter handle is for Lockheed Martin.
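That digging can be automated by ignoring the badge and checking the handle against a pinned list of known-official handles. The sketch below is an added example, not code from any Twitter tooling; the `OFFICIAL` list, the distance threshold and the function names are assumptions for illustration.

```python
# Added example: decide trust from the handle, never from the checkmark.
# OFFICIAL is a constructed allowlist; only @LockheedMartin comes from the post.
OFFICIAL = {"lockheedmartin": "Lockheed Martin"}


def normalize(handle: str) -> str:
    """Handles are case-insensitive; drop the leading @ and stray whitespace."""
    return handle.strip().lstrip("@").lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(handle: str, max_distance: int = 2):
    """Return (verdict, organisation) for a handle.

    official  - exact match with a pinned handle
    lookalike - near miss or contains a pinned handle, so likely impersonation
    unknown   - no relation to the pinned list; no trust decision made
    """
    h = normalize(handle)
    if h in OFFICIAL:
        return ("official", OFFICIAL[h])
    for known, org in OFFICIAL.items():
        if known in h or edit_distance(h, known) <= max_distance:
            return ("lookalike", org)
    return ("unknown", None)


if __name__ == "__main__":
    for sample in ("@LockheedMartin", "@lockheedmartini", "@SomeoneElse"):
        print(sample, classify(sample))
```

The account from the incident above differs from the real handle by a single appended character, which is why a small edit-distance threshold is enough to flag it.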

Future

Although not confirmed, Twitter suspended sign-ups for Twitter Blue, probably because of these two instances. It’s one thing when users are pushing crypto scams by pretending to be Twitter, but it’s a completely different matter when Twitter’s policies cause multiple billions in losses to major companies. I expect there will be lawsuits in the future from Lockheed Martin and Eli Lilly over the lost valuation.

Twitter rolled out, then removed, then re-rolled out a new “Official” verification status. This new verification status is supposed to be used to identify notable persons and businesses. If Twitter actually rolls out a new “Official” status, that will be a good first step; however, it will still take time before your average user (the ones who aren’t following all the Twitter drama) learns to stop associating trust with the blue checkmark.

For that reason, as I stated in the first post, block t.co until this all settles down.
