Tag Archives: Twitter

Security News Bites for the Week Ending July 17, 2020

Microsoft’s LinkedIn Sued for Abusing Clipboard Access

Apple’s Universal Clipboard allows you to share data between devices. According to the lawsuit, LinkedIn reads the data without notifying the user. However, LinkedIn is not alone. More than 50 apps, apparently, do that. Now that they have been sued, they are changing their app. Credit: Reuters

When is 10 million actually 140 million?

Apparently MGM Resorts is not great at counting. In February ZDNet reported that hackers stole info on 10 million guests. Apparently the number is actually 142 million. We know this not because MGM said so but because a hacker is selling that much data. Credit: ZDNet

340 GDPR Fines Totaling 158 Million Euros Issued Since 2018

The smallest fine was 90 Euros. The largest fine was 50,000,000 Euros.

France, Italy and Germany represent 73% of all of the fines.

While fines issued by France total 51 million Euros, fines issued by the UK were just over a half million Euros.

While GDPR has been in force for around two years, that is just a blip when it comes to the legal world. Stay tuned for the next two years. Credit: Helpnet Security

The Same Senate That is Trying to Ban Encryption is Asking Why Twitter isn’t Encrypting DMs

While the Senate debates the EARN IT Act, which would require companies like Twitter to implement encryption back doors, or the LEAD Act, which FORCES judges to make companies decrypt data if the cops ask the judge to do it, with no judicial discretion, that same body is asking why Twitter isn’t encrypting Direct Messages (DMs). Sounds kind of bizarre to me, but that is reality. Credit: Security Boulevard

Beware of VPNs That Keep No Logs

UFO VPN (first clue: based in Hong Kong) says this about their security practices:

UFO VPN does not collect, monitor, or log any traffic or use of its Virtual Private Network service, under any circumstances, on any platform

Which makes it hard to explain how 894 GB of log data, including encryption keys, was stored on an Elasticsearch server with no password. This represents 20 million users’ logs.

If you care about your privacy, check out any VPN provider that you plan to use carefully. Credit: Hack Read

OMG – Twitter Hacked!

The details are a bit sketchy, but a number of high-profile Twitter accounts were hacked on Wednesday. Among the accounts hacked were Apple, Elon Musk and Joe Biden. Other accounts include Kim Kardashian West, Jeff Bezos, Bill Gates, Barack Obama, Wiz Khalifa, Warren Buffett, YouTuber MrBeast, Wendy’s, Uber, CashApp and others.

Read to the end to find the OMG part.

In this particular case, all the scammer wanted was money.

The scam went like this: If you send me $1,000 in bitcoin, I will send you back $2,000. Only doing this for 30 minutes, said Joe Biden’s account.

Needless to say, Biden did not send the Tweet, nor did fools who believed this too-good-to-be-true story get their money doubled.

Twitter acknowledged the problem just before 3PM Pacific Time on Wednesday, saying that they had a little problem.

Now comes the OMG part.

As Twitter tried to get their arms around how many accounts were compromised and how it happened, they locked down a number of high-profile accounts. Those accounts COULD NOT TWEET. WHAT IS THE WORLD COMING TO?

Later in the afternoon Twitter said that things were getting back to normal, but they reserved the right to lock down more accounts if they needed to.

Just in case this is not obvious, this is not a case of a user picking a bad password.

Based on conversations others have had with hackers, backed up by screen shots, it appears this was an inside job. This is only speculation at this point.

The scam itself is pretty vanilla. What is brazen is hacking all of these high profile Republican, Democratic, multiple presidential candidates and other so-called “verified accounts”.

The Bitcoin account in question had racked up over a hundred grand by mid-afternoon and was going up quickly.

What if, instead of a stupid scam that no one SHOULD believe, the hackers instead Tweeted that the President had been assassinated or that China had launched a nuke aimed at Miami, Dallas and pick your least favorite city?

Mass panic.

Financial chaos.

Ultimately, it boils down to the speed that social media moves at and the trust that some people place in news pushed by social media.

Even if Jack Dorsey figures out what happened and I think it is likely that he will, it may be impossible to stop this from happening again.

This is definitely an example of “Buyer Beware”. Credit: Tech Crunch

A little more information has come out, but not a lot. Twitter is saying that rather than their employees being crooks, they are just stupid and were duped by the hackers. Not sure which is worse.

Apparently, Twitter has an internal tool that allows an employee to do things like change the email associated with an account with no notification and no validation.

Some people posted screen shots of the internal Twitter tool. Twitter’s solution to this “problem” was to delete those tweets and disable those accounts. Apparently, they don’t understand how the Internet works because with Google and 30 seconds, you can find ten copies of those pictures. We are still waiting for Twitter to come clean. That may have to wait for the lawsuits. After all, people did lose thousands of dollars each. Credit: Brian Krebs.

Here are some out-of-the-box thoughts. What if this was an effort by the North Koreans or Chinese? What if this was just a test run? What if this happened the day of the presidential elections? What if the hackers said that candidate [pick one] dropped out of the race, so don’t bother voting? If people are willing to send thousands of dollars of Bitcoin to a stranger in response to a Tweet, the above is not so far-fetched.

Here is another thought. Were the direct messages of all of those compromised accounts stolen? Are we going to see those DMs made public, say right before the election? Shades of Russia/2016 election. Stay tuned.

Security News for the Week Ending November 22, 2019

Huawei Ban – Is It A National Security Issue or Bargaining Chip?

Back in May, President Trump issued a ban on US companies buying from or selling to Huawei (see here). Since then, the government has issued extensions to the ban 90 days at a time, and the government just issued another extension. They are doing this at the same time that they are trying to get US allies to not use Huawei products in the rollout of those countries’ 5G networks. This tells China that we are not serious about this and don’t really think Huawei is a security risk, whether it is or not.

There are two problems with the ban.  The first is that US telecom carriers currently use lots of Huawei gear and it will cost billions to replace it.   Second, US companies and likely Republican donors make billions selling parts to Huawei, so the administration is reluctant to stop that flow of money into the country.

Congress is considering a bill to fund $1 billion over TEN YEARS as a down payment on removing Huawei gear from US networks. If the US actually implements the Huawei ban, then those companies will no longer get software patches. The Chinese might even announce the holes so hackers can attack US networks. In addition, if the equipment breaks, carriers won’t be able to get it fixed. Life is never simple.

Carriers that have to spend money replacing Huawei will have to delay their 5G rollouts, turning the US into even more of a third-world cellular network than we already are.   Source: ITPro

Phineas Fisher Offers $100,000 Bounty to Hack Banks and Oil Companies

The hacker or hacker group Phineas Fisher has offered up a bounty of $100,000 for other hackers who break into “capitalist institutions” and leak the data.  The group said that hacking into corporations and leaking documents in the “public interest” is the best way for hackers to use their skills for social good.  That is not a great message for businesses who are trying to defend themselves.

Phineas Fisher has a long track record of breaking into companies and publishing embarrassing data, so this is not just an idle threat.  Source: Vice

Russian Hacker Extradited to the United States May Be High Value Asset

We see from time to time that hackers are not too bright or act in not-so-bright ways. In this case, a Russian hacker wanted by the US was arrested when he entered Israel in 2015. The US says that he ran the underground credit card mart CARDPLANET, which sold over a hundred thousand stolen cards. Why a Russian hacker would think that visiting Israel would be safe is a mystery; either he thought no one knew who he was, or he is not very smart.

After Israel arrested him at the request of the US, the Russians tried to bargain him back to Russia under the guise of trying him there. When the Israelis told them thanks, but we will handle this ourselves, Russia convicted a young Israeli woman on trumped-up drug charges and she is serving a 7 year sentence in Russia. Even that did not sway Israel to return him. In the meantime, the Israelis have turned him over to us and he is awaiting trial here.

Some people say that Russia wants him back because he has first-hand knowledge of Russian interference in the 2016 US elections, but the White House doesn’t even admit that Russia hacked the elections, so I am guessing they are not going to press on that issue, but who knows. Stay tuned. Source: Brian Krebs

When It Affects the Boss, Well, Just Fix It

A few weeks ago Jack Dorsey, Twitter’s CEO, had his Twitter account hacked.

Up until yesterday, you had to provide Twitter with a phone number for two factor authentication and they would send you a text message. You could change the method later, but you had to initially give them a phone number. HIS account was hit by a SIM-jacking attack (so apparently he did not change his authentication method).

As of November 21, you can now set up a Twitter account WITHOUT SMS as the second factor.  I strongly recommend that you change your Twitter 2FA method.  Source: Tech Crunch

Apple Tells Congress That You’ll Hurt Yourself if You Try to Fix Your iPhone

Congress pressed Apple on why you or a repair center (that doesn’t pay Apple a licensing fee) should not be allowed to repair your iPhone because, they say, doing such repairs could be dangerous.

They also said it costs them more money to repair iPhones at Apple stores than they charge, which is probably the best reason ever to let other people repair them.  Of course, that is not the way Apple sees it.  They said that you might leave a screw out or something.  Of course, if they provided manuals, that wouldn’t be a problem.

Apple would like you and Congress to believe that their repair monopoly is good for you as a consumer.  Apple also said that they don’t stop consumers from getting repairs from a shop of their choice, even though they modified the iPhone software to disable the phone’s touchscreen if they do get their phone repaired outside the Apple ecosystem.  Read more details here.


Wendy’s, Cici’s, Twitter – The Attacks Keep Coming

In January 2015 Wendy’s disclosed, after many banks had already announced it, that its point-of-sale system was breached. For months Wendy’s refused to provide any details, only saying that they were investigating things.

In May, when it released its first-quarter earnings report, it said that fewer than 300 restaurants were compromised and all of them were franchisees. None of the compromised systems were at company-owned stores. The NCR Aloha POS system, installed at many locations and planned to be deployed at all locations soon, was not compromised, but 50 other stores were compromised with other forms of malware.

Some people are saying the size of the breach is limited, but banks are saying that the hackers are being very effective at using the compromised cards and the banks are having a hard time controlling their losses.

Wendy’s appears to be really struggling with this.

On June 9th, they admitted that the breach was worse than they admitted in May.  The new locations, for which they have not announced a number, had a variant of the original malware, which the original forensics firm did not detect.

What this may mean is that Wendy’s is still bleeding credit cards.  The banks certainly seem to think so.

Hopefully at some point, we will find out the real damage, but Wendy’s does not seem to be able to effectively get to the bottom of it.  In the mean time, class action lawsuits have been filed.

In the meantime, Cici’s Pizza appears to have been hacked. A little over a million card numbers seem to be available on the dark web. While Cici’s gave reporter Brian Krebs a total runaround, the POS vendor, Datapoint, said that this appears to be related to the TeamViewer hack that has been in the news lately and that multiple POS vendors are affected. TeamViewer, a remote access tool, has been in the news lately as many people say that their systems, which have TeamViewer installed, have been compromised. TeamViewer insists that they have not been hacked, but so did Wendy’s for quite a while.

There have been a number of POS attacks which were completed by compromising the remote control software that was used by the third party to manage the POS systems in the stores. Brian Krebs is reporting that the attack on Cici’s may have been assisted, at least in part, by people pretending to be technicians for the POS company and socially engineering store employees into giving them access. If so, this is a classic attack method, using store employees as the foil.

Both the Cici’s and TeamViewer attacks are relatively new, so we have not had any official news – other than the typical denial – from either company.

Interestingly, Brian Krebs said that when he went to the Datapoint web site, Google says Datapoint’s site was compromised and that it was once used by hackers to promote Viagra clones.  He has a screen shot of the Google alert on his web site.

Now on to Twitter.  This has not been a good week for Twitter. Over the week, the accounts of many celebrities including Mark Zuckerberg, Katy Perry and the NFL, among a number of others, were hacked.

Twitter says that some number of accounts have been compromised and their owners – as well as the hackers – have been locked out, on purpose.  Media sources say that number is 33 million.

Twitter says that their servers were not hacked. Some sources are suggesting that the list of 33 million accounts may have been aggregated by combining data from other hacks, like the 100+ million records taken from LinkedIn, since people seem hell-bent on reusing passwords.

One thing that everyone needs to seriously consider is to start using two factor authentication. All major websites offer it and while it is a bit of a pain, it really is a requirement, not an option. For users that have two factor authentication turned on, the real owner will get an alert on their phone and the hacker will have to figure out how to get that 6- or 8-digit number to log in. That will effectively keep the attacker out, even though they have your password.

As businesses and users continue to insist on convenience over security, the hackers continue to win.  At some point, the cost of being hacked will outweigh the convenience of reusing passwords, using passwords like 123456 and other not-so-smart things.

However, I recommend that you not hold your breath waiting.

Information on the Wendy’s breach came from eWeek.

Information on the Cici’s breach came from Brian Krebs.

Information on the Twitter attack came from The Guardian.