Tag Archives: Twitter

Security News for the Week Ending November 22, 2019

Huawei Ban – Is It A National Security Issue or Bargaining Chip?

Back in May, President Trump issued a ban on US companies buying from or selling to Huawei (see here). Since then, the government has issued an extension to the ban 90 days at a time and the government just issued another extension. They are doing this at the same time that they are trying to get US allies to not use Huawei products in the rollout of those countries’ 5G networks. This tells China that we are not serious about this and don’t really think Huawei is a security risk – whether it is or not.

There are two problems with the ban.  The first is that US telecom carriers currently use lots of Huawei gear and it will cost billions to replace it.   Second, US companies and likely Republican donors make billions selling parts to Huawei, so the administration is reluctant to stop that flow of money into the country.

Congress is considering a bill to fund $1 billion over TEN YEARS as a down payment on removing Huawei gear from US networks. If the US actually implements the Huawei ban, then those companies will no longer get software patches. The Chinese might even announce the holes so hackers can attack US networks. In addition, if the equipment breaks, carriers won’t be able to get it fixed. Life is never simple.

Carriers that have to spend money replacing Huawei will have to delay their 5G rollouts, turning the US into even more of a third-world cellular network than we already are.   Source: ITPro

Phineas Fisher Offers $100,000 Bounty to Hack Banks and Oil Companies

The hacker or hacker group Phineas Fisher has offered up a bounty of $100,000 for other hackers who break into “capitalist institutions” and leak the data.  The group said that hacking into corporations and leaking documents in the “public interest” is the best way for hackers to use their skills for social good.  That is not a great message for businesses who are trying to defend themselves.

Phineas Fisher has a long track record of breaking into companies and publishing embarrassing data, so this is not just an idle threat.  Source: Vice

Russian Hacker Extradited to the United States May Be High Value Asset

We see from time to time that hackers are not too bright or act in not-so-bright ways. In this case, a Russian hacker, wanted by the US, was arrested when he entered Israel in 2015. The US says that he ran the underground credit card mart CARDPLANET, which sold over a hundred thousand stolen cards. Why a Russian hacker would think that visiting Israel would be safe is unclear; maybe he thought no one knew who he was, or maybe he is not very smart.

After Israel arrested him at the request of the US, the Russians tried to bargain him back to Russia under the guise of trying him there. When the Israelis told them thanks, but we will handle this ourselves, Russia convicted a young Israeli woman on trumped-up drug charges and she is serving a 7-year sentence in Russia. Even that did not sway Israel to return him. In the meantime, the Israelis have turned him over to us and he is awaiting trial here.

Some people say that Russia wants him back because he has first-hand knowledge of Russian interference in the 2016 US elections, but the White House doesn’t even admit that Russia hacked the elections, so I am guessing they are not going to press on that issue, but who knows – stay tuned. Source: Brian Krebs

When It Affects the Boss, Well, Just Fix It

A few weeks ago Jack Dorsey, Twitter’s CEO, had his Twitter account hacked.

Up until yesterday, you had to provide Twitter with a phone number for two-factor authentication and they would send you a text message. You could change the method later, but you had to initially give them a phone number. HIS account was hit by a SIMJacking attack (so apparently he did not change his authentication method).

As of November 21, you can now set up a Twitter account WITHOUT SMS as the second factor. I strongly recommend that you change your Twitter 2FA method. Source: TechCrunch

Apple Tells Congress That You’ll Hurt Yourself if You Try to Fix Your iPhone

Congress pressed Apple on why you or a repair center (that doesn’t pay Apple a licensing fee) should not be allowed to repair your iPhone. Apple’s answer is that doing such repairs could be dangerous.

They also said it costs them more money to repair iPhones at Apple stores than they charge, which is probably the best reason ever to let other people repair them.  Of course, that is not the way Apple sees it.  They said that you might leave a screw out or something.  Of course, if they provided manuals, that wouldn’t be a problem.

Apple would like you and Congress to believe that their repair monopoly is good for you as a consumer.  Apple also said that they don’t stop consumers from getting repairs from a shop of their choice, even though they modified the iPhone software to disable the phone’s touchscreen if they do get their phone repaired outside the Apple ecosystem.  Read more details here.

 


Wendy’s, Cici’s, Twitter – The Attacks Keep Coming

In January 2015 Wendy’s disclosed, after many banks had already announced it, that its point of sale system was breached. For months Wendy’s refused to provide any details, only saying that they were investigating things.

In May, when it released its first quarter earnings report, it said that fewer than 300 restaurants were compromised and all of them were franchisees. None of the compromised systems were at company owned stores. The NCR Aloha POS system, installed at many locations and planned to be deployed at all locations soon, was not compromised, but 50 other stores were compromised with other forms of malware.

Some people are saying the size of the breach is limited, but banks are saying that the hackers are being very effective at using the compromised cards and the banks are having a hard time controlling their losses.

Wendy’s appears to be really struggling with this.

On June 9th, they admitted that the breach was worse than they admitted in May.  The new locations, for which they have not announced a number, had a variant of the original malware, which the original forensics firm did not detect.

What this may mean is that Wendy’s is still bleeding credit cards.  The banks certainly seem to think so.

Hopefully at some point, we will find out the real damage, but Wendy’s does not seem to be able to effectively get to the bottom of it. In the meantime, class action lawsuits have been filed.

In the meantime, Cici’s Pizza appears to have been hacked. A little over a million card numbers seem to be available on the dark web. While Cici’s gave reporter Brian Krebs a total runaround, the POS vendor, Datapoint, said that this appears to be related to the TeamViewer hack that has been in the news lately and that multiple POS vendors are affected. TeamViewer, a remote access tool, has been in the news lately as many people say that their systems, which have TeamViewer installed, have been compromised. TeamViewer insists that they have not been hacked, but so did Wendy’s for quite a while.

There have been a number of POS attacks which were completed by compromising the remote control software that was used by the third party to manage the POS systems in the stores. Brian Krebs is reporting that the attack on Cici’s may have been assisted, at least in part, by people pretending to be technicians for the POS company and socially engineering store employees into giving them access. If so, this is a classic attack method – using store employees as their foil.

Both the Cici’s and TeamViewer attacks are relatively new, so we have not had any official news – other than the typical denial – from either company.

Interestingly, Brian Krebs said that when he went to the Datapoint web site, Google says Datapoint’s site was compromised and that it was once used by hackers to promote Viagra clones.  He has a screen shot of the Google alert on his web site.

Now on to Twitter.  This has not been a good week for Twitter. Over the week, the accounts of many celebrities including Mark Zuckerberg, Katy Perry and the NFL, among a number of others, were hacked.

Twitter says that some number of accounts have been compromised and their owners – as well as the hackers – have been locked out, on purpose.  Media sources say that number is 33 million.

Twitter says that their servers were not hacked.  Some sources are suggesting that the list of 33 million accounts may have been aggregated by combining data from other hackers – like the 100+ million records taken from LinkedIn, since people seem hell bent on reusing passwords.

One thing that everyone needs to seriously consider is to start using two-factor authentication. All major websites offer it and while it is a bit of a pain, it really is a requirement, not an option. For users that have two-factor authentication turned on, the real owner will get an alert on their phone and the hacker will have to figure out how to get that 6 or 8 digit number to log in. That will effectively keep the attacker out, even though they have your password.

As businesses and users continue to insist on convenience over security, the hackers continue to win.  At some point, the cost of being hacked will outweigh the convenience of reusing passwords, using passwords like 123456 and other not-so-smart things.

However, I recommend that you not hold your breath waiting.

Information on the Wendy’s breach came from eWeek.

Information on the Cici’s breach came from Brian Krebs.

Information on the Twitter attack came from The Guardian.
