Subscribe to this bi-weekly newsletter here!
Welcome to the third edition of Pardon The Intrusion, where we explore the wild world of security.
Almost everyone agrees that two-factor authentication (2FA) is the holy grail when it comes to keeping our accounts safe from breaches. Still, it’s unbelievable how many companies screw this up, like Twitter did earlier this month.
The social media platform recently disclosed it “accidentally” used email addresses and phone numbers provided for account security purposes to target ads.
2FA can be implemented with SMS (the weakest way), an authenticator app, biometrics, or even a hardware security key that you plug into your device to sign-in to, say, a service like Google.
But Twitter’s egregious use of this information explicitly meant for one thing for something else entirely is not only a clear-cut case of a privacy violation, they also made phone numbers mandatory, even if you want to use an authenticator app for verification.
So, deleting a phone number from your Twitter settings all but withdraws your account from Twitter 2FA. Other major sites, including Google, Facebook, and GitHub, don’t make this a prerequisite.
Cybersecurity expert Matthew Green summed up this fuck up pretty well:
In all seriousness: whose idea was it to use a valuable advertising identifier as an input to a security system. This is like using raw meat to secure your tent against bears.
— Matthew Green (@matthew_d_green) October 8, 2019
Oof!
The sooner Twitter decouples the phone number requirement from 2FA, the better.
Now, onto more security news.
What’s trending in security?
- Motherboard’s Joseph Cox wrote about MPC, a phone company run by drug traffickers that sells custom-engineered phones capable of sending encrypted emails and messages. [Motherboard]
- Planting spy chips inside hardware equipment can cost as little as $200. But don’t get any ideas… [Wired]
- ESET researchers discovered an advanced malware strain — dubbed “Attor” — that’s been deployed to spy on diplomats and Russian-speaking users in Eastern Europe. [ESET]
- Researchers discovered a new malware strain called “Reductor” that allows hackers to manipulate HTTPS traffic by tweaking a browser’s random numbers generator, used to ensure a private connection between the client and server. [Kaspersky]
- A hacking group named “FIN7” is back on the scene after a short period of no activity. They’re now packing new evasion techniques to thwart traditional antivirus detection. [FireEye]
- The researchers over at McAfee concluded their deep dive that links the Sodinokibi/REvil ransomware — the same strain that was behind the coordinated Texas cyberattacks — to GandCrab, detailing their business model. [McAfee Labs]
- The Magecart cybercrime syndicate has been linked to Dridex — a banking Trojan that’s been employed in the theft of online banking credentials — and a threat group known as Carbanak. [MalwareBytes]
- Adware shows no signs of slowing down. Snaptube, a popular video downloader app for Android, was caught generating fake ad clicks and unauthorized premium purchases that users were forced to pay for. The app’s developer, Mobiuspace, blamed a third-party, called Mango SDK, for the fraudulent subscriptions and ad clicks. [Secure-D]
- Popular Android browser UC Browser has been downloading a third-party App Store app called 9Apps to devices over unsecured channels. [Zscaler ThreatLabZ]
- This new Mac “Tarmac” malware targets users via online malvertising (malicious advertising, get it?) campaigns that gather info about a victim’s hardware setup and send the details to a remote server. [ZDNet]
- Private equity firm Thoma Bravo intends to buy cybersecurity firm Sophos in a $3.9B deal, adding to its portfolio which already has McAfee, Barracuda Networks, Veracode, Imperva, and ConnectWise. [Sophos]
- There is a new kind of “jackpotting” malware attack that make ATMs eject all of the money inside them. [Motherboard]
- It’s India vs. WhatsApp: the government and Facebook-owned messaging platform are arguing over decrypting private messages for national security reasons. [Reuters]
- Attackers are banking on users’ trust in privacy and security related apps to install malware. In the latest instance, the malware disguised itself as Tor browser to collect some $40K in Bitcoin from Russian-speaking victims on the dark web. [ESET]
- Cozy Bear sounds cute, but it’s not: this Kremlin-backed hacking group suspected of breaching the Democratic National Committee ahead of the 2016 US elections, has evolved its tactics with new spyware in a campaign ESET calls ‘Operation Ghost’ targeting high-value victims in 3 different countries in Europe. [ESET]
- Researchers demonstrated a new way third-party apps on Echo and Google Home smart speakers can surreptitiously eavesdrop on users and phish for their passwords. It exploits a flaw in both Alexa and Google Home that renders the devices silent upon encountering the character “�” (U+D801, dot, space), making it seem like they had terminated while the apps were still running. [SR Labs]
Data Point
A survey — commissioned by HP as part of National Cybersecurity Awareness Month — has found that more than 70% of people across the US, UK, and Canada feel inevitable that their personal information will be compromised at least once in their life, with over 75% polled acknowledging it’s only going to get harder to protect their information.
Takeaway: Have to say, this is one helluva depressing statistic. We’ve reached a point where most of us have simply learned to accept data breaches as a fact of life, and move on. This desensitization sets a scary precedent because it reduces the pressure on organizations that handle our private data to do better.
Tweet of the week
Today the @nytimes chose to eliminate my role, stating that there is no need for a dedicated focus on newsroom and journalistic security. I strongly believe in what I do (and what we did), and to say I’m disappointed would be an understatement. (1/3)
— Runa Sandvik (@runasand) October 22, 2019
I’m grateful for the 3.5 years of collaboration and helping support brilliant journalists; it’s been amazing and exciting; I remain a fierce advocate for the mission of protecting reporters & sources, and I’m very disappointed to see this chapter brought to a sudden close. (2/3)
— Runa Sandvik (@runasand) October 22, 2019
I’ve already had an outpouring of questions and support – thank you! I’m going to take a little time off, and then look for how and where I can provide the greatest impact to help people see and hear the stories which need to be told, without compromising sources. (3/3)
— Runa Sandvik (@runasand) October 22, 2019
Securitip
[In this section, we ask security professionals about their top privacy and stips.]
This week, we asked Troy Hunt, noted security expert and operator of Have I Been Pwned, to share the one password security tip he swears by:
My number one tip in this space is to get a password manager. I use 1Password and every single password I use these days is randomly generated and stored securely. It’s the single best thing consumers can do to improve their security, plus it actually makes things easier as it’ll autofill logins on both my PC and mobile devices. It’s a win-win.
That’s it. See you all in two weeks. Stay safe!
Ravie x TNW (ravie[at]thenextweb[dot]com)
[Enjoyed this newsletter? You can sign up for it right here.]
Get the TNW newsletter
Get the most important tech news in your inbox each week.