- The co-founder and chief executive of Twitter had his own account on the service briefly taken over by hackers.
- A group referring to itself as the Chuckling Squad said it was behind the breach of Jack Dorsey’s account.
- The profile, which has more than four million followers, tweeted out a flurry of highly offensive and racist remarks for about 15 minutes.
- Twitter says its own systems were not compromised, instead blaming an unnamed mobile operator.
- A source at the company confirmed to the BBC the hackers had used a technique known as “simswapping” (or “simjacking”) in order to control Mr Dorsey’s account.
- This is a technique whereby an existing phone number – in this case one associated with Mr Dorsey’s account – is transferred to a new Sim card, usually after attackers trick or bribe customer support staff at a mobile provider.
- By taking control of the number, the attackers were able to post tweets via text message directly on to Mr Dorsey’s Twitter account.
- While nowadays the overwhelming majority of users use mobile apps to tweet, Twitter’s early days were built around texting in updates – hence the character limit – and Twitter has kept this method, in part because of its use in developing countries with high data costs.
- The offensive messages – some posted directly by the @jack account, and others retweeted from other accounts – used the n-word and made anti-Semitic comments referencing the Holocaust.
- One post suggested there was a bomb at the social media company’s headquarters.
- A chat channel on Discord, a separate website, was apparently set up by the group to discuss and joke about the attack – but was quickly shut down.
- While the security lapse appears to have happened outside the company, it is still an embarrassing incident for Twitter, a service which hosts the world’s most powerful leaders.
*Source: BBC News, August 31, 2019
- Google has confirmed that it is rolling out an emergency update to the Google Chrome web browser over the coming days to fix a high-severity vulnerability that could allow attackers to take control of your Windows, macOS or Linux system.
- Neither Android nor iOS versions of the browser are affected by this vulnerability.
- However, the 2 billion people who use Chrome should be vigilant and ensure that their browser does update.
- In a security advisory posted on August 27, the Center for Internet Security revealed how the vulnerability in Google Chrome could allow an attacker to achieve remote arbitrary code execution.
- The advisory also warns that most at risk are large and medium government and business entities.
- Home users are still considered to be at risk, but this risk has been assessed as being low rather than high.
- “This vulnerability is a use-after-free vulnerability in Blink that can be exploited if a user visits, or is redirected to, a specially crafted web page,” the advisory stated. “Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser, obtain sensitive information, bypass security restrictions and perform unauthorized actions, or cause denial-of-service conditions.”
- An emergency update has already started to be rolled out, and users on all desktop platforms are advised to check their browser versions to ensure that the update has been installed.
*Source: Forbes, August 15, 2019
- Microsoft says that users who enable multi-factor authentication (MFA) for their accounts will end up blocking 99.9% of automated attacks.
- The recommendation stands not only for Microsoft accounts but also for any other profile, on any other website or online service.
- If the service provider supports multi-factor authentication, Microsoft recommends using it, regardless of whether it’s something as simple as SMS-based one-time passwords or an advanced biometrics solution.
- With over 300 million fraudulent sign-in attempts targeting Microsoft cloud services every day, enabling a multi-factor authentication solution blocks 99.9% of these unauthorized login attempts, even if hackers have a copy of a user’s current password.
- The 0.1% number accounts for more sophisticated attacks that use technical solutions for capturing MFA tokens, but these attacks are still very rare when compared to the daily hum of credential stuffing botnets.
- Microsoft’s boast that using MFA blocks 99.9% of automated account takeover (ATO) attacks isn’t the first of its kind.
- Back in May, Google said that users who added a recovery phone number to their accounts (and indirectly enabled SMS-based MFA) were also improving their account security.
*Source: ZDNet, August 27, 2019
- British travel company Teletext Holidays has suffered a data breach in which some 212,000 customer call audio files were left unprotected on an online server for three years, exposing customer names, email addresses, home addresses, phone numbers and dates of birth.
- Verdict discovered the files – which have since been removed – on an unsecured Amazon Web Services server.
- The calls took place between 10 April 2016 and 10 August 2016.
- They range from a few minutes to up to an hour and, based on accents, appear to involve UK customers.
*Source: Information Security Buzz, September 2, 2019
- An unknown number of Lexington County School District One students were among the many thousands of nationwide victims of a data breach earlier this year, the district revealed Friday.
- Pearson, a London-based educational software maker and one of the largest publishers of print and digital textbooks, notified Lexington County School District One about a “data security issue” that it had with one of its products, district spokeswoman Mary Beth Hill announced via email to local news media and parents Friday afternoon.
- The student data affected is limited to only students’ first and last names. No other student data such as birth date, middle names, home addresses, schools, or social security numbers were included.
- A Wall Street Journal article that broke the story earlier this year indicated the breach was limited, but said a significant portion of students nationwide also had their birth dates and email addresses stolen.
- The Sun reached out to Hill Friday evening for more details on the breach, but has yet to receive a reply.
- Pearson itself learned of the breach from the FBI in March of this year.
- Pearson began notifying educational institutions at least a month ago about the breach before Friday’s announcement by Lexington One.
- Based on information from the FBI and Pearson, as many as 13,000 schools and universities, mostly in the United States, were affected by the hack.
- Pearson said that, to its knowledge, none of the accessed student data has been misused and the chances of the data being misused are low since no financial data was accessed.
- The hack centered on a Pearson product called AIMSweb, a student-assessment tool used by Lexington One from 2010–2016, according to Hill.
- After Pearson notified Lexington One of the issue, the district worked with the company to understand the specific details related to the district’s data, according to Hill.
- Though the incident is considered “very low risk,” the district has encouraged parents to take advantage of the complimentary credit monitoring provided by Pearson for affected students through Experian.
*Source: Lexington Sun News, August 31, 2019