Twitter Now Has Better Two-Factor Authentication, So Use It
By Brian Barrett | Sat, 23 Nov 2019 14:00:00 +0000
A hacking bounty, right to repair, and more of the week's top security news.
Last weekend, Iran shut off the internet for nearly all of its citizens in an attempt to quell demonstrations. The government was able to do so in part because it had already spent years consolidating power over ISPs. Not only were the country's 80 million people cut off from each other and the rest of the world, Iranian-Americans found themselves unable to contact family and friends. As of Friday afternoon, the internet was still mostly unavailable.
Iranian hackers also took the spotlight, as new research into state-sponsored group APT33 shows that they've recently—and worryingly—focused on industrial control systems. And notorious ICS hackers Sandworm have gone the other direction, according to new research from Google, planting malware in legitimate Android apps. And while people's Disney+ accounts are getting taken over, Disney itself wasn't hacked; attackers are using "credential stuffing," which takes advantage of reused passwords. (Get a password manager!)
Someone left 1.2 billion records exposed in a server online, including personal information and social media accounts. Websites are taking more permissions than they should when you visit. Thieves really are using Bluetooth scanners to decide which cars to steal from. DuckDuckGo has a new tool that automatically sends you to the encrypted version of millions of pages around the web. And take a minute this weekend to control what health and fitness data your phone or wearable collects, and what they do with it.
Finally, while Facebook has recently touted its anti-revenge porn tools, Katie Hill's ongoing ordeal shows just how far it still has to go.
And there's more. Every Saturday we round up the security and privacy stories that we didn’t break or report on in-depth but which we think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.
Twitter was relatively slow to offer its users two-factor authentication, and even when it did, it required you to hand over your phone number in order to use it. Security experts have warned for literally years about the dangers of linking 2FA with SMS messaging, chiefly because it exposes you to so-called SIM swap attacks, where hackers divert your phone number to a different device and use it to take over your accounts. Finally, Twitter has relented, allowing you to get started with two-factor authentication straight from an authenticator app or YubiKey, no phone number required. To do so, go to Twitter on the web, and click Settings & Privacy > Account > Security > Two-Factor Authentication. And for more on why you should, head here.
As of July 2020, all smartphones, computers, and smart TVs sold in Russia must have Russia-made software preinstalled. They can also have non-Russian apps and programs, but the requirement still raises concerns over surveillance, and speaks to Russia's continuing attempts to lock down the technology its citizens have access to.
Many large companies have so-called bug bounties, in which they pay outside security experts who discreetly share flaws in their software. Well-known hacker Phineas Fisher has turned that idea on its head, offering up to a six-figure payout for hackers who successfully target companies and share whatever documents they find with the public. It's an effort to spark a new wave of hacktivism, albeit an explicitly illegal one.
Right to repair issues affect everyone from Apple customers to farmers. But as US Marine Corps logistics officer Elle Ekman wrote in The New York Times this week, it impacts the military as well. She recounts how Marines often aren't allowed to repair their own equipment, having to send it back to the manufacturer instead. That deprives them of valuable experience that they may someday need on the battlefield. The process of fixing things is broken, even for those whose lives can depend on the ability to do so.