What does this mean for users?
Two-Factor Authentication and its Implications for Social Networks and Mobile Phones in the United States, Europe, and Brazil
While historically a popular form of 2FA, we have seen phone-number based 2FA being used by bad actors. Unless you’re a Twitter Blue subscriber, we will no longer allow accounts to enroll in the text message/sms method of 2FA.
This second piece of information helps to prove that the person logging in is actually you. While billions of passwords have been compromised online, the 2FA code is often delivered to or created by the device that is in your pocket. It is better to have any kind of two-factor authentication turned on. However, it isn’t entirely foolproof. For years, security researchers have warned that SMS-based two-factor authentication isn’t as secure as other 2FA options.
There is only a blue area in the US, Canada, Australia, New Zealand, Japan, Saudi Arabia, France, Germany, Italy, Spain, India, Indonesia, and Brazil. The company says that it will expand.
Twitter is “chaotic”: Why phone number-based two factor authentication is better than nothing — or is SIM-swapping safer?
This announced change to the platform is just the latest in a series of decisions causing serious upheaval at the social media company following Elon Musk’s takeover last year.
Twitter says the reason for this move is due to phone number-based two-factor authentication being “abused by bad actors.” But the planned move has riled up many users, concerned about wider implications.
In an email to NPR, she called this decision another one of Musk’s “chaotic moves.” She has been critical of recent actions by Twitter following Musk’s takeover of the company.
Gavan Reilly, a reporter in Ireland, tweeted that Twitter Blue isn’t even available in his country yet, “so there is literally no option to maintain the current choice of security.”
She noted that telling people to use authenticatorapp is nice, but what if the app is blocked by the government or it gets banned from the app store?
And there are apps, like Duo, that won’t work in certain countries if a user’s IP address originates in a region sanctioned by the the U.S., including Cuba, Iran, Syria, and areas in Ukraine controlled by Russian forces.
It’s considered “better than nothing,” but she notes it’s actually one of the least secure measures to use. That’s “because of a relatively simple attack called a ‘sim swap’ that has become more and more common.”
“An attacker can trick your phone company into giving them your phone number and cause them to send a 2 factor code to themselves”, she said.
If you’re looking for ways to protect your online accounts from being taken, 2FA is a good option. 2FA will require you to sign in with your password and usernames and use another piece of information to verify the account is legit. The temporary code is generated or sent to you in real time.
That’s because SIM-swapping attacks, where phone numbers are compromised by attackers, let criminals access 2FA messages and break into accounts. Put simply: Using another 2FA option, even if it is slightly less convenient, is your best option.
Instead of sending your six-digit authentication code via SMS message, authenticator apps are constantly generating the codes themselves and are synced with the services you use. Authenticator apps list all the websites you have registered with them and display the codes you need to enter to log in. These codes refresh every 30 seconds. The authenticator app will give you the verification code after you sign up for a website or app. It is helpful if your phone does not have internet.
Physical security keys are one of the most secure methods of multi-factor authentication. They also are for logging in to other websites. You can use a physical key to get into the phone in just a few steps. There are more security issues that iPhone users need to worry about. Research published this week details a new class of bugs that affected Apple’s iOS and macOS that could have potentially allowed an attacker to access a target’s message, photos, and call histories. Updating to the latest version of those operating systems is a must.
U.S. Military Email Leak: Why China isn’t a Good Friends of Silicon Valley, despite How Russia Attacks Ukraine
If anyone knows what it’s like to be targeted by hackers, it’s Ukraine. Over the past year, the country’s systems have faced an unprecedented Russian bombardment of data-destroying “wiper” malware, according to multiple cybersecurity firms. Researchers claim that Russia unleashed more attacks on the Ukraine than it has ever done against the neighbor. The only upside—if you can call it that—is that the newly discovered wipers are less destructive than earlier Russian wipers, especially compared to NotPetya, which Russia unleashed on Ukraine in 2017. $10 billion in damage was done by the malware around the world.
In addition to cyberattacks, Russia’s war has also severely impacted Ukraine’s electric grid, which has caused blackouts and internet outages. To keep themselves online and connected to each other and the world, Ukrainians have increasingly turned toward high-capacity lithium-ion batteries to keep cell phone towers online when Russia attacks Ukraine’s electric grid.
Elsewhere in the world, China hawks in the US Congress continue to gather support for a nationwide ban on TikTok, which is owned by China-based ByteDance. Some are wondering why TikTok is the focus of so much attention when it comes to American privacy when compared to US-based tech firms. The answer? China isn’t a good friend of Silicon Valley.
That notion doesn’t always ring true. Mozilla researchers this week say they found rampant inaccuracies in the privacy claims app developers make on Google Play’s Data Safety labels. Facebook received a “poor” grade from Mozilla, while Google’s YouTube, Gmail, and Google Maps apps ranked as “needs improvement.”
Source: https://www.wired.com/story/us-military-email-leak/
Breaking the News: Cryptanalysis of a Leaked Server of Internal Pentagon e-mails on Microsoft’s Azure Platform
But that isn’t the only thing. Each week, we round up the security news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.
On Tuesday, TechCrunch reported that the US Department of Defense had secured an unprotected server that had been leaking internal US military emails to anyone who knew where to look. terabytes of internal military emails were stored in an internal government mailbox system which was hosted on the Microsoft’s Azure platform. The server had a simple misconfiguration that let anyone with the server’s internet protocol address access sensitive data using a web browser.
The exposed server was discovered by security researcher Anurag Sen, who provided the details to TechCrunch. The data had been exposed for two weeks, but it’s unclear if anyone other than Sen accessed it while it was available.