Twitter employees required to use security keys after 2020 hack

Twitter employees required to use security keys after 2020 hack

Twitter rolled out security keys to its entire workforce and made two-factor authentication (2FA) mandatory for accessing internal systems following last year’s hack.

The company migrated all of its employees from legacy 2FA using SMS or authenticator apps to security keys in less than three months, according to Twitter’s Senior IT Product Manager Nick Fohs and Senior Security Engineer Nupur Gholap.

“Over the past year, we’ve accelerated efforts to increase the use of security keys to prevent phishing attacks,” they said.

“We’ve also implemented security keys internally across our workforce to help prevent security incidents like the one Twitter suffered last year.”

After the July 2020 hack, Twitter revealed that the attackers took control of dozens of high-profile accounts after stealing Twitter employees’ credentials following a phone spear-phishing attack on July 15, 2020.

Graham Clark, the 17-year-old who pleaded guilty to fraud charges after coordinating the hack, sold access to those accounts and, later, used verified Twitter accounts of companies, politicians, executives, and celebrities he took over to run a cryptocurrency scam.

He was arrested following a joint operation coordinated by the FBI, the IRS, and the Secret Service (court documents here).

Security keys and 2FA on Twitter

Twitter continuously upgraded and improved the platform’s 2FA support throughout the last few years, with a clear focus on security keys as the primary 2FA method.

It first added security keys as one of several 2FA methods on the web in 2018 and included support for using them by 2FA-enabled accounts when logging into mobile apps two years later, in December 2020.

Support for security key was later upgraded to the WebAuthn standard, which delivers secure authentication over the web and makes it possible to use 2FA without a phone number.

In 2021, Twitter added support for using multiple…


Facebook wants to turbo-charge smart glasses. Researcher wonders if it can do it right

Facebook wants to turbo-charge smart glasses. Researcher wonders if it can do it right

A computer security and privacy researcher who also is an investor in augmented reality took a look at Facebook’s latest smart-glasses project and found biometric-identifier concerns for the recordable world as well as for the recorder.

In an opinion article published by The Conversation, Indiana University computer science professor Apu Kapadia compares Facebook’s Ego4D project with what he and his IU team have learned in studying sociological facets of people walking the Earth with AI-supported recording and reporting devices on their faces.

The Ego4D dataset can be used for algorithmic training, from biometric recognition to robotics performance in unstructured environments. Facebook is keen to facilitate development that would make smart glasses almost a new external lobe of the human brain.

Kapadia writes that biometric privacy concerns and AI ethics demand that Facebook executives frame in their own minds how dangerous and socially disruptive smart glasses will be if treated as another revenue-producing app.

(The researcher is an investor in Snap Inc., owner of augmented-reality social media service Snapchat. He also has been funded by the National Science Foundation, the Department of Defense and Microsoft Research; and had twice received Google’s faculty research award.)

It is good advice and timely as Facebook defends itself against insider accusations that leaders allegedly have chosen profits over the safety and health of their own subscribers, some of whom are children.

And, earlier this fall, the company had to disable an AI algorithm said to be the source of photos of Black men labeled “primates.”

Ego4D, is an egocentric, or first-person, video dataset available to the public, with benchmarks. The video and audio data, totaling 3,025 narrated hours of mostly “unscripted” content, was collected by 855 participants in nine countries as they went about their lives wearing smart glasses for up to 10 hours a day.

Privacy concerns by and angry reaction of people seeing that they are being recorded by smart glasses are well-reported, spawning the term glasshole for wearers of Google’s Glass. And that was before an increase in…


Most of auto industry, including vehicles themselves, vulnerable to hacking

As cyber threats increase, automakers and regulators are scrambling to safeguard an automotive industry as interconnected as the vehicles being produced.

A wave of thefts of luxury vehicles in Ontario shows that hackers are finding openings. In Ottawa, nearly one of every four stolen vehicles is a Lexus or high-end Toyota, taken by thieves who hack the vehicles and then drive those vehicles to Montreal for shipment across the world, say police. The thefts have prompted increases in security.

But while those thefts get attention, security experts warn that much of the industry’s exposure lies below the surface.

“People need to be aware that it’s possible to hack a vehicle, to hack the infrastructure, to hack manufacturers and their supply chains — that’s all possible to do right now, today,” said François Couderc, a Quebec City based cybersecurity specialist with the defence contractor Thales Group.

Companies are reluctant to say they’ve been hacked, fearing repeat attacks and customer and shareholder anxiety, Couderc said.

However, nearly one-third of suppliers responding to a survey by KPMG and the Automotive Parts Manufacturers’ Association (APMA) reported suffering a cyber breach in the past year. Phishing attacks — in which an employee clicks on an email link that spreads malware throughout a poorly secured network — are an easy way in.

“Given the move to people working remotely, given the move to working in the cloud, this didn’t surprise me,” John Heaton, a partner in KPMG’s cybersecurity practice, told Automotive News Canada.

More concerning, Heaton said, was a finding that just 32 per cent of respondents have an enterprise-wide cyber strategy. In an intertwined industry with its vast range of entry points, trouble can spread fast.


“It’s a global market,” Heaton said. “You source globally, and you’ve got a supply chain that is quite transparent. The [automaker] shares with the Tier 1, who shares with the Tier 2 … but that sharing of data and that [vehicle] product, which is ultimately a moving computer, creates a lot of places to attack.”

A “Closing the Cybergap” plan issued in February by…


FBI Raids Chinese Point-of-Sale Giant PAX Technology – Krebs on Security

U.S. federal investigators today raided the Florida offices of PAX Technology, a Chinese provider of point-of-sale devices used by millions of businesses and retailers globally. KrebsOnSecurity has learned the raid is tied to reports that PAX’s systems may have been involved in cyberattacks on U.S. and E.U. organizations.

FBI agents entering PAX Technology offices in Jacksonville today. Source:

Headquartered in Shenzhen, China, PAX Technology Inc. has more than 60 million point-of-sale terminals in use throughout 120 countries. Earlier today, Jacksonville, Fla. based reported that agents with the FBI and Department of Homeland Security (DHS) had raided a local PAX Technology warehouse.

In an official statement, investigators told WOKV only that they were executing a court-authorized search at the warehouse as a part of a federal investigation, and that the inquiry included the Department of Customs and Border Protection and the Naval Criminal Investigative Services (NCIS). The FBI has not responded to requests for comment.

Several days ago, KrebsOnSecurity heard from a trusted source that the FBI began investigating PAX after a major U.S. payment processor started asking questions about unusual network packets originating from the company’s payment terminals.

According to that source, the payment processor found that the PAX terminals were being used both as a malware “dropper” — a repository for malicious files — and as “command-and-control” locations for staging attacks and collecting information.

“FBI and MI5 are conducting an intensive investigation into PAX,” the source said. “A major US payment processor began asking questions about network packets originating from PAX terminals and were not given any good answers.”

KrebsOnSecurity reached out to PAX Technology’s CEO on Sunday. The company has not yet responded to requests for comment.

The source said two major financial providers — one in the United States and one in the United Kingdom — had already begun pulling PAX terminals from their payment infrastructure, a claim that was verified by two different sources.

“My sources say that there is tech proof of the…