Tag Archive for: required

Twitter employees required to use security keys after 2020 hack

Twitter rolled out security keys to its entire workforce and made two-factor authentication (2FA) mandatory for accessing internal systems following last year’s hack.

The company migrated all of its employees from legacy 2FA using SMS or authenticator apps to security keys in less than three months, according to Twitter’s Senior IT Product Manager Nick Fohs and Senior Security Engineer Nupur Gholap.

“Over the past year, we’ve accelerated efforts to increase the use of security keys to prevent phishing attacks,” they said.

“We’ve also implemented security keys internally across our workforce to help prevent security incidents like the one Twitter suffered last year.”

After the July 2020 hack, Twitter revealed that the attackers took control of dozens of high-profile accounts after stealing Twitter employees’ credentials following a phone spear-phishing attack on July 15, 2020.

Graham Clark, the 17-year-old who pleaded guilty to fraud charges after coordinating the hack, sold access to those accounts and, later, used verified Twitter accounts of companies, politicians, executives, and celebrities he took over to run a cryptocurrency scam.

He was arrested following a joint operation coordinated by the FBI, the IRS, and the Secret Service.

Security keys and 2FA on Twitter

Twitter continuously upgraded and improved the platform’s 2FA support throughout the last few years, with a clear focus on security keys as the primary 2FA method.

It first added security keys as one of several 2FA methods on the web in 2018, and two years later, in December 2020, it let 2FA-enabled accounts use them when logging into the mobile apps as well.

Support for security keys was later upgraded to the WebAuthn standard, which delivers secure authentication over the web and makes it possible to use 2FA without a phone number.

In 2021, Twitter added support for using multiple…


Constant Vigilance Required to Defeat Continually Evolving Phishing Threats


It has been a year since states first enacted shelter-in-place orders and most employees began working from home, outside their office networks. In 2020, phishing attacks grew 42%, according to new data in SlashNext’s State of Phishing 2021 report. The average cost of a corporate breach was $2.8 million, making phishing an urgent issue.

What were once spray-and-pray bulk phishing attacks, easily recognized by their lousy grammar and poor-quality logos, have been replaced by mass quantities of high-quality, highly targeted spear-phishing attacks that imitate messages from trusted sources. Bad actors have become far more sophisticated at using automation, AI, and behavioral targeting to launch spear-phishing attacks aimed at harvesting our personal and corporate information from the same devices.

Phishing attacks, automated across people’s digital footprints, moved faster than defenses. Short-lived phishing URLs gather valuable personal information and move on within 40-45 minutes to evade detection. Attacks generating 20,000+ subpages in 36 hours were too fast for human forensics to stop.

One of the most dangerous aspects of all this is that phishing attempts often come from legitimate infrastructure. Cybercriminals used a variety of strategies to evade traditional phishing defenses, including compromised pages hosted on Google, Adobe, or Microsoft domain names, which made them difficult to detect.

Targeting Microsoft Users

Even before the sudden shift to a distributed work environment, Microsoft 365 was a popular phishing target. Instead of being limited to email, bad actors launched attacks on OneDrive, Teams, and other Microsoft communication channels.

These attackers can be highly targeted, using information specific to each channel. So, not only have we detected a dramatic increase in attacks targeting Microsoft users, but the success of these attacks has been unprecedented.

Companies rely on first-generation tools to defend against phishing attacks, whether they secure their email gateways, proxies, firewalls, or other endpoints. Even some of the newer security solutions have been…


Twitter finally upgrades its 2FA security feature. Mobile number no longer required!

Hundreds of millions of Twitter users now have an improved way to better safeguard their accounts from being compromised.

Graham Cluley

15,000 private webcams left open to snooping, no password required

Once again concerns are being raised about the sorry state of IoT security, after a security researcher discovered over 15,000 private webcams that have been left wide open for anyone with an internet connection to spy upon.

Read more in my article on the Bitdefender BOX blog.

Graham Cluley