Twitter’s Support account published the following announcement on Tuesday:
“We recently found that some email addresses and phone numbers provided for account security may have been used unintentionally for advertising purposes. This is no longer happening and we wanted to give you more clarity around the situation: https://t.co/bBLQHwDHeQ” — Twitter Support (@TwitterSupport) October 8, 2019
Then, in the linked post, they proceeded not to give a lot of clarity. “We recently discovered that when you …
The post Twitter 2FA phone numbers “inadvertently” used for advertising purposes appeared first on Help Net Security.
When Twitter CEO Jack Dorsey’s account was hacked for roughly 20 minutes, we all got a glimpse of corporate identity theft, and why it matters. While the takeover was by no means a major cyberevent (and the account was quickly recovered), the fact remained that the CEO of a major company lost control of his account on a service that he literally controls.
Around the same time, an Instagram phishing scheme was circulating where users were prompted via a spoofed Instagram email to enter their logins and passwords after they were sent a 2-Factor authentication code. Instead of logging into their actual Facebook-hosted accounts, they found themselves on a replica of a legit Instagram page hosted in the Central African Republic. It was exactly the kind of attack that makes hacks like the one perpetrated against Jack Dorsey possible, and, more to the point, it’s why they happen literally every day.
Need more evidence? How about the unnamed CEO who was recently scammed to the tune of a couple hundred thousand dollars thanks to an audio deepfake that convincingly mimicked the voice of his boss–the CEO of a parent company–including the most subtle nuances of his German accent. The money was wired to Hungary, quickly transferred to Mexico and then dispersed amongst an untraceable number of other accounts.
Getting hacked is a fact of life, right up there with death and taxes. If you think you’re somehow above this third certainty in life, you’re all the more imperilled.
I could provide countless other examples, but they all boil down to a lesson that businesses are learning the hard way and what their customers already know: it’s easier to fall prey to identity theft than it is to prevent it.
The Goals of Business Identity Theft
If stealing an individual’s identity is lucrative, stealing a company’s identity can be the motherlode. Even a midsized company often has in its possession the data of thousands of customers, contacts, and contractors; a single official-looking email can open the door to innumerable types of fraud, both internally and externally.
The attack doesn’t need to focus directly on monetary prizes: the hijacking of Twitter’s CEO’s account garnered a lot of the wrong kind of publicity–and there is such a thing as bad publicity. In the hacking world, the prestige of making Jack Dorsey look foolish for twenty minutes most likely exceeds an anonymous hack of 100,000 accounts. Reputation is a powerful currency, and compromising the leadership of any company with an online presence represents a potent boost.
Consider what would happen were someone to hire that hacker to compromise a more important account–for saying’s sake, President Trump’s account. That control could actually affect world markets. The same could be said for hacks of any major leader in the public or private sectors. There is a huge financial upside to such hacking. It is crucial to bear this in mind at every moment of the day, and behave accordingly.
That said, data leaks, account takeovers and breaches start to look positively quaint in light of the potential sabotage represented by deepfakes.
People wire money on the basis of a phone call all the time. The harm caused by a phony corporate communication to shareholders or the general public could represent a catastrophic loss of money and confidence. Erratic behavior in the C-Suite can tank stock prices (just ask Elon Musk), and even crudely faked videos have gone viral (just ask Nancy Pelosi or Mark Zuckerberg).
We’ll be seeing deliberate attempts to damage the reputations of businesses and their leadership as deepfake technology becomes more ubiquitous, and with that in mind it’s time to level up.
What Businesses Can Do:
My advice for businesses faced with having their identities hijacked is similar to my advice for individuals–practice The Three Ms.
Minimize Your Risk of Exposure: Put resources into training your staff to recognize phishing scams and to practice good cyber hygiene. Vet contractors and vendors based on their security practices to minimize supply chain risk. Consider requiring employees to log in to a VPN (virtual private network), especially if they’re connecting to the company network remotely. It’s often the sloppiest of mistakes that give hackers access to your business. Training and sound cybersecurity policies can fill in the gaps where technology often fails.
Monitor Everything: Establish a policy at your business about transferring funds; in the era of deepfakes, it’s important to know who is likely to request access to money, and how it should be handled. Always double check by getting confirmation on the phone. Any system can introduce vulnerabilities, and newly introduced technology especially so. Create a culture where employees know that if they see something, they will be rewarded for saying something. Cybersecurity is a team sport.
Manage the Damage: When it comes to a compromise of your company’s identity, honesty is the best policy. Own up to a data breach as quickly as possible (especially if you are subject to the GDPR’s 72-hour requirement), be transparent about lapses in security, and review any policies that allowed the compromise to occur in the first place. Jack Dorsey’s Twitter hack may have been embarrassing, but the company moved quickly to close the security loophole that allowed it to happen. Perhaps most important, have some empathy. Cyber-fails are scary. Remember, your news might be more traumatic for your customers or clients than it is for you, and act accordingly.
The post Companies Can Have Their Identities Stolen, Too. Here’s What to Do About It. appeared first on Adam Levin.
A new tool in the fight against online disinformation has been launched, called BotSlayer, developed by Indiana University’s Observatory on Social Media. The software, which is free and open to the public, scans social media in real time to detect evidence of automated Twitter accounts – or bots – pushing messages in a coordinated manner, an increasingly common practice to manipulate public opinion by creating the false impression that many people are talking about …
The post BotSlayer tool can detect coordinated disinformation campaigns in real time appeared first on Help Net Security.
Should Google really be helping the FBI with a bank robbery? What’s the story behind the Twitter CEO claiming there’s a bomb in their offices? And how much does your car really know about you?
And we mourn the loss of Doctor Who legend Terrance Dicks…
In the wake of the CEO of Twitter having his account hijacked, the site has disabled the option to tweet via SMS.
Twitter co-founder Jack Dorsey had his account hijacked, after his mobile phone provider allowed someone else to seize his number.
It was another bumper 'Patch Tuesday', with Microsoft releasing security updates for 93 security vulnerabilities, including 31 rated 'critical', in Windows, Server 2019, IE, Office, SharePoint and Chakra Core.
- Cybersecurity Firm Imperva Discloses Breach
- Eurofins Scientific Cyber-attack leads to a backlog of 20,000 UK Forensic Samples
- Serious Cyber Attack could trigger full NATO response, says Jens Stoltenberg
- TfL takes the Oyster system offline after Customer Accounts accessed
- TGI Fridays frantically warn customers to urgently change app passwords
- French 'Cybercops' dismantle Pirate Computer Network
- Twitter boss Jack Dorsey’s account hacked sending out a stream of offensive messages
- BioStar 2 Database Leaked One Million Fingerprints and Facial Recognition Data
- Capital One accused 'breached 30 other organisations'
- A Researcher uses GDPR’s Right of Access to steal others’ personal information
- 700,000 Choice Hotels Customer Records Compromised
- Honda Motors Company databases leaked 40GB of employee data
- North Korea took $2 billion in Cyberattacks to fund weapons program according to a U.N. report
- Pearson Data Breach Impacts thousands of University Accounts
- Google finds 'indiscriminate iPhone attack lasting years'
- Microsoft Patches 93 Vulnerabilities, including 31 Critical for Windows, Server 2019, IE, Office, SharePoint & ChakraCore
- BlueKeep-like RCE flaws in RDP among 93 Vulnerabilities Patched by Microsoft
- Adobe Releases Fixes for at least 76 ‘important’ Vulnerabilities in Acrobat and Acrobat Reader
- Intel Rolls Out Security Updates for Seven Product Lines, three rated as High
- Critical Patches released for Adobe Photoshop
- Cisco issues multiple product updates, fixes critical flaws in small business switches
- U.S. renews temporary license allowing companies to sell to Huawei, adds 45 to blacklist
- Huawei confident UK will resist 'politically motivated' pressure from US over 5G
- MegaCortex variant redesigned as self-executing, incorporates features of the previous version
- Recorded Future Research: Hacktivism activity and chatter has markedly dropped since 2016
- Exabeam Survey: Red/Blue team exercises show defensive Shortfalls
- Risk-Based Security 2019 MidYear QuickView Data Breach Report: 4 Billion Records Exposed
- Cloud Atlas Threat Group Updates Weaponry with Polymorphic Malware
- New Saefko Trojan focuses on Stealing Credit Card details and Crypto wallets
- LokiBot Malware now hides its source code in Image Files
The past few weeks have proven to be wins for family safety with several top social networks announcing changes to their policies and procedures to reduce the amount of hateful conduct and online bullying.
Twitter: ‘Dehumanizing Language Increases Risk’
In response to rising violence against religious minorities, Twitter said this week that it would update its hateful conduct rules to include dehumanizing speech against religious groups.
“Our primary focus is on addressing the risks of offline harm, and research shows that dehumanizing language increases that risk . . . we’re expanding our rules against hateful conduct to include language that dehumanizes others based on religion,” the company wrote on its Twitter Safety blog.
Twitter offered two resources that go in-depth on the link between dehumanizing language and offline harm and that are worth reading and sharing with your kids. Experts Dr. Susan Benesch and Nick Haslam and Michelle Stratemeyer define hate speech, talk about its various contexts, and advise on how to counter it.
Instagram: ‘This intervention gives people a chance to reflect.’
Instagram announced it would be rolling out two new features to reduce potentially offensive content. The first, powered by artificial intelligence, prompts users to pause before posting. For instance, if a person is about to post a cruel comment such as “you are so stupid,” the user will get a pop-up notification asking, “are you sure you want to post this?”
A second anti-bullying function new to Instagram is called “Restrict,” a setting that will allow users to discreetly block bullies from looking at their account. Restrict is a quieter way to cut someone off from seeing your content than blocking, reporting, or unfollowing, which could spark more bullying.
These digital safety moves by both Instagram and Twitter are big wins for families concerned about the growing amount of questionable content and bullying online.
If you get a chance, go over the basics of these new social filters with your kids.
Other ways to avoid online bullying:
Wise posting. Encourage kids to pause and consider tone, word choice, and any language that may be offensive or hurtful to another person, race, or gender. You are your child’s best coach and teacher when it comes to using social apps responsibly.
Stay positive and trustworthy. Coach kids around online conflict and the importance of sharing verified information. Encourage your child to be part of the solution in stopping rumors and reporting digital skirmishes and dangerous content to appropriate platforms.
Avoid risky apps. Apps like ask.fm that allow anonymity should be off limits. Kik Messenger, Yik Yak, Tinder, Down, and Whisper may also present risks. Remember: Any app is risky if kids are reckless with privacy settings, conduct, content, or the people they allow to connect with them.
Layer security. Use a comprehensive solution to help monitor screentime, filter content, and monitor potentially risky apps and websites.
Monitor gaming communities. Gaming time can skyrocket during the summer and, in a competitive environment, so can cyberbullying. Listen in and monitor game time conversations and make every effort to help your child balance summer gaming time.
Make profiles and photos private. Require kids under 18 to make all social profiles private. By doing this, you limit online circles to known friends and reduce the possibility of cyberbullying and online conflict.
The post Family Safety: Twitter, Instagram Beef Up Measures to Fight Hate Speech, Bullying appeared first on McAfee Blogs.