Welcome to the third edition of Pardon The Intrusion, where we explore the wild world of security. Almost everyone agrees that two-factor authentication (2FA) is the holy grail when it comes to keeping our accounts safe from breaches. Still, it’s unbelievable how many companies screw this up, like Twitter did earlier this month. The social media platform recently disclosed it “accidentally” used email addresses and phone numbers provided for account security purposes to target ads. 2FA can be implemented with SMS (the weakest way), an authenticator app, biometrics, or even a hardware security key that you plug into your device to sign in to, say, a service like Google. Twitter’s egregious use of information explicitly meant for one thing for something else entirely is a clear-cut privacy violation, but that isn’t all: Twitter also makes a phone number mandatory for 2FA, even if you want to use an authenticator app for verification. So, deleting a phone number from your Twitter settings all but withdraws your account from Twitter 2FA. Other major sites, including Google, Facebook, and GitHub, don’t make this a prerequisite. Cybersecurity expert Matthew Green summed up this fuck up pretty well:
— Matthew Green (@matthew_d_green) October 8, 2019 Oof! The sooner Twitter decouples the phone number requirement from 2FA, the better. Now, onto more security news.
What’s trending in security?
Motherboard’s Joseph Cox wrote about MPC, a phone company run by drug traffickers that sells custom-engineered phones capable of sending encrypted emails and messages. [Motherboard]

Planting spy chips inside hardware equipment can cost as little as $200. But don’t get any ideas… [Wired]

ESET researchers discovered an advanced malware strain — dubbed “Attor” — that’s been deployed to spy on diplomats and Russian-speaking users in Eastern Europe. [ESET]

Researchers discovered a new malware strain called “Reductor” that allows hackers to manipulate HTTPS traffic by tampering with a browser’s random number generator, which is used to establish a private connection between the client and server. [Kaspersky]

A hacking group named “FIN7” is back on the scene after a short period of no activity. They’re now packing new evasion techniques to thwart traditional antivirus detection. [FireEye]
The researchers over at McAfee concluded their deep dive that links the Sodinokibi/REvil ransomware — the same strain that was behind the coordinated Texas cyberattacks — to GandCrab, detailing their business model. [McAfee Labs]

The Magecart cybercrime syndicate has been linked to Dridex — a banking Trojan that’s been employed in the theft of online banking credentials — and a threat group known as Carbanak. [MalwareBytes]

Adware shows no signs of slowing down. Snaptube, a popular video downloader app for Android, was caught generating fake ad clicks and unauthorized premium purchases that users were forced to pay for. The app’s developer, Mobiuspace, blamed a third party, Mango SDK, for the fraudulent subscriptions and ad clicks. [Secure-D]

Popular Android browser UC Browser has been downloading a third-party app store app called 9Apps to devices over unsecured channels. [Zscaler ThreatLabZ]

This new Mac “Tarmac” malware targets users via online malvertising (malicious advertising, get it?) campaigns that gather info about a victim’s hardware setup and send the details to a remote server. [ZDNet]

Private equity firm Thoma Bravo intends to buy cybersecurity firm Sophos in a $3.9B deal, adding to a portfolio that already includes McAfee, Barracuda Networks, Veracode, Imperva, and ConnectWise. [Sophos]

There is a new kind of “jackpotting” malware attack that makes ATMs eject all of the money inside them. [Motherboard]
It’s India vs. WhatsApp: the government and the Facebook-owned messaging platform are arguing over decrypting private messages for national security reasons. [Reuters]

Attackers are banking on users’ trust in privacy and security related apps to install malware. In the latest instance, the malware disguised itself as the Tor browser to collect some $40K in Bitcoin from Russian-speaking victims on the dark web. [ESET]

Cozy Bear sounds cute, but it’s not: this Kremlin-backed hacking group, suspected of breaching the Democratic National Committee ahead of the 2016 US elections, has evolved its tactics with new spyware in a campaign ESET calls ‘Operation Ghost’, targeting high-value victims in 3 different countries in Europe. [ESET]

Researchers demonstrated a new way third-party apps on Echo and Google Home smart speakers can surreptitiously eavesdrop on users and phish for their passwords. It exploits a flaw in both Alexa and Google Home that renders the devices silent upon encountering the character “�” (U+D801, dot, space), making it seem like the apps had terminated while they were in fact still running. [SR Labs]
Data Point
A survey — commissioned by HP as part of National Cybersecurity Awareness Month — has found that more than 70% of people across the US, UK, and Canada feel it is inevitable that their personal information will be compromised at least once in their life, with over 75% of those polled acknowledging it’s only going to get harder to protect their information. Takeaway: Have to say, this is one helluva depressing statistic. We’ve reached a point where most of us have simply learned to accept data breaches as a fact of life and move on. This desensitization sets a scary precedent because it reduces the pressure on organizations that handle our private data to do better.
Tweet of the week
— Runa Sandvik (@runasand) October 22, 2019
Securitip
[In this section, we ask security professionals about their top privacy and security tips.] This week, we asked Troy Hunt, noted security expert and operator of Have I Been Pwned, to share the one password security tip he swears by: That’s it. See you all in two weeks. Stay safe! Ravie x TNW (ravie[at]thenextweb[dot]com) [Enjoyed this newsletter? You can sign up for it right here.]