Twitter’s latest hack is big


Welcome to Cybersecurity 202! More in the semi-regular section of “How I’d Act as a Character in a Movie or TV Show”: A loved one is injured and dying, so I’m not just going to hold them, say, “Come with me!” and call out to other people for help. I’m calling 911.

Below: A look at Chinese surveillance in the wake of a crackdown on protests, and Meta faces a big fine over data processing. First:

Twitter can’t stay out of the regulators’ crosshairs

Already under heavy regulatory scrutiny since Elon Musk’s purchase of the company, Twitter could face even more government oversight after the records of 235 million accounts, and the email addresses associated with them, surfaced on an online forum.

The leak sets “the stage for anonymous handles to be linked to real identities,” my colleague Joseph Menn reports.

While the Federal Trade Commission declined to comment, an investigation was already underway into whether Twitter had broken an agreement in which it promised to better protect user data. Recently, the FTC asked Twitter whether it still had the resources to comply with that consent decree following Musk’s dramatic staff cuts.

Twitter has also faced growing regulatory scrutiny on the international front, a situation that will intensify after the latest revelations.

The hacker who claimed credit for obtaining the dataset advertised it for sale online on December 23 and said it contained 400 million records. Alon Gal, a co-founder of the Israeli security company Hudson Rock who discovered the post, later put the number of affected users at 235 million.

“This database is going to be used by hackers, political hacktivists and of course governments to further damage our privacy,” Gal said.

Joseph wrote: “The users with the least risk provided throwaway email addresses or those that were not associated with them elsewhere. But even they can be exposed to account takeover attempts, phishing or email threats.” Twitter did not respond to a request for comment on advice for its users.


The person who announced the data claims to have obtained the records in 2021 by scraping, using a since-patched vulnerability that Twitter disclosed in August 2022. Twitter said it became aware of the vulnerability in January 2022.

It’s not the first time hackers appear to have exploited this vulnerability. In what seems to be a separate incident, hackers were found in July 2022 to be selling 5.4 million Twitter account handles along with the associated email addresses and phone numbers.

By the way, January 2022 was when Twitter fired its two top security officials, including Peiter “Mudge” Zatko. Zatko would later file a whistleblower complaint with the Securities and Exchange Commission alleging that Twitter violated its 2011 consent decree, citing catastrophic missteps in security and privacy.

The hacker who released hundreds of millions of records last month has made further claims, some of which could not be independently verified, about celebrity names caught in the leak. The hacker is seeking $200,000 for the sale of the entire data set.

Gal’s firm tweeted that at least some of the claims appear to be connected to the overall breach.

“Piers Morgan, who appeared in the data samples provided by the Twitter hacker, his account was just hacked,” Hudson Rock tweeted. “This is probably not a coincidence: the disclosure of the email address may have been just what the hacker needed to find the password to the account, or social engineering in their own way.”

Regardless of who is in the actual data set, the suspected size of the breach would place it among the largest in U.S. history.

In a coincidence of timing, the Irish Data Protection Commission had announced on December 23 that it was investigating the breach affecting 5.4 million users – the same day the apparent second hacker posted the 235 million records.

In response to the emergence of the latest data set, the Irish Data Protection Commission said it “will investigate Twitter’s compliance with data protection law in relation to that security issue,” the BBC’s Chris Vallance reported on Dec. 30.


American regulators have also been following developments at the company since Musk took over. “We are following the latest developments on Twitter with deep concern,” the FTC said in response to the departures of privacy and security executives at the social media giant. “No CEO or company is above the law, and companies must follow our consent decrees.”

Musk has inspired lawmakers to issue warnings about his handling of the company, including Sen. Edward J. Markey (D-Mass.), who got into a Twitter spat with the company’s billionaire owner.

With Markey’s permission, The Post was able to create a “verified” impostor account in November pretending to be Markey. My colleague Geoffrey A. Fowler writes that he was able to impersonate Markey even after the company launched a new way to authenticate its paid “verified” accounts.

“It’s an absolute joke that Elon Musk, who prides himself on being a tech entrepreneur, can’t implement a working verification regime — except the users aren’t laughing,” Markey said.

  • “Twitter’s current leadership has failed to protect the platform from misinformation, failed to answer my simple questions regarding their anti-fraud protocols, and failed to demonstrate an understanding of the role their platform plays in our democracy,” he said.

China’s protests have seen intense use of surveillance

Protesters and human rights advocates believe that Chinese authorities may have used cell tower data to locate phones near areas that saw protests against China’s “zero covid” policy, leading to protesters being subjected to intense surveillance measures, Cate Cadell and Christian Shepherd report. China’s government has not acknowledged that protesters have been arrested, and The Post could not independently verify the protesters’ accounts.

“[The police] appears to have used some modern technology, network technology, and they have collected a data pool of phone numbers of all the people involved in the incident,” said a lawyer with direct knowledge of the demonstration cases, who spoke on condition of anonymity because of the sensitivity of the case. “People have been called in for questioning one after the other.”


Chinese authorities have deployed hundreds of millions of surveillance cameras, including cameras that use facial recognition technology, in cities across the country. The police procurement documents “also include technology used to scrape and analyze cellphone data from hundreds of domestic and foreign apps,” Cate and Christian write.

The Irish regulator fines Meta more than $400 million

The Irish Data Protection Commission (DPC) fined Facebook and Instagram a combined $414 million over how they process personal data for behavioral advertising, RTÉ Ireland’s Brian O’Donovan reports. The DPC investigated the companies following complaints that Facebook and Instagram, both owned by Meta, forced users to accept terms of service and would not allow them to opt out of the data processing tied to those terms.

Meta indicated it plans to appeal. “We strongly believe that our approach respects [the General Data Protection Regulation], and we are therefore disappointed by these decisions and intend to appeal both the content of the rulings and the fines,” a spokesperson for Meta told the broadcaster. “These decisions do not prevent targeted or personalized advertising on our platform. The decisions only concern which legal basis Meta uses when serving certain ads.”

The management of five firms linked to the Pegasus manufacturer NSO will be moved to London (The Guardian)

Rackspace confirms Play ransomware was behind recent cyber attack (Bleeping Computer)

  • Brandon Pugh is now policy director of the R Street Institute’s cybersecurity and emerging threats team. He was previously a senior fellow on that team.
  • CISA Director Jen Easterly speaks at the CES conference in Las Vegas at 10 a.m. local time on Thursday.
  • U.S. senators will speak at CES in Las Vegas at 2 p.m. local time on Friday.

Thank you for reading. See you tomorrow.
