Tag Archives: twitter

@MIBulgaria and @GovBulgaria are now official on Twitter

Post Syndicated from Боян Юруков original https://yurukov.net/blog/2023/mibulgaria-govbulgaria-official/

For several weeks now, the @MIBulgaria and @GovBulgaria accounts on Twitter have been official. I created them 13 and 9 years ago, respectively, to post documents, news and events from the Ministry of Interior (МВР) and the Council of Ministers. Until recently both were duly marked as unofficial and labelled as automated, as Twitter's rules require.

In the beginning, the unofficial Ministry of Interior account received its news via Yahoo Pipes. I created it alongside the account for missing persons, after I realised how disorganised the police bulletin is and how hard it is to find anything in it. 13 years later that has not changed, but the missing persons project remains partly frozen. Later I built a whole network of accounts and information tools grouped around GovAlertEU. I will soon write again with news about tracking the overbuilding of our cities.

Meanwhile the accounts gained popularity because they were genuinely informative in a way that was hard to achieve before. Each gathered over 10 thousand followers, and they were cited by MPs, diplomats and European institutions. Some ministries and other institutions created their own accounts, but these two did not, which is why I still maintain them.

A few years ago there was interest from the ministry's PR team in taking over the Ministry of Interior account. They even had access for a while and posted messages. However, given the lack of continuity at many levels in our institutions, of a lasting communication strategy, and of an understanding of how important the right approach to social media is, that attempt failed.

A few weeks ago, independently of each other, representatives of the Council of Ministers and the Ministry of Interior contacted me and wanted to try again. The goal was for them to take full control over the content while partial automation of posting news from their websites remains, with me helping them free of charge with security and other maintenance. You will find the descriptions of both accounts changed and the automation labels removed.

At this stage, verification of the accounts is not planned. The reason is partly the pilot nature of this experiment, partly financial. Above all, though, Twitter has serious problems with verification, and we see some sites unrelated to any institution receiving verification regardless. Still, verification as an institution is a must in the medium term and will happen when the respective teams have the capacity to take over full maintenance of all aspects of the Twitter presence.

The post @MIBulgaria and @GovBulgaria are now official on Twitter first appeared on Блогът на Юруков.

Failures in Twitter’s Two-Factor Authentication System

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/11/failures-in-twitters-two-factor-authentication-system.html

Twitter is having intermittent problems with its two-factor authentication system:

Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the mechanism. But users have been self-reporting issues on Twitter since the weekend, and WIRED confirmed that on at least some accounts, authentication texts are hours delayed or not coming at all. The meltdown comes less than two weeks after Twitter laid off about half of its workers, roughly 3,700 people. Since then, engineers, operations specialists, IT staff, and security teams have been stretched thin attempting to adapt Twitter’s offerings and build new features per new owner Elon Musk’s agenda.

On top of that, it seems that the system has a new vulnerability:

A researcher contacted Information Security Media Group on condition of anonymity to reveal that texting “STOP” to the Twitter verification service results in the service turning off SMS two-factor authentication.

“Your phone has been removed and SMS 2FA has been disabled from all accounts,” is the automated response.

The vulnerability, which ISMG verified, allows a hacker to spoof the registered phone number to disable two-factor authentication. That potentially exposes accounts to a password reset attack or account takeover through password stuffing.

This is not a good sign.
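The STOP behaviour reported above is a design lesson worth making concrete: an inbound SMS keyword is not an authenticated request, because the sender number of a text is not verified by the receiving service. The following is an added example, not Twitter's code; the account model, the two handlers and the login rule are assumptions about how such a service could be built. It shows a handler that behaves as the ISMG report describes next to one that honours the carrier opt-out without downgrading authentication.

```python
"""Added example (not Twitter's code): handling an inbound SMS "STOP"
without letting it remove a second factor. All structures here are
assumptions made for the illustration."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Account:
    handle: str
    phone: Optional[str]            # phone registered for SMS 2FA
    sms_2fa: bool = True            # second factor required at login
    sms_opted_out: bool = False     # carrier-level "stop texting me" flag
    events: List[str] = field(default_factory=list)


def _accounts_for(phone: str, accounts: List[Account]) -> List[Account]:
    return [a for a in accounts if a.phone == phone]


def handle_stop_vulnerable(sender: str, accounts: List[Account]) -> str:
    """Mirrors the reported behaviour: a STOP from a number removes the
    phone and disables SMS 2FA on every account using it. Because the
    sender of an SMS is not authenticated, the keyword alone is being
    trusted as proof of account ownership."""
    for a in _accounts_for(sender, accounts):
        a.phone = None
        a.sms_2fa = False
    return "Your phone has been removed and SMS 2FA has been disabled from all accounts"


def handle_stop_hardened(sender: str, accounts: List[Account]) -> str:
    """Honour the opt-out (stop sending texts) without weakening login:
    the factor stays required, and it can only be removed or replaced
    from a fully authenticated session. The event is recorded so that
    unexpected opt-outs can be alerted on."""
    for a in _accounts_for(sender, accounts):
        a.sms_opted_out = True
        a.events.append("sms_opt_out_received")
    return ("You will no longer receive texts. Login still requires your "
            "second factor; manage it from account settings.")


def login_allowed(acct: Account, password_ok: bool, sms_code_ok: bool) -> bool:
    """Login decision. An opted-out phone cannot receive codes, so the
    login is refused rather than downgraded to password-only; recovery
    belongs in a separate, verified flow."""
    if not password_ok:
        return False
    if not acct.sms_2fa:
        return True                      # only reachable in the vulnerable model
    if acct.sms_opted_out or acct.phone is None:
        return False
    return sms_code_ok


def remove_sms_factor(acct: Account, session_fully_authenticated: bool) -> bool:
    """The only legitimate path to drop the factor: a session that has
    already passed both factors (assumed to be checked by the caller)."""
    if not session_fully_authenticated:
        return False
    acct.sms_2fa = False
    acct.phone = None
    acct.events.append("sms_2fa_removed_by_user")
    return True
```

The useful check is the login outcome after a STOP: with the first handler a password alone now logs the account in, with the second it does not, and the opt-out event gives a detection hook for accounts whose second factor suddenly stops working.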

Mudge Files Whistleblower Complaint against Twitter

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/08/mudge-files-whistleblower-complaint-against-twitter.html

Peiter Zatko, aka Mudge, has filed a whistleblower complaint with the SEC against Twitter, claiming that they violated an eleven-year-old FTC settlement by having lousy security. And he should know; he was Twitter’s chief security officer until he was fired in January.

The Washington Post has the scoop (with documents) and companion backgrounder. This CNN story is also comprehensive.

EDITED TO ADD: Another news article. Slashdot thread.

EDITED TO ADD (9/2): More info.

Twitter Exposes Personal Information for 5.4 Million Accounts

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/08/twitter-exposes-personal-information-for-5-4-million-accounts.html

Twitter accidentally exposed the personal information—including phone numbers and email addresses—for 5.4 million accounts. And someone was trying to sell this information.

In January 2022, we received a report through our bug bounty program of a vulnerability in Twitter’s systems. As a result of the vulnerability, if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any. This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.

In July 2022, we learned through a press report that someone had potentially leveraged this and was offering to sell the information they had compiled. After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.

This includes anonymous accounts.

This comment has it right:

So after forcing users to enter a phone number to continue using Twitter, despite Twitter having no need to know the user's phone number, they then leak the phone numbers and associated accounts. Great.

But it gets worse… After being told of the leak in January, rather than disclosing the fact that millions of users' data had been open for anyone who looked, they quietly fixed it and hoped nobody else had found it.

It was only when the press started to notice that they finally disclosed the leak.

That isn’t just one bug causing a security leak—it’s a chain of bad decisions and bad security culture, and if anything should attract government fines for lax data security, this is it.

Twitter’s blog post unhelpfully goes on to say:

If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened. To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.

Three news articles.
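The bug Twitter describes is a classic account-enumeration flaw: an endpoint that, given an email or phone number, tells the caller which account it belongs to. The following is an added example, not Twitter's code; the directory, the function names and the rate-limit numbers are constructed for the illustration. It places the leaking lookup next to a "find my account" flow that gives the same answer whether or not the identifier is on file, delivers the handle only to the identifier itself, rate limits per client and per identifier, and logs identifiers only as keyed hashes.

```python
"""Added example (not Twitter's code): an enumerable contact lookup next
to a hardened account-recovery flow. Data and limits are constructed."""
import hashlib
import hmac
import time
from collections import defaultdict
from typing import Optional

# Constructed directory: contact identifier -> account handle.
DIRECTORY = {
    "alice@example.org": "@alice_pseudonym",
    "+15550100": "@alice_pseudonym",
}

UNIFORM_REPLY = "If that contact is on file, we've sent instructions to it."


def lookup_vulnerable(identifier: str) -> Optional[str]:
    """Answers "which account uses this email/phone?" to any caller.
    The response itself is the leak: it links an identifier a caller
    already holds to a (possibly pseudonymous) handle."""
    return DIRECTORY.get(identifier)


class AccountRecovery:
    """Hardened flow: uniform response, out-of-band delivery, rate limits
    per client and per identifier, hashed identifiers in the audit log."""

    def __init__(self, log_key: bytes, max_per_window: int = 5, window_s: int = 3600):
        self.log_key = log_key
        self.max_per_window = max_per_window
        self.window_s = window_s
        self._hits = defaultdict(list)   # bucket -> request timestamps
        self.outbox = []                 # (identifier, message) sent out of band
        self.audit = []                  # tuples for detection/alerting

    def _rate_limited(self, bucket: str, now: float) -> bool:
        recent = [t for t in self._hits[bucket] if now - t < self.window_s]
        if len(recent) >= self.max_per_window:
            self._hits[bucket] = recent
            return True
        recent.append(now)
        self._hits[bucket] = recent
        return False

    def _log_id(self, identifier: str) -> str:
        # Keyed hash so the audit log does not itself become a contact list.
        return hmac.new(self.log_key, identifier.encode(), hashlib.sha256).hexdigest()[:16]

    def request(self, identifier: str, client_ip: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        hashed = self._log_id(identifier)
        if self._rate_limited(client_ip, now) or self._rate_limited("id:" + hashed, now):
            self.audit.append(("rate_limited", client_ip, hashed))
            return UNIFORM_REPLY
        handle = DIRECTORY.get(identifier)
        if handle is not None:
            # Only the owner of the mailbox or phone ever sees the handle.
            self.outbox.append((identifier, f"Your account is {handle}. "
                                            "Ignore this if you did not request it."))
        self.audit.append(("lookup", client_ip, hashed, handle is not None))
        return UNIFORM_REPLY
```

The property to verify is that `request()` returns byte-identical text for a known and an unknown identifier, so nothing in the response distinguishes them; the audit tuples give a defender a per-client view of lookup volume, which is the signal that would have shown a bulk compilation in progress.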