Pastebin adds ‘Burn After Read’ and ‘Password Protected Pastes’ to the dismay of the infosec community
Pastebin, the most popular website where users can share small snippets of text, has added two new features today that cyber-security researchers believe are going to be widely and wildly abused by malware operators.

Named “Burn After Read” and “Password Protected Pastes,” the two new features allow Pastebin users to create pastes (pieces of text) that expire after a single read or pastes that are protected by a password.

Neither feature is original; both have been present on other paste sites for years.

However, they are new to Pastebin, which is, by far, today’s most popular pastes portal, being ranked in the Alexa Top 2,000 most popular sites on the internet.

Full article

Twitter prepares for US election with new security training, penetration tests
Twitter said today it’s been working over the past months to bolster its internal security by requiring staff to go through additional security training, engaging in penetration tests, and by deploying hardware security keys to all employees.

The measures announced today are part of Twitter's efforts to prevent a repeat of the July 2020 hack during the US presidential election later this fall.

In July this year, hackers phished Twitter staffers, gained access to its internal platform, and then tweeted a cryptocurrency scam via high-profile and verified accounts. Some of the defaced accounts belonged to political figures, including presidential candidate Joe Biden.

Twitter learned a hard lesson in July, and in a blog post today authored by Parag Agrawal, Twitter Chief Technical Officer, and Damien Kieran, Twitter Data Protection Officer, the company said it has taken corrective actions.

Full article

How Twitter Survived Its Biggest Hack—and Plans to Stop the Next One
July 15 was, at first, just another day for Parag Agrawal, the chief technology officer of Twitter. Everything seemed normal on the service: T-Pain’s fans were defending him in a spat with Travis Scott; people were upset that the London Underground had removed artwork by Banksy. Agrawal set up in his home office in the Bay Area, in a room that he shares with his young son. He started to hammer away at his regular tasks—integrating deep learning into Twitter’s core algorithms, keeping everything running, and countering the constant streams of mis-, dis-, and malinformation on the platform.

But by mid-morning on the West Coast, distress signals were starting to filter through the organization. Someone was trying to phish employee credentials, and they were good at it. They were calling up consumer service and tech support personnel, instructing them to reset their passwords. Many employees passed the messages on to the security team and went back to business. But a few gullible ones—maybe four, maybe six, maybe eight—were more accommodating. They went to a dummy site controlled by the hackers and entered their credentials in a way that served up their usernames and passwords as well as multifactor authentication codes.

Shortly thereafter, several Twitter accounts with short handles—@drug, @xx, @vampire, and more—became compromised. So-called OG user names are valued among certain hacker communities the way that impressionist artwork is valued on the Upper East Side. Twitter knows this and views them internally as high priority. Still, the problem didn’t filter up to Agrawal just yet. Twitter has a dedicated Detection and Response Team that triages security incidents. DART had detected suspicious activity, but the needed response was limited. When you run a sprawling social network, with hundreds of millions of users, ranging from obscure bots to the leader of the free world, this kind of thing happens all the time. You don’t need to constantly harangue the CTO.

But then, at 3:13 pm ET, the cryptocurrency exchange Binance sent an unlikely tweet announcing that it was “giving back” around $52 million of bitcoin to the community with a link to a fraudulent website. Over the next hour, 11 cryptocurrency accounts followed suit. And then, at 4:17 pm ET, @elonmusk tweeted a classic bitcoin scam to his nearly 40 million followers. A few minutes later, @billgates did the same.

Full article

iPhone 12 scam pretends to be Apple “chatbot” – don’t fall for it!

Naked Security

Aren’t SMSes dead? Aren’t they just plain old text anyway? Surely they’re of no interest to cybercriminals any more?

Well, SMSes aren’t dead at all – they’re still widely used because of their simplicity and convenience.

Indeed, as a general-purpose short message service – which is literally what the letters SMS stand for – it’s hard to beat, because any phone can receive text messages, from the fanciest smartphone to the cheapest pre-paid mobile.

If all you need to transmit is a 6-digit logon code or a “pizza driver now 2 minutes away” notification, SMSes still make excellent business sense.

Sadly, however, what works for legitimate businesses almost always works for cybercriminals too, so there are plenty of crooks still using SMSes for phishing – an attack that’s wryly known as smishing.

Full article

Phishing attacks are targeting your social network accounts

Bleeping Computer

Scammers are targeting your social network accounts with phishing emails that pretend to be copyright violations or promises of a shiny ‘blue checkmark’ next to your name.

With social networks such as Twitter, Facebook, Instagram, and TikTok becoming a significant component in people’s lives, attackers target them for malicious purposes.

These stolen accounts are then used for disinformation campaigns, cryptocurrency scams like the recent Twitter hacks, or sold on underground markets.

Due to this, social accounts should be treated as a valuable commodity and protected as such.

Full article

Scammers drain bank accounts using AnyDesk and SIM-swapping

Bleeping Computer

Scammers mixed together a malicious cocktail of social engineering, SIM-swapping, and remote desktop software to empty the bank accounts of at least three victims.

In total, victims lost more than $350,000. They were likely swindled by the same individuals since the modus operandi and some details were the same in all three cases.

Remote access to sensitive info

The scams happened over the summer in Budapest and started with the ruse of a well-located apartment offered for sale below the market value.

Enticed by the offer, the victims showed their interest and responded to the ad, learning that the lower price was because the owner, who was living abroad, needed money urgently.

A “relative” of the owner acted as an intermediary for the transaction, and promised potential victims more pictures of the property than shown in the original online ad, along with a video.

In two cases, the scammer convinced the victims to install the AnyDesk remote desktop application to transfer the pictures and videos, Hungarian publication 24 reports.

Since AnyDesk is legitimate software, and the victims downloaded it directly from the developer’s website, there was no reason to suspect foul play.

The fraudster maintained access to the victim's computer even after transferring the files and could search for sensitive info (documents, passwords, personal details) that would help them further in their scheme.

The goal was to log into the victim's bank account and steal available funds, but with two-factor authentication (2FA) turned on, they also needed access to incoming messages on the victim's mobile phone.

Full article

Instagram bug allowed crashing the app via image sent to device

Bleeping Computer

Technical details about a high-severity vulnerability in Facebook’s Instagram app for Android and iOS show how an attacker could exploit it to deny user access to the app, take full control of their account, or use their mobile device to spy on them.

To trigger the bug, an attacker had only to send the target a specially crafted image via a common messaging platform or over email.

The issue was in the way Instagram parsed images: as long as the app could access the image to offer it as an option for a post, the vulnerability would trigger, allowing dangerous actions.

Full article

Microsoft secures backend server that leaked Bing data

Microsoft suffered a rare cyber-security lapse earlier this month when the company's IT staff accidentally left one of Bing's backend servers exposed online.

The server was discovered by Ata Hakcil, a security researcher at WizCase, who exclusively shared his findings with ZDNet last week.

According to Hakcil’s investigation, the server is believed to have exposed more than 6.5 TB of log files containing 13 billion records originating from the Bing search engine.

The WizCase researcher was able to verify his findings by locating search queries he performed in the Bing Android app in the server's logs.

Full article

Guard your data with these privacy-focused search engines & browsers

Bleeping Computer

Popular search engines and browsers do a great job at finding and browsing content on the web, but can do a better job at protecting your privacy while doing so.

With your data being the digital currency of our times, websites, advertisers, browsers, and search engines track your behavior on the web to deliver tailored advertising, improve their algorithms, or improve their services.

In this guide, we list the best search engines and browsers to protect your privacy while using the web.

Full article

Think Twice Before Using Facebook, Google, or Apple to Sign In Everywhere
If you’re drowning in website logins and constantly using Forgot My Password prompts to get into random accounts, a “Log In With Google” or “Log In With Facebook” button can look a lot like a lifeline. The services provide a quick way to continue whatever you’re doing without having to set up a whole account and choose a new password to guard it. But while these “single sign-on” tools are convenient, and do offer some security benefits, they’re not the panacea you might think.

The SSO schemes offered by big tech companies have some obvious advantages. For example, they’re developed and maintained by companies with the resources to bake in strong security features. Take Sign In With Apple, which lets you use TouchID or FaceID to log into any number of sites.

But for all its convenience, consumer SSO has some real drawbacks, too. It creates a single point of failure if something goes wrong. If your password or access token gets stolen from an account you use for SSO, all the other sites you used it to log in with could be exposed. And not only do you have to trust the companies that offer SSO to protect your privacy and security, you also have to trust all the third-party websites offering these options to implement them correctly.

Full article