The IT Nerd

Today is the day for breaking news. ABC News is reporting that a Florida teen has been arrested in relation to the epic Twitter hack from earlier this month:

The 17-year-old Tampa resident, who was arrested Friday, was hit with 30 felony charges in connection with the hack, according to Hillsborough State Attorney Andrew Warren.

“These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here,” Warren said in a statement. “This ‘Bit-Con’ was designed to steal money from regular Americans from all over the country, including here in Florida. This massive fraud was orchestrated right here in our backyard, and we will not stand for that.” 

The Florida teen was the “mastermind” of the hack, according to a statement from Warren’s office.

That kind of implies that other arrests are coming or perhaps have already been made. Either way, this is huge. Expect more news to come shortly.

UPDATE: Here’s more. A Justice Department release has three people charged in connection to this hack. We only know of one that was arrested (the 17 y/o) in Florida. So I have to assume that the other two are still outstanding.

Twitter is “strongly encouraging” its almost 5,000 global employees to work from home due to concerns over the spread of the Covid-19 coronavirus, the company said Monday.

The social media company made the suggestion as part of a blog update one day after it suspended all non-critical travel for workers, including pulling out of the South by Southwest conference scheduled for later this month in Austin, Texas. Twitter says it’s mandatory for employees in Hong Kong, Japan and South Korea to work from home, but that other offices will remain open for those who choose or need to come in. “We are working to make sure internal meetings, all hands, and other important tasks are optimized for remote participation,” the company wrote on its blog. Twitter’s policy on working from home is a step beyond what most companies in the U.S. are doing as the virus spreads.

This is a sensible approach. But it will only work if companies have the tech in place to pull this off. I am talking about things like VPN access, virtual meeting software, and the like. And it will only work if users are trained on how these things work so that IT helpdesks are not flooded with calls from remote users that didn’t get the training that they need. Thus I would suggest that if you are a company that is considering something like this, you might want to start getting your ducks in a row so that there are no surprises once you roll it out.

Trend Micro Incorporated today announced a new study revealing how cybercriminals are abusing Twitter via tech support scams, command-and-control (C&C) operations and data exfiltration.

Trend Micro researchers analyzed a large volume of Twitter data to identify relationships between various entities to spot anomalies and uncover key insights.

Criminals were found using fake Twitter accounts to spoof those of legitimate vendors for credible tech support scams. Users call the fake phone number provided, believing they are speaking with the intended company’s help desk, which results in the caller either sharing credit card information or installing malicious content on their computer.

This is often part of a multi-platform strategy along with YouTube, Facebook, Telegram and other channels to improve SEO for fake tech support websites linked to the Twitter accounts, boosting their search rankings.

While criminals are using the social network for bad, threat researchers can leverage the power of social media for good. Most notably, Twitter is used for monitoring vulnerability disclosures to inform patch prioritization, and scanning for indicators of compromise, threat detection rules, and other contextual information to boost threat intelligence.

Trend Micro recommends users confirm the validity of a Twitter account by checking the company’s website directly, rather than through the account. It is also important for security teams to validate Twitter data when leveraging it for investigations or threat intelligence.

To read the full report, please visit:  https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/hunting-threats-on-twitter.

It seems that Twitter is down globally as users who are trying to log on aren’t having much luck. What appears is a message saying “Something is technically wrong.” This is confirmed by Downdetector and Twitter’s status page. There’s currently no time to resolution as of yet. But when it’s resolved, I’ll post an update.

UPDATE: This issue is now resolved.

Twitter has announced some iOS users saw their location data leaked to one of their third-party partners under some very specific circumstances:

Specifically, if you used more than one account on Twitter for iOS and opted into using the precise location feature in one account, we may have accidentally collected location data when you were using any other account(s) on that same device for which you had not turned on the precise location feature.

Separately, we had intended to remove location data from the fields sent to a trusted partner during an advertising process known as real-time bidding. This removal of location did not happen as planned. However, we had implemented technical measures to “fuzz” the data shared so that it was no more precise than zip code or city (5km squared). This location data could not be used to determine an address or to map your precise movements. The partner did not receive data such as your Twitter handle or other unique account IDs that could have compromised your identity on Twitter. This means that for people using Twitter for iOS who we inadvertently collected location information from, we may also have shared that information with a trusted advertising partner.    

We have confirmed with our partner that the location data has not been retained and that it only existed in their systems for a short time, and was then deleted as part of their normal process. 

Twitter has since fixed the issue, and all is as it should be with the universe. But I think that for companies that seem to consistently make these types of mistakes, there should be consequences. As in something more than bad PR. That would force them to up their game and keep your data safe.

Twitter really has to tighten things up as they’ve fixed a five year old bug that exposed the private tweets of Android users. Twitter has let affected users know and is really sorry for this. They also say that they can’t be sure that they have pinged everyone who has been affected. So Android users should review their privacy settings to ensure that their ‘Protect your Tweets’ setting reflects their preferences. But seriously. having a bug that flew under the radar for five years is kind of bad. It’s got be embarrassing if you’re Twitter.

Happy Friday!

The fine folks over at Gizmodo have an eye opening story that goes like this. Security researchers from Insinia Security discovered a hole on the Twitter platform that could allow a miscreant to post unauthorized tweets. They disclosed this to Twitter, and the social media company claimed to have fixed the problem. But when the researchers sanity checked the fix, they discovered it wasn’t fixed:

During a private chat with Gizmodo, however, the hackers appeared to reproduce their experiment, forcing an account belonging to the head of a London-based financial technology company to retweet a tweet from the BBC. Insinia said it verified the flaw remained using “a number of accounts.”

Twitter claims it is investigating this, but this seems like one hell of a screw up. Or worse, Twitter might have been hoping that nobody checked their work. Too bad for them that someone was smart enough to.

Take home message. If you say something is fixed. You should make sure that it is fixed or someone will call you on it.

Twitter is suggesting that all Twitter users update their passwords following a “bug” that exposed some passwords in plaintext on its internal networ:

When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.

Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password. You can change your Twitter password anytime by going to the password settings page.

That’s a bit of a #fail. The only saving grace is that these passwords were exposed internally. Thus the risk level SHOULD be low. But you should change your password just in case because these days you never know.