Forwarded from BlackBox (Security) Archiv
Exclusive: More than 1,000 people at Twitter had ability to aid hack of accounts
More than a thousand Twitter employees and contractors as of earlier this year had access to internal tools that could change user account settings and hand control to others, two former employees said, making it hard to defend against the hacking that occurred last week.
Twitter Inc and the FBI are investigating the breach that allowed hackers to repeatedly tweet from verified accounts of the likes of Democratic presidential candidate Joe Biden, billionaire philanthropist Bill Gates, Tesla Chief Executive Elon Musk and former New York Mayor Mike Bloomberg.
Twitter said on Saturday that the perpetrators "manipulated a small number of employees and used their credentials" to log into tools and turn over access to 45 accounts. here On Wednesday, it said that the hackers could have read direct messages to and from 36 accounts but did not identify the affected users.
The former employees familiar with Twitter security practices said that too many people could have done the same thing, more than 1,000 as of earlier in 2020, including some at contractors like Cognizant.
Twitter declined to comment on that figure and would not say whether the number declined before the hack or since. The company was looking for a new security head, working to better secure its systems and training employees on resisting tricks from outsiders, Twitter said. Cognizant did not respond to a request for comment.
βThat sounds like there are too many people with access,β said Edward Amoroso, former chief security officer at AT&T. Responsibilities among the staff should have been split up, with access rights limited to those responsibilities and more than one person required to agree to make the most sensitive account changes. βIn order to do cyber security right, you canβt forget the boring stuff.β
Threats from insiders, especially lower-paid outside support staff, are a constant worry for companies serving large numbers of users, cyber security experts said. They said that the greater the number of people who can change key settings, the stronger oversight must be.
π ππΌ https://www.reuters.com/article/us-twitter-cyber-access-exclusive/exclusive-more-than-1000-people-at-twitter-had-ability-to-aid-hack-of-accounts-idUSKCN24O34E
#twitter #fraud #bitcoin #hacked
π‘@cRyPtHoN_INFOSEC_DE
π‘@cRyPtHoN_INFOSEC_EN
π‘@BlackBox_Archiv
π‘@NoGoolag
More than a thousand Twitter employees and contractors as of earlier this year had access to internal tools that could change user account settings and hand control to others, two former employees said, making it hard to defend against the hacking that occurred last week.
Twitter Inc and the FBI are investigating the breach that allowed hackers to repeatedly tweet from verified accounts of the likes of Democratic presidential candidate Joe Biden, billionaire philanthropist Bill Gates, Tesla Chief Executive Elon Musk and former New York Mayor Mike Bloomberg.
Twitter said on Saturday that the perpetrators "manipulated a small number of employees and used their credentials" to log into tools and turn over access to 45 accounts. here On Wednesday, it said that the hackers could have read direct messages to and from 36 accounts but did not identify the affected users.
The former employees familiar with Twitter security practices said that too many people could have done the same thing, more than 1,000 as of earlier in 2020, including some at contractors like Cognizant.
Twitter declined to comment on that figure and would not say whether the number declined before the hack or since. The company was looking for a new security head, working to better secure its systems and training employees on resisting tricks from outsiders, Twitter said. Cognizant did not respond to a request for comment.
βThat sounds like there are too many people with access,β said Edward Amoroso, former chief security officer at AT&T. Responsibilities among the staff should have been split up, with access rights limited to those responsibilities and more than one person required to agree to make the most sensitive account changes. βIn order to do cyber security right, you canβt forget the boring stuff.β
Threats from insiders, especially lower-paid outside support staff, are a constant worry for companies serving large numbers of users, cyber security experts said. They said that the greater the number of people who can change key settings, the stronger oversight must be.
π ππΌ https://www.reuters.com/article/us-twitter-cyber-access-exclusive/exclusive-more-than-1000-people-at-twitter-had-ability-to-aid-hack-of-accounts-idUSKCN24O34E
#twitter #fraud #bitcoin #hacked
π‘@cRyPtHoN_INFOSEC_DE
π‘@cRyPtHoN_INFOSEC_EN
π‘@BlackBox_Archiv
π‘@NoGoolag
Reuters
Exclusive: More than 1,000 people at Twitter had ability to aid hack of accounts
SAN FRANCISCO (Reuters) - More than a thousand Twitter employees and contractors as of earlier this year had access to internal tools that could change user account settings and hand control to others, two former employees said, making it hard to defend againstβ¦
Forwarded from BlackBox (Security) Archiv
Bitcoin Inventory Out-of-Memory Denial-of-Service Attack - Researcher kept a major Bitcoin bug secret for two years to prevent attacks
The INVDoS bug would have allowed attackers to crash Bitcoin nodes and other similar blockchains.
In 2018, a security researcher discovered a major vulnerability in Bitcoin Core, the software that powers the Bitcoin blockchain, but after reporting the issue and having it patched, the researcher opted to keep details private in order to avoid hackers exploiting the issue.
Technical details were published earlier this week after the same vulnerability was independently discovered in another cryptocurrency, based on an older version of the Bitcoin code that hadn't received the patch.
Called INVDoS, the vulnerability is a classic denial-of-service (DoS) attack. While in many cases, DoS attacks are harmless, they are not for internet-reachable systems, which need to have stable uptime in order to process transactions.
INVDoS was discovered in 2018 by Braydon Fuller, a Bitcoin protocol engineer. Fuller found that an attacker could create malformed Bitcoin transactions that, when processed by Bitcoin blockchain nodes, would lead to uncontrolled consumption of the server's memory resources, which would eventually crash impacted systems.
π ππΌ CVE-2018-17145: Bitcoin Inventory Out-of-Memory Denial-of-Service Attack (pdf)
https://invdos.net/paper/CVE-2018-17145.pdf
π ππΌ https://www.zdnet.com/article/researcher-kept-a-major-bitcoin-bug-secret-for-two-years-to-prevent-attacks
#researcher #bitcoin #bug #INVDoS #pdf
π‘@cRyPtHoN_INFOSEC_DE
π‘@cRyPtHoN_INFOSEC_EN
π‘@BlackBox_Archiv
π‘@NoGoolag
The INVDoS bug would have allowed attackers to crash Bitcoin nodes and other similar blockchains.
In 2018, a security researcher discovered a major vulnerability in Bitcoin Core, the software that powers the Bitcoin blockchain, but after reporting the issue and having it patched, the researcher opted to keep details private in order to avoid hackers exploiting the issue.
Technical details were published earlier this week after the same vulnerability was independently discovered in another cryptocurrency, based on an older version of the Bitcoin code that hadn't received the patch.
Called INVDoS, the vulnerability is a classic denial-of-service (DoS) attack. While in many cases, DoS attacks are harmless, they are not for internet-reachable systems, which need to have stable uptime in order to process transactions.
INVDoS was discovered in 2018 by Braydon Fuller, a Bitcoin protocol engineer. Fuller found that an attacker could create malformed Bitcoin transactions that, when processed by Bitcoin blockchain nodes, would lead to uncontrolled consumption of the server's memory resources, which would eventually crash impacted systems.
π ππΌ CVE-2018-17145: Bitcoin Inventory Out-of-Memory Denial-of-Service Attack (pdf)
https://invdos.net/paper/CVE-2018-17145.pdf
π ππΌ https://www.zdnet.com/article/researcher-kept-a-major-bitcoin-bug-secret-for-two-years-to-prevent-attacks
#researcher #bitcoin #bug #INVDoS #pdf
π‘@cRyPtHoN_INFOSEC_DE
π‘@cRyPtHoN_INFOSEC_EN
π‘@BlackBox_Archiv
π‘@NoGoolag