Thursday, December 27, 2018

A band-aid for Twitter's horribly broken security

If you manage a high-value Twitter account, consider creating a second, "burner" account. After enabling multifactor authentication on the high-value account, add the same phone number to the burner account. This will turn off SMS access features for the high-value account, without breaking MFA on the same. 
Updated December 31: Added a description of the variations between mobile app, mobile web UI, and desktop web UI, along with a bug Kevin Beaumont pointed out (described at the end of this post).

On Christmas Eve, Richard De Vere of The AntiSocial Engineer published a doozie of an article describing a serious flaw in Twitter’s security. In a nutshell, if a Twitter account has a phone number connected to it, Twitter accepts instructions via SMS from that phone number, with no additional authentication required.

It gets worse – far worse. Twitter requires a phone number be connected to an account in order to enable multifactor authentication. Twitter does support using a mobile security app or a physical key for MFA, and allows you to turn off SMS-based 2FA, but requires a phone number to be connected to the account nonetheless. Removing the phone number also turns off "logon verification" (Twitter's term for multifactor authentication).

Removing a phone number from Twitter also turns off multifactor authentication

Meaning, a user security-aware enough to set up two-factor authentication to protect their Twitter account, is also opening a back door into their account, a back door that allows functions including follow, unfollow, tweet, retweet, like, DM, turn on or off push notifications, or remove the phone number from the account.

And since Twitter 2FA requires a phone number, sending a “stop” message to Twitter from (or spoofing) the number associated with an account, will disable 2FA on that account, with no notice to the rightful account owner.

That's right: enabling 2FA on Twitter, explicitly enables an SMS back door to Twitter, which can be used to disable 2FA on Twitter, without you knowing that 2FA has been disabled.

Tuesday, December 4, 2018

The most challenging aspect of security

Ever wondered what is the most challenging aspect to security? It's not understanding the evolving threats and actors. Certainly those are important, but people smarter than me do a fine job of tracking and reporting on emerging threats.

It's not the constant evolution of tools and blinky boxes. Sure, tools are part of the mix, and knowing what tools will benefit in what situations is a must, but a tool is a tool. Given the right tool with a suitable understanding of the problem, the right people can figure out the right way to use it.

It's not understanding the technologies and solutions I'm tasked with defending. Of course that is crucial, but 20 years in the field have taught me a great bit about operating systems, applications, networking, business, and the way systems work, break, and can be fixed.

The biggest challenge? It's not threats, blinky boxes, or foundational knowledge. It's the context switching. It's being eyeball deep into a topic when something else demands attention. It's the interrupt-driven pace of work, always at the mercy of the next unscheduled threat.

What techniques do you use to carve out dedicated time for strategic work? How do you avoid the pitfall of perpetual firefighting? Comment below or join the discussion on Twitter.