It’s time for the last News Update of 2018!
The EU based security firm Insinia Security briefly took over several prominent Twitter profiles through the use of an exploit that allowed them to post to the accounts without having to be logged in to them. They did so by analyzing the way Twitter handled requests for tweets from phone numbers, and they were able to replicate that traffic in a way that allowed them to authentically tweet as accounts with a linked phone number. Insinia Security claims that they have reported the vulnerability in the past, and have received no response and cooked up this idea as a way to increase the visibility of the vulnerability.
Attacking people’s accounts without permission is a good way to be served a lawsuit, and SOP for this sort of proof-of-concept attack would normally be done using willing volunteers. Insinia Security is claiming that they never actually logged into the accounts, and were unable to see or access any personal information, as their defense against a suit under the Computer Misuse Act. Insinia Security is also claiming that its actions were necessary as the vulnerability allows for extremely targeted and hard to detect spear-phishing attacks coming from trusted figures that would are currently impossible to stop. They’re not wrong that phishing attacks remain the most common method of attack, and anything that would allow an attacker to spoof their identity like Twitter would allow them to make a truly massive watering hole attack.
Source: Security firm hijacks high-profile Twitter accounts
A facility in Gumi, South Korea had the PII of nearly a thousand North Korean defectors revealed in a hack. The information includes their new names, locations, and other details form their time in North Korea. This is especially troubling as North Koreans who have defected to South Korea go missing with some regularity and they occasionally turn up in North Korea having renounced South Korea completely and preaching the North Korean party line on public broadcasts. The information revealed today will only make those efforts easier. The South Korean government has publicly responded by issuing an apology to those affected, but hopefully, they will take more concrete action in private.
Source: North Korean defectors PII exposed
Fortnite, the PUBG style free-for-all game that we know you know about, has become a lucrative business for hackers who take over accounts and then sell them online. The hacked accounts are going for hundreds of dollars in some cases, depending on the skins they possess. One victim has turned his experience into a lesson and now he works to crack and steal others accounts to make a profit. Fortnite hackers rely on complacency to get into the accounts: most users have not setup two-factor authentication or changed the shared password they use for multiple accounts after data breaches. This laxity allows the hackers easy access into the accounts, where they change the contact information associated with them and then enable two-factor authentication. This keeps the original owner out, and allows the attacker to resell the account. The nature of the game means that authorities aren’t quick to chase down the attackers as nothing physical has been lost and no one has been injured. The idea of police arresting someone for stealing some in-game skins is something that most people have some difficulty wrapping their head around. It’s easy to understand a stolen car, but not a purely cosmetic digital item.
Source: Fortnite teen hackers ‘earning thousands of pounds a week’