Discover and read the best of Twitter Threads about #2fa
Most recents (21)
Fellow tweeps, you might not be as safe as you had thought. Yeah, #Twitter might be posing some risks to you. ⚠👀
In this thread, I’ve compiled some security checks you SHOULD do on your @Twitter account.
You don’t want to read it? As you wish. 🧵🏌️♂️
In this thread, I’ve compiled some security checks you SHOULD do on your @Twitter account.
You don’t want to read it? As you wish. 🧵🏌️♂️
Oh, well, I guess you decided to read it anyway. That’s so thoughtful of you, and while we’re at it, I’ll appreciate and urge you to follow me. I provide exquisite contents that’ll interest you. 💯
For the taking, this thread is not about the internal vulnerabilities of Twitter;
For the taking, this thread is not about the internal vulnerabilities of Twitter;
I mean those private data leaks, account hacks, internal errors, and whatnot; no, it ain’t about all that. ❌👎
But you see those access and authorizations you give to external apps and sites via the Application Programming Interface (#API), they’re toast, man. 😂
But you see those access and authorizations you give to external apps and sites via the Application Programming Interface (#API), they’re toast, man. 😂
Protecting your privacy today is no longer optional. It’s a must. Read this thread for 10 simple ways to protect your identity online. 🧵⬇️
Use a password manager. It ensures you'll be able to use complicated passwords to secure your online accounts. If you can remember your password, it's not secure. Let your password manager remember them for you.
Secure your browsing with a #VPN like @ProtonVPN. It funnels all your data through an encrypted tunnel. Using a privacy-first VPN stops your internet service provider from collecting data on you. You also avoid government surveillance.
Wegen Twitters #2FA SMS Abschalt Stunt eine Erklärung aus InfoSec-Sicht, warum ihr euch etwas mit der Thematik beschäftigen solltet, wenn euch eure Accounts lieb sind.
Möglichkeiten, Angriffsvektoren, Kosten für Euch und worauf ihr achten solltet bei Mehr Faktor Authentifizierung
Möglichkeiten, Angriffsvektoren, Kosten für Euch und worauf ihr achten solltet bei Mehr Faktor Authentifizierung
Warum überhaupt #MFA / #2FA? Naja, weil ein Passwort ein oftmals alleinig schlechter Zugriffsschutz ist.
- Username tragt ihr in sozialen Medien offen rum
- Passwörter werden aus Bequemlichkeit oft kurz oder einfach gehalten
- Passwörter sind meist statische Faktoren
- Username tragt ihr in sozialen Medien offen rum
- Passwörter werden aus Bequemlichkeit oft kurz oder einfach gehalten
- Passwörter sind meist statische Faktoren
Vorgaben zu komplexen Passwörtern, häufigen Passwortänderungen etc. führen oft zum Gegenteil, da leider nicht alle User*innen Passwortmanager nutzen (die aber dann wiederum auch ein gewisser lukrativer Angriffsvektor sein können, was aber im Allgemeinen aufwändig und selten ist).
Message exceptionnel dans ma période de silence sur Twitter. Vous avez peut-être vu passer ce message sur votre écran ou dans votre fil de discussion.
Ne vous contentez pas de supprimer l'authentification par SMS ou si vous ne l'utilisez pas, utilisez un autre mode #2FA. 1/9
Ne vous contentez pas de supprimer l'authentification par SMS ou si vous ne l'utilisez pas, utilisez un autre mode #2FA. 1/9
L'authentification #2FA ou authentification par double facteur (on dit parfois MFA pour facteur multiple) est un outil de sécurité pour l'accès à vos comptes qui en plus de votre mot de passe demande une validation par un autre moyen (par exemple une application sur GSM) 2/9
Pour activer cette option sur Twitter, il faut aller dans vos paramètres et sélectionner l'option "Sécurité et accès au compte", puis "Sécurité" 3/9
Twitter about to give hackers a huge gift....
... by *REMOVING text message authentication* for non paying accounts.
Yes, there are better forms of #2FA.
But this is blackmail.
Expect waves of takeovers as hackers run through password dumps. 1/ blog.twitter.com/en_us/topics/p…
... by *REMOVING text message authentication* for non paying accounts.
Yes, there are better forms of #2FA.
But this is blackmail.
Expect waves of takeovers as hackers run through password dumps. 1/ blog.twitter.com/en_us/topics/p…
2/ Twitter is basically saying "hey the locks on your home aren't the most secure [true]... so we're just removing them at the end of the month [insane]"
Text message authentication isn't great.
And it needs to be evolved away from.
But this is reckless.
Text message authentication isn't great.
And it needs to be evolved away from.
But this is reckless.
3/ You don't make users more secure by unilaterally *degrading* their security, then hoping they do better.
Security is a ratcheting process.
If Twitter goes ahead with this, they absolutely deserve regulatory & Congressional scrutiny.
Security is a ratcheting process.
If Twitter goes ahead with this, they absolutely deserve regulatory & Congressional scrutiny.
🎙️Web3 Security Q&A with our CEO Rick Deacon - @rickdeaconx
⚠️Part I: Common #Web3 Threats
(Part II: How Interlock solves this by using #AI - will be published tomorrow!)
🧵👇
⚠️Part I: Common #Web3 Threats
(Part II: How Interlock solves this by using #AI - will be published tomorrow!)
🧵👇
Q: What are the top security problems for crypto and Web3 users right now?
A: "The most prevalent security problems are all focused on social engineering:
1⃣Phishing attacks where attackers try to steal personal information by disguising a malicious website as a legitimate one.
A: "The most prevalent security problems are all focused on social engineering:
1⃣Phishing attacks where attackers try to steal personal information by disguising a malicious website as a legitimate one.
2⃣Malware infections which can steal personal information, funds or take control of a device.
3⃣Scams that take advantage of the hype around #cryptocurrency and Web3 technologies to trick users into sending money or personal information.
3⃣Scams that take advantage of the hype around #cryptocurrency and Web3 technologies to trick users into sending money or personal information.
🔥 Had @LastPass not leaked their entire password database I would be safe right now even if attackers has my real password. They claim this is a “feature” that makes them extra secure. This is on them but I was dumb enough to believe they could keep their data & source safe 🔥
Recycling your passwords is a bad security practice ❌
Why not use a password manager to help with generating and maintaining passwords?
In this episode of the #OSINT show, host @IntelTechniques revisits password managers and #2FA 👇
Why not use a password manager to help with generating and maintaining passwords?
In this episode of the #OSINT show, host @IntelTechniques revisits password managers and #2FA 👇
Recommendations For Password Managers
Previously
🔹 Have always recommended @KeePassXC or @Bitwarden:
🔸 KeePassXC: A completely offline tool. Reserved for extreme scenarios
🔸 Bitwarden: A secure password manager that synchronizes your password database across multiple devices
Previously
🔹 Have always recommended @KeePassXC or @Bitwarden:
🔸 KeePassXC: A completely offline tool. Reserved for extreme scenarios
🔸 Bitwarden: A secure password manager that synchronizes your password database across multiple devices
Now
🔹 Online password managers have advanced quite a bit
🔹 Every reputable password manager encrypts everything on your machine before it goes into the database
🔹 Does not recommend LastPass, 1Password, Dashlane
🔹 For people new to password managers, he recommends Bitwarden
🔹 Online password managers have advanced quite a bit
🔹 Every reputable password manager encrypts everything on your machine before it goes into the database
🔹 Does not recommend LastPass, 1Password, Dashlane
🔹 For people new to password managers, he recommends Bitwarden
For those debating whether or not to leave Twitter, the alternatives aren't great and the user experience won't be the same on other platforms without the people you follow (and who follow you).
Consider these measures ...
(Thread) 🧵
Consider these measures ...
(Thread) 🧵
1) Take a break from tweeting if it gets too much, but DON'T delete your account.
Elmo's fuckery may be short-lived once he realizes advertisers won't allow him to take them hostage --
And there's ZERO accountability if everyone leaves en masse;
Elmo's fuckery may be short-lived once he realizes advertisers won't allow him to take them hostage --
And there's ZERO accountability if everyone leaves en masse;
2) If you do take an extended break and/or join other platforms, replace your background photo with where friends and followers can find you --
➡Response manipulation
The response is like: #2FA_Bypass #bugbounty
HTTP/1.1 404 Not Found
. . .
{"code": false}
. . .
Try to manipulate by changing {"code": true}
The response is like: #2FA_Bypass #bugbounty
HTTP/1.1 404 Not Found
. . .
{"code": false}
. . .
Try to manipulate by changing {"code": true}
➡Status code manipulation
The response is : #2FA_Bypass #bugbounty
HTTP/1.1 404 Not Found
...
{"code": false}
Try to manipulate by changing :
HTTP/1.1 200 OK
...
{"code": false}
The response is : #2FA_Bypass #bugbounty
HTTP/1.1 404 Not Found
...
{"code": false}
Try to manipulate by changing :
HTTP/1.1 200 OK
...
{"code": false}
When my @EFF colleague Alexis Hancock signed her baby up for daycare, she had to download a childcare management app - to monitor and specify "feedings, diaper changes, pictures, activities, and which guardian picked-up/dropped-off the child."
eff.org/deeplinks/2022… 1/
eff.org/deeplinks/2022… 1/
If you'd like an essay-formatted version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
pluralistic.net/2022/06/23/pee… 2/
pluralistic.net/2022/06/23/pee… 2/
This was during the lockdown, and the app was a way to comply with social distancing and contact tracing rules, but it was also designed to help with "separation anxiety of newly enrolled children and their anxious parents." 3/
At #disruptedtimes22, @johnnyryan says even tech giants don't know what they do with data (shades of Amazon's multiple scandals).
This is where #PurposeLimitation comes in. The #GDPR bans e.g. reusing phone numbers gathered for #2fa to target ads.
This is where #PurposeLimitation comes in. The #GDPR bans e.g. reusing phone numbers gathered for #2fa to target ads.
If one company is acquiring another, a regulator could compel both firms to disclose every single use they make of PII, and then analyze 'what happens when those two spreadsheets have a baby'
Purpose limitation is Big Tech kryptonite, and the DMA strengthens it, allowing the EU to pursue cases where national governments e.g. Eire won't
#NoCode #buildinpublic
Many people think that free #OpenSource software is only for #Linux.
But I use a lot of #FOSS software on my @Microsoft #Windows desktop that I'd be lost without!
These are some of my faves!
25+ FOSS Tools to Improve Your Windows Experience 🧵 👇
Many people think that free #OpenSource software is only for #Linux.
But I use a lot of #FOSS software on my @Microsoft #Windows desktop that I'd be lost without!
These are some of my faves!
25+ FOSS Tools to Improve Your Windows Experience 🧵 👇
7-Zip (@7zip)
Great archiver supporting
Packing/unpacking:
7z
XZ
BZIP2
GZIP
TAR
ZIP
WIM
Unpacking only:
AR
ARJ
CAB
CHM
CPIO
CramFS
DMG
EXT
FAT
GPT
HFS
IHEX
ISO
LZH
LZMA
MBR
MSI
NSIS
NTFS
QCOW2
RAR
RPM
SquashFS
UDF
UEFI
VDI
VHD
VHDX
VMDK
WIM
XAR
Z
7-zip.org
Great archiver supporting
Packing/unpacking:
7z
XZ
BZIP2
GZIP
TAR
ZIP
WIM
Unpacking only:
AR
ARJ
CAB
CHM
CPIO
CramFS
DMG
EXT
FAT
GPT
HFS
IHEX
ISO
LZH
LZMA
MBR
MSI
NSIS
NTFS
QCOW2
RAR
RPM
SquashFS
UDF
UEFI
VDI
VHD
VHDX
VMDK
WIM
XAR
Z
7-zip.org
Audacity (@getaudacity)
If you need to perform some audio editing, Audacity is a huge help. I often use it when fixing audio for a video or converting a recording for use in a phone system menu.
Tons of features & useful tools!
audacityteam.org
If you need to perform some audio editing, Audacity is a huge help. I often use it when fixing audio for a video or converting a recording for use in a phone system menu.
Tons of features & useful tools!
audacityteam.org
There are a lot of #Security Issues in the #NFT Ecosystem & #NFTs marketplaces (NFTMs)
1/ When using a password-based authentication workflow, there is no #2FA (two-factor authentication)
1/ When using a password-based authentication workflow, there is no #2FA (two-factor authentication)
2/ there is no support #hardwarewallet
#DataPrivacyDay
Today on #DataPrivacyDay, @SFLCin is bringing you some tips and quick fixes to help protect your privacy online.
#DataPrivacyDay2021 #PrivacyAware #privacy #cybersafety #dataprivacy
Today on #DataPrivacyDay, @SFLCin is bringing you some tips and quick fixes to help protect your privacy online.
#DataPrivacyDay2021 #PrivacyAware #privacy #cybersafety #dataprivacy
We as a generation use #SocialMedia almost obsessively. Most of us have accounts on social media websites like #Facebook, #Instagram & #Twitter.
#SocialSecurity #cybersecuritytips #PrivacyAware
#SocialSecurity #cybersecuritytips #PrivacyAware
We also keep hearing about various #Hacking, #Phishing attempts and in times like these it is important to understand the basics of social media privacy settings to secure yourself from such attempts.
#PrivacyAware
#PrivacyAware
1/ Solving the root cause of #GoldenSAML attacks, recently used in #Sunburst attacks.
Don't of scale security "UP", burying #SAML's private key deeper in HSM,
scale it "OUT": distribute it w/ modern crypto (#TSS #MPC)+ service architecture, as we do for #cryptocurrency @ZenGo
Don't of scale security "UP", burying #SAML's private key deeper in HSM,
scale it "OUT": distribute it w/ modern crypto (#TSS #MPC)+ service architecture, as we do for #cryptocurrency @ZenGo
2/ Advanced attackers (#APT) steal long term secrets ("the stamp") that allow them to issue access tokens and thus access all services in victims' environment, bypassing all security, including multi-factor auth (#MFA,#2FA)
3/ @CISAgov recommends protecting such secrets with hardware (HSM), but this solution is not always feasible, does not scale well and is susceptible to vulnerabilities especially when facing #APT attackers (hence: "aggressively updated")
media.defense.gov/2020/Dec/17/20…
media.defense.gov/2020/Dec/17/20…
Hilo de recursos de #SeguridadDigital 👨💻🛡️ para aquellos periodistas, activistas y defensores de #DDHH que van a cubrir la farsa electoral de la dictadura y sus cómplices mañana #6D. 👇🧵
Antes de salir a cubrir, activen la verificación en 2 pasos en sus cuentas de correo y redes sociales. En este y los próximos 3 tuits dejaré enlaces con los pasos que deben seguir para hacerlo 🔐 #2FA
Cómo configurar la verificación en 2 pasos en Twitter:
Cómo configurar la verificación en 2 pasos en Twitter:
Cómo configurar la verificación en 2 pasos en tu cuenta de Google:
#TPRM #IAM #authentication #2FA
Thoughts on a possible quick-win when it comes to reducing potential unauthorized access by third-party personnel that have approved access to your systems (be they on-prem or cloud)
Thoughts on a possible quick-win when it comes to reducing potential unauthorized access by third-party personnel that have approved access to your systems (be they on-prem or cloud)
Fact - Most organizations have a valid need to provide access for third-party personnel to their systems for one or the other reason
Unfortunate Reality - 3rd parties don't always let their customers (you) know when one of their people that has access to a customer system departs their employment. They may not even realize the user had access to your system(s)
Yesterday we published a deep dive on Saud al-Qahtani.
Who is he? Since October 2018, he has been known as the "mastermind" of the #Khashoggi murder.
He is one of #MBS's top aides and has been described as the Saudi crown prince's enforcer and chief propagandist.
Who is he? Since October 2018, he has been known as the "mastermind" of the #Khashoggi murder.
He is one of #MBS's top aides and has been described as the Saudi crown prince's enforcer and chief propagandist.
Al-Qahtani is also known as the "Lord of the Flies" — "flies" are what Saudi dissidents call trolls and bots that relentlessly attack critics of the Saudi state on social media.
They send death threats. They wage disinformation campaigns.
washingtonpost.com/world/saudi-el…
They send death threats. They wage disinformation campaigns.
washingtonpost.com/world/saudi-el…
Al-Qahtani has personally launched harassment campaigns against critics of the Saudi regime.
In August 2017, he launched a hashtag that translates to #the_black_list in English — it threatened dissidents that they would be "followed" if tagged.
In August 2017, he launched a hashtag that translates to #the_black_list in English — it threatened dissidents that they would be "followed" if tagged.
Sondersitzung des Digitalausschuss im #Bundestag, heute im Saal des Haushaltsausschusses, daher liegen hier überall fette Unterlagen herum. Neben Behörden wie BSI, BMI u BKA sind auch Twitter, FB, Google u GMX da, um unsere Fragen zum #Hackerangriff u #Datenklau zu beantworten.
#Facebook: "bei Bundestagswahlkampf 2017 legten wir allen Kandidat*innen nahe, eine 2 Faktor-Authentifizierung einzurichten, nur 2.1% haben das leider auch getan, ggf binden wir Kandidaten Verifizierung bei #EUWahl2019 an Einrichtung von #2FA". #hackerangriff #Datenklau #btADA
Facebook: "350 URLs haben wir im Zusammenhang mit dem #Hackerangriff identifiziert und geblockt, Inhalte entfernt, Infos mit BSI geteilt" #datenklau #btAdA
Truth! SMS is not a secure #2fa channel for Instagram or any service; and I've just switched what I could to @Authy. Read up on these #simhijacking #portoutscam hacks (and how to mitigate risk) with this great series by @lorenzofb for @Motherboard: motherboard.vice.com/en_us/topic/si…
For its part, @Instagram is rolling out support for third-party #2FA authentication code apps now (like @Authy or Google Authenticator) now, as an alternative to SMS. I've been checking my Settings > Two-Factor screen relentlessly! help.instagram.com/15824741551979…
Because, as @lorenzofb reports, carrier insiders are helping scammers take over phone SIMs even when you add account PINs, I wonder whether using SMS for #2FA is better than no 2FA at all. #simhijacking is relatively rare, so for most folks I think it is. motherboard.vice.com/en_us/article/…
