Twitter's initial implementation of two-factor authentication (2FA) relies on SMS.
But… Twitter also uses SMS as a way to send and receive Tweets (making use of SMS for double-duty: social and security). It's possible to "STOP" incoming Tweets via SMS, and that makes sense, because people sometimes end up roaming unexpectedly — and there needs to be a way to stop the SMS feature. Otherwise it could generate a costly bill.
Unfortunately, an attacker could use SMS spoofing to disable 2FA if he knows the target's phone number.
We've done some testing.
The STOP command removes the phone number from the account — and that in turn disables Twitter's 2FA.
Not great.
But there's an even worse possibility at the moment.
If you don't yet have 2FA enabled, an attacker who gains access to your account via spear phishing could enable it for himself!
All that's required is random phone number and SMS spoofing the word "GO".
Then the attacker can enable the account's 2FA.
Then send a message. (The message doesn't contain a confirmation code, so it isn't really needed.)
And then click "Yes".
That's it.
No confirmation code is needed to add a number. (Confirmation is required to change the account's associated e-mail address.)
This is what the victim will see — even if they reset the account's password.
The victim will be locked out, and cannot recover the account without Twitter's support.
So… perhaps you should enable your account's 2FA — before somebody else does it for you.
Fortunately, the majority of Twitter users aren't big targets. Unfortunately, accounts such as @AP are. And Twitter's SMS-based 2FA could be more harm than help when the use case is a dedicated attacker.
Twitter's blog post says "this feature has cleared the way for us to deliver more account security enhancements in the future."
If so, you may be the target of a spear phishing campaign designed to install a spyware on your Mac.
Here's a list of binaries signed by Apple Developer "Rajinder Kumar".
Detected as Trojan-Spy:OSX/HackBack.B:
• 1eedde872cc14492b2e6570229c0f9bc54b3f258 • 6737d668487000207ce6522ea2b32c7e0bd0b7cb • a2b8e636eb4930e4bdd3a6c05348da3205b5e8e0 • 505e2e25909710a96739ba16b99201cc60521af9 • 45a4b01ef316fa79c638cb8c28d288996fd9b95a • 290898b23a85bcd7747589d6f072a844e11eec65 — mentioned in yesterday's post.
Detected as Backdoor:OSX/KitM.A (includes screenshot feature):
• 4395a2da164e09721700815ea3f816cddb9d676e
Though the spear phishing payloads are not particularly "sophisticated", the campaign's use of German localization and the target's name (removed in the example above) does indicate the attackers have done some homework.
There's another case of Backdoor:OSX/KitM.A in the wild.
A German-based investigator reached out to us yesterday regarding OSX/KitM. (We wrote about it last week.) KitM stands for "Kumar in the Mac", which is our designation for spyware — related to OSX/Filesteal a.k.a. OSX/HackBack — that is signed using an Apple Developer ID in the name of Rajinder Kumar. The Developer ID has since been revoked by Apple.
This latest version of OSX/KitM used a Romanian C&C server called liveapple.eu during the period of attack, December 2012 to early February 2013. The spear phishing used an attachment called Christmas_Card.app.zip. (Remember, the attack started in December.)
So, that brings us to this bit of advice for those of you who might be targets.
This is the default "Gatekeeper" security setting:
Mac App Store and identified developers
This is the setting that you want, unless you're actively installing software:
Mac App Store
This is the prompt that results when OSX/KitM attempts to install with the stricter setting:
If you're running OS X Mountain Lion or Lion v10.7.5 — adjust your settings as an extra layer of precaution.
The Mac spyware discovered at the Oslo Freedom Forum last week is apparently connected to larger espionage efforts — and those efforts look to be connected to India.
Yesterday, the folks from Norman released their Hangover Report.
HANGOVER REPORT (tot.114pg): Indian APT group hacked Telenor, others; related to the MacOS trojans found at OFF blogs.norman.com/2013/security-…
— Snorre Fagerland (@SnorreFagerland) May 20, 2013
Snorre Fagerland has confirmed a connection to the C&Cs used by Backdoor:OSX/KitM.A.
LulzSec – the rockband of hacker groups – had three of their six members sentenced today in London.
LulzSec made headlines during their "50 days of Lulz" in May-June 2011, during which they attacked Fox, PBS, Sony, Nintendo, Sega, Minecraft, Infragard, NHS, US Senate, SOCA and CIA. They also recorded and published a conference call between US and European law enforcement officials, discussing police tactics against LulzSec.
LulzSec was different from most other attackers, as they weren't doing their attacks to make money or to protest. They did it for Teh Lulz. Also, they had no sense of self-preservation, which led to taking them down.
The Oslo Freedom Forum is an annual event "exploring how best to challenge authoritarianism and promote free and open societies." This year's conference (which took place May 13-15) had a workshop for freedom of speech activists on how to secure their devices against government monitoring. During the workshop, Jacob Appelbaum actually discovered a new and previously unknown backdoor on an African activist's Mac.
Our Mac analyst (Brod) is currently investigating the sample.
