Search This Blog

Showing posts with label Users. Show all posts

Twitter: Five Changes to the Platform for Users by Elon Musk

 

Three months have passed since Elon Musk stormed into Twitter's San Francisco headquarters, and the company has barely escaped the spotlight. We've talked a lot about his thoughts on the social network and some of his more controversial business decisions, such as laying off 50% of the workforce, but less about how the platform's 237 million monthly active users use it on a daily basis.

1. Restricting alternative Twitter viewing methods

Twitter appears to have suspended access to its API, which is used by other platforms to communicate with it. So, if you use a social media manager to access your account rather than the Twitter app or website, you may discover that Twitter is not currently working with it. It's unclear whether the move was intentional, but many experts believe it was.

"My guess is that this is because those third-party apps do not show ads and they allow the user to manage their feed as they see fit, which is at odds with Musk's plans to put more ads in front of users' eyeballs and prioritize the tweets of people who have paid for Twitter Blue," said tech commentator Kate Bevan.

Although Twitter has not made an official announcement, popular apps that appear to be struggling include Tweetbot, Fenix, and Twitterific.

2. Maintenance

The order in which tweets appear on people's timelines is perhaps the most noticeable change. A new tab allows you to select between the most recent tweets from people you follow and those recommended by Twitter.

If you're using an iPhone, you'll see two columns at the top, "for you" and "following"; if you're using an Android device, you'll see a star icon on the top right-hand side of the screen. The problem is that many users did not notice or were unaware that the app occasionally reverted to Twitter's curated "for you" feed. There have been complaints that this feed is mostly made up of Twitter recommendations and interactions between people you follow and people you don't know, rather than the content you chose to follow in the first place.

Others, on the other hand, don't mind: "Some days I want to go to a restaurant with just my friends, some days I'll pitch up at the pub and see who's in...can be fun," one Twitter user explained.

3. Reintroduction of contentious accounts

Mr Musk began with some high-profile accounts that had previously been banned for violating Twitter's rules. They included Ye (rapper Kanye West), who was barred from sharing anti-Semitic posts, influencer Andrew Tate (who is currently being held in Romania on charges of people trafficking), and former US President Donald Trump, whose tweets were accused of inciting the Capitol Hill riots in January 2021.

4. Twitter's Blue

Twitter's subscription service, Twitter Blue, launched at the end of November after a few false starts. The $8/$11 (£6.50/£9) monthly fee guarantees access to extra features such as an edit button, increased visibility, and fewer ads. Anecdotally, it appears to have attracted a reasonable number of subscribers, but not a large number - though, as usual, no official news about its success has been released thus far.

5. Ticks of silver and gold

Twitter's "blue tick," which is now a sign of a subscriber, was previously a symbol of a verified account. It was given to the accounts of hand-picked celebrities, journalists, and brands by Twitter to indicate that they were not fakes.

Those who acquired a blue tick under the old regime still have them, along with a message explaining that it is a "legacy" and "may or may not be notable". As a result, seeing a blue tick next to an account does not automatically confer authority on that account.

It has been replaced by a gold or silver tick for brands and government figures, so Coca-Cola is now gold, with an explanation that it is an "official business," and Rishi Sunak, the UK Prime Minister, now has a silver badge.

'Spin Master

Twitter had to change whether Mr. Musk was there or not. Its user base and ad revenue had been stagnant for a long time, while rival social networks had sprung up and experienced explosive growth. Twitter is known for being a small but influential platform, but this was not translating into profits.

Mr. Musk is "a master of PR and spin and innovation and creativity", said social media expert Matt Navarra. He is not afraid of causing a stir or tearing up the rulebook. But will his revolutionary tactics turn around the fortunes of this floundering company, which he claims was losing $4 million per day when he took over?

It's difficult to say because Twitter is secretive about its metrics. It is now a privately owned company, as it should be. However, new advertisers do not appear to be flocking to the site, users are complaining about changes to the way their accounts are displayed, and a recent API change has irritated developers, a community that Twitter needs to help it grow.

Mr. Navarra of his own user experience of engaging with 150,000 followers said, "The vibe seems to have shifted and it doesn't seem to be quite what it was before. I don't see any signs of green shoots for a new Twitter."

The Urlscan.io API Unintentionally Exposes Sensitive URLs and Data

 

Researchers have issued a warning about enterprise software misconfigurations that result in the leak of sensitive records on urlscan.io. 
Urlscan.io is a website scanning and analysis platform. The system accepts URLs and generates a wealth of data, including domains, IP addresses, DOM information, and cookies, as well as screenshots. According to the developers, the engine's goal is to enable "anyone to easily and confidently analyze unknown and potentially malicious websites."

Many enterprise customers and open-source projects are supported by Urlscan.io, and an API is provided to integrate these checks into third-party products. GitHub alert Positive Security stated in a blog post published today (November 2) that the urlscan API came to its attention as a result of an email sent by GitHub in February warning customers that GitHub Pages URLs had been accidentally leaked via a third-party during metadata analysis.

“With the type of integration of this API (for example via a security tool that scans every incoming email and performs a urlscan on all links), and the amount of data in the database, there is a wide variety of sensitive data that can be searched for and retrieved by an anonymous user,” the researchers say.

Positive Security discovered that this could include urlscan.io dorks, password reset links, setup pages, Telegram bots, DocuSign signing requests, meeting invitations, package tracking links, and PayPal invoices after further investigation.

Pingbacks to leaked email addresses appeared to indicate that the culprits were misconfigured security tools that submitted links received via email as public scans to urlscan.io. Many API integrations, for example, used generic python-requests/2.X.Y user agents that ignored account visibility settings, allowing scans to be incorrectly submitted as public.

Misconfiguration of SOAR

Positive Security contacted a number of leaked email addresses and received only one response: from a company that sent an employee a DocuSign link to their work contract and then launched an investigation. The employer discovered that the problem was caused by a misconfiguration of their Security Orchestration, Automation, and Response (SOAR) playbook, which was integrated with urlscan.io.

Positive Security investigated historical urlscan.io data and discovered misconfigured clients that could be abused by scraping the system for email addresses and sending them unique links to see if they appeared on urlscan. Password resets for many web services can be triggered for users of such misconfigured clients, and the leaked link can be used to set a new password and take over the accounts.

Speaking to The Daily Swig, Fabian Bräunlein, co-founder of Positive Security said that this attack vector could be triggered “for personal services like banking or social media or company services such as for popular SaaS or custom applications.

“For many SaaS providers, access to an email address with a certain domain is already sufficient to gain access to internal company data (e.g. chats or code repositories),” Bräunlein added. “In such a case, an attacker does not even need to take over existing accounts but can just create new accounts at interesting services.”

Urlscan  Overhaul

Positive Security reported its findings to urlscan.io once the impact of the issue assessment was completed in July. As a result, the cybersecurity firm and urlscan.io developers collaborated to resolve the issues discovered, resulting in the release of a new engine version later this month.

The updated software features an improved scan visibility interface as well as team-wide visibility settings. Urlscan.io later published Scan Visibility Best Practices, which explain the security benefits and risks posed by the three visibility settings users select when submitting a URL: 'Public,' 'Unlisted,' and 'Private.'

Urlscan.io has also contacted customers who have submitted a large number of public scans and has started reviewing third-party SOAR tool integrations. Finally, the developers added deletion rules, highlighted visibility settings in the user interface, and included a report button to disable problematic search results.

“Security teams that run a SOAR platform must make sure that no sensitive data is leaked to the public via integrations of third-party services,” Bräunlein commented.

Urlscan GmbH CEO Johannes Gilger told The Daily Swig: “We welcome the research performed by Positive Security and appreciate their professional conduct while working with us to identify the scope and source of these inadvertent information leaks.

“We have improved the visibility of the relevant settings on our platform, we have educated our users about the issue through a dedicated blog post and we continue to work with third-party automation providers to ensure adherence to safe default behaviors. A platform like urlscan will always carry the risk of unintended information disclosure due to the nature of its operation, so we take every available measure to minimize the likelihood of these things happening.”

7-year Android Malware Campaign Targeted Uyghurs: Report

 

A long-running surveillance and espionage campaign targeting one of China's largest ethnic minority groups has been revealed by researchers. Palo Alto Networks discovered the "Scarlet Mimic" group in 2016, which was initially spotted targeting Uyghur and Tibetan rights activists. 

Although the Chinese government has long oppressed and spied on these and other minority groups in the country, no direct attribution of this group's activities to Beijing is currently available. Check Point explained in a new report this week that Scarlet Mimic's mobile malware dates back to 2015. 

“The malware is relatively unsophisticated from a technical standpoint. However, its capabilities allow the attackers to easily steal sensitive data from the infected devices, even perform calls or send an SMS and track their location in real-time,” said Check Point.

“This makes it a powerful and dangerous surveillance tool. This tool also allows audio recording of incoming and outgoing calls, as well as surround recording.”

It has since identified 20 variants of the MobileOrder Android spyware, the most recent of which was discovered in mid-August of this year.

“The malware is relatively unsophisticated from a technical standpoint. However, its capabilities allow the attackers to easily steal sensitive data from the infected devices, even perform calls or send an SMS and track their location in real-time,” said Check Point.

“This makes it a powerful and dangerous surveillance tool. This tool also allows audio recording of incoming and outgoing calls, as well as surround recording.”

The malware is thought to be hidden in applications with Uyghur-language titles and disguised as PDF documents, photos, or audio. According to Check Point, it is spread through social engineering rather than being made available on the Google Play Store.

“When the victim opens the decoy content, the malware begins to perform extensive surveillance actions in the background. These include stealing sensitive data such as the device information, SMS messages, the device location, and files stored on the device,” the report continued.

“The malware is also capable of actively executing commands to run a remote shell, take photos, perform calls, manipulate the SMS, call logs and local files, and record the surround sound.”

Check Point advised anyone who might be a victim of this campaign to install anti-malware software on their device, use a VPN, and avoid clicking on suspicious links.

"Scarlet Mimic seems to be a politically motivated group. In the past, there have been reports from other researchers that it could be linked to China,” the vendor concluded.

“If true, it would make these surveillance operations part of a much wider issue, as this minority group has reportedly been on the receiving end of attacks for many years.”

This week, Beijing is on the defensive at the United Nations after a long-awaited report from the UN Human Rights Office confirmed evidence of serious human rights violations against Uyghur and other ethnic minority groups in Xinjiang.

Researchers: AiTM Attack are Targeting Google G-Suite Enterprise Users

 

A large-scale adversary-in-the-middle (AiTM) phishing campaign targeting enterprise users of Microsoft email services has also targeted Google Workspace users. 

"This campaign specifically targeted chief executives and other senior members of various organizations which use [Google Workspace]," Zscaler researchers Sudeep Singh and Jagadeeswar Ramanukolanu detailed in a report published this month.

The AiTM phishing attacks are said to have begun in mid-July 2022, using a similar method to a social engineering campaign designed to steal users' Microsoft credentials and even circumvent multi-factor authentication. 

The low-volume Gmail AiTM phishing campaign also includes the use of compromised emails from CEOs to conduct additional social engineering, with the attacks also utilizing several compromised domains as an intermediate URL redirector to take victims to the final landing page.

Attack chains entail sending password expiry emails to potential targets that encompass an embedded malicious link to supposedly "extend your access," tapping which takes the recipient to Google Ads and Snapchat redirect pages that load the phishing page URL.

Aside from open redirect abuse, a second variant of the attacks uses infected sites to host a Base64-encoded version of the next-stage redirector in the URL, as well as the victim's email address. This intermediate redirector is a piece of JavaScript code that directs you to a Gmail phishing page.

In one case, the redirector page used in the Microsoft AiTM phishing attack on July 11, 2022, was revised to take the user to a Gmail AiTM phishing page, connecting the two campaigns.

"There was also an overlap of infrastructure, and we even identified several cases in which the threat actor switched from Microsoft AiTM phishing to Gmail phishing using the same infrastructure," the researchers said.

Overall, the findings suggest that multi-factor authentication safeguards alone are insufficient to defend against advanced phishing attacks, necessitating that users scrutinize URLs before entering credentials and avoid opening attachments or clicking on links in emails sent from untrusted or unknown sources.

New Google Chrome Zero-Day Flaw Being Exploited in the Wild

 

Google launched patches for the Chrome browser for desktops on Tuesday that address an actively exploited high-severity zero-day flaw in the wild. The issue, identified as CVE-2022-2856, has been described as a case of insufficient validation of untrusted input in Intents. 

On July 19, 2022, security researchers Ashley Shen and Christian Resell of Google Threat Analysis Group were credited with discovering the flaw. As is customary, the tech powerhouse has withheld further details about the flaw until the vast majority of users have been informed. 

"Google is aware that an exploit for CVE-2022-2856 exists in the wild," the company said aptly.

The latest update also addresses ten other security flaws, the majority of which are related to use-after-free flaws in various components such as FedCM, SwiftShader, ANGLE, and Blink. A heap buffer overflow vulnerability in Downloads has also been fixed.

This is the fifth zero-day vulnerability in Chrome that Google has fixed since the beginning of the year.
  • CVE-2022-0609 - Use-after-free in Animation
  • CVE-2022-1096 - Type confusion in V8
  • CVE-2022-1364 - Type confusion in V8
  • CVE-2022-2294 - Heap buffer overflow in WebRTC
To mitigate potential threats, users are advised to update to version 104.0.5112.101 for macOS and Linux, and 104.0.5112.102/101 for Windows. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also apply the fixes as they become available.

Uber Admits Covering up Data Breach Involving 57M Users

 

Uber has reached an agreement with the US Department of Justice regarding its cover-up of a data breach in November 2016. In exchange for avoiding prosecution, the ride-hailing company has agreed to assist the DOJ in prosecuting its former top security officer Joseph Sullivan. 

The agreement stemmed from a data breach that compromised the personal information of 57 million people, including both passengers and drivers. The attackers gained access to a secret source code repository and obtained an access key, which they then used to steal the data. 

According to reports, the corporation decided to pay off the criminals while also hiding the breach from the Federal Trade Commission (FTC), which was already examining its security policies at the time. Uber notified the FTC and dismissed Sullivan in November 2017, following the resignation of previous CEO Travis Kalanick and the appointment of new CEO Dara Khosrowshahi. It reached an agreement with the Commission in 2018, agreeing to maintain a privacy programme that includes external audits. It also paid $148 million to resolve disputes with all 50 states. 

In August 2020, the Department of Justice charged Sullivan with obstruction of justice and hiding a felony. In December 2021, it announced new accusations of wire fraud for neglecting to notify Uber drivers that their driver's licences had been compromised. Uber had previously been working with the investigation and will continue to do so under the conditions of the most recent settlement. 

The corporation has agreed to disclose any materials and witnesses needed to help the DoJ prosecute Sullivan. In exchange, Uber and its affiliates are exempt from prosecution in connection with the 2016 data breach. 

According to Ilia Kolochenko, founder of ImmuniWeb and member of the Europol Data Protection Experts Network, Uber may still face a private legal lawsuit.“To void such undesirable situations, companies should take privacy and data breaches seriously, considering their duties and obligations under all applicable laws and regulations,” he said. 

“Having a well-thought-out data breach response plan in place that would include, among other things, swift interaction with internal and external legal teams, media and investors, is crucial to minimize reputational and financial damage of unpreventable data breaches. The close collaboration of technical and legal experts is the next big thing in cybersecurity,” further added. 

Sullivan is a former federal prosecutor who currently serves as Cloudflare's chief security officer. He served as an assistant US attorney in the Northern District of California from 2000 to 2002, where he will be tried in September. He stated yesterday that he will be taking time off from work to prepare for the trial.

Microsoft Exchange Online And Outlook Email Service Hit By Outage

 

Microsoft is investigating an ongoing outage affecting Microsoft 365 services after users experienced problems signing into, accessing, and receiving emails via the outlook.com gateway and Exchange Online. 

"We're investigating an issue with users accessing or experiencing degraded functionality when using Exchange Online and http://outlook.com services," Microsoft stated in a tweet via the company's official Twitter account for updates on Microsoft 365 services. 

Admins were also warned that further information about these ongoing issues may be found in the admin centre under EX401976 and OL401977. 

"We suspect there may be unexpected network drops which are contributing to the degraded experience and are reviewing diagnostic logs to understand why," the company added. 

While Redmond did not indicate the scope of the problem, hundreds of reports on DownDetector have been reported in the last 24 hours by Outlook and Exchange Online customers who have been unable or experiencing difficulty while attempting to log in or email. In an update to the Outlook.com online site, Microsoft also noted that Microsoft 365 subscribers may be unable to access the web portal or any of its features. 

Microsoft explained, "Users may be unable to access or use outlook.com services or features. We're reviewing diagnostic information and support case data to understand the cause and establish a fix. We're investigating a potential issue and checking for impact to your organization. We'll provide an update within 30 minutes." 

Another Microsoft 365 outage occurred in June, affecting consumers worldwide who attempted to access Microsoft Teams and Exchange Online. Redmond rerouted traffic to another, healthy traffic management infrastructure and performed targeted infrastructure restarts to restore service access and functioning. On July 1, Microsoft stated it fixed the issue that caused this outage. 

"We identified a section of our network infrastructure that was performing below acceptable thresholds. We've rerouted connections to alternate infrastructure and that confirmed the issue is resolved," Redmond tweeted.