Twitter launches two-factor authentication, too late to save The Onion

On the heels of the Syrian Electronic Army compromising a number of high-profile accounts—including those of the Associated Press, The Guardian, and The Onion—Twitter has introduced a two-factor authentication feature that should make such attacks more difficult. In a blog post today, Jim O'Leary of Twitter's security team announced the release of "login verification," an optional security measure that requires a verified phone number and e-mail address.

Twitter is a bit late to the two-factor authentication party. Word first spread that Twitter was working on a two-factor authentication scheme in February when the company advertised job openings for security engineers to develop "user-facing security features, such as multi-factor authentication and fraudulent login detection." Google has offered two-factor authentication since February of 2011, and Facebook introduced two-step login approval in May of 2011.

Like Google's two-factor authentication, Twitter's login verification sends a code via SMS to be entered to confirm login. But unlike Google's system, the code will be sent every time users sign in to Twitter through its website. This is the case even if it's from a computer or device that they've logged in from before. The phone has to be enrolled through Twitter's existing SMS service first—you have to text a code to Twitter to verify the phone first, which may not work with some phone carriers. The relationship between phones and accounts is also strictly one-to-one: if you have a shared business account, you're going to need to share a phone number too. If you have multiple accounts and only one phone number, you can only secure a single account.

Read 1 remaining paragraphs | Comments

Spammers Targeting Oklahoma Tornado Victims

Natural disasters, like tornadoes and earthquakes, are quite common in the United States of America. Unfortunately, the Oklahoma City suburb of Moore experienced a violent tornado on Monday, May 20, that sadly resulted in dozens of casualties. Spammers take advantage of natural disasters with luring scams and Symantec Security Response has started to observe spam messages related to this tornado flowing into the Symantec Probe Networks. The top word combinations used in message headlines include:

  • Tornado – hits – Oklahoma
  • Massive – Tornado
  • Huge – Tornado
  • Tornado – survivors

Spammers Targetting 1.jpeg

Figure 1: Oklahoma City tornado spam campaign

These headers have been observed in the spam attack:

Subject: People Killed After Violent Tornado Hits Oklahoma

From: Hottestxxx<[email protected][REMOVED]>

Spammers will always make use of the relief efforts by sending spam emails that urge people to help the survivors of the disaster. Users should be careful when looking for news of recent popular incidents and events. Symantec recommends that users take extra caution with any donations or relief funds and recommends using trusted and secure sites to stay safe.

We predict a rise in malicious attacks and other spam campaigns over the next few days. Do not click on suspicious links or open attachments received in unsolicited emails. Keep your security software up-to-date in order to protect your information from online viruses and scams. We are monitoring this trend around-the-clock to ensure that readers are kept up to date with information on the latest threats.

Power company targeted by 10,000 cyberattacks per month

A Congressional survey of utility companies has revealed that the country's electric grid faces constant assault from hackers, with one power company reporting a whopping 10,000 attempted cyberattacks per month.

US Reps. Edward Markey (D-MA) and Henry Waxman (D-CA) sent 15 questions to more than 150 utilities and received replies from 112 of them. Only 53 of those actually answered all the questions—the others provided incomplete responses or only "a few paragraphs containing non-specific information" without answering any of the questions.

Results from those who did answer show utilities are under continuous assault:

Read 8 remaining paragraphs | Comments

Google Releases Google Chrome 27.0.1453.93

Original release date: May 22, 2013

Google has released Google Chrome 27.0.1453.93 for Windows, Mac, Linux, and Chrome Frame to address multiple vulnerabilities. These vulnerabilities could allow a remote attacker to cause a denial-of-service condition, obtain sensitive information, or execute arbitrary code.

US-CERT encourages users and administrators to review the Google Chrome Release blog entry and follow best-practice security policies to determine which updates should be applied.

This product is provided subject to this Notification and this Privacy & Use policy.