Analysis Why does Bitcoin work? Fraudsters should have left it in cinders years ago, and might have done, if it wasn’t for two things: spam and the Byzantine Empire.
A Bitcoin is basically an entry in a ledger that is distributed across a network of computers. Bitcoins are transferred between parties by noting the transaction in the ledger. This might sound just like any other banking system except there’s a crucial difference: no one is in charge of the ledger.
It’s held across a network of computers and anyone can add their computer to the network when they wish – or leave when they wish. This may seem crazy, and an easy way for fraudsters to join the network and get their computer to update the ledger to give themselves new Bitcoins.
In 1997, a British cryptographer called Adam Back proposed an anti-spam approach called Hashcash. The basic idea was to make an email message contain proof that a computationally difficult problem, specific to the contents of the message, had been solved. Any email that didn’t contain this proof would be discarded by the recipient’s email server.
Ordinary users of email wouldn’t be inconvenienced because the amount of work for one email message would be tolerable, but spammers would be deterred because it would add up to a huge amount of money, in the form of the huge electricity bill run up by all the computers they’d need to buy to solve the mathematical problems.
In the end it didn’t work out as an anti-spam technique partly because spammers today use botnets, which are vast armies of hijacked computers. But the idea behind Hashcash was picked up and used for Bitcoin.
Coining it … how does Bitcoin stack up against national currencies?
The basic idea behind Bitcoin is that blocks of transactions are chained together, each new block of transactions referring to the previous one. A block is validated by having a value computed for it that matches the hash signature of the block, with the difficulty of the matching calibrated automatically by the network. As members of the network get faster (using faster computers or entirely new generations of hardware engineered specifically for the task), the computation gets more difficult. It is designed to always take about ten minutes to match the hash.
A block cannot be altered without once again performing the computation and adding the proof-of-work to it. But crucially, this must then also be repeated for the block that was chained to it (since the proof of work for that block now will not match). It is a little like trying to alter a company’s accounts from a few years back: the balance sheet and profit-and-loss statements won’t tally forward properly, so each subsequent year will have to be changed too.
Historian William Lecky wrote in 1869 of the Byzantine Empire: “The universal verdict of history is that it constitutes, without a single exception, the most thoroughly base and despicable form that civilization has yet assumed.” Harsh, certainly. Byzantine has become a byword for treachery – and it is the basis for a classic problem in computer science: the Byzantine Generals Problem.
This challenge involves working out how to reach a valid consensus among a set of military generals when some of them are traitors and will send fraudulent messages. This is exactly the problem Bitcoins must face on the internet. The solution to the problem is voting. The Bitcoin network maintains the integrity of its ledger by the loyal members collectively outvoting traitors.
If a traitor computer tries to alter a transaction (undoing a payment to take back the money, for example) then it must also alter the transactions in blocks that came after. But because of the Hashcash approach this is computationally challenging and painfully slow, and by the time it has done this more blocks will have been chained by the rest of the network.
Thus, it is futile for a fraudster to compete with the rest of the Bitcoin network unless he can outpace it.
The wretched hive of scum and villainy on the internet generally cannot nobble the currency: even if they amassed a huge botnet of a million hijacked Windows machines it would be unlikely to exceed 6TH/s (trillion hash operations per second) yet the Bitcoin network is currently running at 58TH/s. Furthermore the performance of the Bitcoin network is set to grow quickly as dedicated chips (ASICs in other words) in Bitcoin mining rigs push PCs into obsolescence – and these rigs do not run Windows. There remains a risk that a well-funded organization (perhaps governmental) could amass the dedicated computing power required to swamp the Bitcoin network.
Defending against this risk is one of the motivations of engineers such as Yifu Guo at Avalon to get ASICs widely adopted.
Next page: Can you keep a secret? Bitcoin doesn’t
Security expert Raul Siles has warned that years after it was first identified, the Preferred Networks List (PNL) Wi-Fi bug remains unaddressed on many an iPhone, Android phone, and Windows or BlackBerry handset.
The problem itself is simple enough, reports HelpNet Security. When searching for networks, a poor Wi-Fi implementation can result in a device exposing its PNL list to eavesdroppers. This could allow an attacker to spoof one of the network that appears on the user’s list, becoming the vector for a man-in-the-middle attack.
PNL disclosure remains a problem in Android 2, 3 and 4, may occur when users add networks manually in iOS 1-6, and in BlackBerry 7, according to Siles. It has also been fixed in some versions of Windows Mobile.
Some mobile operating systems (BlackBerry, for example) give users enough control that the problem can be fixed manually – but only, Siles said, if the user knows there’s a problem and knows how to fix it.
Given the growing popularity of BYOD in the business environment, there’s the added danger of a fake preferred network being used to capture corporate logins. System administrators need to ensure that devices hide Wi-Fi network data (where this is possible), and Siles called for Android to be upgraded to allow users to hide new networks.
I need to stress that these types of client attacks are commonly left unchecked and without consideration, the modern smartphone could become the ultimate digital “Trojan Horse”, allowing attacks to breach ultra-secure locations.
The infamous APT1 cyberespionage crew is diminished but not defeated following its public exposure three months ago.
Mandiant, the cyber security intelligence firm that d0xed APT1, detailing its tools and tactics as well as its affiliation to a Chinese People’s Liberation Army unit, has published a follow-up report this week describing it as “active and rebuilding”. APT1 was the most prolific cyber-espionage outfit tracked by Mandiant, of around 20 such groups within China.
Since its exposure, the operation has shifted towards the use of new tools and attack infrastructures while other similar outfits are carrying on much as before, Mandiant concludes in a blog post:
Mandiant’s report and the simultaneous release of 3,000+ indicators hindered APT1’s operations by causing the group to retool and change some operational methodology. Since the report, APT1 has stopped using the vast majority of the infrastructure that was disclosed with the release of the indicators.
However, APT1 maintained an extensive infrastructure of computer systems around the world, and it is highly likely that APT1 still maintains access to those systems or has utilised those systems to establish new attack infrastructure in the last three months.
One thing that has not changed is the activity level of many of the 20+ Advanced Persistent Threat (APT) groups of suspected Chinese origin that Mandiant tracks. These groups are still very active and Mandiant has observed no significant changes in their operations after the release of the APT1 report.
These groups also conduct cyber espionage campaigns against a broad range of victims and, based on Mandiant’s observations, they were not directly affected by the release of the Mandiant APT1 report.
The Mandiant report – which exposed the alleged methodology and targets of APT1 in some detail – has propelled the issue of China-based cyber-espionage geared towards the theft of intellectual property up the political agenda. Groups like APT1 typically use tactics such as zero-day exploits and spear phishing to run cyber-espionage campaigns against targets in multiple sectors, including defence contractors, government agencies, NGOs, the media, oil and gas production – and many more.
“The subject of Chinese attacks, such as those conducted by APT1, seems poised to stay front and center on the diplomatic agenda where, according to the New York Times, it will be a ‘central issue in an upcoming visit to China by President Obama’s national security adviser, Thomas Donilon’,” writes Dan McWhorter, Mandiant’s managing director for threat intelligence.
Mandiant’s findings run contrary to earlier expectations that public exposure might result in the dismantling of the Comment Crew. A few optimists even expected to see a more general reduction in the the activity of other Chinese cyber espionage threat groups.
Cyber Squared, another threat intelligence firm, reported a month ago that APT1 was still in business. However, at the time it said there was no discernible difference in the group’s implant technologies or command and control capabilities. The group’s target selection process also remained unaltered, according to Cyber Squared. ®
The US electricity grid is under near constant attack from malware and cyber-criminals, yet most utility companies implement only the barest minimum of security standards, according to a new report released by Congressmen Ed Markey (D-MA) and Henry Waxman (D-CA).
“National security experts say that cyber attacks on America’s electric grid top the target list for terrorists and rogue states, yet we remain highly vulnerable to attacks,” Markey said in a statement. “We need to push electric utilities to enlist all of the measures they can now, and push for stronger standards in Congress that will keep our economy and our country safe from cyber warfare.”
Among the report’s findings, more than a dozen utilities surveyed said their systems were under “daily,” “frequent,” or “constant” attack, with one claiming to be the target of around 10,000 attempted cyber-attacks each month.
Yet although the companies admitted to being the targets of attacks, most said they complied only with mandatory cyber-security standards set by the North American Electric Reliability Corporation (NERC).
Only 21 per cent of investor-owned utilities, 44 per cent of municipal or cooperatively-owned utilities, and 62.5 per cent of federally-owned utilities said they had taken any additional, voluntary “Stuxnet measures,” as the report terms them.
Stuxnet, as most Reg readers will recall, was the mysterious malware that infected supervisory control and data acquisition (SCADA) systems in plants related to Iran’s nuclear enrichment facilities in 2010. Many security researchers believe it was a targeted attack initiated by the US government – and if the US can do it, then so can its enemies.
The report calls out the power grid as a particularly high-profile target for attacks because of its critical importance to industry and infrastructure. According to the report, power outages and disturbances are estimated to cost the US economy between $119bn and $188bn per year, with individual events costing $10bn or more.
“Cyber-attacks can create instant effects at very low cost, and are very difficult to positively attribute back to the attacker,” the report states. “It has been reported that actors based in China, Russia, and Iran have conducted cyber probes of U.S. grid systems, and that cyber-attacks have been conducted against critical infrastructure in other countries.”
By way of example, the report cites the 2012 malware attack on Saudi Aramco, Saudi Arabia’s massive, state-run oil company, which infected some 30,000 computers.
To help harden US infrastructure against such attacks, Markey and Waxman would like to see Congress grant the Federal Energy Regulatory Commission (FERC) additional authority to draft and enforce cyber-security standards among power utility companies.
The report points out that although President Obama signed an executive order in February 2013 identifying critical infrastructure areas and establishing a voluntary cyber-security framework, only an act of Congress can empower agencies to police the standards.
The full text of the report is available here. ®
China is responsible up to 80 per cent of US intellectual property theft, which a government report has estimated accounts for $300bn in lost exports, roughly the equivalent of the current American trade balance with Asia.
“Unless current trends are reversed, there is a risk of stifling innovation, with adverse consequences for both developed and still developing countries,” the IP Commission report warns. “The American response to date of hectoring governments and prosecuting individuals has been utterly inadequate to deal with the problem.”
The commission, headed by the former ambassador to China and Republican presidential candidate Jon Huntsman, former director of national intelligence Admiral Dennis Blair, and aided by former Intel boss Craig Barrett, has spent the last year examining the state of IP theft in the US, and the results aren’t pretty.
An estimated 70 per cent of US corporate assets are tied up in “intangible assets” such as intellectual property, and around 6 per cent of this is being lost in IP theft every year, according to the commission. If China operated at the same level of IP law as the US, the result would be an estimated $107bn in additional annual sales for American companies and net employment could increase by 2.1 million jobs.
The most immediate problem is that US companies are being directly harmed by IP theft. The report cited a recent case where a US firm had perfected a miniaturized smartphone component, only to have its designs (and markets) stolen when Middle Kingdom companies undersold them using the purloined material.
China was also fingered in a US Senate Armed Services Committee investigation that found over 1,800 counterfeit electronic and mechanical products that were traced back to over 100 Chinese firms. Some factories building these fake goods employ 15,000 people at a time.
Other countries are also taking part in skinning the US on IP, according to the report.
“Russia, India, and other countries constitute important actors in a worldwide challenge,” it states. “Many issues are the same: poor legal environments for IPR, protectionist industrial policies, and a sense that IP theft is justified by a playing field that benefits developed countries.”
This is all leading to the long-term effect of discouraging research and development by US companies, the report suggests. There’s little point in spending vast amounts on RD if someone’s going to steal the result and manufacture it offshore.
The report makes 21 recommendations, with the initial push being legislative. Congress needs to view IP theft as a matter of national security, the report suggests, and a foreign company’s record on the issue must be taken into account when deciding whether to allow foreign investors to operate in the US and use its banking and financial services.
Disclosure laws also have to be beefed up, so that when US companies suffer theft they have to report it and can be held accountable. The US should move away from the policy of trying to persuade governments to enforce IP laws and be more willing to use bodies like the International Trade Commission to pursue claims.
The report says increases are needed in the funding and investigative capabilities of the FBI and Department of Justice to go after IP offenders and, somewhat more controversially, it also recommends US companies should be freed up to take measures to fight back against attackers and retrieve stolen information.
“Currently, Internet attacks against hackers for purposes of self-defense are as illegal under U.S. law as the attacks by hackers themselves,” the report states. “If counterattacks against hackers were legal, there are many techniques that companies could employ that would cause severe damage to the capability of those conducting IP theft.”
Finally, offending companies must be penalized in cases of proven theft, to reduce the financial incentive for crime. This could involve a tariff on Chinese imports amounting to 150 per cent of the estimated value of IP theft and/or the withholding of an equivalent amount from the World Health Organization budget.
All this will make uncomfortable reading for President Obama as he prepares for his first meeting with the new Chinese president Xi Jinping next month. No doubt they will have lots to talk about on the IP front. ®
AUSCERT 2013 First the good news: for all the known vulnerabilities that exist in the SCADA world, exploiting them in a way that can actually “shut down a power plant” is harder than most people (particularly including media) realise.
That’s the reassuring view put forward by Mark Fabro of Lofty Perch, in his spot at this year’s AusCERT 2013.
That’s because even though in a fairly short time the number of known vulnerabilities in programmable logic controllers (PLCs) has gone from zero to 171, turning the existence of a vulnerability into a successful exploit is a much more complex task than merely launching an attack against the individual device.
The industry, he said, is “stuck in a bit of a funk” thinking that one vulnerability will bring down whole systems – chiefly because we forget that one of the main points of SCADA systems is to present information to an operator.
If an operator sees systems starting to raise alarms or doing things that aren’t in his operational manual, Fabro said, it’s expect the operator to take some sort of action, or at least investigate what’s going on. So to go from “here’s a vulnerability in one system” to “here’s a nationwide blackout” takes a lot more effort than we believe.
However, Fabro said, as attackers become more sophisticated and learn ore about both the SCADA systems and their control environments, the likelihood of more dangerous SCADA-based attacks increases.
A key part of defending against those attacks that may occur, he said, is to start with a thorough understanding of the “kill chain” – the number of steps and scenarios an attacker is forced to step through to achieve what they want.
Breaking into a system, finding its control system, presenting false information to an operator, and then exploiting the attack doesn’t sound too difficult. However, to attack the bulk power system, Fabro said “the attack tree we’ve built contains 143,000 scenarios the attacker would need to get by”, and if any one of those fails, “he can’t get in”.
And if you’re spotting a pattern emerging, you’re right: the operator isn’t just an important point of defence, but also the biggest weakness.
“Time and time again people are the vector, the kill-chain’s tipping point is at people,” he said. “An individual who was tricked and had done something inappropriate – clicked on the link in the e-mail, let someone into the facility.”
It points to a difficult cultural problem in defending industrial control systems, because in trying to instil a new security culture, “the people you’re risking upsetting are the ones you’re relying on to run the system.” ®
Provider Ticket Zone is continuing a joint investigation with Brentford Football Club after it emerged that card details used to buy tickets for the League One playoff final last weekend were subsequently used for fraudulent purchases.
Yeovil beat Brentford 2-1 to reach The Championship on Sunday, piling on further misery for many Bees’ supporters who had been stung by the fraudulent purchases. Fan Derek Abbey first heard of the apparent scam on a Bees’ forum before discovering £380 in fraudulent Oyster Card payments had been deducted from his account, the BBC reports.
Reg reader Faisal told us he was also hit.
“It appears that fraudsters were able to access my online banking account and I don’t think it was my PC that was compromised,” he said.
These cases were far from isolated, prompting Brentford and Ticket Zone to launch a joint investigation. Initial forensic work points to a “man in the middle” attack rather than a problem on Ticket Zone’s systems or something linked to malware on consumers’ PCs, the latest statement on the investigation explains.
Brentford Football Club is continuing its investigation to find out why some card details of those using Ticket Zone to purchase tickets for the npower League One Play-Off Final were compromised.
The Club learned last week that some cardholder data from those buying tickets for the match online had been used fraudulently.
An investigation was immediately launched and initial forensic work pointed to a “man in the middle” attack.
An independent investigation of Ticket Zone’s systems and those of the specialist online queuing company, Queue-it, is now underway and the Police Active Fraud Department have been informed about the security incident and are also investigating.
An investigation as serious as this will not, unfortunately, be resolved quickly.
Brentford FC acknowledged a “great deal of inconvenience has been caused to supporters” and promised it “will not rest until the full details of what has happened have been made public”. It encouraged fans to report problems to Ticket Zone, the official club online sales ticketing partner.
An earlier statement, issued shortly after complaints began and the investigation was launched last week, states that Ticket Zone does not store customer card data.
Ticket Zone does not store customer card data at any point and all information is stored in a secure token system that is approved and provided by its banking partner.
Further examinations have also been undertaken in conjunction with the Danish IT company, Queue-it, who provided the front-end queuing system ahead of the Ticket Zone site.
Once again, all systems are shown as clean.
However, following an investigation, it has been noted that a small number of attempts to access the site from unknown web destinations have arrived through unauthorised links shared via social media sites.
Ticket Zone has commissioned forensic specialists to assist their own technical teams with the on-going investigations.
All investigations point towards a MITM “man in the middle” attack intercepting internet traffic prior to landing on the queuing site.
An attack like this would allow a fraudulent third party to record key strokes as they are being made on the customer’s own browser.
When this occurs, neither the customer or Ticket Zone is aware that fraudulent data capture is taking place behind the scenes.
The crime has been reported to the Police via Active Fraud UK and they are now investigating this on Ticket Zone’s behalf.
Supporters of Bradford City buying tickets through Ticket Zone for the League Two play-off final may also have been hit by fraud, according to local reports in Yorkshire. The pattern of fraud seems to be much the same as in the Brentford case, with one Bradford fan getting hit with a £900 fraudulent PayPal charge and another getting stung for £50 in scam mobile phone top-up charges. The fraud involving Bradford City fans have also become the subject of a police investigation, the Bradford Telegraph Argus reports.
Bradford City FC, which gained promotion to League One in a League Two play off final at Wembley last Saturday, is yet to comment on the matter.
Ticket Zone is yet to respond to our request to comment on the matter. We’ll update this story as and when we hear more. ®
Skyhigh Networks has trousered $20m from VC firms keen on the security company’s tech for snooping on corporate networks and locking down banned apps.
The $20 megabuck Series E investment round was led by Sequoia Capital along with pre-existing investors Greylock Partners, the company announced on Tuesday.
By scanning networking traffic from logs from firewalls, proxies, and web security gateways, the company’s tech can sniff out network traffic that matches up with any of its 2,000 or so profiled cloud apps. It can then rank the security of them via 30 different factors and even let admins shut access to those apps that may warrant security concerns.
In the past Skyhigh told us that one of its customers found upon installing the agent-based snooping technology that it was using 46 cloud storage services within its own organization.
To coincide with the funding Skyhigh announced its 30-in-30 challenge, which guarantees that the company’s tech will “uncover “at least 30 unknown cloud services in use by their organization in 30 minutes”.
This round of funding brings the company’s total investment to date to $26m. The money will go on expanding the company’s engineering teams in Cupertino, USA, and Banaglore, India, and hiring people for sales and marketing roles in US, Europe and Asia.
The company is currently at 62 employees and hopes be at 100 by close of 2013 and 200 by 2014, Skyhigh Networks’ chief executive Rajiv Gupta told us. “Hiring will be approximately evenly split across sales, marketing, and engineering,” he said.
As for the company’s technology, the $20m will go on a broad swathe of improvements to its discovery, analysis and control strands. The $20m investing comes alongside Blue Coat gobbling network packet surveillance firm Solera Networks, whose tech offers a more granular traffic-view of security rather than app-view. ®
An investigation into a security slip that left the identity information for over 170,000 users of a US federal government program publicly available online has led to accusations of hacking and legal threats.
The Scripps News investigative team spent the last month studying companies running Lifeline, a federal program to supply cheap fixed or mobile phone access for low-income households. Lifeline was set up by President Reagan and is paid for by a $2.97 surcharge on telecoms bills.
The team found that two of the commercial companies in the scheme, TerraCom and affiliate YourTel America, had cached application forms for Lifeline on unsecured web servers – forms containing names, Social Security numbers, dates of birth, and details of other government programs potential users were registered for.
“Every single piece of information that we either viewed, or used to view records, was all 100 per cent publicly accessible,” reporter Isaac Wolf told The Register. “It was all freely posted online and was not password protected.”
In a video showing the exploit, Wolf found a large chunk of private data simply by searching Terracom’s site on Google for a particular file type. Page two of the search results showed a Lifeline application form on plain view and a domain search of the site revealed more files on public view.
Before publishing the story, Scripps got in contact with the companies involved and asked for an interview. While the security hole was quickly fixed and users’ data password-protected, the investigative team received not an interview but a legal letter threatening prosecution under the Computer Fraud and Abuse Act (CFAA).
The letter, which refers to the investigative team as the “Scripps Hackers,” claims they used the GNU Wget code to download the files from the web. It claims the team tried (unsuccessfully) to break into password-protected accounts at its Vcare hosting company, and says downloading 19,000 application forms and 120,000 proof files does not show “solely journalistic intent.”
The controversial CFAA legislation – introduced in 1986, before the World Wide Web even existed – was the legislation used to prosecute internet activist Aaron Swartz. It’s currently under review in Congress, although politicians are looking to extend its reach, rather than reforming the law.
Under a strict interpretation of the CFAA, lying about your age on a dating site could be criminal as well as stupid, and a clever lawyer might argue that a script like Wget constitutes an attempt to hack a site. If so, then jail time and fines can be levied.
“A digital forensics investigation by TerraCom has revealed that the news service used sophisticated computer techniques and non-public information to view and download the personal information of applicants,” TerraCom COO Dale Schmick told The Register in an email. “The news service had to identify non-public directories in TerraCom’s computer system and decipher sophisticated URL addresses that included sequences of 14 random numbers to download the 170,000 files they now have in their possession.”
A TerraCom spokesman said that the team used knowledge that was well beyond simple internet searches, because the investigators also got information by fiddling with URL data to fish for unprotected information.
The company accepts responsibility for the security breach and has fixed the issue, the spokesman told El Reg, but is in “ongoing discussions” with federal and state regulators and law enforcement about the case. Scripps Scripps News denies that it accessed any non-public records and points out that TerraCom has declined numerous interview requests to go over the evidence.
If charges are brought, then the knock-on effect for security researchers could be severe. Normally El Reg would assume the Scripps team could beat the charges, but in this judicial climate there’s always the possibility it won’t. ®
Twitter has joined the growing number of companies offering two-factor authentication to prevent logins being stolen – a fate several high-profile users of its service have suffered recently.
A new checkbox is being added to the Settings pages of Twitter accounts to enable the new feature. When checked, an SMS message containing an authentication code will be sent to a nominated phone before allowing access to the user’s account, so long as the phone’s carrier supports the function.
“With login verification enabled, your existing applications will continue to work without disruption,” Twitter’s security team manager Jim O’Leary said in a blog post.
“If you need to sign in to your Twitter account on other devices or apps, visit your applications page to generate a temporary password to log in and authorize that application.”
Security is a sensitive topic for Twitter at the moment, thanks to a series of attacks on media sources from the self-styled Syrian Electronic Army (SEA). The hacking group has been hijacking accounts for the last few months to push pranks and propaganda – a tactic that doesn’t so much terrorize as mildly inconvenience.
The Dow suffered a blip after the SEA pwned AP’s Twitter feed and put out a message about a terrorist attack on the White House. Other hijackings targeted Reuters (repeatedly), AFP, the BBC, and Al-Jazeera, and Twitter was forced to tell the world’s hacks to sort themselves out. Then The Onion got hit.
Unlike its companions in the media, The Onion published a full rundown of the tactics and their source, with advice on how to stop this happening in the future. According to its tech support team, the site was hit by a triple-pronged assault on the Google accounts of its staff.
Emails started to appear in Onion inboxes reading “Please read the following article for its importance,” and containing a link appearing to lead to a Washington Post piece. The emails weren’t spammed out to all staff, just trickle-fed to look like background noise, the tech team recounts.
One employee fell for it (there’s always one) and his account was used to forward it on to more staff. This time two staff fell for it, since the source was trusted, but one of them had the passwords for the site’s social media accounts.
After discovering the first attack, the tech team sent out a company-wide email warning everyone to change their passwords ASAP. But the hackers had already found an orphaned account and used it to spam out the same link, this time masquerading as a password reset button. Two more employees, one with the Twitter login details, got hijacked.
At this point, The Onion‘s editorial team got into the fight, publishing a number of stories lampooning the incident with headlines like “Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Deaths At Hands Of Rebels.”
This taunting was too much, and the SEA began using the Twitter feed to post a barrage of propaganda, odd false headlines, and the usual anti-Israel rants. Using the information gained from the posts, the IT team then pushed the red button and forced an email reset on every account.
But despite the warnings, the SEA attacks have carried on being successful, with the Daily Telegraph and Financial Times both temporarily losing control of their social networking feeds in the last week. It’s hardly the hacking Hollywood blockbusters are made of, but sources familiar with the project said the resultant fuss had led to a faster deployment of two-factor.
Twitter is not the first to make two-factor an option, and it had better not be the last. The technology isn’t perfect and can still be subverted, but it’s a useful protection when the attackers prefer to harvest the low-hanging fruit (as a rule). Some companies, based on current form, should get implement Twitter’s system immediately. ®