Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
GoDaddy cPanel Shared Hosting Compromised
Web hosting company and domain registrar GoDaddy has disclosed an attack which has been intermittently redirecting users away from customer web sites. Upon investigation, GoDaddy's admins found the intermittent redirects were happening on seemingly random websites hosted on their cPanel shared hosting servers and were not easily reproducible, even on the same website.
Further investigation uncovered malware, installed by an unauthorized third party who had gained access to servers in the company's cPanel hosting environment. The company claims that "this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy. According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities".
It is unclear how many customers were affected, but a previous breach, in November 2021, affected up to 1.2 million customers of the firm's 'Managed WordPress' platform, while the login credentials of approximately 28,000 hosting customers were compromised in March 2020, according to the company's SEC 10-K filing.
Uncredited, Statement on recent website redirect issues, news release, 16 February 2023. Available online at https://aboutus.godaddy.net/newsroom/company-news/news-details/2023/Statement-on-recent-website-redirect-issues/default.aspx.
Twitter Disables SMS Verification (Unless You Want to Pay to Be Insecure)
For several years now, NIST and others have deprecated the use of SMS text messages as a form of account verification. Also known as mTANs (mobile Transaction Authentication Numbers), these are six-digit numbers which are texted to the user's number in order to verify their logins.
However, these have always been a weak second-factor mechanism for authentication. Phone numbers can be ported - all the attacker needs is a little social engineering, dumpster diving or mailbox theft to get the necessary identity paperwork. Phones can be lost or stolen, and text messages intercepted by other means. And most importantly, a one-time code can be intercepted using a proxy or man-in-the-middle phishing attack.
Now Twitter has announced that it will disable the use of SMS verification from 20 March 2023 - except for Twitter Blue customers, who are paying to display that blue mark, and can apparently pay to be lax about security, too.
Seriously, folks: switch to either an authenticator app (Authy, Google Authenticator, etc.) or - better still - a security key such as a YubiKey.
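To show why a security key is the better choice, here is an added example (mine, not from the post or from any vendor): the relying-party side of a simplified WebAuthn-style login, which checks the origin the browser signed over, beside an OTP check that has nothing to bind. The relying-party origin, the lookalike origin, the credential secret and the use of an HMAC in place of the authenticator's public-key signature are all constructed assumptions and simplifications.

```python
import hashlib
import hmac
import json

RP_ORIGIN = "https://example.com"  # assumed relying-party origin (constructed)

def verify_otp(expected_code: str, submitted_code: str) -> bool:
    """SMS/TOTP check: the code says nothing about where it was typed, so a
    code entered on a lookalike page and relayed by a proxy passes."""
    return hmac.compare_digest(expected_code, submitted_code)

def authenticator_sign(cred_secret: bytes, challenge: bytes, origin: str) -> dict:
    """Simplified WebAuthn 'get' assertion. The browser, not the user, fills in
    the origin it is actually connected to, and the key signs over it.
    Simplification: an HMAC stands in for the authenticator's private-key
    signature so this runs on the standard library alone; real WebAuthn signs
    authenticatorData || SHA-256(clientDataJSON) with a per-site key pair."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True).encode()
    sig = hmac.new(cred_secret, client_data, hashlib.sha256).digest()
    return {"client_data": client_data, "signature": sig}

def rp_verify(cred_secret: bytes, issued_challenge: bytes, assertion: dict) -> bool:
    """Relying-party side: signature must verify, the challenge must be the one
    issued for this login, and the signed origin must be ours."""
    expected = hmac.new(cred_secret, assertion["client_data"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False
    cd = json.loads(assertion["client_data"])
    return (cd.get("type") == "webauthn.get"
            and cd.get("challenge") == issued_challenge.hex()
            and cd.get("origin") == RP_ORIGIN)  # the check an OTP cannot make

def demo(cred_secret: bytes = b"constructed-credential-secret",
         challenge: bytes = bytes(range(32))) -> tuple:
    """Returns (genuine key login ok, relayed key login ok, relayed OTP ok)."""
    genuine = rp_verify(cred_secret, challenge,
                        authenticator_sign(cred_secret, challenge, RP_ORIGIN))
    # Same user, same key, same fresh challenge, but the browser was on a
    # lookalike origin: the signed client data names it, so the RP rejects.
    relayed = rp_verify(cred_secret, challenge,
                        authenticator_sign(cred_secret, challenge, "https://examp1e.com"))
    # A correct six-digit code relayed the same way verifies without objection.
    otp_relayed = verify_otp("123456", "123456")
    return genuine, relayed, otp_relayed
```

A real relying party also checks the rpIdHash and signature counter in authenticatorData; the origin check above is the one that defeats the relay.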
Twitter Inc., An update on two-factor authentication using SMS on Twitter, blog post, 15 February 2023. Available online at https://blog.twitter.com/en_us/topics/product/2023/an-update-on-two-factor-authentication-using-sms-on-twitter.
Apple OK's Security Keys, Too
And while I'm on the topic: Apple has now added support for security keys for Apple ID accounts, too, replacing six-digit security codes for the same reasons.
To use security keys for your Apple ID, you'll need to be running iOS 16.3, iPadOS 16.3, or macOS Ventura 13.2 (or later) and have two-factor authentication enabled. You'll also need at least two FIDO security keys - these can connect using NFC, USB-C or USB-A, using a Lightning-to-USB-C adapter for phones. You may also need to update any old browser versions.
Uncredited, About Security Keys for Apple ID, support note, 5 February 2023. Available online at https://support.apple.com/en-us/HT213154.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.