The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Paid security features at Twitter and Meta spark cybersecurity concerns

Analysis by

with research by Vanessa Montalbano

February 21, 2023 at 7:40 a.m. EST
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! If you want to hear the funniest sequence of noises perhaps in the history of the world, watch this video. Do not worry. No frog is actually harmed in the video so far as I can tell, despite its title. I daresay the frog is quite happy at the conclusion of the video.

Reading this online? Sign up for The Cybersecurity 202 to get scoops and sharp analysis in your inbox each morning.

Below: The FBI says it contained a cyberattack, and GoDaddy reveals it was the target of a multiyear hacking operation. First: 

Cyber pros have questions about paid security features at Twitter and Meta

In recent days, Twitter — and to a lesser extent Facebook parent company Meta — has debuted features that gate off stronger security features for those who pay for them.

It’s a development that seemingly goes against a movement by some U.S. government officials and cyber pros for products to offer strong security to everyone at the outset without additional cost.

And while the Twitter Blue feature and the Meta Verified test initiative could improve security in certain ways, both developments sparked concern, to varying degrees, among cyber observers.

“The thing that strikes me is that security should be baked into everything we do, not a paid-for service,” Charles Henderson, global head of IBM’s X-Force threat management division, told me. “It should be on by default.”

What’s happening

Last week, Twitter published a blog post announcing that as of March 20, only Twitter Blue paid users will be able to use a form of two-factor authentication (2FA) that sends text message codes to users to verify their identities after they enter their passwords. 

“While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used — and abused — by bad actors,” the blog post read.

  • Twitter owner Elon Musk later said that these text messages have cost Twitter $60 million a year, although he didn’t elaborate on why or how it was costing them that much.

Separately, over the weekend, Meta — which owns both Facebook and Instagram — said it would begin testing Meta Verified, a paid program that offers enhanced impersonation protections, access to account support and more. 

  • “This new feature is about increased authenticity and security across our services,” Meta CEO Mark Zuckerberg wrote. The tests will begin in Australia and New Zealand.

Twitter last year allowed Twitter Blue subscribers to get blue check marks, which have historically represented “verified” users on the platform. However, the company didn’t require users to provide ID to verify that they were who they said they were, and users impersonated brands like Eli Lilly and Co. The company briefly paused the feature, with Musk saying users would be authenticated. But our colleague Geoffrey A. Fowler was still able to get an account impersonating Sen. Edward J. Markey (D-Mass.) verified.

What’s concerning

The Twitter move, in particular, prompted a lot of worry that popped up on … well, Twitter, naturally.

Here’s Dakota Cary, a consultant with the Krebs Stamos Group, in one typical response:

Twitter’s announcement comes amid a push by federal cybersecurity officials for tech companies to offer security to customers from the start. Earlier this month, Cybersecurity and Infrastructure Security Agency Director Jen Easterly co-wrote an essay with Eric Goldstein, her agency’s executive assistant director for cybersecurity, making their biggest plea to date about putting security features in the base product rather than charging extra for them.

“Secure-by-default products have strong security features — akin to seat belts and air bags — at the time of purchase, without additional costs. Strong security should be a standard feature of virtually every technology product, particularly those that underpin critical infrastructure such as energy, water, transportation, communications, and emergency services,” the pair wrote.

  • They continued: “Attributes of strong security by default will evolve over time, but at a minimum, software sellers must include in their basic pricing features that secure a user’s identity, gather evidence of potential intrusions, and control access to sensitive information rather than as added expensive options.”

Easterly herself tweeted out her concern on Twitter’s move, but said she was encouraged about the attention it gave to multifactor authentication (MFA), often an interchangeable term with two-factor authentication:

One of the most thorough breakdowns of the security worries triggered by the Twitter and Meta moves came from Rachel Tobac, a hacker and CEO of SocialProof Security.

Summarized, Tobac is concerned that forcing people to pay for text-based (also known as SMS) two-factor authentication will push them away from using multifactor authentication altogether. And she’s got questions about whether Meta expanding account support will give cybercriminals a venue to trick customer support employees, as well as how the enhanced impersonation protections will work.

Cybersecurity experts say text message-based forms of two-factor authentication are among the weakest forms, since hackers can intercept them with tactics like sim-swapping, where they trick mobile phone carriers into activating a SIM card in their possession that scammers can then use to take over a victim’s phone number.

But “SMS is vastly better than using a static password” with no two-factor authentication, Bill Malik, vice president of infrastructure strategies at cybersecurity firm Trend Micro, told me.

Still, if text-based two-factor authentication is costing Twitter so much money, one might ask why it’s offering it at all, especially to paying users. Henderson offered the theory that paying users who are using text-based two-factor authentication would be the ones reimbursing its costs.

For Meta, some observers have pointed out that the paid service also requires a government ID to verify a user’s identity, which could make Meta a more tempting hacker target and make a breach worse if criminals obtained those sensitive documents.

Workarounds and responses

Twitter notably isn’t taking away the ability to use multifactor authentication entirely. Users will still be able to employ methods such as Google or Microsoft authentication apps. Here’s security journalist Kim Zetter

Meta, for its part, isn’t taking away any existing security features for nonpaying users, like Twitter is doing. And it already has some capabilities for taking down fake accounts and offering customer support chats.

Meta also securely stores IDs for 30 days before deleting them, Meta spokesperson Gabby Curtis told me. And by better protecting creator accounts that have large followings against impersonation, Curtis explained, that could better protect users who might fall victim to scams from fraudsters pretending to be popular creators.

Twitter did not respond to a request for comment Monday.

The keys

The FBI says it contained breach on its computer network

The FBI has in recent days been working to contain a malicious cyber incident on part of its computer network that has been involved in investigations of child sexual exploitation material, according to people briefed on the matter, CNN’s Evan Perez and Sean Lyngaas report. 

“The FBI is aware of the incident and is working to gain additional information,” the bureau said in a statement to CNN. “This is an isolated incident that has been contained. As this is an ongoing investigation the FBI does not have further comment to provide at this time.”

The people said that the attack likely targeted the FBI’s New York field office — one of its largest and most prominent offices. The bureau has yet to name a suspect. 

Hackers stole GoDaddy source code, installed malware in multiyear breach

Web hosting giant GoDaddy said last week that hackers had access to its computer software for at least the past three years, allowing them to steal company source code and customer and employee data, Sergiu Gatlan reports for Bleeping Computer

In a filing Thursday with the Securities and Exchange Commission, the firm also said that over that period the cybercriminals installed malware onto its systems that redirected customer websites to malicious ones. 

GoDaddy, one of the largest domain registrars, first discovered the breach following customer reports early last December, but later linked it to previous incidents in November 2021 and March 2020. 

In those cases, bad actors “gained access to the email addresses of all [1.2 million] impacted customers, their WordPress Admin passwords, sFTP and database credentials, and SSL private keys of a subset of active clients,” and “used their [28,000 customers] web hosting account credentials in October 2019 to connect to their hosting account via SSH,” Gatlan writes. 

“Based on our investigation, we believe these incidents are part of a multiyear campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy,” the hosting site said in the filing. 

GoDaddy said it is working with law enforcement agencies and external cybersecurity experts to investigate the cause of the breach. 

Spain to extradite British Twitter hacker to U.S.

Spain’s National Court on Friday agreed to a request to extradite a British citizen to the United States over the alleged July 2020 hack of more than 130 Twitter accounts, including those of President Biden, former president Barack Obama, Bill Gates and Elon Musk, the BBC’s Shiona McCallum reports. 

Joseph James O’Connor is wanted by courts in the Northern District of California and the Southern District of New York on 14 charges, including illegal access to computer systems, internet fraud, money laundering and extortion. 

U.S. officials have accused him of hijacking the high-profile Twitter accounts and asking their followers to send bitcoin to an account, promising to double their money.

A court statement said the “necessary conditions” were met for Spain to hand over O’Connor, 23, who was arrested in 2021 in Estepona. The Spanish court also said that he is suspected of hacking the Snapchat account of an anonymous public figure and threatening to publish their nude photos unless he was paid a ransom. 

Spain’s cabinet must first approve the extradition before it is finalized, and his defense team will also have the opportunity to appeal the decision. 

Global cyberspace

Russian state TV website goes down during Putin speech (Reuters)

Researching North Korea online? You could be victim of a malware attack (Tech Radar)

Russia targets Netherlands' North Sea infrastructure, says Dutch intelligence agency (Reuters)

Norway seizes $5.84 million in cryptocurrency stolen by Lazarus hackers (The Hacker News)

Cyber insecurity

Guardian staff forced to work out of former brewery after ransomware attack (The Telegraph )

Lehigh Valley Health Network reports cyberattack from suspected Russian ransomware group (The Morning Call)

Major hack at Virgin Media Television in Ireland ‘contained and terminated’ (The Independent)

Industry report

Semiconductor industry giant says ransomware attack on supplier will cost it $250 million (The Record )

AI is starting to pick who gets laid off ( Pranshu Verma)

Daybook

  • The Atlantic Council holds a discussion with the authors of two new reports on Russian narratives to justify the war in Ukraine on Wednesday at 9 a.m. 
  • The R Street Institute holds a webinar on the state of cybersecurity careers for Black professionals on Thursday at noon. 
  • Former U.S. national security adviser John Bolton will join The Washington Post for a conversation about the war in Ukraine and rising tensions with China on Friday at 11 a.m. 

Secure log off

Thanks for reading. See you tomorrow.