Twitter’s SMS Two-Factor Authentication Is Melting Down


Following two weeks of extreme chaos at Twitter, users are joining and fleeing the site in droves. More quietly, many are likely scrutinizing their accounts, checking their security settings, and downloading their data. But some users are reporting problems when they attempt to generate two-factor authentication codes over SMS: Either the texts don’t come or they’re delayed by hours.

The glitchy SMS two-factor codes mean that users could get locked out of their accounts and lose control of them. They could also find themselves unable to make changes to their security settings or download their data using Twitter’s access feature. The situation also provides an early hint that troubles within Twitter’s infrastructure are bubbling to the surface.

Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the mechanism. But users have been self-reporting issues on Twitter since the weekend, and WIRED confirmed that on at least some accounts, authentication texts are hours delayed or not coming at all. The meltdown comes less than two weeks after Twitter laid off about half of its workers, roughly 3,700 people. Since then, engineers, operations specialists, IT staff, and security teams have been stretched thin attempting to adapt Twitter’s offerings and build new features per new owner Elon Musk’s agenda.

Reports indicate that the company may have laid off too many employees too quickly and that it has been attempting to hire back some workers. Meanwhile, Musk has said publicly that he is directing staff to disable some portions of the platform. “Part of today will be turning off the ‘microservices’ bloatware,” he tweeted this morning. “Less than 20 percent are actually needed for Twitter to work!”

Twitter’s communications department, which reportedly no longer exists, did not return WIRED’s request for comment about problems with SMS two-factor authentication codes. Musk did not reply to a tweet requesting comment.

“Temporary outage of multifactor authentication could have the effect of locking people out of their accounts. But the even more concerning worry is that it will encourage users to just disable multifactor authentication altogether, which makes them less safe,” says Kenneth White, codirector of the Open Crypto Audit Project and a longtime security engineer. “It’s hard to say exactly what caused the issue that so many people are reporting, but it certainly could result from large-scale changes to the web services that have been announced.”

SMS texts are not the most secure way to receive authentication codes, but many people rely on the mechanism, and security researchers agree that it’s better than nothing. As a result, even intermittent or sporadic outages are problematic for users and could put them at risk.

Twitter’s SMS authentication code delivery system has repeatedly had stability issues over the years. In August 2020, for example, Twitter Support tweeted, “We’re looking into account verification codes not being delivered via SMS text or phone call. Sorry for the inconvenience, and we’ll keep you updated as we continue our work to fix this.” Three days later, the company added, “We have more work to do with fixing verification code delivery, but we’re making progress. We’re sorry for the frustration this has caused and appreciate your patience while we keep working on this. We hope to have it sorted soon for those of you who aren’t receiving a code.”

Apple MacOS Ventura Bug Breaks Third-Party Security Tools


The release of Apple’s new macOS 13 Ventura operating system on October 24 brought a host of new features to Mac users, but it’s also causing problems for those who rely on third-party security programs like malware scanners and monitoring tools. 

In the process of patching a vulnerability in the 11th Ventura developer beta, released on October 11, Apple accidentally introduced a flaw that cuts off third-party security products from the access they need to do their scans. And while there is a workaround to grant the permission, those who upgrade their Macs to Ventura may not realize that anything is amiss or have the information needed to fix the problem. 

Apple told WIRED that it will resolve the issue in the next macOS software update but declined to say when that would be. In the meantime, users could be unaware that their Mac security tools aren’t functioning as expected. The confusion has left third-party security vendors scrambling to understand the scope of the problem.

“Of course, all of this coincided with us releasing a beta that was supposed to be compatible with Ventura,” says Thomas Reed, director of Mac and mobile platforms at the antivirus maker Malwarebytes. “So we were getting bug reports from customers that something was wrong, and we were like, ‘crap, we just released a flawed beta.’ We even pulled our beta out of circulation temporarily. But then we started seeing reports about other products, too, after people upgraded to Ventura, so we were like, ‘uh oh, this is bad.’”

Security monitoring tools need system visibility, known as full disk access, to conduct their scans and detect malicious activity. This access is significant and should be granted only to trusted programs, because it could be abused in the wrong hands. As a result, Apple requires users to go through multiple steps and authenticate before they grant permission to an antivirus service or system monitoring tool. This makes it much less likely that an attacker could somehow circumvent these hurdles or trick a user into unknowingly granting access to a malicious program. 

Longtime macOS security researcher Csaba Fitzl found, though, that while these setup protections were robust, he could exploit a vulnerability in the macOS user privacy protection known as Transparency, Consent, and Control to easily deactivate or revoke the permission once granted. In other words, an attacker could potentially disable the very tools users rely on to warn them about suspicious activity. 

Apple attempted to fix the flaw multiple times throughout 2022, but each time, Fitzl says, he was able to find a workaround for the company’s patch. Finally, Apple took a bigger step in Ventura and made more comprehensive changes to how it manages the permission for security services. In doing that, though, the company made a different mistake that’s now causing the current issues.

“Apple fixed it, and then I bypassed the fix, so they fixed it again, and I bypassed it again,” Fitzl says. “We went back and forth like three times, and eventually they decided that they will redesign the whole concept, which I think was the right thing to do. But it was a bit unfortunate that it came out in the Ventura beta so close to the public release, just two weeks before. There wasn’t time to be aware of the issue. It just happened.”

The Challenge of Cracking Iran’s Internet Blockade


Some communication services have systems in place for attempting to skirt digital blockades. The secure messaging app Signal, for example, offers tools so people around the world can set up proxy servers that securely relay Signal traffic to bypass government filters. Proxy service has previously only been available for Signal on Android, but the platform added iOS support on Wednesday. 

Still, if people in Iran don’t already have the Signal app installed on their phones or haven’t registered their phone numbers, the connectivity outages make it difficult to download the app or receive the SMS code used for account setup. Android users who can’t connect to Google Play can also download the app directly from Signal’s website, but this creates the possibility that malicious versions of the Signal app could circulate on other forums and trick people into downloading them. In an attempt to address this, the Signal Foundation created the email address “getsignal@signal.org” that people can message to request a safe copy of the app. 

The anonymity service Tor is largely inaccessible in Iran, but some activists are working to establish Tor bridges within Iran to connect internal country networks to the global platform. The work is difficult without infrastructure and resources, though, and is extremely dangerous if the regime detects the activity. Similarly, other efforts to establish clandestine infrastructure within the country are fraught because they often require too much technical expertise for a layperson to carry out safely. Echoing the issue with safely downloading apps like Signal, it can also be difficult for people to determine whether circumvention measures they learn about are legitimate or tainted.

Users in Iran have also been leaning on other services that have proxies built in. For example, Firuzeh Mahmoudi, executive director of the US-based nonprofit United for Iran, says that the law enforcement-tracking app Gershad has been in heavy use during the connectivity blackouts. The app, which has been circulating in Iran since 2016 and is now developed by United for Iran, lets users crowdsource information about the movements of the regime’s “morality police” and is now also being used to track other security forces and checkpoints.

The basic issue of connectivity access is still a fundamental challenge. Efforts to provide satellite service as an alternative could theoretically be very fruitful and threaten the totality of internet blackouts. SpaceX CEO Elon Musk tweeted last week that he was “activating” the company’s Starlink satellite internet service for people in Iran. In practice, though, the option isn’t a panacea. To use Starlink or any satellite internet, you need hardware that includes base stations to pick up and translate the signal. Procuring and setting up this infrastructure takes resources and is especially infeasible in a place like Iran, where sanctions and trade blockades drastically limit access to equipment and the ability to pay for subscription services or other connectivity fees. And even if users can overcome these hurdles, jamming is also a potential issue. The French satellite operator Eutelsat said yesterday, for example, that two of its satellites were being jammed from Iran. In addition to providing internet services, the satellites also broadcast two prominent Iranian dissident television channels.

“There are just so many challenges of installing this in Iran,” Miaan Group’s Rashidi says. “If you have a terminal, my understanding is that Starlink is working, but getting those terminals into the country is a challenge. And then they are a security risk because the government can locate those terminals. And then, who is going to pay for all of it and how, given the sanctions? But even if you ignore all those issues, satellite base stations don’t solve the problem that mobile data is part of the shutdown. You can’t put a Starlink terminal in your backpack to go to a protest. So satellite connectivity would be helpful, but it doesn’t solve the issues.”

Though the problem is nuanced, human rights advocates and Iranian activists emphasize that the global community can make a difference by raising awareness and continuing to work on creative solutions to the problem. With digital censorship and connectivity blackouts being used as levers for authoritarian control, developing circumvention tools is increasingly vital. As United for Iran’s Mahmoudi puts it, “We all need to keep the lights on.”

The Race to Find the Nord Stream Saboteurs


Investigators across Europe, including intelligence agencies, will now be trying to piece together exactly who and what caused the apparent explosions. This is likely to involve multiple steps, such as examining what data is held about the area, including seismic data and other sensors, checking whether any communications around the incident have been intercepted, and examining the pipelines to see if there are any signs of intentional destruction.

Neither of the pipes is operational—Nord Stream 1 was paused for repairs in August and Nord Stream 2 has not officially opened after Germany pulled support for it ahead of Russia’s full-scale invasion of Ukraine in late February—but both pipes are holding gas. All three leaks happened relatively close to each other, near the Danish island of Bornholm, in the Baltic Sea. The island is surrounded by Denmark to the west, Sweden to the north, and both Germany and Poland to the south. The leaks are in international waters, but also sit in both Denmark and Sweden’s exclusive economic zones. “It’s quite shallow, around 50 meters on average in this region,” says Julian Pawlak, a research associate at the Helmut Schmidt University and the German Institute for Defence and Strategic Studies.

Security sources have speculated that if the attacks were deliberate, they could have been conducted by unmanned underwater drones, involved mines being dropped or planted by boats, been carried out by divers, or even been carried out from within the pipes themselves. “We still don’t know what the origin is of those explosions or where they came from—if they originated from the outside or if they originated from the inside of the pipelines,” Pawlak says. In a process called “pigging,” cleaning and inspection machines can be sent down the pipes from Russia in the direction of Germany. It’s possible pigging was repurposed to carry out an attack.

Back in 2007, before the first Nord Stream pipeline was constructed, a review of the project by the Swedish Defence Research Agency (FOI) warned about potential explosions around the pipe, in the context of terrorism. “Despite its concrete coating, a pipeline is rather vulnerable, and one diver would be enough to set an explosive device,” its report said. “However, the impact of such an assault would probably be rather modest and most likely a minor incident of this type would not result in a large explosion.”

“They [Russia] have the capability for subsea warfare, with the divers, but also with mini-submarines and drones,” Hansen says. However, confirming any responsibility isn’t necessarily straightforward. The relatively shallow depth of the area around the Nord Stream pipes means it is unlikely that any large submarines would have been operating nearby, as they would be easy to detect.

Pawlak says any vessels in the area could potentially detect others that may have caused the damage. Undersea sensors could equally spot something in the area moving, but it is unclear where any of these systems are. “It’s still not the case that all of the Baltic Sea is filled up with sensors and that NATO knows every movement,” Pawlak says. “On the surface, but especially on the seabed, it’s still not possible to know, at every time, at every place, what’s moving, what’s going on.”

Child Predators Mine Twitch to Prey on Kids


Some churches across the United States are using invasive phone-monitoring technology in efforts to discourage “sinful” behavior, a WIRED investigation revealed this week. The churches are using a series of apps, dubbed “shameware,” that track people’s activity and use their personal data as a way to control their lifestyle choices. The apps can record everything you do on your phone, like your browsing history, by capturing thousands of screenshots of your activity before reporting it back to a designated chaperone. In addition to their draconian surveillance, our investigation found the apps are full of security flaws.

As Vladimir Putin once again raises the specter of nuclear weapons in his full-scale invasion of Ukraine, we have looked at one way in which Russia is trying to integrate areas of Ukraine into its territory. In recent months, new Russian mobile network providers have appeared in Ukraine, promising they will provide internet connectivity to “liberated” regions. While Russian officials plan to hold referendums in some of these areas, they are also losing ground to successful Ukrainian counteroffensives. When that happens, these shadowy mobile companies wipe their existence in the areas from the web.

Iran’s latest internet shutdowns are significant as the government continues to tighten its grip on citizens’ ability to connect, and the roots of Nigeria’s cybersecurity problem shed light on digital challenges in the country, including how data collection remains largely unmonitored despite strong data protection laws. The supply chain security firm Chainguard launched an open source way to guard against supply chain attacks this week, and new research indicates that the workplace communication platforms Slack and Microsoft Teams have gaps in their security that could be exploited.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

The popular streaming service Twitch, owned by Amazon, offers a rich source of information about the daily lives of kids to child predators, according to new research. A researcher who manually browsed Twitch from October 2020 to August 2022 found hundreds of seemingly predatory accounts run by adults that mostly followed children or young teenagers. Each account followed more than 1,000 children, and the study found 279,016 children who were potentially targeted by predatory accounts. “In the course of reporting, Bloomberg discovered additional live videos and predatory accounts not cataloged by the researcher, suggesting the problem could be even more widespread than the data portrays,” the investigation reads. Bloomberg granted the researcher anonymity but conducted its own vetting of the findings. “We know that online platforms can be used to cause harm to children, and we have made extensive investments over the last two years to better stay ahead of bad actors and prevent any users who may be under 13 from accessing Twitch,” the company said in a statement to Bloomberg.

In March, the nonprofit transparency group DDoSecrets published a trove of more than 160,000 records, or 700 GB of data, from the Bashkortostan regional office of Russia’s internet regulator, Roskomnadzor. This week, The New York Times published an in-depth analysis of the documents, revealing rare insights into how the agency, which wields significant digital monitoring and censorship powers, goes about exerting control. The documents highlight how the Kremlin works to silence detractors, monitor social movements including those related to topics like “sexual freedoms” and recreational drug use, control the flow of information within Russia, spread disinformation, and monitor dissidents such as opposition leader Alexey Navalny. The analysis also provides insight into how Roskomnadzor’s role has shifted in recent years. “Roskomnadzor was never part of this game before of providing political intelligence,” Andrei Soldatov, a fellow at the Center for European Policy Analysis, told the Times. “They’re getting more and more ambitious.”

In implementing their speech policies, Facebook and Instagram impeded the human rights of Palestinian users last May during a rash of Israeli attacks on the Gaza Strip, an investigation commissioned by Meta found. The independent group Business for Social Responsibility, which Meta has previously tasked with conducting third-party audits on controversial topics, found “a lack of oversight at Meta that allowed content policy errors with significant consequences to occur.” While the report was scheduled to come out at the beginning of 2022, Meta delayed the release of the report to this week. Last month, human rights groups protested the delay in an open letter. “Meta’s actions in May 2021 appear to have had an adverse human rights impact … on the rights of Palestinian users to freedom of expression, freedom of assembly, political participation, and non-discrimination, and therefore on the ability of Palestinians to share information and insights about their experiences as they occurred,” the report said.

Optus, Australia’s second-largest telecommunications company, said Thursday that a “significant” portion of its almost 10 million customers had been impacted by a data breach. It’s unclear whether the attack came from criminal or state-sponsored actors, but Australian officials warned that affected customers will face the threat of identity theft because of the breach. “If you are an Optus customer, your name, date of birth, phone number, email addresses may have been released,” wrote the Australian Competition and Consumer Commission’s Scamwatch group. “For some customers identity document numbers such as driver’s licence or passport numbers could be in the hands of criminals. It is important to be aware that you may be at risk of identity theft and take urgent action to prevent harm.”

Optus chief executive Kelly Bayer Rosmarin was contrite in an interview with ABC’s Afternoon Briefing on Thursday. “We’re so deeply disappointed because we spend so much time and we invest so much in preventing this from occurring,” she said. “Our teams have thwarted a lot of attacks in the past, and we’re very sorry that this one was successful.”