Twitter fights hacking with two-factor authentication

After a string of high-profile hacking incidents, Twitter has finally introduced a two-factor authentication system as a way for members to keep their accounts more secure.

On Wednesday, the information network rolled out the new login verification feature, which users can enable to require a six-digit code, in addition to their standard password, each time they sign in to their Twitter accounts.

"When you sign in to twitter.com, there's a second check to make sure it's really you," the company said in a blog post announcing the optional security feature.

The two-factor system mirrors Facebook's and requires members to provide a phone number to which Twitter sends a unique code on each login attempt. Twitter users can turn on two-factor authentication from their Account Settings page by ticking the box "Require a verification code when I sign in." Users then enter their phone number, and Twitter texts that number to confirm it belongs to them before the feature takes effect.

"With login verification enabled, your existing applications will continue to work without disruption," Twitter said. "If you need to sign in to your Twitter account on other devices or apps, visit your applications page to generate a temporary password to log in and authorize that application."
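The flow described above, as an added illustration (this is not Twitter's code and is not from the CNET article): after the password check, a six-digit code goes to the account's phone number and is accepted once, within a short window and for a limited number of guesses; an app that cannot prompt for the code signs in with a temporary password that is revoked after use. The time-to-live values, attempt limit, and the `send_sms` hook are assumptions; the password check is a stand-in, since the point is the second factor.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Assumed policy values; Twitter's actual windows and limits are not stated.
CODE_TTL_SECONDS = 600            # a code is accepted for 10 minutes
MAX_CODE_ATTEMPTS = 5             # wrong guesses before the code is voided
TEMP_PASSWORD_TTL_SECONDS = 3600  # app password valid for one hour


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class Account:
    phone_number: str
    password: str                       # stand-in; store a slow hash in practice
    verification_enabled: bool = False
    pending: Optional[PendingCode] = None
    temp_passwords: Dict[str, float] = field(default_factory=dict)


class LoginVerifier:
    def __init__(self, send_sms: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self.send_sms = send_sms   # delivers the text; a stub in tests
        self.clock = clock         # injectable so expiry can be exercised

    def begin_login(self, account: Account, password: str) -> str:
        """First factor. Returns 'denied', 'ok', or 'code_sent'."""
        if not hmac.compare_digest(password.encode(), account.password.encode()):
            return "denied"
        if not account.verification_enabled:
            return "ok"
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, zero-padded
        account.pending = PendingCode(code=code, issued_at=self.clock())
        self.send_sms(account.phone_number, f"Your Twitter login code is {code}")
        return "code_sent"

    def finish_login(self, account: Account, submitted: str) -> str:
        """Second factor: the code is single-use, time-limited and attempt-limited."""
        pending = account.pending
        if pending is None:
            return "denied"
        if self.clock() - pending.issued_at > CODE_TTL_SECONDS:
            account.pending = None
            return "expired"
        pending.attempts += 1
        if pending.attempts > MAX_CODE_ATTEMPTS:
            account.pending = None   # force a fresh code after too many guesses
            return "locked"
        if hmac.compare_digest(pending.code.encode(), submitted.encode()):
            account.pending = None   # consumed: the same code cannot be replayed
            return "ok"
        return "denied"

    def issue_temporary_password(self, account: Account) -> str:
        """For apps that cannot prompt for the code (the 'applications page' flow)."""
        token = secrets.token_urlsafe(12)
        account.temp_passwords[token] = self.clock() + TEMP_PASSWORD_TTL_SECONDS
        return token

    def app_login(self, account: Account, token: str) -> str:
        """Accepts an unexpired temporary password and revokes it once used."""
        expires = account.temp_passwords.pop(token, None)
        if expires is None or self.clock() > expires:
            return "denied"
        return "ok"
```

Two details carry the security value: the code is compared in constant time and discarded the moment it is accepted, so a code intercepted after use is worthless, and a bounded number of wrong guesses voids it, so a six-digit space cannot be brute-forced within the window.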

The additional security measure certainly complicates the login process, but the extra step is one many Twitter users, particularly brand users, will welcome with open arms. Last month, the Twitter accounts of CBS News' programs "60 Minutes" and "48 Hours" were compromised by hackers. (Disclosure: CNET is a unit of CBS Interactive.) The Associated Press was also the victim of a particularly cringeworthy breach when hackers sent out a false tweet that claimed the White House had been bombed. This news caused an immediate dive in the stock market.

Two-factor authentication should help Twitter defend against account takeovers that rely on a stolen or guessed password alone, and partly repair its reputation as a public square for people, businesses, and celebrities. The protection is only as strong as the phone number the codes go to, but it raises the bar well above a single reused password.

[Source: CNET]

Hacker sentenced to 41 months for exploiting AT&T iPad security flaw

Hacker Andrew "Weev" Auernheimer was found guilty last year of spoofing iPad user IDs to gain access to an AT&T email database, and he has now been sentenced to 41 months in prison. The sentence covers one count of identity fraud and one count of conspiracy to access a computer without authorization. In addition to the nearly three and a half years behind bars, Auernheimer faces another three years of supervised release and restitution payments of $73,000 to AT&T.

Prosecutors in the case asked for a four-year sentence, and reports say they cited both a Reddit Ask Me Anything post that Auernheimer did and quotes from the Encyclopedia Dramatica wiki. Auernheimer gave a statement before the sentencing, in which he read a John Keats poem and said that he was "going to jail for doing arithmetic."

Auernheimer has promised to appeal the sentence, so this may not be the last we hear of "Weev."

[Source: TUAW]

Yet another Java vulnerability discovered, researchers recommend disabling browser plug-in

Following an attack on a small number of corporate Macs that exploited a flaw in the Java browser plug-in, researchers from security firm FireEye are warning users of yet another new Java zero-day vulnerability. According to a blog post published yesterday (via IDG), browsers running Java v1.6 Update 41 and Java v1.7 Update 15 are vulnerable to an in-the-wild exploit that installs a remote access tool known as McRAT. The exploit is reportedly different from the one used to attack Facebook, Twitter, Apple and several other companies last month. Following that earlier attack, Apple released an update to Java that brought users to version 1.6.0_41. These latest vulnerabilities come after a year of repeated Java updates addressing actively exploited flaws.

FireEye is recommending users disable Java until Oracle addresses the issue:

We have notified Oracle and will continue to work with Oracle on this in-the-wild discovery. Since this exploit affects the latest Java 6u41 and Java 7u15 versions, we urge users to disable Java in your browser until a patch has been released; alternatively, set your Java security settings to “High” and do not execute any unknown Java applets outside of your organization.

Oracle provides the instructions below for uninstalling Java on Mac:

  1. Click on the Finder icon located in your dock
  2. Click on Applications tab on the sidebar
  3. In the Search box enter JavaAppletPlugin.plugin
  4. This will find the JavaAppletPlugin.plugin file
  5. Right click on JavaAppletPlugin.plugin and select Move to Trash
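As an added example (not from FireEye, Oracle or 9to5Mac), the same check and removal done from a script rather than the Finder: parse the version string `java -version` reports, flag it when it is at or below the updates the article names (Java 6 Update 41, Java 7 Update 15; anything older on those lines lacks later fixes as well), and move the plug-in bundle to the Trash. The plug-in path is the usual location for Oracle's macOS plug-in and is assumed here; `disable_plugin` is a dry run unless told otherwise.

```python
import re
import shutil
import subprocess
from pathlib import Path

# Usual install location of Oracle's browser plug-in on OS X (assumed here).
PLUGIN_PATH = Path("/Library/Internet Plug-Ins/JavaAppletPlugin.plugin")

# Highest update level in each family that the article reports as affected:
# Java 6 Update 41 and Java 7 Update 15. Older updates lack later fixes anyway.
AFFECTED_MAX_UPDATE = {6: 41, 7: 15}

# Matches the old Java numbering, e.g. 1.7.0_15 in:  java version "1.7.0_15"
VERSION_RE = re.compile(r"\b1\.(\d)\.(\d+)(?:_(\d+))?")


def parse_java_version(text):
    """Return (family, update) from `java -version` output, or None if absent."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(3) or 0)


def is_affected(text):
    """True when the reported version is at or below the flagged updates."""
    parsed = parse_java_version(text)
    if parsed is None:
        return False
    family, update = parsed
    limit = AFFECTED_MAX_UPDATE.get(family)
    return limit is not None and update <= limit


def installed_java_version():
    """Runs `java -version`; it prints to stderr, so both streams are captured."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    return proc.stderr + proc.stdout


def disable_plugin(plugin=PLUGIN_PATH, trash=None, dry_run=True):
    """Script equivalent of the Finder steps: move the bundle to the Trash.
    Returns the destination path, or None if there is nothing to move."""
    plugin = Path(plugin)
    if not plugin.exists():
        return None
    trash = Path(trash) if trash else Path.home() / ".Trash"   # assumed target
    dest = trash / plugin.name
    if not dry_run:
        shutil.move(str(plugin), str(dest))
    return dest


if __name__ == "__main__":
    banner = installed_java_version()
    print(banner.strip() or "no java on PATH")
    if is_affected(banner):
        print("affected version: disable or remove the browser plug-in")
        print("would move:", disable_plugin())   # pass dry_run=False to act
```

Note that `java -version` describes the runtime on PATH, which on a Mac may differ from the plug-in the browser loads; the plug-in bundle's presence is what matters for the in-browser exploit, which is why the script checks and moves the bundle itself rather than relying on the version alone.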

[Source: 9to5Mac]