Use U2F for 2FA. If Twitter had all their employees using U2F keys it's very unlikely they'd be phished.
With U2F it's impossible to "enter" a 2FA code on the wrong domain, making you immune to phishing attacks by most definitions. This Krebs article from a while back says that Google had zero phishing incidents after making this switch: https://krebsonsecurity.com/2018/07/google-security-keys-neu...
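To make the "impossible on the wrong domain" point concrete, here is an added model of the origin binding in U2F/WebAuthn. It is not Twitter's, Google's or the linked article's code; the relying-party ID `twitter.example` and the look-alike origin `twitter-login.example` are constructed, and an HMAC over a per-credential secret stands in for the ECDSA signature a real key produces, so it runs with the Python standard library alone. The browser fills in the origin and refuses rpIds the page may not claim, the key only answers for the rpId it was registered under, and the server checks challenge, origin, rpId hash and counter before accepting the assertion.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

# Model of U2F/WebAuthn origin binding. Assumptions (not from the thread): the
# rpId, origins and the HMAC-as-signature stand-in below are constructed.
RP_ID = "twitter.example"                        # hypothetical relying-party ID
LEGIT_ORIGIN = "https://twitter.example"         # constructed
PHISH_ORIGIN = "https://twitter-login.example"   # constructed look-alike origin


class SecurityKey:
    """Models a hardware key: each credential is bound to the rpId hash it was registered under."""

    def __init__(self) -> None:
        self._creds: Dict[bytes, Tuple[bytes, bytes]] = {}   # handle -> (rpIdHash, secret)
        self.counter = 0

    def register(self, rp_id: str) -> bytes:
        handle = secrets.token_bytes(16)
        self._creds[handle] = (hashlib.sha256(rp_id.encode()).digest(), secrets.token_bytes(32))
        return handle

    def verification_material(self, handle: bytes) -> bytes:
        # Stand-in for exporting the credential public key to the server at registration.
        return self._creds[handle][1]

    def sign(self, handle: bytes, rp_id: str, client_data: bytes) -> Optional[bytes]:
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        cred = self._creds.get(handle)
        if cred is None or cred[0] != rp_id_hash:
            return None                   # no credential for this rpId: the key stays silent
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        # Signed material mirrors authenticatorData || clientDataHash.
        signed = rp_id_hash + ctr + hashlib.sha256(client_data).digest()
        return ctr + hmac.new(cred[1], signed, hashlib.sha256).digest()


def browser_get_assertion(key: SecurityKey, handle: bytes, page_origin: str,
                          rp_id: str, challenge: str):
    """Models the browser: it writes the origin itself and rejects rpIds the page may not claim."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None, None                 # rpId is not a registrable suffix of the page's host
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    return client_data, key.sign(handle, rp_id, client_data)


class RelyingParty:
    """Server side: stores verification material and checks every field the key signed over."""

    def __init__(self, key: SecurityKey, handle: bytes) -> None:
        self._secret = key.verification_material(handle)
        self.expected_origin = LEGIT_ORIGIN
        self.expected_rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
        self.last_counter = 0
        self.challenge = ""

    def issue_challenge(self) -> str:
        self.challenge = secrets.token_urlsafe(32)
        return self.challenge

    def verify(self, client_data: Optional[bytes], assertion: Optional[bytes]) -> bool:
        if client_data is None or assertion is None:
            return False
        data = json.loads(client_data)
        if data.get("challenge") != self.challenge or data.get("origin") != self.expected_origin:
            return False                  # wrong session or wrong (phishing) origin
        ctr, mac = assertion[:4], assertion[4:]
        counter = int.from_bytes(ctr, "big")
        if counter <= self.last_counter:
            return False                  # replayed or cloned-key assertion
        signed = self.expected_rp_id_hash + ctr + hashlib.sha256(client_data).digest()
        if not hmac.compare_digest(mac, hmac.new(self._secret, signed, hashlib.sha256).digest()):
            return False
        self.last_counter = counter
        return True


def run_scenario(page_origin: str, page_rp_id: str) -> bool:
    """Register a key for RP_ID, then attempt a login from a page at page_origin."""
    key = SecurityKey()
    handle = key.register(RP_ID)
    rp = RelyingParty(key, handle)
    challenge = rp.issue_challenge()      # a phishing page would relay this real challenge
    client_data, assertion = browser_get_assertion(key, handle, page_origin, page_rp_id, challenge)
    return rp.verify(client_data, assertion)


if __name__ == "__main__":
    print("legit origin:", run_scenario(LEGIT_ORIGIN, RP_ID))
    print("look-alike page claiming real rpId:", run_scenario(PHISH_ORIGIN, RP_ID))
    print("look-alike page with its own rpId:", run_scenario(PHISH_ORIGIN, "twitter-login.example"))
```

The look-alike page fails twice over: the browser will not let it claim `twitter.example` as rpId, and if it uses its own rpId the key has no credential to answer with. Even if an assertion were somehow obtained, the origin is inside the signed client data, so the server's origin check (and the signature over its hash) would still reject it. That layering is what makes "entering the code on the wrong domain" a non-event rather than a user-training problem.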
I keep trying to read and understand the attacks that have all happened so far... after you understand the vectors that are currently in use, hopefully it'll stoke your imagination to see how you might attack other systems and make up new vectors. All the current attack write-ups will usually link to vulnerabilities as well. See HackerOne disclosures, Google Project Zero or the "How I hacked X" disclosures you see on HN.
I don't think published textbooks are very useful — attackers also have access to them, and if the attack has been written down it'll likely be encoded into firewall software or a security process rulebook already (though it might still work for smaller companies lagging behind on the curve).
That's the thing, you can't, not with the way current tech is. But you can read up about having good monitoring/detection and hardening on your endpoints.
Microsoft for example recommends privileged access workstations. If Twitter's employees used a separate set of credentials and workstations for privileged Twitter moderation from their regular account/machine used for email and day to day stuff I bet the attack would have failed.
There are probably Twitter employees whose job it is to reset emails all day long. Having 2 separate computers and accounts, one for resetting emails (which is done all day) and one for responding to email sounds like quite a burden on employees. How are they going to get the name of the account from one computer to the other? Copy and paste won't work. Retyping from one computer to the other surely will result in typos.
The typos themselves could be a vector for attack. The attacker asks for a reset for one account with a capital I and maybe gets a reset for a different account with a lowercase l.
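The capital-I versus lowercase-l case above is a check a reset tool can make before acting. The following is an added example, not Twitter's tooling: the handles in `SAMPLE_DIRECTORY` are constructed, and the confusable classes are an assumed minimal set (i/l/1/|, o/0, s/5, b/8, z/2) rather than the full Unicode confusables table. It resolves the typed handle exactly, but also reports every other account whose "skeleton" collides, so an operator can hold the request for confirmation instead of resetting whichever account the typo happened to land on.

```python
import unicodedata
from typing import Dict, List, Optional, Tuple

# Assumed minimal confusable classes (lowercase, applied after casefolding).
# A production check would use the Unicode confusables data; this is an illustration.
_CLASSES = ["il1|", "o0", "s5", "b8", "z2"]
_FOLD = {c: cls[0] for cls in _CLASSES for c in cls}

# Constructed sample directory: handle -> internal account id.
SAMPLE_DIRECTORY: Dict[str, int] = {
    "bIll_smith": 101,   # capital I
    "bill_smith": 102,   # lowercase l
    "alice": 103,
    "AL1CE": 104,        # digit one for l
    "carol": 105,
}


def skeleton(handle: str) -> str:
    """Normalize a handle so visually similar spellings collapse to one string."""
    folded = unicodedata.normalize("NFKC", handle).casefold()
    return "".join(_FOLD.get(ch, ch) for ch in folded)


def triage_reset_request(requested: str, directory: Dict[str, int]) -> Tuple[Optional[int], List[str]]:
    """Return (exact-match account id or None, other handles that look like the request)."""
    exact = directory.get(requested)
    sk = skeleton(requested)
    lookalikes = sorted(h for h in directory if h != requested and skeleton(h) == sk)
    return exact, lookalikes


def reset_decision(requested: str, directory: Dict[str, int]) -> str:
    """Policy wrapper: act only when the handle resolves and nothing else looks like it."""
    account, lookalikes = triage_reset_request(requested, directory)
    if account is None:
        return "reject: no such handle"
    if lookalikes:
        return "hold: confirm via second channel, look-alikes " + ", ".join(lookalikes)
    return f"proceed: account {account}"


if __name__ == "__main__":
    for h in ("bIll_smith", "alice", "carol", "dave"):
        print(f"{h!r:14} -> {reset_decision(h, SAMPLE_DIRECTORY)}")
```

The hold branch is the useful part: a reset typed on a second machine with one wrong character still lands on a real account, and the only signal that something is off is that another account is one confusable away. Flagging that collision turns a silent mis-reset into a request the operator has to confirm.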
Any good literature which you'd recommend to read to avoid something like this?