What to do if your Twitter account has been hacked?

Losing access to your account can be stressful, but there are steps you can take to get it back – and avoid getting hacked again

by  https://www.welivesecurity.com/author/aowaida/

Many people who use social media are fans of the blue network, and by blue we mean light blue with a bird and character limit of 280 characters. Tomorrow, Twitter celebrates its 14^th birthday and undeniably it has had an impact on our digital lives since its launch. Some people use it as a way to keep up with their favorite celebrities, others to have a quick overview of world affairs, while most usually use it to share opinions with their friends and the world in general.

But what if your Twitter account gets compromised or hacked?

How did I get hacked?

Everyone is a target – from celebrities to regular people. Even Jack Dorsey, Twitter’s CEO, has had his account compromised although in his case, the bad actors gained access using a SIM swapping attack. Criminals sometimes also have access to databases of previously compromised accounts on other services; these include emails, usernames, and passwords.

The now-defunct LeakedSource was one such repository from which hackers were able to obtain the information by running a username through it. If they can get back an email and previously used password, they try their luck with your Twitter. The accounts of Keith Richards of the Rolling Stones and Justin Bieber’s producer Dan Kanter were hacked this way.

Alternatively, this method could be used for credential stuffing: the hackers would use bots to hammer the site with login attempts until they stumble upon the right combination. Since people often recycle their passwords, which makes the job of the ne’er-do-wells simpler.

You also could have fallen victim to a phishing campaign. It’s nothing to feel ashamed about; it happens sometimes, and phishing scams have gotten more complex. The scammers may have sent you an email with a link that redirects you to a website that looks exactly the same as Twitter, asking you to log in. By trying to log into this counterfeit Twitter, you essentially handed them the keys to your Twitter kingdom.

What are the signs that I was hacked?

The most obvious sign that you were hacked is that you’re locked out of your account. And by locked out, we mean you have been logged out of every device you’ve been using Twitter on and you can’t log in, no matter what you do or how hard you try.

Your first course of action is to try to change your password, by requesting an email from the password reset form; if you can get in, great: you can then perform a security audit. If you can’t get in, then you have to contact Twitter’s official support and hope they’ll help you recover your hacked account.

Besides getting hacked and locked out, your account can get compromised. There are a variety of telltale signs that may raise alarm bells. You may notice Direct Messages (DMs) you haven’t sent or tweets you didn’t write; your account may have followed or unfollowed accounts unbeknownst to you or even have blocked people. Twitter may alert you that your account has been compromised or that changes have been made to your account information, but you didn’t have a hand in that … those are all alarming signs.

There’s a number of things Twitter recommends that you should do immediately. Start with changing your password, then make sure your email account is secure; you should also revoke access to third-party applications that you don’t recognize and update your Twitter password in your trusted third-party applications. You can also take a peek at Twitter’s own security tips.

How not to get hacked again

Once you’ve gone through a compromised or hacked account scare, you probably want to lower the chances of that ever happening in the future. The simplest thing to start with for a more secure account is by creating a new stronger password, or if we might suggest, a strong passphrase. Just make sure that you haven’t recycled that passphrase for another account, since that makes it easier to compromise.

If you’re not a fan of holding all the passwords in your head, then a password manager could be a solution to your problems. You should also double down on your security and start using two-factor authentication (2FA), since adding an extra layer of security makes it harder for bad actors to invade your account.

Twitter supports a variety of 2FA options, such as authentication using text messages, hardware tokens or even software tokens. Actually, you shouldn’t use 2FA to secure only your Twitter account, but apply it as well to every non-Twitter account that allows the option. You can read up on the ins and outs of 2FA in our article.

On the eve of Twitter’s anniversary, we hope you didn’t get hacked, and that the suggestions we’ve made will help you take preventive measures to secure your account rather than reactive ones.

Work from home: improve your security with MFA

Remote work can be much safer with the right cyber-hygiene practice in place – multi-factor authentication is one of them

By Cameron Camp

If you happen to be working from home due to the COVID-19 pandemic, you should beef up your logins with Multi-Factor Authentication (MFA), or sometimes called Two-Factor Authentication (2FA). That way, you don’t have to entrust your security to a password alone. Easy to hack, steal, leak, rinse and repeat, passwords have become passé in the security world; it’s time to dial in your MFA.

That means you have something besides just a password. You may have seen MFA in action when you try to log into your bank and you receive an access code on your smartphone that you must also enter to verify it’s really you who is logging in. While it’s an extra step, it becomes exponentially more difficult for bad guys to get access to your account, even if they have a password that was compromised in a breach or otherwise.

What are your options?

The good news is that MFA is no longer super-tough to use. Here, we look at a few different popular ways to use it. If you need to work remotely now and log into a central office to collaborate with co-workers, this is a nice way to beef up the security of those connections.

Physical token

This means you have something like a key fob, security USB key or the like, which can be used to generate a very secure passcode that’s all-but-impossible to break (unless you have a quantum computer handy). Nowadays, things like YubiKey or Thetis are available for less than US$50 and are very widely supported if you’re logging into your own corporate office technology, online office applications and a host of other cloud applications. It means your normal login will ask for a password, but also the code generated by your device, which is often physically small enough to get lost in a pants pocket, so some folks hang them on their keychain for safekeeping.

Mobile phone

Nowadays you probably carry a mobile device around most of the time, which is a good argument for using it to boost your MFA security stance. For example, you can download an authentication app such as Authy, Google Authenticator, or ESET Secure Authentication. Whatever you choose, make sure it has a solid history, security-wise, since it needs to reside on your smartphone, which we now know can become compromised as well, thereby undermining your other security efforts.

RELATED READING: Work from home: How to set up a VPN

It’s worth noting that spam SMS messages on your smartphone can trick some users into voluntarily compromising their own accounts, so stay on the lookout if you use this. Of course, reputable mobile security software can help if you’re concerned with security problems on the platform itself.

Biometrics

It’s very hard to fake a fingerprint or retinal scan and make sure it offers a solid factor in MFA. Nowadays, lots of devices have built-in biometric readers that can get an image of your face from your smartphone taking your picture, or scan your fingerprint, so it’s not hard to implement this on a device you probably already have. Some folks steer away due to privacy concerns, which promises to be an ongoing conversation. Also, while you can reset a password, if a provider gets hacked it is notoriously difficult to reset your face (old spy movie plots, anyone?).

Closing thoughts

The important thing with MFA is that you pick one that suits your goals and one that is easy for you to include in your routine. I have a very good lock on my front door, but it’s very hard to use, so often my wife catches me leaving it open, which isn’t very secure, is it? Good security you don’t use can’t protect you.

In the event of a breach, MFA can offer side benefits as well. If you are notified that your password is compromised, there’s a very good chance they don’t also have one of your other factors, so successful hack attacks should drop precipitously if MFA is correctly implemented. Use an MFA solution and enjoy technology more safely.

Work from home: how to set up a VPN

As the COVID-19 pandemic has many organisations switching employees to remote work, a virtual private network is essential for countering the increased security risks.

By Cameron Camp

If you’re newly working from home because of the COVID-19 outbreak, you probably have to learn some new tools and tricks very quickly now. Here we look at virtual private network (VPN) technology. Later this week, we’ll dive into other security tools such as Two-Factor Authentication (2FA, or Multi-Factor Authentication – MFA).

For now, however, we’ll start with the basics of how to set up and use a VPN to secure your connection to your office. We’re not talking about building your own from scratch, just how to get up and running quickly.

First, what is a VPN?

A VPN is an encrypted tunnel for your internet traffic that goes through the open internet, often from your home office or coffee shop to your work network at the office. You can connect across a VPN no matter what network you’re on and “appear” to be sitting at your desk at work using all the resources you could if you actually were there.

For our purposes, we’ll only consider VPNs that facilitate working from home. You’ll see a lot of online vendors offering standalone VPN services, but these are typically aimed at users who just want a secure connection to the internet that’s less susceptible to tracking, or to bypass network filters, but not necessarily for those seeking to work from home.

It’s called a virtual private network because it creates your own personal tunnel no one else can access. If all your team members are working remotely from their home offices, this is how you can work as a virtual team without all being at the main office, or gathered together in some other location. Due to COVID-19, this is a newly found desire – even a requirement – for many right now.

Do I need to set up a VPN?

To make such VPN connections, you need to initially set up both ends of that connection – the one on your laptop or home desktop, and the one in the main office. Sometimes, if you have an IT department, they’ll tell you what app to download to your personal device(s) and then give you some VPN credentials for your specific situation – problem solved. Once you install that app and configure it, you can click a button and the link will establish itself and let you know you’re connected.

If you don’t have an IT department, you might have to set up your own VPN connections. Don’t worry, it’s not as daunting as you might think.

Many business-class routers (some under US$100), and some small office/home office (SOHO) ones, have built-in VPN capability, so cost shouldn’t be an issue. In fact, you may already have such a device, so you’ll only need to configure it!

Let’s now look at two common VPN technologies: OpenVPN and IPsec.

  

OpenVPN

This tried-and-true option, which has been around for a long time, is reasonably secure. Also, being open-source software, it is probably supported by your business-class router (and many SOHO units). It used to be tricky to install, but manufacturers have been working on making it simpler.

On contemporary devices, you usually just have to click a few buttons in the configuration screens of the router for the network to be accessed (your office network). You then download the configuration file generated by your router and use that to configure the OpenVPN client software on any remote laptop, desktop or smartphone that needs to access the network behind that router. You should be able to find an easily followed online tutorial for your router.

After you’ve set up your office network router, you have to install apps on the remote devices that will access your new office VPN. Download these from the OpenVPN website, then install and configure them with the files generated while setting up OpenVPN on your office router. That can be tricky if you don’t have an IT person helping, but there are nice online tutorials for this, too.

Altogether, you could set up your router and laptop in half an hour to an hour, so it’s certainly doable.

IPsec

IPsec (Internet Protocol Security) also has a long history and reasonable security. It’s one of the other VPN technologies a lower-cost router is likely to support. The process is similar to OpenVPN, except that many laptops, desktops and smartphones have IPsec support built-in, so you may not need to install another app on your remote devices.

Some of the router IPsec implementations I’ve seen lately seem to be more complicated than those I’ve seen for OpenVPN. However, this may be offset by being able to use native tools on your remote endpoints to just type in a of couple things such as an IP address and credentials and it “just works”. Again, you could probably set this up in under an hour.

Closing thoughts

There are certainly other VPN technologies out there, but if you want to get started very quickly, these methods have lots of tutorials, experts and experience behind them, so you have a reasonable chance of getting them up and running without having a raft of IT experts on call.

It’s also worth noting that your remote users will likely need a beefier-than-normal broadband connection to sustain high throughput when running their traffic through a VPN, since there’s more horsepower required to do the work of keeping the connection encrypted and tunneled, so you may notice some significant slowdowns, especially on slower connections. This is offset, of course, by the ability to work more safely from home in these turbulent times.

Next we’ll look at how to set up Multi-Factor Authentication, sometimes called Two-Factor Authentication (MFA, 2FA), which can also help you work more securely from home. Until then, stay safe – and healthy!

COVID-19 and the forced workplace exodus

 As the pandemic forces many employees to work from home, can yoiur organization stay productive – and safe?

The coronavirus (COVID-19) outbreak has officially been categorized by the World Health Organization (WHO) as a pandemic, meaning infection is accelerating in multiple countries concurrently. The United States of America has declared travel bans on 28 European countries, many countries have closed schools and universities, and large gatherings of people have been stopped.

High-profile companies such as Google and Microsoft are encouraging or mandating that staff adopt a work-from-home policy. For modern tech companies, the infrastructure and policy needed for remote working are unquestionably already in place and the vast majority of staff members are probably already laptop users.

For many smaller companies and organizations, however, the situation is likely to be very different. Remote working is probably limited to a few, and realistically mainly for email and other non-operational systems. The education sector is a good case in point: universities have been delivering distance learning as a feature for some time, while high schools and others are mainly dependent on staff and pupils being on-site to learn. The school’s operations and administrative teams also need to be considered, as they are unlikely to be mobile workers and may be using desktop devices rather than laptops.

Breaking the organization into just a few groups with differing requirements and dealing with the needs of each to effect the mass exodus may seem a simplistic approach, but is probably essential given the urgency in some cases. Using education as an example, there are students (the customers), teaching faculty, administration and operations. The school can’t run without significant student engagement, teachers at least need virtual conferencing facilities and the administration teams need network access, and this is the minimum.

Read the complete article on https://www.welivesecurity.com/2020/03/16/covid19-forced-workplace-exodus/

ESET étend sa protection entreprise avec Endpoint Antivirus pour Linux

ESET, un leader mondial en information et cybersécurité, lance aujourd’hui la nouvelle version d’ESET Endpoint Antivirus pour Linux, afin de garantir que toutes les organisations soient protégées selon les normes les plus élevées, quel que soit leur système d'exploitation. Endpoint Antivirus pour Linux rejoint la vaste gamme de produits ESET, dont un grand nombre s’adresse déjà à Windows et MacOS.

ESET Endpoint Antivirus pour Linux a été conçu afin de fournir une protection avancée contre les menaces aux postes de travail des entreprises et organisations. Utilisant la technologie avancée ESET LiveGrid®, la solution combine vitesse, précision et impact minimal sur le système, laissant plus de ressources système disponibles pour les processus métier des postes de travail et maintenir la continuité des activités.

Cette nouvelle version d'ESET Endpoint Antivirus pour Linux a été conçue pour répondre au niveau élevé de protection exigé dans un réseau d'entreprise et offre désormais la même protection de pointe déjà disponible pour les autres systèmes d'exploitation. Les fonctionnalités clés de cette version comportent la protection des fichiers en temps réel, une analyse plus efficace et une stabilité accrue, ainsi qu'une compatibilité totale avec ESET Security Management Center et ESET Cloud Administrator. La gestion du logiciel est intuitive et il peut être déployé immédiatement et de manière transparente.

Dans nombre de grandes organisations et entreprises telles que le gouvernement et les technologies de l'information, les logiciels anti-malware sont obligatoires. Il est donc impératif que ces entreprises aient accès à une solution de sécurité complète pour les terminaux et cela pour tous leurs systèmes d'exploitation. De plus, tous les utilisateurs d'ESET existants peuvent obtenir une mise à niveau gratuite, même s'ils n'ont pas utilisé la version Linux auparavant.

Matúš Čipák, product manager chez ESET, explique : « Nous savons que les organisations déploient souvent une variété de systèmes technologiques et doivent être sécurisés contre tous les vecteurs d'attaque possibles. Nous sommes fiers d'offrir des solutions de pointe en cybersécurité pour répondre à tous les systèmes d'exploitation, et de veiller à ce que chaque utilisateur puisse profiter d'une technologie plus sûre. Aujourd’hui, il est plus important que jamais que les entreprises et leurs données soient protégées, et que les solutions de sécurité fonctionnent de manière transparente, pour que les entreprises puissent se concentrer sur leur activité principale. »

Visitez www.eset.com  pour en savoir plus sur ESET Endpoint Antivirus pour Linux.