Backup options in many Android #TOTP #2FA apps share personal info w/ 3rd parties, have serious crypto flaws, and/or allow app devs to access TOTP secrets 😱
A 🧵 on our @USENIXSecurity '23 📜 "Security and Privacy Failures in Popular 2FA Apps"
https://t.co/KehOVknjut
#infosec
I am recruiting 1~3 PhD students in CS or ML to join NLP X lab at Georgia Tech.
Topics include but are not limited to:
(1) multilingual multimodal LLM
(2) RLHF, text generation models
(3) NLP+X (X = privacy, science, etc)
Apply by Dec 15: https://t.co/ae62WD6BSj
(📷 Colin Gough)
Are you implementing 2FA for your mobile or web app? You need to understand the privacy and security risks associated with various 2FA apps.
Today's comic is inspired by a recent paper written by @conorgil, Fuzail Shakir, @Noura_7N, and @v0max. 🧵[1/8]
#privacy #cybersecurity
Police auction off many of the items they come into possession of. This includes cellphones. In a study led by @stack__trace we asked: are police wiping phones before they sell them? @briankrebs wrote about our study. In this 🧵, I'll give some highlights. https://t.co/8Utllu11f1
Texas Republicans are trying to force public schools to display the Ten Commandments in every classroom.
I told the bill author: “This bill is not only un-constitutional and un-American, it’s deeply un-Christian.” #txlege
Big news from Chrome Security Team!
With HTTPS encryption now nearly ubiquitous, they're finally killing off the browser🔒icon, which tends to give users a false sense of security about other threats.
https://t.co/oU5jQulwjb
A huge milestone for web security.
h/t @dadrian
@GeekyxNerdy @mysk_co We recently analyzed the backup mechanisms of the top 22 Android authenticator apps and will be presenting our work at the USENIX Security conference. Details and the paper: https://t.co/bJi7t5zggN
@Myceliyum19 @mysk_co yup! There are dozens of apps that support time-based one-time passwords (TOTP). I analyzed the backup and recovery features of the top 22 Android authenticator apps, which you can read about here: https://t.co/bJi7t5zggN
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.
Why is this bad?
Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised.
Also, 2FA QR codes typically contain other information such as account name and the name of the service (e.g. Twitter, Amazon, etc). Since Google can see all this data, it knows which online services you use, and could potentially use this information for personalized ads.
Surprisingly, Google data exports do not include the 2FA secrets that are stored in the user's Google Account. We downloaded all the data associated with the Google account we used, and we found no traces of the 2FA secrets.
The bottom line: although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy. Fortunately, Google Authenticator still offers the option to use the app without signing in or syncing secrets. We recommend using the app without the new syncing feature for now.
#Privacy #Cybersecurity #InfoSec #2FA #Google #Security
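The thread above makes two claims worth seeing in code: a TOTP QR code is just a seed plus plaintext metadata (issuer, account name), and anyone holding a copy of that seed produces exactly the same one-time codes as the phone does. The following is an added example written for this page, not code from the thread's authors or from Google Authenticator. It parses an `otpauth://totp/` URI, derives RFC 6238 codes from the seed, and shows a verifier accepting the code from a copied seed just as readily as from the original device. The URI is constructed for illustration; its seed is the RFC 6238 test key "12345678901234567890" in base32, and the account label is fictional.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example: the RFC 6238 test key "12345678901234567890" in base32,
# wrapped in an otpauth URI of the kind a 2FA QR code encodes. Not a real account.
EXAMPLE_URI = (
    "otpauth://totp/Example%3Aalice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into the fields an authenticator stores.

    Everything here (issuer, account label, the seed itself) is plaintext in the
    QR code; a backup or sync that is not end-to-end encrypted exposes all of it.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(u.path.lstrip("/"))
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    if ":" in label:
        label_issuer, account = label.split(":", 1)
    else:
        label_issuer, account = None, label
    return {
        "issuer": params.get("issuer", label_issuer),
        "account": account.strip(),
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def totp(secret_b32, unix_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP(K, floor(unix_time / period)) with dynamic truncation."""
    cleaned = secret_b32.strip().upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", int(unix_time) // period)
    digest = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify(secret_b32, code, unix_time, window=1, **kw):
    """Server-side check accepting +/- `window` periods of clock skew.

    The server holds the same seed as the phone, so whoever copies the seed
    (a cloud backup, a sync service, an attacker) passes this check too.
    """
    period = kw.get("period", 30)
    for step in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + step * period, **kw)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def codes_from_copied_seed(uri, unix_time):
    """Return (metadata, phone_code, copy_code) for the same instant.

    The 'copy' is simply the seed as a non-E2E backup would hand it to its
    operator; nothing else is needed to reproduce the user's codes.
    """
    info = parse_otpauth(uri)
    kw = dict(digits=info["digits"], period=info["period"], algorithm=info["algorithm"])
    phone_code = totp(info["secret"], unix_time, **kw)
    copied_seed = info["secret"]
    copy_code = totp(copied_seed, unix_time, **kw)
    return info, phone_code, copy_code


if __name__ == "__main__":
    info, phone, copy = codes_from_copied_seed(EXAMPLE_URI, 59)
    print("metadata visible to whoever holds the backup:", info["issuer"], info["account"])
    print("phone:", phone, "copy of seed:", copy, "match:", phone == copy)
```

Run it and the two codes are identical at every instant; with the RFC 6238 test key the code for unix time 59 is 287082, matching the RFC's own vector. The `verify` function is the relying party's view: it cannot tell which copy of the seed produced the code, which is why a sync service that can read the seed has, in effect, a copy of the second factor. The issuer and account fields are what the thread notes Google could read alongside the seed.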
Good things come to those who wait. New and improved @Google Authenticator. (Feels like an appropriate start to @RSAConference week). https://t.co/AaBqP3B2Gh
When your institution has a >$50B endowment and accepts an unrestricted $500 million but can’t pay their grad student workers and employees wages that align with cost of living and inflation 💖
If guns made us safer, America would be the safest place in the world.
But the opposite is true. Nowhere else do students, concertgoers and bank patrons get slaughtered on a daily basis.
Because as it turns out, it's all the guns that make us so unsafe.
As @PrivacyMatters speculated, Authy sends too much analytics for an authenticator app. It associates analytics with the user's ID, which is tied to phone number and email. The analytics include the issuer name of each scanned QR code. Try to use a different #2FA app.
#Privacy