Phishing for info on Twitter

Note: I originally submitted this elsewhere to be published but it never was, so I’ll publish it on my own blogs.

@tarotbyarwen: *poke poke poke*

@syrlinus: yes?

@tarotbyarwen: I got 98% on twittergrader! Squee!

@syrlinus: huh? Wazzat? Lemme check.

I go to the website and see that it asks for a username and password. Warning bells and spidey senses are being alerted. Ok. So maybe it didn’t quite happen like that. But, one of the fastest growing social networking tools of late has been Twitter, a quick messaging tool that utilizes UDP packets. It’s a great tool to send out quick updates. It is, to use the analogy, nothing more than a true virtual gab fest. People exchange “info” and talk about almost nothing at all. Seinfeld would be proud. But in recent weeks, a number of sites have popped up, trying to take advantage of people’s egos to one-up each other in regards to their ranking on Twitter. That is, the more people who follow you, the better the rating; the more people talk to you with directed messages; the more you talk, etc. (amongst other factors). In a nutshell, how popular are you to the rest of the world.

One way that they do this is to request the username and password used for Twitter. The person logs in with this and the “attacker” can then use that account to send out spam or steal someone’s reputation.

And online, one’s reputation can pretty much be the only thing that carries or is important, particularly so during these hard times. There are no specific inherent security tools but there are some simple steps that you can do to ensure a secure Twitter experience.

  1. Change your password regularly: The only thing that ever should be static in life is a mosquito pond. Otherwise, everything should change at some point. Passwords are no exception. When online, you should change your password at least every 6-12 weeks. If you suspect that your password has been compromised, change it sooner.
  2. Be complex: Few things in life are simple (other than toast and butter). Your password should be a complex secret that only you would know or guess. I try to use combinations of things that have some unique meaning to me. For example, I might use Blu3Bl@nk3t since my name is Linus (I don’t but you get the idea). The combination of upper, lower, numbers and special characters as well as the length makes it hard to guess or crack.
  3. Never give out your password: the exception would be the Twitter application itself but only use those that are sanctioned by Twitter or have a high visibility rate (that is, other friends you know – ideally in person – recommend).
  4. Be careful what you say: This is a non-encrypted method of communication. Because of this, you may not want to trade the latest exciting news from the company about the new product to be released in a couple of months – unless your Marketing department has ok’d that information to be released. Even when talking with colleagues online, watch out for that.

Because of the inherent lack of security in Twitter itself, it’s up to the individual user to practice safe twittering. Be aware, be careful and be thoughtful. Don’t just jump at all the gadgets, ranking sites, etc.

As for Twitterrank, which got busted the other day as I wrote this, it claims that the intent wasn’t username/password harvesting. It may be true but it does highlight the importance of being vigilant without FUDing. That’s the other side of Twitter: news travels fast. 😉

ATM Skimming

If you’ve never heard of this, you should be aware. It’s one of the ways that “thieves” break into your bank accounts. The news clip below has some good suggestions at the end on how to prevent this from happening.



The Art of Troubleshooting

And yes, it really is an art. It’s a challenge for some to learn how to figure out problems. In the IT industry, this is a requirement, almost as vital as having oxygen to breathe. But because of the nature of troubleshooting — based on logic and deduction — it can be hard to teach all aspects of it. There are some things that can be taught and would be worthwhile to know when considering a computer, network or security issue at hand.

First, before you even get to the stage of having to troubleshoot, get to know a system when it’s well. This means checking to see what processes are common at startup, how much memory is used when various applications run and how the overall system does things. One of the things that helped me was this book for information on XP (I detest Vista with a passion) and this one for hardware. This allowed me to investigate and learn what’s new.

Second, have a good resource to read and learn from. Books are great (especially for a traditionalist like myself who likes the feel of paper) but often get quickly outdated. Something like Maximum PC Magazine is a great regular magazine to have for those who like to read while on the subway, a plane or just relaxing at home. Even better is to have a regular forum to ask questions in. Tom’s Hardware is one of the foremost sites when it comes to hardware news, updates, reviews and even forums. It’s amongst the best out there just for that alone. LinuxQuestions.org can answer pretty much any question on Linux issues. And when it comes to Windows questions, I go to Antionline. While it’s primarily a security site, there are enough knowledgeable people there that can help eliminate security as the issue. These can act as resources for learning so you know when things work as well as for troubleshooting. The reality is that to address any issue we need to learn about the “thing” that we’re focused on fixing. Ideally, we want to do this before a problem occurs and to also help prevent problems from occurring. Also, ensure that you have valid, working backups. The ultimate solution to most problems is a re-format of the OS (often needed if a hard drive fails). Even on home systems a form of backup of important data should be done regularly to avoid issues. And don’t back up the whole system, just the critical data that you need (e.g., mailboxes, bookmark links, documents, pictures, iTunes songs, logs, etc.). Installation files for applications and such should already be saved on CD for when re-installation is necessary.

The next step is when there is an issue, identifying the source. Unless you know there is an issue you’ll never be able to address it. It’s important to get all the facts you can about the issue and to be as detailed as possible. This may include screenshots, writing error messages down and noting anything that had been recently added, changed or removed. Poor software design and/or coding can cause serious issues at times so it’s important to keep track of changes. Sometimes even updates to the Operating System can cause it to behave in a manner similar to that of spyware activities. Also, use numerical values where possible when describing something. “It’s slow!” doesn’t mean a heck of a lot compared to “It used to take only 28 seconds to boot up; now it takes about a minute to boot up”.

The kernel of an OS is the portion that loads up all drivers and allows for full interaction with the user. Both Linux and Windows have modes where the kernel isn’t loaded. This can be a pretty good indicator as to whether the issue is outside of the OS or not. Booting into what is referred to as “Safe Mode” or “Single User” mode minimizes what’s loaded (usually it’s only basic drivers) and can help determine if it’s a driver or startup application that may be causing the issue. If the issue is still there, then it’s possible it’s at the BIOS level. Gathering all this info means you are now armed to find out the cause. This is where Google and/or the sites listed above can be handy.

Put any error code messages into Google and/or describe the issue, with as much detail as possible, to the forum. If it’s an error code and you Google it, you’ll find either a KB page or other forums that detail the issue or both. The only exception is if you’re the first to hit upon this but given the speed of the internet, often issues spread rapidly around the world. Read up on the details of others who have experienced the same issue and see how much of it matches your own. Sometimes problems are like Shrek’s proverbial onion: layer after layer after layer until you get to the root of the issue. As you research your problem more, you’ll find your solution and be able to address it.

Once addressed, you start the process over again. As you go through problems, you’ll learn what to recognize as a problem and what isn’t. You’ll also learn habits on how to fix these faster each time. Troubleshooting is an art to a degree but it’s an art that’s learned through trial and error. Unless you experience it, you won’t know. The one thing to keep in mind is that it isn’t magic but rather simple legwork and a bit of work to find the problem at hand.
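The first step above (know the system while it is well) and the advice to describe problems with numbers can be combined into a small baseline comparison. This is an added example, not part of the original post; the snapshot format (one `<rss_kb> <command>` pair per line, as `ps -e -o rss= -o comm=` prints on Linux), the 2x growth threshold and the sample data are assumptions made for illustration.

```python
# Added example: compare a "healthy" process snapshot with a current one.
# Snapshot lines are "<rss_kb> <command>", e.g. saved from: ps -e -o rss= -o comm=

# Constructed sample data (not real measurements).
BASELINE = """\
 10240 sshd
 51200 firefox
  2048 cron
"""
CURRENT = """\
 10300 sshd
153600 firefox
  4096 updater-helper
"""


def parse_snapshot(text):
    """Return {command: total resident memory in KB}, skipping malformed lines."""
    totals = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        rss_kb, command = int(parts[0]), parts[1].strip()
        # Several processes can share a name; sum their memory.
        totals[command] = totals.get(command, 0) + rss_kb
    return totals


def compare(baseline, current, growth_factor=2.0):
    """Report processes that are new, gone, or using far more memory than before."""
    new = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    grown = []
    for name in sorted(set(baseline) & set(current)):
        before, after = baseline[name], current[name]
        if before > 0 and after >= before * growth_factor:
            grown.append((name, before, after))
    return {"new": new, "missing": missing, "grown": grown}


if __name__ == "__main__":
    report = compare(parse_snapshot(BASELINE), parse_snapshot(CURRENT))
    for name in report["new"]:
        print("new since baseline:", name)
    for name in report["missing"]:
        print("no longer running:", name)
    for name, before, after in report["grown"]:
        print(f"{name}: {before} KB -> {after} KB")
```

A process that appears in the "new" list is the "recently added, changed or removed" item worth writing down before asking for help.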

Quick morning thoughts

Ok. So I originally had wanted to post yesterday — from the subway on my Blackberry — about individuals’ need to be careful about what we post online. Of course, as luck would have it, none of it got saved. While posting from my Blackberry has been interesting and neat, it has presented some challenges. I still need to figure out how to use the email-to-post feature of WordPress (perhaps I’ll take some time tomorrow afternoon or this Sunday to do it).

In the meantime, I have been busy. First off, I’ve recently acquired two new domains — cigarnewbie.com (where I’ll post my cigar reviews and such — I’m still debating as to whether to create a whole separate blog for that or not) and wiredcatonline.com, which redirects to here. Wired Cat Online has been the name of my consulting/desktop publishing/personal company since I bought my first Mac, with my own money, back in 1993.

One of the things that I enjoy the most about what I do is that I can share what I learn with others. It’s actually far more critical, IMO, that we do so and that keeping secrets from others isn’t helpful. But this society, particularly in the IT industry, seems to continue to maintain that keeping secrets is a necessity. It, in this mindset, ensures we’re employed and important. All that it actually does is maintain an environment of distrust and facilitate the ability of assumptions to grow. These assumptions often hold us back because we become blind to what is going on. When it comes to security this makes us blind to the “bleeding obvious” (to quote Computer Stupidities).

So when I hear things or am asked things that seem to fit the bleeding obvious, I begin to wonder what brought our industry to this stage of things and how it holds us back. We miss the simple security things we can put in place, at no-to-low cost, effort and time, and miss the obvious security holes that need quick fixes but that take a bit of time, effort and planning. I have to admit to liking WordPress because a particular plug-in, Theme/Plugin Updater, has made it easier for me to ensure that I keep up to date on those plug-ins. Additionally, even WordPress itself is easy on the upgrade without me having to go back and re-adjust pages that I had modified before. Some themes still need something like that where widgets aren’t affected if I experiment with one theme over another but perhaps with time that will come (or I’ll create something — a Widget Keeper so to speak). Perhaps all of this is a result of the on-going larger political tiredness over state security and the FUD that the federal US government generates on a daily basis (if you travel a lot, how often do you hear the “We’re at level Orange” warnings, often blared over the general speakers in the airport terminals?).

Anyways, tonight I’ll take a few moments to put down those original thoughts on individual security so we can continue working on ensuring that even home systems and home environments are protected from a computer point of view. If a particular area is of interest, pop me a note in the comments and I’ll see what I can dig up for you. 😉

Oh look: I can post from anywhere. Whee.

I have to say it’s interesting writing a post from my Blackberry to add to my blog. Particularly since the subway ride from Queens to Wall Street can take about 45 minutes and the majority of the ride is above ground.

It does highlight how having this is both a useful tool as well as a bane. And does make me wonder how much extra info we’re publishing, given the ease with which we can now be published? At one time public transit was a way to meet up with colleagues and talk about the game or kids from the night before. Today, in a car of over 200 people it is silent, save for the silent murmur of iPod-isk music and the occasional bleat from the conductor announcing the next stop.

Even though this has no security risk or sensitive information I keep my Blackberry close to my chest, to avoid the possibility of wandering eyes. My, how we’ve changed. What is yet to be determined is if this change is helping or hindering. What do you think the answer is?

Security Ideas: Back to Basics isn’t a bad thing.

I’ve been pondering the Palin e-mail fiasco of late. It never fails that it’s the simplest of things that leave open doors in environments. I had suspected that at some point this would happen: all the FUD that the overall security industry has heaped upon the average person has dulled their sense of security and awareness. And it’s starting to show itself in today’s environment. Last week’s crash seemed to mimic the crash we’ll likely see at some point in computer security.

Seriously. We should not have mentalities where employees spend their day poking their Facebook applications; that it’s corporately acceptable to never change our default password from the very first one we received; that laptops issued to mobile employees don’t come with security filters to prevent theft of intellectual property. Our environments are far too connected to ignore the simplest of security practices. People are starting to become lax in security in the wrong areas. There is a belief by many that local networks do not need to have security because, well, it’s internal. While we’d like to believe that all employees are here to do a good job and not go over to the competition, it happens.

So the obvious question is what do we do when we’ve pushed people to the limit of their wanting to be security minded and this has resulted in a more lax attitude towards the simplest of security features? So here’s a list of the simplest of things that you can do, whether at home or at work:

Passwords: Always use passwords and ensure they are a combination of lower case, upper case, special characters and numbers. The trick is to create a password that is memorable and doesn’t have to be written down to be recalled. First, let’s consider what not to use: birthdates, names of family and friends, no pet names, no kid names, no names of favourite teams, singers, actors, etc., do not use your SSN/SIN, or other common identifiers. Now, what should we use? A phrase that you like can be used as the password if it’s got enough varying characters and such. Alternatively, you can use a password generator like the following to create a password and commit it to memory. This is the method I prefer to use and have a variety of generated passwords committed to memory as “regular” passwords that I use.

Secure Network Practices: Regardless of what is being transported on the internal network, some form of network security should be utilized. Since most home environments today utilize wireless this should be easy to do. Products like the Linksys WRT54G Wireless-G Router can be used to create a secure local environment. I’ve used this particular brand for the last four years with great success. You can use this to ensure that any connections are protected, at least, by WEP. Again, you can use the password generator to create new passphrases to generate a good key.

Updates: It’s not just Windows that needs updates but also your applications, anti-virus programs and spyware detection programs. Keeping these up-to-date can help address those new viruses that are and will be released. When you do your scans, put your system into safe mode and do the scan in that mode. If you run these scans when the system is fully running, it will slow down the progress of the scan and some trojans/viruses will hide when the full kernel is loaded.
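The Passwords item above (four character classes, nothing personal, optionally a generator) can be expressed as a checker plus a generator. This is an added example, not code from the original post; the minimum length, the special-character set and the look-alike substitution table are assumptions, and the personal terms are whatever the user supplies.

```python
# Added example: check a password against the "Passwords" rules and generate one.
import secrets
import string

# The four classes the post asks for. The special-character set is an assumption.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",
}

# Common look-alike substitutions (0->o, 1->i, 3->e, 4->a, 5->s, 7->t, @->a, $->s, !->i).
LEET = str.maketrans("013457@$!", "oieastasi")


def normalize(text):
    """Lower-case the text and undo look-alike substitutions before comparing."""
    return text.lower().translate(LEET)


def check_password(password, personal_terms, min_length=12):
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:  # min_length is an assumed policy value
        problems.append("too short")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append("missing " + name)
    flat = normalize(password)
    for term in personal_terms:  # names, pets, teams, birthdates, ...
        needle = normalize(term)
        if len(needle) >= 3 and needle in flat:
            problems.append("contains personal term: " + term)
    return problems


def generate_password(length=16, personal_terms=()):
    """Draw from the OS CSPRNG until all classes are present and no personal term appears."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character per class")
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, personal_terms, min_length=length):
            return candidate


if __name__ == "__main__":
    # "rex" and "1984" are constructed personal terms for the demonstration.
    print(check_password("R3x!1984", ["rex", "1984"]))
    print(generate_password(16, ["rex", "1984"]))
```

Because the comparison runs on normalized text, a personal term still matches after letters are swapped for digits or symbols.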

This is a good enough start but there is more to do and I will be adding those thoughts and ideas over the next few days and weeks. If there is an area of specific interest, let me know.

Are forums a community or a business?

I had to post this. I was visiting a queer site today and noticed someone who was banned. And it seemed that they were banned for being an FTM who was straight. Now, there are other FTMs on the site but this just kinda stood out. There may have been other issues at play here since the member was identified as being previously banned but the way the admin had stated it, it came across as being banned for being a straight FTM (he was asking if others were straight identified as well).

And this does make me think about how sites are managed. Are forums just a business or are they a community? If the site is charging at what lines does it become a business? At one point in the life of the internet (oh, around the early 90s-to-mid 90s) the internet was about information and community. It was a big part of what it was and how it developed. People wanted to connect with others to learn, rant, rave and find a connection that otherwise was hard to do. Distance and too few like-minded individuals made it hard to do. Additionally, only the truly geeky could setup a site and move it forward because they had the all powerful know-how.

But the reality of costs began to impede on the viability of continuing communities as they were. When I think of it, it’s not really costs that kill communities but rather when a community gets too big too fast and doesn’t allow the core group (depending on the size of the community but can range from 5-50 individuals) to form a strong cohesion, then it can die. On the flip side, however, is the issue that if there is ONLY the core group, a community can die. Being too heavy handed is just as bad as being too light handed.

I have come to the belief that being communicative as to goals and dreams in a big way with the community is the best way to keep things moving. An open line where community thoughts are taken into consideration — and USED on occasion — as much as owner/admin thoughts are. While most sites I’ve admin’d or moderated on have a hard rule about not letting individuals back after being banned, I do believe that exceptions can be made. Perhaps I’m too much of a softy but even in our own judicial systems there are opportunities for individuals to make amends and earn back “societal” points, if you will.

So all this said, where are our internet communities now going? Facebook and MySpace are hardly communities. They are, if you will, fly-by-night friends who spam each other with garish comments and applications (it can be fun but let’s call them what they are at times). Blogs like Livejournal and Blogger are forms of massive bookmarks that few people seem to get a chance to read. And our community forums are… well, their permanence and actual cohesiveness seem to be in question these days.

Do you remember newsgroups? If you do, you’ll remember that they were in their heyday during the early formation of the internet up to about the mid-90s when forums began to really appear. It makes me wonder if this is the future of forums: sloughed away in favour of fly-by-night “communities”.

Lemme Tell Ya: Thoughts on the Internet

Ok. So I’m avoiding doing some work. 😛 But I figured I’d put a little more of an update in here. I’m rather impressed with all the flexibility of WordPress thus far. I still find the themes rather limiting (enough to make me want to re-learn CSS and actually create my own — scary, eh?). But as I was mucking about both my blogs today I realized how much things have changed over the last 10-15 years when it comes to how the internet is used.

At one time, during the initial growth spurt of the internet (I’ll put that around 1994) it was about transference of ideas and information. Really, that was what this was all about: sharing ideas, causing conversation and finding solutions to the niggly little problems that we faced (particularly those of us in IT admin roles that managed unique server types). It was simple and plain. No advertising. No flash. Just substance.

Today we see something far different. It is all about flash and bang, and very little substance (unless you dig — if you dig well enough, you’ll find your individual holy grails of info). We’ve actually seen a degradation of trust of information as a result. Find me a news outlet that actually is reliable and doesn’t slant a story (good luck on that). Find me a forum that actually has discussions that are discussions about topics and not the people therein.

I’m still deciding whether this has resulted in a better or worse environment and haven’t come to a conclusion yet. I suppose there is some good stuff here but it’s being overshadowed by everything else. And that’s no fun, lemme tell ya.

Well..

Ok. So I figured out how to import everything although the formatting leaves a little to be desired. We’ll see how things go from here on in. Should be interesting to say the least.

Sigh..

Well.. I’m going to try to recover the files from the old version of the website. I’m presently in the process of migrating from my old blogging software, Serendipity, to the new one, WordPress. I figure with WordPress I’ll get more options, plug-ins and templates to muck about in. I wish there was an easier way to do the import than manually doing it. 🙁

Edited to add: Archives from the past