Phishing for info on Twitter

Note: I originally submitted this elsewhere to be published but it never did so.. I’ll publish it on my own blogs.

@tarotbyarwen: *poke poke poke*

@syrlinus: yes?

@tarotbyarwen: I got 98% on twittergrader! Squee!

@syrlinus: huh? Wazzat? Lemme check.

I go to the website and see that it asks for a username and password. Warning bells and spidey senses are being alerted. Ok. So maybe it didn’t quite happen like that. But one of the fastest growing social networking tools of late has been Twitter, a quick messaging tool that utilizes UDP packets. It’s a great tool to send out quick updates. It is, to use the analogy, nothing more than a true virtual gab fest. People exchange “info” and talk about almost nothing at all. Seinfeld would be proud. But in recent weeks, a number of sites have popped up, trying to take advantage of people’s egos to one-up each other with regard to their ranking on Twitter. That is, the more people who follow you, the better the rating; the more people talk to you with directed messages; the more you talk, etc. (amongst other factors). In a nutshell, how popular are you to the rest of the world.

One way they do this is to request the username and password used for Twitter. The person logs in with these, and the “attacker” can then use that account to send out spam or steal someone’s reputation.

And online, one’s reputation can pretty much be the only thing that carries or is important, particularly so during these hard times. There are no specific inherent security tools, but there are some simple steps you can take to ensure a secure Twitter experience.

  1. Change your password regularly: The only thing that ever should be static in life is a mosquito pond. Otherwise, everything should change at some point. Passwords are no exception. When online, you should change your password at least every 6-12 weeks. If you suspect that your password may have been compromised, change it sooner.
  2. Be complex: Few things in life are simple (other than toast and butter). Your password should be a complex secret that only you would know or guess. I try to use combinations of things that have some unique meaning to me. For example, I might use Blu3Bl@nk3t since my name is Linus (I don’t, but you get the idea). The combination of upper, lower, numbers and special characters, as well as the length, makes it hard to guess or crack.
  3. Never give out your password: the exception would be the Twitter application itself, and only use third-party applications that are sanctioned by Twitter or that are widely used and recommended by friends you know (ideally in person).
  4. Be careful what you say: This method of communication uses a non-encrypted method of communication. Because of this, you may not want to trade the latest exciting news from the company about the new product to be released in a couple of months – unless your Marketing department has ok’d that information to be released. Even when talking with colleagues online, watch out for that.
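As an added illustration (not from the original post) of point 2, the script below scores the post’s example Blu3Bl@nk3t against a plain lowercase word and a longer passphrase by the size of the brute-force search space, which is what the character classes and the length actually buy you; the guess rate and the comparison passwords are assumed values, and the result goes a little beyond the post by showing that length outweighs character variety.

```python
import math
import string

# Character classes the post names (upper, lower, numbers, special), plus
# space so that multi-word passphrases can be scored too.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "special": set(string.punctuation),     # 32
    "space": {" "},                         # 1
}


def classes_used(password):
    """Names of the character classes that actually occur in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def keyspace(password):
    """Brute-force search space: (size of the alphabet the password draws
    from) ** length. An attacker who knows only the classes and the length
    must try up to this many candidates."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def bits(password):
    """Keyspace expressed as bits of entropy (log2), easier to compare."""
    return math.log2(keyspace(password))


def exhaust_seconds(password, guesses_per_second=10**10):
    """Worst-case time to exhaust the keyspace at an assumed offline guess
    rate (10^10/s is a constructed figure, not from the post)."""
    return keyspace(password) / guesses_per_second


if __name__ == "__main__":
    # Constructed comparison set: lowercase word, the post's example,
    # and a long lowercase passphrase.
    for pw in ("bluebblanket", "Blu3Bl@nk3t", "blue blanket on the couch"):
        print(f"{pw!r:30} classes={sorted(classes_used(pw))} "
              f"bits={bits(pw):5.1f} exhaust={exhaust_seconds(pw):.3g}s")
```

The keyspace model assumes every character was chosen at random; a dictionary word with leet substitutions such as Blu3Bl@nk3t is found far sooner by a wordlist-plus-rules attack, so treat these numbers as an upper bound on strength.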

Because of the inherent lack of security in Twitter itself, it’s up to the individual user to practice safe twittering. Be aware, be careful and be thoughtful. Don’t just jump at all the gadgets, ranking sites, etc.

As for Twitterrank, that one got busted the other day, as I wrote this, and claims that the intent wasn’t username/password harvesting. It may be true, but it does highlight the importance of being vigilant without FUDing. That’s the other side of Twitter: news travels fast. 😉

Quick morning thoughts

Ok. So I originally had wanted to post yesterday — from the subway on my Blackberry — about individuals’ need to be careful about what we post online. Of course, as luck would have it, none of it got saved. While posting from my Blackberry has been interesting and neat, it has presented some challenges. I still need to figure out how to use the email-to-post feature of WordPress (perhaps I’ll take some time tomorrow afternoon or this Sunday to do it).

In the meantime, I have been busy. First off, I’ve recently acquired two new domains — cigarnewbie.com (where I’ll post my cigar reviews and such — I’m still debating as to whether to create a whole separate blog for that or not) and wiredcatonline.com, which redirects to here. Wired Cat Online has been the name of my consulting/desktop publishing/personal company since I bought my first Mac, with my own money, back in 1993.

One of the things that I enjoy the most about what I do is that I can share what I learn with others. It’s actually far more critical, IMO, that we do so, and keeping secrets from others isn’t helpful. But this society, particularly in the IT industry, seems to continue to maintain that keeping secrets is a necessity. It, in this mindset, ensures we’re employed and important. All that it actually does is maintain an environment of distrust and facilitate the growth of assumptions. These assumptions often hold us back because we become blind to what is going on. When it comes to security this makes us blind to the “bleeding obvious” (to quote Computer Stupidities).

So when I hear things or am asked things that seem to fit the bleeding obvious, I begin to wonder what brought our industry to this stage of things and how it holds us back. We miss the simple security things we can put in place, at no-to-low cost, effort and time, and miss the obvious security holes that need quick fixes but that take a bit of time, effort and planning. I have to admit to liking WordPress because a particular plug-in, Theme/Plugin Updater, has made it easier for me to ensure that I keep up to date on those plug-ins. Additionally, even WordPress itself is easy on the upgrade without me having to go back and re-adjust pages that I had modified before. Some themes still need something like that where widgets aren’t affected if I experiment with one theme over another, but perhaps with time that will come (or I’ll create something — a Widget Keeper so to speak). Perhaps all of this is a result of the on-going larger political tiredness over state security and the FUD that the federal US government generates on a daily basis (if you travel a lot, how often do you hear the “We’re at level Orange” warnings, often blared over the general speakers in the airport terminals?).

Anyways, tonight I’ll take a few moments to put down those original thoughts on individual security so we can continue working on ensuring that even home systems and home environments are protected from a computer point of view. If a particular area is of interest, pop me a note in the comments and I’ll see what I can dig up for you. 😉

Are forums a community or a business?

I had to post this. I was visiting a queer site today and noticed someone who was banned. And it seemed that they were banned for being an FTM who was straight. Now, there are other FTMs on the site, but this just kinda stood out. There may have been other issues at play here, since the member was identified as being previously banned, but the way the admin had stated it, it came across as being banned for being a straight FTM (he was asking if others were straight identified as well).

And this does make me think about how sites are managed. Are forums just a business or are they a community? If the site is charging at what lines does it become a business? At one point in the life of the internet (oh, around the early 90s-to-mid 90s) the internet was about information and community. It was a big part of what it was and how it developed. People wanted to connect with others to learn, rant, rave and find a connection that otherwise was hard to do. Distance and too few like-minded individuals made it hard to do. Additionally, only the truly geeky could setup a site and move it forward because they had the all powerful know-how.

But the reality of costs began to impede on the viability of continuing communities as they were. When I think of it, it’s not really costs that kill communities; rather, when a community gets too big too fast and doesn’t allow the core group (depending on the size of the community, but it can range from 5-50 individuals) to form a strong cohesion, then it can die. On the flip side, however, is the issue that if there is ONLY the core group, a community can die. Being too heavy handed is just as bad as being too light handed.

I have come to the belief that being communicative as to goals and dreams in a big way with the community is the best way to keep things moving. An open line where community thoughts are taken into consideration — and USED on occasion — as much as owner/admin thoughts are. While most sites I’ve admin’d or moderated on have a hard rule about not letting individuals back after being banned, I do believe that exceptions can be made. Perhaps I’m too much of a softy, but even in our own judicial systems there are opportunities for individuals to make amends and earn back “societal” points, if you will.

So all this said, where are our internet communities now going? Facebook and MySpace are hardly communities. They are, if you will, fly-by-night friends who spam each other with garish comments and applications (it can be fun but let’s call them what they are at times). Blogs like Livejournal and Blogger are forms of massive bookmarks that few people seem to get a chance to read. And our community forums are… well, their permanence and actual cohesiveness seem to be in question these days.

Do you remember newsgroups? If you do, you’ll remember that they were in their heyday during the early formation of the internet up to about the mid-90s, when forums began to really appear. It makes me wonder if this is the future of forums: sloughed away in favour of fly-by-night “communities”.