Phishing for info on Twitter

Note: I originally submitted this elsewhere to be published, but it never was. I’ll publish it on my own blogs.

@tarotbyarwen: *poke poke poke*

@syrlinus: yes?

@tarotbyarwen: I got 98% on twittergrader! Squee!

@syrlinus: huh? Wazzat? Lemme check.

I go to the website and see that it asks for a username and password. Warning bells and spidey senses are being alerted. Ok. So maybe it didn’t quite happen like that. But one of the fastest growing social networking tools of late has been Twitter, a quick messaging tool that utilizes UDP packets. It’s a great tool to send out quick updates. It is, to use the analogy, nothing more than a true virtual gab fest. People exchange “info” and talk about almost nothing at all. Seinfeld would be proud. But in recent weeks, a number of sites have popped up, trying to take advantage of people’s egos to one-up each other in regards to their ranking on Twitter. That is, the more people who follow you, the better the rating; likewise the more people talk to you with directed messages, the more you talk, etc. (amongst other factors). In a nutshell, how popular are you to the rest of the world.

One way that they do this is to request the username and password utilized for Twitter. The person logs in with this and then the “attacker” can use that account to send out spam or steal someone’s reputation.

And online, one’s reputation can pretty much be the only thing that carries or is important, particularly so during these hard times. There are no specific inherent security tools, but there are some simple steps that you can take to ensure a secure Twitter experience.

  1. Change your password regularly: The only thing that ever should be static in life is a mosquito pond. Otherwise, everything should change at some point. Passwords are no exception. When online, you should change your password at least every 6-12 weeks. If you suspect that your password has been compromised, change it sooner.
  2. Be complex: Few things in life are simple (other than toast and butter). Your password should be a complex secret that only you would know or guess. I try to use combinations of things that have some unique meaning to me. For example, I might use Blu3Bl@nk3t since my name is Linus (I don’t, but you get the idea). The combination of upper, lower, numbers and special characters, as well as the length, makes it hard to guess or crack.
  3. Never give out your password: the exception would be the Twitter application itself, but only use those that are sanctioned by Twitter or have a high visibility rate (that is, other friends you know – ideally in person – recommend them).
  4. Be careful what you say: This method of communication is non-encrypted. Because of this, you may not want to trade the latest exciting news from the company about the new product to be released in a couple of months – unless your Marketing department has ok’d that information to be released. Even when talking with colleagues online, watch out for that.

Because of the inherent lack of security in Twitter itself, it’s up to the individual user to practice safe twittering. Be aware, be careful and be thoughtful. Don’t just jump at all the gadgets, ranking sites, etc.

As for Twitterrank, that one got busted the other day as I wrote this; the site claims that the intent wasn’t username/password harvesting. It may be true, but it does highlight the importance of being vigilant without FUDing. That’s the other side of Twitter: news travels fast. 😉

Security Ideas: Back to Basics isn’t a bad thing.

I’ve been pondering the Palin e-mail fiasco of late. It never fails that it’s the simplest of things that leave open doors in environments. I had suspected that at some point this would happen: all the FUD that the overall security industry has heaped upon the average person has dulled their sense of security and awareness. And it’s starting to show itself in today’s environment. Last week’s crash seemed to mimic the crash we’ll likely see at some point in computer security.

Seriously. We should not have mentalities where employees spend their day poking their Facebook applications; that it’s corporately acceptable to never change our default password from the very first one we received; that laptops issued to mobile employees don’t come with security filters to prevent theft of intellectual property. Our environments are far too connected to ignore the simplest of security practices. People are starting to become lax in security in the wrong areas. There is a belief by many that local networks do not need to have security because, well, it’s internal. While we’d like to believe that all employees are here to do a good job and not go over to the competition, it happens.

So the obvious question is what do we do when we’ve pushed people to the limit of their wanting to be security minded, and this has resulted in a more lax attitude towards the simplest of security features. So here’s a list of the simplest of things that you can do, whether at home or at work:

Passwords: Always use passwords and ensure they are a combination of lower case, upper case, special characters and numbers. The trick is to create a password that is memorable and doesn’t have to be written down to be recalled. First, let’s consider what not to use: birthdates, names of family and friends, no pet names, no kid names, no names of favourite teams, singers, actors, etc., and do not use your SSN/SIN or other common identifiers. Now, what should we use? A phrase that you like can be used as the password if it’s got enough varying characters and such. Alternatively, you can use a password generator like the following to create a password and commit it to memory. This is the method I prefer to use, and I have a variety of generated passwords committed to memory as “regular” passwords that I use.
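The two password passages above (the Twitter “be complex” tip and this one) both describe the same rule: mix upper case, lower case, digits and special characters, and make it long. The following is an added example, not the generator the post links to and not anything from the original page: a small Python script that generates a password meeting that rule from the operating system’s CSPRNG (`secrets`), checks an existing password against the rule, and reports how many bits of guessing work a random password of a given length represents. The particular special-character set and the 12-character minimum are my assumptions, not the post’s.

```python
import math
import secrets
import string

# Character classes the post calls for: upper, lower, numbers, special characters.
# The special-character set below is an assumption for this example.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",
}
ALPHABET = "".join(CLASSES.values())  # 85 distinct characters


def missing_classes(password: str) -> list:
    """Names of the character classes the password does not contain, in CLASSES order."""
    return [name for name, chars in CLASSES.items()
            if not any(c in chars for c in password)]


def meets_policy(password: str, min_length: int = 12) -> bool:
    """True when the password is long enough and uses every character class.

    The 12-character default minimum is this example's assumption; the post gives no number.
    """
    return len(password) >= min_length and not missing_classes(password)


def generate_password(length: int = 16) -> str:
    """Generate a random password that always satisfies meets_policy(length >= 12)."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character from each class")
    rng = secrets.SystemRandom()  # CSPRNG-backed, unlike random.Random
    # One character from each class guarantees coverage of every class ...
    chars = [secrets.choice(members) for members in CLASSES.values()]
    # ... the remainder is drawn from the full alphabet ...
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    # ... and a CSPRNG shuffle hides which positions were the forced ones.
    rng.shuffle(chars)
    return "".join(chars)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random password of `length` characters.

    This is the guessing work for a truly random password; a human-chosen
    pattern such as a word with substitutions is far weaker than this figure.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, meets_policy(pw), round(entropy_bits(16), 1))
    # The post's illustrative password: all four classes, but only 11 characters.
    print("Blu3Bl@nk3t", meets_policy("Blu3Bl@nk3t"), missing_classes("password"))
```

Run it directly to print a fresh 16-character password; the entropy figure it prints applies only to generated passwords, which is why the post’s advice to memorize generated strings rather than invent substitutions is the stronger of the two options it describes.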

Secure Network Practices: Regardless of what is being transported on the internal network, some form of network security should be utilized. Since most home environments today utilize wireless, this should be easy to do. Products like the Linksys WRT54G Wireless-G Router can be used to create a secure local environment. I’ve used this particular brand for the last four years with great success. You can use this to ensure that any connections are protected, at least, by WEP. Again, you can use the password generator to create new passphrases to generate a good key.

Updates: It’s not just Windows that needs updates but also your applications, anti-virus programs and spyware detection programs. Keeping these up-to-date can help address those new viruses that are and will be released. When you do your scans, put your system into safe mode and do the scan in that mode. If you run these scans when the system is fully running, it will slow down the progress of the scan, and some trojans/viruses will hide when the full kernel is loaded.

This is a good enough start but there is more to do and I will be adding those thoughts and ideas over the next few days and weeks. If there is an area of specific interest, let me know.

Are forums a community or a business?

I had to post this. I was visiting a queer site today and noticed someone who was banned. And it seemed that they were banned for being an FTM who was straight. Now, there are other FTMs on the site, but this just kinda stood out. There may have been other issues at play here, since the member was identified as being previously banned, but the way the admin had stated it, it came across as being banned for being a straight FTM (he was asking if others were straight-identified as well).

And this does make me think about how sites are managed. Are forums just a business or are they a community? If the site is charging, at what line does it become a business? At one point in the life of the internet (oh, around the early-to-mid 90s) the internet was about information and community. It was a big part of what it was and how it developed. People wanted to connect with others to learn, rant, rave and find a connection that otherwise was hard to do. Distance and too few like-minded individuals made it hard to do. Additionally, only the truly geeky could set up a site and move it forward because they had the all-powerful know-how.

But the reality of costs began to impinge on the viability of continuing communities as they were. When I think of it, it’s not really costs that kill communities; rather, when a community gets too big too fast and prevents the core group (which, depending on the size of the community, can range from 5-50 individuals) from forming a strong cohesion, then it can die. On the flip side, however, is the issue that if there is ONLY the core group, a community can die. Being too heavy-handed is just as bad as being too light-handed.

I have come to the belief that being communicative as to goals and dreams in a big way with the community is the best way to keep things moving. An open line where community thoughts are taken into consideration — and USED on occasion — as much as owner/admin thoughts are. While most sites I’ve admin’d or moderated on have a hard rule about not letting individuals back after being banned, I do believe that exceptions can be made. Perhaps I’m too much of a softy, but even in our own judicial systems there are opportunities for individuals to make amends and earn back “societal” points, if you will.

So all this said, where are our internet communities now going? Facebook and MySpace are hardly communities. They are, if you will, fly-by-night friends who spam each other with garish comments and applications (it can be fun but let’s call them what they are at times). Blogs like Livejournal and Blogger are forms of massive bookmarks that few people seem to get a chance to read. And our community forums are… well, their permanence and actual cohesiveness seem to be in question these days.

Do you remember newsgroups? If you do, you’ll remember that they were in their heyday during the early formation of the internet up to about the mid-90s, when forums began to really appear. It makes me wonder if this is the future of forums: sloughed away in favour of fly-by-night “communities”.

Lemme Tell Ya: Thoughts on the Internet

Ok. So I’m avoiding doing some work. 😛 But I figured I’d put a little more of an update in here. I’m rather impressed with all the flexibility of WordPress thus far. I still find the themes rather limiting (enough to make me want to re-learn CSS and actually create my own — scary, eh?). But as I was mucking about in both my blogs today, I realized how much things have changed over the last 10-15 years when it comes to how the internet is used.

At one time, during the initial growth spurt of the internet (I’ll put that around 1994) it was about transference of ideas and information. Really, that was what this was all about: sharing ideas, causing conversation and finding solutions to the niggly little problems that we faced (particularly those of us in IT admin roles that managed unique server types). It was simple and plain. No advertising. No flash. Just substance.

Today we see something far different. It is all about flash and bang, and very little substance (unless you dig — if you dig well enough, you’ll find your individual holy grails of info). We’ve actually seen a degradation of trust of information as a result. Find me a news outlet that actually is reliable and doesn’t slant a story (good luck on that). Find me a forum that actually has discussions that are discussions about topics and not the people therein.

I’m still deciding whether this has resulted in a better or worse environment and haven’t come to a conclusion yet. I suppose there is some good stuff here but it’s being overshadowed by everything else. And that’s no fun, lemme tell ya.