Phishing for info on Twitter

Note: I originally submitted this elsewhere to be published but it never did so.. I’ll publish it on my own blogs.

@tarotbyarwen: *poke poke poke*

@syrlinus: yes?

@tarotbyarwen: I got 98% on twittergrader! Squee!

@syrlinus: huh? Wazzat? Lemme check.

I go to the website and see that it asks for a username and password. Warning bells and spidey senses are being alerted. Ok. So maybe it’d didn’t quite happen like that. But, one of the fastest growing social networking tools of late has been Twitter, a quick messaging tool that utilizes UDP packets. It’s a great tool to send out quick updates. It is, to use the analogy, nothing more than a true virtual gab fest. People exchange “info” and talk about almost nothing at all. Seinfeld would be proud. But in recent weeks, a number of sites have popped up, trying to take advantage of people’s egos to one-up each other in regards to their ranking on twitter. That is, the more people who follow you, the better the rating; the more people talk to you with directed messages; the more you talk, etc. (amongst other factors). In a nutshell, how popular are you to the rest of the world.

One way that they do this is request the username and password utilized for twitter. The person logs in with this and then the “attacker” can then use that account to send out spam or steal someone’s reputation.

And online, one’s reputation can pretty much be the only thing that carries or is important, particularly so during these hard times. There are no specific inherent security tools but there are some simple steps that you can do to ensure a secure Twitter experience.

  1. Change your password regularly: The only thing that ever should be static in life is a mosquito pond. Otherwise, everything should change at some point. Passwords are no exception. When online, you should change your password at least every 6-12 weeks. If you suspect or potentially are suspicious that your password has been compromised, change it sooner.
  2. Be complex: Few things in life are simple (other than toast and butter). You’re password should be a complex secret that only you would know or guess. I try to use combinations of things that have some unique meaning to me. For example, I might use Blu3Bl@nk3t since my name is Linus (I don’t but you get the idea). The combination of upper, lower, numbers and special characters as well as the length makes it hard to guess or crack.
  3. Never give out your password: the exception would be the Twitter application itself but only use those that are sanctioned by Twitter or have a high visibility rate (that is, other friends you know – ideally in person – recommend).
  4. Be careful what you say: This method of communication uses non-encrypted method of communication. Because of this, you may not want to trade the latest exciting news from the company about the new product to be released in a couple of months – unless your Marketing department has ok’d that information to be released. Even when talking with colleagues online, watch out for that.

Because of the inherent lack of security in Twitter itself, it’s up to the individual user to practice safe twittering. Be aware, be careful and be thoughtful. Don’t just jump at all the gadgets, ranking sites, etc.

As for Twitterrank, that one got busted the other day as I wrote this, claims that the intent wasn’t username/password harvesting. It may be true but it does highlight the importance of being vigilant without FUDing. That’s the other side of Twitter: news travels fast. 😉

Security Ideas: Back to Basics isn’t a bad thing.

I’ve been pondering the Palin e-mail fiasco of late. It never fails that it’s the simplest of things that leave open doors in environments. I had suspected that at some point this would happen: all the FUD that the overall security industry has heaped upon the average person has dulled their sense of security and awareness. And it’s starting to show itself in today’s environment. Last weeks crash seemed to mimic the crash we’ll likely see at some point in computer security.

Seriously. We should not have mentalities where employees spend their day poking their Facebook applications; that it’s corporately acceptable to never change our default password from the very first one we received; that laptops issued to mobile employees don’t come with security filters to prevent theft of intellectual property. Our environments are far too connected to ignore the simplest of security practices. People are starting to become lax in security in the wrong areas. There is a belief by many that local networks do not need to have security because, well, it’s internal. While we’d like to believe that all employees are here to do a good job and not go over to the competition, it happens.

So the obvious question is what do we do when we’ve pushed people to the limit of their wanting to be security minded and this has resulted in a more lax attitude towards the simplest of security features. So here’s a list of the simplest of things that you can do, whether at home or at work:

Passwords: Always use passwords and ensure they are a combination of lower case, upper case, special characters and numbers. The trick is to create a password that rememberable and doesn’t have to be written down to be recalled. First, let’s consider what not to use: birthdates, names of family and friends, no pet names, no kid names, no names of favourite teams, singers, actors, etc., do not use your SSN/SIN, or other common identifiers.  Now, what should we use? A phrase that you like can be used as the password if it’s got enough varying characters and such. Alternatively, you can use a password generator like the following to create a password and commit it to memory. This is the method I prefer to use and have a variety of generated passwords committed to memory as “regular” passwords that I use.

Secure Network Practices: Regardless of what is being transported on the internal network, some form of network security should be utilized. Since most home environments today utilize wireless this should be easy to do. Products like Linksys WRT54G Wireless-G Router to create a secure local environment. I’ve used this particular brand for the last four years with great success. You can use this to ensure that any connections are protected, at least, by WEP. Again, you can use the password generator to create new passphrases to generate a good key.

Updates: It’s not just Windows that needs updates but also your applications, anti-virus programs and spyware detection programs. Keeping these up-to-date can help address those new virii that are and will be released. When you do your scans, put your system into safe mode and do the scan in that mode. If you run these scans when the system is fully running, it will slow down the progress of the scan and some trojans/virus will hide when the full kernel is loaded.

This is a good enough start but there is more to do and I will be adding those thoughts and ideas over the next few days and weeks. If there is an area of specific interest, let me know.

ARTICLE: Ten Back to School Security Tips for Administrators

With the start of school around the corner, many IT administrators have to prep their environments for the hordes of students that will insist on downloading the entirety of Internet. Interestingly enough, our employees sometimes feel that they should do the same.

While they may not necessarily be visiting unsavory sites, they are likely to visit a variety of other sites that will distract them from their learning or job responsibilities. So what are those things should be done in preparation for the start of the school year (many at little-to-no-cost), whether at the school or in the work environment?

1. Educate your users. This cannot be stressed enough. Even if the site is about flower arrangements, it may be enough to distract users and eat up precious resources. This means users should be reminded that the computer and the network that it uses are the property of the company or the school and should only be used explicitly for reasons related to that organization.

2. Remind users that all things may be public. Whether it’s their activities and where they surf, emails or IMs they send or receive, it is all fair game and that there is no expectation of privacy. Additionally, public social networking sites can be used to connect with colleagues outside of work but common sense about what can be posted on those sites should be used.

3. Ensure that there are firewalls in place not only to protect the corporate environment from attack (outside in) but also firewall rules to limit what exits your network (inside out). It may be an innocuous gaming site but there could be malicious scripts on it that piggyback on connections.

4. Anti-virus and malware detection tools are still tools that should be incorporated into any standard educational or corporate environment. Just because we haven’t heard of any latest attacks doesn’t mean that they don’t exist. New attacks are occurring and new attack vectors are being used. Take, for example, Facebook applications which often grab as much info about a user from their cookies as it can and there is no mechanism to check if it grabs other cookies as well.

5. Take the stance of “less is more” on user environments. In addition to firewalls, anti-virus and malware detection tools, the actual desktop should be hardened. NIST/NSA still provides free hardening guides on the majority of systems. Remove what is unnecessary and only add the minimum of what is needed. If a user needs more, they will ask.

6. For those users that are mobile or heavily connected (the Blackberry crowd), invest in some simple laptop locks, Blackberry protective cases (like those from Otter) or other mechanisms. The Otter, I found, is great for klutzes like me at protecting my Blackberry when I drop it. You can use Roblock to track down lost or stolen Blackberries.

7. Take an inventory. It’s amazing how many companies let their laptops, Blackberries and other devices become property of individual employees. Asset tags and a simple asset tag database can work wonders. It’s important to keep track of those items as lost or wayward devices can add up to additional costs for a company. MyAssetTag.com may be a good site to visit to get such tags and they even have some for PDA/Smartphones.

8. Laptops and desktop LCDs should, by default, come with security screen filters. Laptops in particular should be outfitted these. With researchers and executives on the road, it’s important to ensure that wandering eyes don’t steal proprietary intellectual property. Whenever a new laptop is issued, it should come with a decent security filter. (3M makes an excellent line of these). With a bit of searching you can find some privacy screen filters for Blackberries and other such devices.

9. VPN tokens and the usage of VPN in general for all communications can help ensure that all sessions are protected. This may seem odd for a school to use but when an organization like Blizzard introduces it to improve security on its popular World of Warcraft online game, it’s definitely time to have it as a regular part of school or large organizational life. At $6.50 each, this is a cheap option to ensure that a person is a legitimate member of the community they are supposed to be a part of.

10. Weekly notifications of viruses and ideas to protect the company. The more informed an end-user is, the better it is for your organization. These don’t have to be in-depth but it may be enough that when a user uses their home computer to access work (since many companies are trying to employ telecommuting or 4-day work week options to save money) they protect those machines as well.

Oh, look. We’ve ended back at education again.

More importantly, turn these into good habits and standardized processes. When you close the door to security threats, you get more done faster.

And that means less homework for everyone.