IT Security Blog

15 July 2009

Another Twitter Hack Leads to More Poorly Placed Generalities About Cloud Computing


It looks like the Hack du Jour, Twitter, has had another high profile data breach.

It seems like we have been around the block on this topic before on a couple of occasions, haven't we?

According to TechCrunch, the cause of this most recent data breach wasn't Twitter account credentials stolen through ClickJacking exploits or given up by users to look-alike Twitter application sites.  This exploit was far more elementary and one that Twitter could stand to learn a lesson from on their own account signup form: weak passwords.  According to the TechCrunch article, the password to some of Twitter's publicly facing servers was "password".  Maybe they thought that was too easy for people to guess and that nobody would actually try a password as simple as "password"?  Either way, this is another example of how Twitter needs to take its own security and the security of its users much more seriously.  Strangely enough, repeated lapses in judgment do not appear to have slowed their growth.

The portion of the MSNBC article that I linked to in the first paragraph that irked me the most was in the section titled "Dangers Highlighted" where the author states that "The techniques used by the hackers to obtain access to Twitter highlight the dangers of a broader trend promoted by Google Inc. and others toward storing more data online, instead of on computers under your control."  I couldn't disagree more with this statement.  The missteps by Twitter that have caused their recent compromises are not a result of a lack of standards or good security practices by cloud computing, SaaS, or other off-network service providers.  They are a result of Twitter's poor security practices and Twitter's alone.

Any service provider, construction outfit, or home business that has its own network equipment needs to ensure that it has taken proper precautions to secure those devices.  That includes changing default passwords and identifiers (like SSIDs on wireless access points) all the way through to keeping those devices up to date on security patches and application updates.  These are not practices that are relevant to Cloud Computing providers alone.  To insinuate such in an effort to spread FUD against these types of services is downright irresponsible, in my opinion.  We're talking about best practices that need to be employed by everyone in all industries and form factors.  Perhaps if we did that instead of just talking about it and always looking to point the finger at someone when they make a mistake, we would have fewer people to point fingers at.
Posted by smasiello at 9:28 PM

21 May 2009

New Facebook Phishing Scam in the Wild


Be on the lookout this morning for a phishing scam floating around Facebook asking you to visit http://areps.at, a domain registered only a few days ago to someone named Andrew Morov out of Russia.  (UPDATE 5/21/2009 11:30am MST - According to this CNet article, the domain bests.at is also being used for this scam, registered to the same person as areps.at)

personname:     Andrey Morov
organization:
street address: Schelkovskiy proezd d.11 korp.1 kv.3
postal code: 105425
city: Moscow
country: Russland
phone: +74956211281
fax-no: +74956211281
e-mail: ******@nameclub.at
nic-hdl: AM5009456-NICAT
changed: 20090515 15:23:43
source: AT-DOM

Visiting this site will also infect your Facebook profile and cause messages to be sent to your friends inviting them to also visit.  Below is a screen shot illustrating the contents of the message you may receive from an infected friend.

If you do receive any of these, contact the person who sent it to you and ask them to change their password ASAP.  If you believe that you might have fallen victim to this scam, change your own profile password before whoever has hijacked your account changes it for you and locks you out of your own account!
Posted by smasiello at 9:40 AM

04 January 2009

Twitter Security


On Saturday, Twitter posted this security alert on its web site to make users aware of a phishing campaign that was going around via Twitter direct message attempting to steal login information for the social networking site.

Phishing campaigns are certainly nothing new.  So, what makes this interesting or different?

Phishing emails are certainly something we have become accustomed to in our inboxes and they are becoming more popular on personal profile pages on social networking sites like Facebook and Myspace.  In the December version of the MX Logic Threat Report and Forecast the very first prediction we made for 2009 was an increase in (ab)use of social networking technologies by spammers and other cyber criminals.

Twitter presents a bit of an interesting twist because URLs posted to "tweets" (status updates posted by Twitter subscribers) and direct, private messages sent person to person are shortened using URL abbreviation tools like tinyurl.com and bit.ly.  These types of services allow a cyber criminal to easily hide a potentially malicious or fraudulent URL behind the covers of a legitimate-looking one.  For example, by clicking on one of these links a user could unknowingly be directed to a web site that silently installs a keylogger on their PC.  URL abbreviation tools can also be utilized to hide a nasty URL within the body of an email as well, so this is not an attack that is solely abused by spammers using social networking technologies.

There is more to this potential threat than just the risk of redirection to a phishing site.  Cross-site scripting and SQL injection vulnerabilities can also easily be exploited using this tactic if the vulnerability is exploitable via URL code injection.  The malicious code can be hidden in the URL, compacted using tinyurl.com, then distributed in an email as a DDoS against a spammer's target.
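The risk described in the last two paragraphs can be checked before anyone clicks.  Below is an added example (not code from the original post) in Python: it walks a shortener's redirect chain one HEAD request at a time without rendering the destination, then reports the final host, the number of hops and any injection-like markers in the decoded URL.  The redirect table, the hostnames and the "<script" marker are constructed for the demo; head_resolver is the stdlib-only live resolver you would pass in place of the table.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import unquote, urljoin, urlparse

# Constructed redirect table (made-up hosts; offline stand-in for shortener answers).
FAKE_REDIRECTS = {
    "http://tinyurl.example/abc": "http://bit.example/xyz",
    "http://bit.example/xyz": "http://twitter-login.example/?msg=%3Cscript%3E",
    "http://tinyurl.example/job": "http://monster.example/jobs/listing?id=12345&ref=email",
    "http://tinyurl.example/loop": "http://tinyurl.example/loop",
}
# Markers that suggest XSS or SQL injection riding in a query string.
SUSPICIOUS = re.compile(r"<script|javascript:|union\s+select|'\s*or\s+'", re.I)

def head_resolver(url, timeout=5):
    """Live resolver: one HEAD per hop; redirects are deliberately not auto-followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # make the 3xx surface as an HTTPError instead
    opener = urllib.request.build_opener(NoRedirect)
    try:
        opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout)
        return None  # 2xx: this hop is the final destination
    except urllib.error.HTTPError as err:
        loc = err.headers.get("Location")
        return urljoin(url, loc) if loc and err.code in (301, 302, 303, 307, 308) else None

def expand_url(url, resolver=FAKE_REDIRECTS.get, max_hops=5):
    """Return the full hop list without rendering anything; fail on loops."""
    chain = [url]
    for _ in range(max_hops):
        nxt = resolver(chain[-1])
        if nxt is None:
            return chain
        if nxt in chain:
            raise ValueError("redirect loop at " + nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)

def assess_link(url, resolver=FAKE_REDIRECTS.get):
    # Expand the link and report what a click would really reach, plus red flags.
    chain = expand_url(url, resolver)
    final, findings = chain[-1], []
    if len(chain) > 2:
        findings.append("chained shorteners")
    if SUSPICIOUS.search(unquote(final)):
        findings.append("injection-like payload in URL")
    return {"final": final, "host": urlparse(final).hostname or "",
            "hops": len(chain) - 1, "findings": findings}
```

Calling assess_link("http://tinyurl.example/abc") with the table reports two hops to twitter-login.example with both flags raised, while the constructed monster.example job link expands cleanly with no findings.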

For all the potential risk that sites like tinyurl.com and bit.ly can introduce, they certainly do have their place.  Sites like monster.com, for example, sometimes create URLs that are extremely long when copied and pasted into an email, so abbreviating the link address is a great way to keep your message looking professional.  As with all other online threats, diligence is of the utmost importance.  Spam and phishing threats via social networking applications are still new territory in many regards when compared to email (for example), so many users do not think about the potential security ramifications that come along with using these technologies.  That education is occurring rapidly, but it is also happening partly by necessity as more and more users fall victim to quickly evolving tactics on the part of cyber criminals.
Posted by smasiello at 4:22 PM