IT Security Blog

21 July 2009

Google Trending Topics the Latest Malware Lure


Last month we discussed the abuse of Twitter's Trending Topics system to increase the ranking of interesting topics so that links can be distributed via Tweets that lead users to phishing and malware sites.  This tactic was a follow up to previous abuses of Google's PageRank system which accomplished the same purpose.

The commonality with those two scenarios is that the cyber criminals had to do work to increase the ranking or interest of a particular topic in order to lure users to infected web sites. 

We are starting to see a new wrinkle where hackers are using already popular Google Trending Topics, search criteria that users are interested in and looking for through Google, to determine what users already want to see.  They are now tailoring their social engineering tactics to create new spam and websites that exploit users' curiosity.  No work required on a hacker's part to organically generate interest.  That interest is already being generated by high profile news stories, which have already shown to be very effective through the many iterations of Storm and Waledac over the past couple of years. 

An example is being reported by Dan Kaplan at SC Magazine, who says (via Sophos) that cyber criminals have created fake websites claiming to show nude videos of Erin Andrews, a popular ESPN reporter who was recently videotaped through a peephole camera.  These fake websites are being used to inject malware onto curious users' computers.  They could also very easily be used in phishing campaigns to steal users' personal information.

Searches for these Erin Andrews videos currently account for two of the top three Google search trends at the time of writing.

Posted by smasiello at 10:44 AM

16 July 2009

What Happened to Responsible Disclosure?


As news of the most recent Twitter breach spread and details of what was compromised started to come forth, the question at the forefront of my mind was "Whatever happened to responsible disclosure?", where you notify the vulnerable party, give them ample time to fix the problem, and, if any information is released publicly, release it only after the vendor has confirmed the problem resolved.

According to the article on TechCrunch that contains data that was stolen, they "spent much of the last 36 hours talking directly to Twitter about the right way to go about doing that" (where that = the right way to go about releasing the data).  Now I was certainly not privy to those discussions, but I personally have a hard time believing that those discussions involved Twitter saying "yes, please post the information, but just leave out the secret sauce bits."  I don't understand what criteria TechCrunch used such that they are now the governing authority over what is and is not confidential, or why they feel they have a right to make that call to begin with.  I am disappointed that a purportedly reputable news organization would feel that they have such privilege.

In a follow up post TechCrunch attempts to justify their actions by pointing to previous cases where they and another news organization had each taken it upon themselves to post sensitive information.  I guess that means that since there is a precedent for something happening that it somehow makes it right?  They also state within this article that they "break big stories."  Obviously, those that break the big stories get the big press, but let's not also forget that a certain level of responsibility is expected as well.  Saying that "others do it too" as justification for doing anything is just plain juvenile. 

Of course, let's not let the person who leaked the information to TechCrunch off the hook either, as they are certainly culpable as well.  At this point nobody seems to know who that person is (at least not publicly).  This mystery person submitted the information with the expectation that it would get published.  Otherwise, why send it to a news organization to begin with?  They baited the hook and TechCrunch bit down hard.

Whether TechCrunch will end up facing any legal action from Twitter remains to be seen.  Twitter might want to consider at least sending TechCrunch a thank-you note for at least temporarily turning the stink-eye from this whole mess away from themselves, as TechCrunch appears to be getting flamed worse than Twitter, who had the breach to begin with!

Funny how things work sometimes :)
Posted by smasiello at 9:45 PM

15 July 2009

Another Twitter Hack Leads to More Poorly Placed Generalities About Cloud Computing


It looks like the Hack du Jour, Twitter, has had another high profile data breach.

It seems like we have been around the block on this topic before on a couple of occasions, haven't we?

According to TechCrunch, the cause of this most recent data breach isn't stolen Twitter account credentials because of ClickJacking exploits or people who have given up their logins because of look-alike Twitter application sites.  This exploit was far more elementary, and one that Twitter could stand to learn a lesson from on their own account signup form: weak passwords.  According to the TechCrunch article, the password to some of Twitter's publicly facing servers was "password".  Maybe they thought that was too easy for people to guess and that nobody would actually try a password as simple as "password"?  Either way, this is another example of how Twitter needs to take its own security and the security of its users much more seriously.  Strangely enough, repeated lapses in judgment do not appear to have slowed their growth.

The portion of the MSNBC article that I linked to in the first paragraph that irked me the most was in the section titled "Dangers Highlighted", where the author states that "The techniques used by the hackers to obtain access to Twitter highlight the dangers of a broader trend promoted by Google Inc. and others toward storing more data online, instead of on computers under your control."  I couldn't disagree more with this statement.  The missteps by Twitter that have caused their recent compromises are not a result of a lack of standards or good security practices by cloud computing, SaaS, or other off-network service providers.  They are a result of Twitter's poor security practices, and Twitter's alone.

Any service provider, construction outfit, or home business that has its own network equipment needs to ensure that it has taken proper precautions to secure those devices.  That includes changing default passwords and identifiers (like SSIDs on wireless access points) all the way through to keeping those devices up to date on security patches and application updates.  These are not practices that are relevant to Cloud Computing providers alone.  To insinuate such in an effort to spread FUD against these types of services is downright irresponsible, in my opinion.  We're talking about best practices that need to be employed by everyone in all industries and form factors.  Perhaps if we did that, instead of just talking about it and always looking to point the finger at someone when they make a mistake, we would have fewer people to point fingers at.

Posted by smasiello at 9:28 PM

22 June 2009

Spammers Poisoning Twitter Trending Topics to Spread Spam and Malware

Poisoning search results with content that leads unsuspecting users to spam or malware content is nothing new.  We've been seeing abuse of Google's PageRank system since early 2008, where spammers would artificially inflate the rankings of their spam web sites and send out email links which emulated the click of the "I'm Feeling Lucky" button on Google's search page to auto-redirect users through Google to fraudulent web sites.

We are now seeing something similar with Twitter.  According to this post on Mashable's web site, spammers are using the accounts that they are setting up on the popular micro-blogging site to increase the ranking of certain topics so that they will appear in the list of Twitter's most popular topics and organically increase clickthroughs.  In some cases the sites that users are being directed to can also inject malware.

Be careful with these sites because, as we have seen with some other Twitter exploits, the possibility exists that you could also have your account credentials stolen and used as another vehicle for distributing Twitter spam.  Twitter has been built to be easy for end users to use and interface with.  This methodology has been great to drive user adoption.  The unfortunate side effect is that, because of its popularity, it has become an increasingly focused target for cyber criminals.

Posted by webmaster at 1:30 PM

15 April 2009

What Can We Learn from Twitter's Security Woes?


Just about anyone and everyone who is active on the internet is either using, has used, or at least has heard of Twitter, the micro-blogging service that grew in usage by 752% in 2008 and is poised to grow even more in 2009. 

As we know, where there are users, there are hackers.  Any technology that has grown in popularity at the speed at which Twitter has is certain to become a target for information- and money-stealing cyber criminals.  As such, Twitter has been the target of several application exploits over the last few months, including a Samy-like exploit which would force users to follow you, multiple Clickjacking exploits, and two worms dubbed Mikeyy and Stalkdaily just this past weekend.

Funny enough, one of the things that is frequently part of the fallout of numerous security exploits is a drop in brand trust and user confidence.  So far, that fallout does not appear to have taken place with Twitter.  At least based on the reported numbers, Twitter's growth does not seem to have been hampered at all despite the numerous security flaws that have been patched over the past 8 months.  Perhaps this is because there hasn't been a serious incident of data theft or widespread malware infection as a result of one of these exploits.  Rest assured, those are coming!

So, what can we learn as a result of Twitter's recent security woes? 

I believe that one of the most important lessons to be learned from Twitter is the need to ensure security is being built into your product from the concept and design phases, not after the code has been consumed by the public.  This is true for online applications like Twitter as well as boxed software that you buy in the stores.  Don't let your customers be your test bed to identify security risks, because you can bet that criminals will find them and exploit them before your customers do.  At that point you have put your customers at risk also.  It is far cheaper and less damaging to your corporate brand and reputation if security risks are identified up front, before any code is launched, than to try to retrofit security into a live product.

Up to this point the vulnerabilities exposed on Twitter have largely been considered annoyances.  I was unable to find any reports of identity or financial theft as a result of a Twitter exploit, and again perhaps that is why they haven't been placed under the same microscope that Microsoft and Google have been.  Don't take these proof-of-concept quality threats lightly though as they could easily have been much more nefarious than they were.

Let's take the Mikeyy worm as a primary example.  One of the ways that Mikeyy would spread is by sending Tweets out under the accounts of infected users, trying to lure their followers to visit the profile of another Twitter user that exploited a site flaw.  Once that page was visited, the user's account was hijacked and Tweets would be sent out as them to their followers, trying to trick them into clicking also.  Rinse and repeat.  In this instance the worm was merely spreading out across Twitter to anyone who was fooled into clicking the link presented in the Tweet.  What if this link was forwarding unsuspecting users out to a drive-by malware site that installed malware like Storm or Conficker?  In a previous post we discussed how URL abbreviation services can potentially hide an underlying threat vector to redirect users to malware drive-by or phishing sites.  Granted, that example isn't one of a specific Twitter flaw, but it is just another thing that users of the popular service need to be on the lookout for.

In its short existence Twitter has almost single-handedly revolutionized how we communicate (in 140 characters or less :) ) online.  Whether you are using Twitter to communicate with friends from school, family, or professionally to keep up on market trends or as another method to increase your brand awareness (a recent report by comScore said that more than 50% of Twitter users are between 25 and 54, with most users being on the upper end of that scale), Twitter has stormed onto the social media scene and has already become an important part of how people communicate online.  I use it myself.  As such, it creates another avenue by which we need to make sure we educate ourselves and our users about the potential for online threats.

Posted by smasiello at 2:29 PM
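Both the "I'm Feeling Lucky" redirect-through-Google trick described in the 22 June post and the URL abbreviation services mentioned above come down to the same problem: the host a reader sees in a link is not where the browser ends up.  The following Python is an added example, not code from this blog, that triages links pulled from an email or Tweet for either pattern.  The btnI query parameter is Google's "I'm Feeling Lucky" parameter (from general knowledge, not this post); the shortener host list and the sample links are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed list of URL-abbreviation hosts (assumption; extend for your environment).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "is.gd", "ow.ly", "tr.im"}
# Google hosts whose /search endpoint honours btnI ("I'm Feeling Lucky").
SEARCH_REDIRECT_HOSTS = {"google.com", "www.google.com"}


def triage_link(url):
    """Classify one URL. Returns (verdict, detail).

    "search-redirect": a Google search URL with btnI set, which sends the
                       browser straight to the top-ranked result for the query,
                       so the visible link hides the real destination.
    "shortener":       host is a known abbreviation service; the destination is
                       unknown until the redirect is followed.
    "plain":           the destination is the host shown.
    """
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host in SEARCH_REDIRECT_HOSTS and p.path == "/search":
        params = parse_qs(p.query)
        if params.get("btnI"):
            # The query term is the only clue to where the redirect will land.
            return "search-redirect", params.get("q", [""])[0]
    if host in SHORTENER_HOSTS:
        return "shortener", host
    return "plain", host


def triage_links(urls):
    """Return (url, verdict, detail) for every link not to be trusted at face value."""
    flagged = []
    for u in urls:
        verdict, detail = triage_link(u)
        if verdict != "plain":
            flagged.append((u, verdict, detail))
    return flagged


# Constructed sample links of the kinds discussed in the posts.
SAMPLE_LINKS = [
    "https://www.google.com/search?q=erin+andrews+video+example&btnI=1",
    "http://bit.ly/constructed1",
    "https://www.google.com/search?q=twitter+security",
    "https://example.com/newsletter",
]

if __name__ == "__main__":
    for item in triage_links(SAMPLE_LINKS):
        print(item)
```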