
 

Phishing Phail Whale

If you were on Twitter over the last week or so, you're probably aware of the latest phishing attempts. What's phishing, you ask?

According to Wikipedia:

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

Phishing is typically carried out by e-mail or instant messaging,[1] and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

Looks like we can add Tweets to that wiki. There were actually two different recent Twitter security events. The second part was a hack into a Twitter support staff's account. I'll get to the second part a little later.

 

This Isn't the First Time

And it won't be the last. Here are a couple of social engineering "schemes" seen on Twitter over the last several months:

Twply - via @techcrunch -

A service that let Twitter users forward messages that include their user name to their email address.

Sounds good right?

Twply asks if it can send a Twitter message from your account saying that you’ve tried the service. Apparently, lots of people did. Advertisements can be added to the emails sent from @replies. The site was sold within 24 hours for $1200.

So, what people thought would be an efficient way to manage @replies, allegedly quickly morphed into a SPAM machine.

What happened to the username and password data that was collected?

 

Twitterank - via @adamostrow -

A crudely designed website used to "rank Twitter popularity". Users handed over their credentials en masse to see what their latest Twitter popularity might be.

I almost fell for this one and I understood why one would try it. It seemed to "measure" Twitter and social media efforts. A number was spit out at the end which showed some "value". Problem was, what details were used to measure that "value"? That's when I began to think about security integration and social media.

The creator of Twitterank, Ryo Chijiiwa, @ryochiji @t_rank, did explain in an interview with @olivermarks on @zdnetblogs:

I blame the Family Guy. There I was in my hotel room, where I’m staying while in NY for business, watching episodes of The Family Guy on my laptop like any other Joe the Coder on a Tuesday night. But then I ran out of episodes. None of this would’ve happened if there were enough Family Guy episodes to watch on Hulu.

Hi. My name is Ryo, and I’m the developer of Twitterank, which is not some grand scheme to steal thousands of Twitter accounts, but a casual experiment gone horribly horribly right.

Turns out there is an algorithm behind Twitterank that analyzes @replies:

Similar to how Google’s PageRank algorithm judged a web page based on the number of inbound links and the origin of those links, Twitterank attempts to quantify a Twitter user by analyzing their incoming @replies. In essence, the more people talk to you, the higher your score. So yes, the number you’ll get may not necessarily reflect the number of followers you have, how often you tweet, or even how big your ego is.

Ryo later finishes with this thought:

This episode also started some conversations about phishing, about authentication, and social behaviors.

What happened to the username and password data that was collected?

 

Social Reputation and Social Capital

I first remember hearing the term Social Reputation, in the social media context, from Jeff Turner aka @respres, more recently the term Social Capital, from Benn Rosales aka @agentgenius and Data Capital from Jay Thompson aka @phxreguy through a comment Chris Messina aka @factoryjoe picked up on Fred Oliveira's post on Twply.

Jeff Turner @respres says:

Imagine the damage a disgruntled seller, buyer, former co-worker or competitor could do by claiming to be you in on-line forums, social networks and blogs. As a Realtor®, your reputation is integral to your brand. You need to monitor that brand and do everything in your power to insure that YOU are in control of that brand.

Benn Rosales @agentgenius says:

Popularity gives you a voice, but social capital makes your message matter- social capital is granted, not purchased, nor demanded. Often times, it is because you have bridged a relationship on less important matters whether it be over a funny video, or ridiculous pictures, and enjoyed conversations that led to larger commonalities leads to a relationship built on trust. (Emphasis mine.)

Jay Thompson @phxreguy commented:

Sigh. I tweeted this am that I was paranoid of giving out a password to a complete stranger. Got a response along the line of “it’s not like it’s a bank account”.

Well, it’s my social media “bank”. I’ve spent a long time building my SM reputation. And someone unscrupulous could wreck that reputation in a few hours. (Emphasis mine.) I just don’t get why so many will blindly hand over a password to someone they know nothing about. (Emphasis mine.)

While I may have heard the terms in some other previous context, when I read their articles the terms in their particular connotations amounted to little more than a notion. Sure, I understood their messages, but now I "get it". I don't have the social capital or social reputation Jeff, Benn and Jay have. But that doesn't mean I shouldn't be socially responsible.

 

Weak Password Brings 'Happiness' to Twitter Hacker

The second part of the recent Twitter security events was a hack into a popular Twitter user account, which turned out to be a Twitter staffer. How did he do it? He used an automatic password guesser he wrote himself.

This type of attack is known as a Dictionary Attack. He already had one half of the Basic Authentication credentials, the username, and wrote a program that tried common English words as the other half, the password.

Turns out the password was 'happiness':

Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.
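The quoted line names the real weakness: the guessing only worked because nothing slowed it down. As an added example (not code from the original post or from Twitter), here is a per-account sliding-window throttle replayed over a constructed login log shaped like that rapid-fire guessing; after a handful of failures the account is refused further attempts, right password or not, until the window passes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth-log excerpt (not real Twitter data): one login attempt per
# line, shaped like the rapid-fire guessing described in the post.
SAMPLE_LOG = """\
2009-01-05T03:12:00Z user=staffer result=FAIL
2009-01-05T03:12:00Z user=staffer result=FAIL
2009-01-05T03:12:01Z user=staffer result=FAIL
2009-01-05T03:12:01Z user=staffer result=FAIL
2009-01-05T03:12:02Z user=staffer result=FAIL
2009-01-05T03:12:02Z user=staffer result=FAIL
2009-01-05T03:12:03Z user=staffer result=OK
2009-01-05T03:15:00Z user=alice result=FAIL
2009-01-05T03:20:00Z user=alice result=OK
"""

def parse_line(line):
    """'<iso-time> user=<name> result=<OK|FAIL>' -> (datetime, user, result)."""
    ts, user, result = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user.split("=", 1)[1], result.split("=", 1)[1])

class LoginThrottle:
    """Per-account sliding window: once `limit` failures land inside `window`,
    further attempts on that account are refused before the password is checked."""

    def __init__(self, limit=5, window=timedelta(minutes=15)):
        self.limit, self.window = limit, window
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures

    def allowed(self, user, when):
        recent = self.failures[user]
        while recent and when - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        return len(recent) < self.limit

    def record_failure(self, user, when):
        self.failures[user].append(when)

def replay(log, limit=5):
    """Run the throttle over a log; returns attempt counts and locked accounts."""
    throttle = LoginThrottle(limit=limit)
    summary = {"allowed": 0, "refused": 0, "locked_out": set()}
    for line in log.splitlines():
        when, user, result = parse_line(line)
        if not throttle.allowed(user, when):
            summary["refused"] += 1          # even the correct password is refused
            summary["locked_out"].add(user)
            continue
        summary["allowed"] += 1
        if result == "FAIL":
            throttle.record_failure(user, when)
    summary["locked_out"] = sorted(summary["locked_out"])
    return summary
```

With the default limit of 5, the sixth guess and the later correct login on the staffer account are both refused, while alice's single slip is unaffected.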

He said he decided not to use other hacked accounts personally. Instead he posted a message to Digital Gangster, a forum for hackers and former hackers, offering access to any Twitter account by request.

According to Twitter, 33 high profile accounts were compromised in all, including Barack Obama, Britney Spears, Fox News and others. Once compromised, fake and SPAM messages were sent from the accounts.

These high profile accounts were undoubtedly popular and carried much positive Social Capital. Because of that popularity, any negative Social Capital would probably hurt the Social Reputation of those high profile Twitter users, or at least that may have been part of the intent.

 

What Does This Have to do With Me?

Sure, I'm no Britney Spears either, haha. But it's natural to ask, so what? What does all of this have to do with me? These events don't affect me and amount to nothing more than noise, right? What's the consequence if someone gains access to my Twitter account? I'm not "popular" and don't accept the notion I have Social Capital or feel a need to manage my Social Reputation. Still no risk?

 

Data Capital

How many of you use the same password across the various social media sites you belong to including Twitter? An example is your blogs. How long have you been writing? Do you value your original content? That is your data capital.

Data Capital via Chris Messina @factoryjoe

Think: Data as currency. Data to unlock services. Data owned, controlled, exchanged and traded by the creator of said data, instead of by the networks he has joined.

We've become so accustomed to giving our username to social sites and their third party vendors.

We've lost touch with what's of real value: our personal data.

Still not convinced this has anything to do with you? Ok, how about your pocket book, credit profile, and financial reputation?

Got your attention? Thought so.

 

An Opportunity for Good Data Hygiene

How many of you use the same password for those sites, including Twitter, as your password to access your email? Use the same password for online bill pay for your bank accounts? Which leads to mortgages, credit cards, etc, etc... And how many of those passwords are common English words? Remember the Dictionary Attack? You get my drift?

The consequences of poor data hygiene can be dire and this is a lesson we all can and hopefully will learn from. No matter who you are, now's the time to practice good data hygiene. Take this as an opportunity to secure accounts, Data Capital, Social Capital and manage your Social Reputation.
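A concrete piece of data hygiene is refusing the kind of password the dictionary attack above was built for. As an added example (not code from the original post), this check normalizes the cheap disguises a word list attack also tries (case, leet substitutions, a trailing year) before looking the password up, so "H4pp1ness2009" is caught as well as "happiness". The wordlist is a constructed stand-in for a real English dictionary plus leaked-password lists.

```python
import re

# Constructed mini wordlist; a real check would load a full English dictionary
# and leaked-password lists. The post's cracked example, "happiness", is in it.
WORDLIST = {"happiness", "password", "twitter", "sunshine", "letmein", "welcome"}

# Common leet substitutions a guessing program would try alongside plain words.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

def normalize(pw):
    """Strip the disguises: lowercase, drop trailing digits (years, '1'), undo leet."""
    base = re.sub(r"\d+$", "", pw.lower())
    return base.translate(LEET)

def is_dictionary_word(pw):
    return normalize(pw) in WORDLIST

def check_password(pw, min_len=8):
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append("too short")
    if is_dictionary_word(pw):
        problems.append("dictionary word")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    return problems
```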

If you are so inclined and you made it through, feel free to follow me @craig42k. Be forewarned... I'm really not that interesting. Haha.

 

Update 1/13/09 -

I think I'll make data hygiene and security related topics a series. I'll do my best to relate the series to Real Estate and Social Media or how it can affect or improve your business.

 

29 Comments on Whale of a Tale - Twitter, Security and You

JAN 11

Wow- thanks for this.  You are thorough....

2:26pm • #1

We've gotten some of these emails, one from a good active rain friend of ours, Brigita, but delete will keep you out of harm's way. I don't suggest opening any messages from twitter unless you want to become a victim. 

2:33pm • #2

Hi Craig - you aren't that interesting??  ;-)

This post certainly is, and it does point out just how important our 'banks' are, as Jay wrote.  I don't use the same passwords for any of those kinds of things, but it's still not something to take lightly at all.

Great reminder post for all of us out there in the online world we live in.
Ann

2:35pm • #3

Thanks for your post. Thought it was funny that the day after I decided to jump in Twitter the scam broke. For a while I thought I broke something.

Tony

2:41pm • #4

Well, Craig!  This is one freakin' scary post!  I'm gonna hop on Twitter right this minute and figure out a new password that I'll actually be able to remember.  Yikes!

2:46pm • #5

A lot of info here and insight.  It is very important and is a shame that there are so many scams out there per so with all this "phishing".  Hopefully everyone can be a little safer in regard to what has happened recently.

2:51pm • #6

Very interesting for sure.  We all need to be constantly aware and on our toes every day, for there are many scams out there. It's too bad we need to be so cautious but we do.  Better safe than sorry!

 

Patricia Aulson  Portsmouth NH Real Estate

2:57pm • #7

Dear Craig,

Thanks for the warning! This is scary!

Barbara

Barbara Delaney
3:01pm • #8

Craig, I almost didn't read this because so much has been written on AR about the Twitter phishing scams.  But gosh, I'm glad I did because this post contains so much more.  Thanks for sharing such valuable information... I'm sure it's particularly helpful to a lot of AR Newbies who may not have as much exposure to all things tech.

4:26pm • #9

Great post and all should take warning. Passwords should be 8 or more characters, use both characters, numbers and a symbol in your password.  Passwords should never be a dictionary word.

4:41pm • #10

It is a shame that it is not 100% safe to surf the internet these days.. thanks for the post.

5:26pm • #11

Hacking into a secured account can catch lots of phish.  It seems so real 

5:41pm • #12

Cindy - I've been working on this one for awhile.

Castellum Realty - Security by obscurity doesn't get business done. Awareness is key. How do you mitigate risk? Ask yourself, do you trust the source? Does the incoming message make sense? I'll be writing about hidden URLs soon.

Hi Ann - That's good data hygiene. The idea of Social Capital is real and as Jay put it, he's worked hard to achieve it and it can be lost in a matter of hours given the Data Capital is put into the wrong hands.

Tony - I knew it, it's all your fault. Ha! What's your twitter handle? Share, so we can follow you.

Hey Pat - You're a Mac user, right? There's a nifty password manager you can use for Mac OS X. I'll post the link in a bit or email you if you prefer.

Christopher and Stephanie - True, it's a nasty world. Education and awareness are key. Twitter is making strides to improve their security. I'll post more on that later.

6:12pm • #14

Patricia - Yes, awareness and education is key.

Barbara - Given the proper tools and education you can face just about anything.

6:17pm • #15

Thank you for the awareness..

6:40pm • #16

This is a GREAT post Craig. ANY social network, forum, etc is subject to abuse. Protecting log on info EVERYWHERE is critical. "It's just Twitter" is a crazy response.

6:43pm • #17

Good post.  From someone who hasn't tweeted yet the spammers and hackers are already there.

6:59pm • #18

Hey Craig, It happened to me. It really sucks. Now I am afraid to open anything. Had to change all my passwords. So how do find out if someone is using your name and old password on blogs, etc. Why do a few have to ruin a good thing? Thanks for the post and the warning.

7:38pm • #19

Craig~ Too bad there has to be people like that out there. I guess it is just the cold, hard reality!  I changed a lot of my stuff when I heard about the twitter scam. 

9:35pm • #20

I heard about this last week. Most people wouldn't think to worry about their Twitter account. I'm pretty good about not following links to my web sites. But I have to admit, I have clicked some of the Twitter notification links. Fortunately I use MANY different passwords. And I change them frequently as well.

10:06pm • #21

Thanks Craig.  Are you saying all passwords should be different for every place I go?

10:27pm • #22

Margaret - I'm sure glad you didn't skip it over. Hopefully you got some good info out of it. We do tend to get "social fatigue" with topics.

Rebecca - Yes, good point. Passwords should be 8 characters or more and should contain number, letters and special characters. How do you remember such an animal?

For example, tie it to a phrase: Pat Kennedy plays a flute in her lexus. Take the 1st letter of each word, vowels are numbers/special characters and odd numbered letters are capitalized. So the password using Pat Kennedy's phrase is: PkP@f1Hl (please don't use this)

Roland - The internet has never been 100% safe. This Twitter event is not particularly special. I'm simply highlighting it to make a point. Well, several points actually. lol

Bill - Yea, I got a few myself.

Tara - Sure thing.

Hey Jay - I was hoping you'd show up. That's right, protect your personal data everywhere. Remember several years ago the latest hacking craze was to swipe credit info from automatic readers at gas pumps and ATMs? It's not twitter, or facebook, A|R or social media. It can be anytime, anyplace where an opportunity exists for one to capture something of value.

Mike - Spammers and hackers are all over the internet. It's not just Twitter, now go join and tweet.

Lisa - Good question. Jeff Turner @respres wrote an excellent article on managing your Social Reputation. I referenced in my post, but here's a link to his article. It's Your Reputation. Manage It.

10:56pm • #23

I haven't seen all the hoopla on my Twitter account. I must be pretty boring for the hackers.

11:40pm • #24
JAN 12

It was impossible to miss the disruption or attempt at disruption on twitter. I appreciated the warnings the twitter folk posted and believe that several of us might have been spared the consequences of the madness of our world. Everyone who participates in any way in Internet activities is vulnerable. Twitter today, Active Rain tomorrow, and who knows who else and when, as long as some consider it sport or whatever, to disrupt other people's lives.

12:19am • #25

Wow!  Sometimes all this information is just overwhelming!  I just took a class offered on how to use Twitter...I took it on the Dell site.  Now I don't know if I want anything to do with it.  It's just information overload!

7:36am • #26

Pat - Good question. No, I'm saying use different passwords for email, online banking, social media sites, etc... Group them. That way if one password is compromised, the risk is confined.

Lizette - You probably wouldn't. You might have seen direct messages with SPAM links. Some of the links asked for your username and password. The point of the post, well one anyways, is do you know the source? And do you trust the link?

Eloise - Bingo! You get it.

Barbara - It's really not that bad. It's a very useful site, now go tweet.

7:59am • #27

If you want some great real estate loan rates visit http://www.zexx.org . Offering rates as low as 4.15%

10:35am • #28

And look at that, SPAM. See? It happens everywhere.

3:05pm • #29

Craig W. Barrett - Hughesville MD Real Estate