
Phishing Phail Whale
If you were on Twitter over the last week or so, you're probably aware of the latest phishing attempts. What's phishing, you ask?
According to Wikipedia:
In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
Looks like we can add Tweets to that wiki. There were actually two different recent Twitter security events. The second part was a hack into a Twitter support staff's account. I'll get to the second part a little later.
This Isn't the First Time
And it won't be the last. Here are a couple of social engineering "schemes" on Twitter over the last several months:
Twply - via @techcrunch -
A service that let Twitter users forward messages that include their user name to their email address.
Sounds good right?
Twply asks if it can send a Twitter message from your account saying that you’ve tried the service. Apparently, lots of people did. Advertisements can be added to the emails sent from @replies. The site was sold within 24 hours for $1200.
So, what people thought would be an efficient way to manage @replies, allegedly quickly morphed into a SPAM machine.
What happened to the username and password data that was collected?
Twitterank - via @adamostrow -
A crudely designed website used to "rank Twitter popularity". Users handed over credentials en masse to find out what their latest Twitter popularity might be.
I almost fell for this one and I understood why one would try it. It seemed to "measure" Twitter and social media efforts. A number was spit out at the end which showed some "value". Problem was, what details were used to measure that "value"? That's when I began to think about security integration and social media.
The creator of twitterank, Ryo Chijiiwa, @ryochiji @t_rank did explain in an interview with @olivermarks on @zdnetblogs:
I blame the Family Guy. There I was in my hotel room, where I’m staying while in NY for business, watching episodes of The Family Guy on my laptop like any other Joe the Coder on a Tuesday night. But then I ran out of episodes. None of this would’ve happened if there were enough Family Guy episodes to watch on Hulu.
Hi. My name is Ryo, and I’m the developer of Twitterank, which is not some grand scheme to steal thousands of Twitter accounts, but a casual experiment gone horribly horribly right.
Turns out there is an algorithm behind Twitterank that analyzes @replies:
Similar to how Google’s PageRank algorithm judged a web page based on the number of inbound links and the origin of those links, Twitterank attempts to quantify a Twitter user by analyzing their incoming @replies. In essence, the more people talk to you, the higher your score. So yes, the number you’ll get may not necessarily reflect the number of followers you have, how often you tweet, or even how big your ego is.
Ryo later finishes with this thought:
This episode also started some conversations about phishing, about authentication, and social behaviors.
What happened to the username and password data that was collected?
Social Reputation and Social Capital
I first remember hearing the term Social Reputation, in the social media context, from Jeff Turner aka @respres, more recently the term Social Capital, from Benn Rosales aka @agentgenius and Data Capital from Jay Thompson aka @phxreguy through a comment Chris Messina aka @factoryjoe picked up on Fred Oliveira's post on Twply.
Jeff Turner @respres says:
Imagine the damage a disgruntled seller, buyer, former co-worker or competitor could do by claiming to be you in on-line forums, social networks and blogs. As a Realtor®, your reputation is integral to your brand. You need to monitor that brand and do everything in your power to insure that YOU are in control of that brand.
Benn Rosales @agentgenius says:
Popularity gives you a voice, but social capital makes your message matter; social capital is granted, not purchased, nor demanded. Often times, it is because you have bridged a relationship on less important matters, whether it be over a funny video or ridiculous pictures, and enjoyed conversations that led to larger commonalities, which leads to a relationship built on trust. (Emphasis mine.)
Jay Thompson @phxreguy commented:
Sigh. I tweeted this am that I was paranoid of giving out a password to a complete stranger. Got a response along the line of “it’s not like it’s a bank account”.
Well, it’s my social media “bank”. I’ve spent a long time building my SM reputation. And someone unscrupulous could wreck that reputation in a few hours. (Emphasis mine.) I just don’t get why so many will blindly hand over a password to someone they know nothing about. (Emphasis mine.)
While I may have heard the terms in some other previous context, when I read their articles the terms in their particular connotations amounted to little more than a notion. Sure, I understood their messages, but now I "get it". I don't have the social capital or social reputation Jeff, Benn and Jay have. But that doesn't mean I shouldn't be socially responsible.
Weak Password Brings 'Happiness' to Twitter Hacker
The second part of the recent Twitter security events was a hack into a popular Twitter user account, which turned out to belong to a Twitter staffer. How did the attacker do it? He used an automatic password guesser he wrote himself.
This type of attack is known as a Dictionary Attack. He already had one half of the Basic Authentication credential, the username, and wrote a program that tried English words one after another as the other half, the password.
Turns out the password was 'happiness':
Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.
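The quoted line is the whole defensive lesson: a dictionary attack only works when the site lets the guesser run unchecked. The following added example (my own illustration, not Twitter's code or anything from the article) shows a per-account failed-login throttle. The policy numbers, the account name and the small list of guesses are all constructed assumptions; the point is that a lockout caps how many guesses reach the password comparison at all.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed policy values (an assumption, not Twitter's real settings):
# lock an account for LOCKOUT_SECONDS once MAX_FAILURES failed logins
# land inside a rolling WINDOW_SECONDS window.
MAX_FAILURES = 5
WINDOW_SECONDS = 60
LOCKOUT_SECONDS = 900


class LoginThrottle:
    """Tracks failed logins per account. The clock is injectable so the
    behaviour can be exercised without sleeping."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the lock expires

    def _prune(self, account, now):
        q = self.failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, account):
        now = self.clock()
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:                    # lock expired: start clean
            del self.locked_until[account]
            self.failures[account].clear()
            return False
        return True

    def record_failure(self, account):
        now = self.clock()
        self._prune(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS

    def record_success(self, account):
        self.failures[account].clear()
        self.locked_until.pop(account, None)


def attempt_login(throttle, account, password, real_password):
    """Returns 'locked', 'ok' or 'bad'. The lock is checked BEFORE the
    password is compared, so a locked account yields no information.
    A real system compares against a salted hash; the plaintext here is a
    simplification for the example."""
    if throttle.is_locked(account):
        return "locked"
    if hmac.compare_digest(password.encode(), real_password.encode()):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "bad"


def simulate_rapid_fire(guesses, real_password="happiness"):
    """Feed constructed guesses against one account 10 ms apart and return
    (per-attempt outcomes, number of guesses that were actually compared)."""
    fake_now = [0.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    outcomes, compared = [], 0
    for guess in guesses:
        fake_now[0] += 0.01
        result = attempt_login(throttle, "staff_account", guess, real_password)
        if result != "locked":
            compared += 1
        outcomes.append(result)
    return outcomes, compared


if __name__ == "__main__":
    words = ["password", "love", "money", "secret", "hello", "happiness"]
    print(simulate_rapid_fire(words))
```

With the constructed six-word list the sixth guess, the correct one, is never compared because the fifth failure locked the account. The same counter should also key on source address and feed a monitoring alert, since a burst of failures across many accounts is exactly what the article's incident looked like from the server side.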
He said he decided not to use other hacked accounts personally. Instead he posted a message to Digital Gangster, a forum for hackers and former hackers, offering access to any Twitter account by request.
According to Twitter, 33 high profile accounts were compromised in all, including Barack Obama, Britney Spears, Fox News and others. Once compromised, fake and SPAM messages were sent from the accounts.
These high profile accounts were undoubtedly popular and carried much positive Social Capital. Because of their popularity, any negative Social Capital would probably hurt the Social Reputation of the high profile Twitter users, or at least that may have been part of the intent.
What Does This Have to do With Me?
Sure, I'm no Britney Spears either, haha. But it's natural to ask, so what? What does all of this have to do with me? These events don't affect me and amount to nothing more than noise, right? What's the consequence if someone gains access to my Twitter account? I'm not "popular" and don't accept the notion I have Social Capital or feel a need to manage my Social Reputation. Still no risk?
Data Capital
How many of you use the same password across the various social media sites you belong to including Twitter? An example is your blogs. How long have you been writing? Do you value your original content? That is your data capital.
Data Capital via Chris Messina @factoryjoe
Think: Data as currency. Data to unlock services. Data owned, controlled, exchanged and traded by the creator of said data, instead of by the networks he has joined.
We've become so accustomed to giving our username and password to social sites and their third party vendors.
We've lost touch with what's of real value: our personal data.
Still not convinced this has anything to do with you? Ok, how about your pocketbook, credit profile, and financial reputation?
Got your attention? Thought so.
An Opportunity for Good Data Hygiene
How many of you use the same password for those sites, including Twitter, as your password to access your email? Use the same password for online bill pay or for your bank accounts? Which leads to mortgages, credit cards, etc, etc... And how many of those passwords are common English words? Remember the Dictionary Attack? You get my drift?
The consequences of poor data hygiene can be dire and this is a lesson we all can and hopefully will learn from. No matter who you are, now's the time to practice good data hygiene. Take this as an opportunity to secure accounts, Data Capital, Social Capital and manage your Social Reputation.
If you are so inclined and you made it through, feel free to follow me @craig42k. Be forewarned... I'm really not that interesting. Haha.
Update 1/13/09 -
I think I'll make data hygiene and security related topics a series. I'll do my best to relate the series to Real Estate and Social Media or how it can affect or improve your business.