140Char

Microblogging news, tools and resources: Twitter, Google Buzz, Tumblr, Identi.ca, Yammer, Posterous

The aftermath of Twitter's biggest phishing scam

Dan Thornton | March 1, 2010

Over the last week, many people have fallen foul of the latest phishing scam to do the rounds of Twitter. And an unusual number of high-profile individuals and organisations have been included in the list of users affected, including the Press Complaints Commission, BBC correspondent Nick Higham, the Guardian’s Head of Audio Matt Wells, bank First Direct, and environment minister Ed Miliband.

Environment Minister Ed Miliband caught by phishing scam

Phishing scams have long been endured by most internet users – the traditional mechanism has been via email, but as social networks have become hugely popular, they’ve become the vector of choice. And Twitter is particularly attractive, as the speed with which messages can spread is combined with the use of short URLs, which help to mask the malevolence of the message.

While this is just another example of the huge number of phishing attempts which exist, the higher profile of these attacks as they affect prominent politicians will hopefully lead to better awareness and response by governments.

It’s probably a forlorn hope, but for example, here are some things which might change:

  • More education about phishing and spam to the ‘general public’ – how about a public awareness campaign?
  • More understanding about how normal users can have accounts compromised very easily – for instance, with ‘Three Strikes Rules’.
  • More people using offline backups of any content that is valuable or useful to them
  • More of a move towards data privacy, and Vendor Relationship Management, to allow users to only share the information they choose with any service provider under strict controls.
  • A rethink of the UK Identity Card scheme, which includes private businesses taking fingerprints and photos.

Importantly, it should place the risks of social engineering alongside those of teenage cyberwarfare specialists taking down defence satellites from their bedroom. If a private company was, for example, storing fingerprint data, you wouldn’t need to target their infrastructure (although I’m not sure most chemists have a particularly high level of internet security) – you’d use social engineering on their employees via Facebook, Twitter, or offline in person to gain information and access.

Of course, technology can play a part, and I’m sure Twitter will increase their response to phishers in future, particularly as a high profile attack via any platform is never good for PR. But any measures will always be part of a never-ending arms race, and only when every individual is educated enough will there be any noticeable difference…


Big money for hacked Twitter accounts

Dan Thornton | January 31, 2010

Stolen Twitter accounts appear to be commanding a premium amongst hackers sharing details on forums.

Data-stealing software is a risk to your details for any site, but Kaspersky researcher Dmitry Bestuzhev says he’s seen a Twitter account with just 320 followers offered for as much as $1000. In this case, the three-letter username may have influenced the price.

That compares with Gmail accounts for $82, Rapidshare accounts for $5 per month, and other sites including Skype and Facebook. Bestuzhev also went on to say Kaspersky had detected 70,000 data stealing programmes in 2009, which is twice as many as in 2008.

Twitter is likely to be a preferred route to spread malware as links can spread in near real-time to hundreds or thousands of followers – each of whom can quickly and easily repeat a malware message to their own network.

Malware messages are also hidden by shortened URLs, and with the number of links spread via Twitter, there’s a good chance people are less suspicious of them than they would be of the same links in an email or IM message.

It’s a reminder to make sure you use a unique password which is a mix of alphanumeric characters, and to change it regularly. Be careful of sharing it with third party sites and tools which aren’t using Twitter’s OAuth protocol, and be careful with links being posted by others – even including people you trust.

(Via Computerworld)


Has Twitter become a weapon?

Dan Thornton | August 10, 2009

The recent Distributed Denial of Service (DDoS) attack on popular social networks was mainly felt by Twitter, which seemed to be either more susceptible to or hit harder by the action, resulting in it going offline entirely for a short period.

The concept of Governments using the internet for spreading information or cyberwarfare is not a new one – but the question is how prevalent it is becoming on social networks, and how many users are aware of it happening?

Twitter seems the most likely place for this question to play out – it combines a design which lends itself to the fast spread of information with an average user age which is more likely, as a percentage of users, to be interested in news and events (particularly political) than on most social networks.

Examples of the fast spread of news are commonplace, particularly when it comes to natural disasters, such as earthquakes, or human disasters, such as terrorism or fire. And increasingly these pieces of breaking information are being repeated and picked up by unquestioning users seeking to capitalise on the interest, major news organisations, and even shops using it for spam purposes.

Usage of the media by both Governments and unofficial organisations has long existed, but the internet removes the need to engage with ‘official’ media sources to reach a large audience.

And now we’re seeing the potential for Governments or organisations to co-ordinate attacks against popular services. That’s something that print distribution has somewhat protected us against – you might be able to control or attack a printing press in your own country, but it’s harder to exert pressure on foreign media platforms (although not impossible).

But the internet is accessible from any location, meaning that those who don’t believe in freedom of speech or information are able to co-ordinate their attacks on whichever target they deem suitable – and when it comes to media and social networks, we’re relying on the efforts of private companies to respond. And whilst, for example, the UK Government might interject as best it could to preserve a media institution such as the BBC for the good of the country (being a mechanism to effectively reach the population in times of emergency), do we expect – or indeed do we want, Governments to be increasingly involved in attempts to protect social networks and microblogging?

 

What do you think?
