140Char

Microblogging news, tools and resources: Twitter, Google Buzz, Tumblr, Identi.ca, Yammer, Posterous

The aftermath of Twitter’s biggest phishing scam

Dan Thornton | March 1, 2010

Over the last week, many people have fallen foul of the latest phishing scam to do the rounds of Twitter. And an unusual number of high-profile individuals have been included in the list of users affected, including the Press Complaints Commission, BBC correspondent Nick Higham, the Guardian’s Head of Audio Matt Wells, bank First Direct, and environment minister Ed Miliband.

Environment Minister Ed Miliband caught by phishing scam

Phishing scams have long been endured by most internet users – the traditional mechanism has been via email, but as social networks have become hugely popular, they’ve become the vector of choice. And Twitter is particularly attractive as the speed with which messages can spread is combined with the use of short URLs, which help to mask the malevolence of the message.

While this is just another example of the huge number of phishing attempts which exist, the higher profile of these attacks, as they affect prominent politicians, will hopefully lead to better awareness and response by governments.

It’s probably a forlorn hope, but for example, here are some things which might change:

  • More education about phishing and spam to the ‘general public’ – how about a public awareness campaign?
  • More understanding about how normal users can have accounts compromised very easily – for instance, with ‘Three Strikes Rules’.
  • More people using offline backups of any content that is valuable or useful to them.
  • More of a move towards data privacy, and Vendor Relationship Management, to allow users to only share the information they choose with any service provider under strict controls.
  • A rethink of the UK Identity Card scheme, which includes private businesses taking fingerprints and photos.

Importantly, it should place the risks of social engineering alongside those of teenage cyberwarfare specialists taking down defence satellites from their bedroom. If a private company was, for example, storing fingerprint data, you wouldn’t need to target their infrastructure (although I’m not sure most chemists have a particularly high level of internet security) – you’d use social engineering on their employees via Facebook, Twitter, or offline in person to gain information and access.

Of course, technology can play a part, and I’m sure Twitter will increase their response to phishers in future, particularly as a high profile attack via any platform is never good for PR. But any measures will always be part of a never-ending arms race, and only when every individual is educated enough will there be any noticeable difference…

Categories
Twitter
Tags
cures, ed milliband, first direct, hacking, phishing, scam, security, social networking, solutions, Twitter

Big money for hacked Twitter accounts

Dan Thornton | January 31, 2010

Stolen Twitter accounts appear to be commanding a premium amongst hackers sharing details on forums.

Data stealing software is a risk to your details for any site, but according to Kaspersky researcher Dmitry Bestuzhev, he’s seen a Twitter account with just 320 followers offered for as much as $1000. In this case, the three-letter username may have influenced the price.

That compares with Gmail accounts for $82, Rapidshare accounts for $5 per month, and other sites including Skype and Facebook. Bestuzhev also went on to say Kaspersky had detected 70,000 data stealing programmes in 2009, which is twice as many as in 2008.

Twitter is likely to be a preferred route to spread malware as links can spread in near real-time to hundreds or thousands of followers – each of whom can quickly and easily repeat a malware message to their own network.

Malware messages are also hidden by shortened URLs, and with the number of links spread via Twitter, there’s a good chance people are less suspicious than when seeing the same links in an email or IM message.

It’s a reminder to make sure you use a unique password which is a mix of alphanumeric characters, and to change it regularly. Be careful of sharing it with third party sites and tools which aren’t using Twitter’s OAuth protocol, and be careful with links being posted by others – even including people you trust.

(Via Computerworld)

Categories
Twitter
Tags
hacking, kaspersky, passwords, security, stolen, Twitter

Interesting responses to Twitter security worries

Dan Thornton | January 5, 2009

Following my previous post on the implications for Twitter of the first large scale phishing attack, I’ve seen a few interesting responses:

First up, @benbarden responded to my concerns over short urls by suggesting that people could host their own, e.g. 140char.com/link1 etc.

A pretty cool idea, and one that Ben is apparently running on a site already (I might have to beg him for a guide!). The only flaw is that a lot of people run hosted blogs, and will therefore still be at the mercy of shortening services. But for those of us paying hosting costs it’s worth considering.

Then the always friendly @mingyeow from MrTweet asked my opinions on a blog post ‘Addressing Privacy Concerns’. Suffice to say it’s a very eloquent explanation of how and why the developers of one application are aiming to keep your accounts safe:

One of the points raised is that MrTweet will support OAuth as soon as it becomes available, although it won’t answer every security question, because, as they quite rightly say, security and convenience are always a trade-off.

There’s some really interesting debate around the use of OAuth from both Jesse Stay on LouisGray.com, and Dave Winer.

Categories
Twitter
Tags
@benbarden, addressing privacy concerns, dave winer, jesse stay, mingyeow, mrtweet, oauth, phishing, scams, security, short, Twitter, urls
