Summary of the Twitter Security Incidents

One of the 33 pwnd Twitter accounts

I won’t beat a dead horse…we all know that Twitter had a few *security issues* this week. The good news is that usually once something like this happens to a company (especially one that gets so much media attention) things start to change and security gets taken a bit more seriously. Lets remember that Twitter suffers from the traditional security problem of not building an application with security in mind, however, lets hope these issues bring change to one of the most used social media services.

Below is the break down of events with some of my own comments and links to good articles that detail out everything that happened.

#1 Twitter Phishing Attack
I wrote a blog post about this a few days ago. Basically, this is no different then what you see in any other traditional phishing attack except that this is the first time Twitter was targeted on a large scale. Some have even said this was a “worm” because of the way that the phish propagated.

Once a user clicked on the bogus link, entered in their Twitter credentials…their Twitter account was compromised and automatically used to send DM’s (direct messages) to others the compromised user was following. Twitter quickly reacted and worked with blogspot and others to shut down the redirect. However, the web site that hosts the fake Twitter sign-on page is still active and is even being used to phish Facebook users! Why is this not shutdown? Long story but the site is hosted in China and that presents a whole host of issues to get the site taken down. The good news is that if you try to go to the URL in Firefox or Safari the phishing filter kicks in and stops you from going there. I haven’t tested IE 7…and neither should you. :-)

On a side note, I agree that OAuth (or something like FriendFeed’s Remote Key) should be implemented as part of an overall security strategy for Twitter but would not prevent traditional phishing attempts like this from happening (some others share this opinion as well). OAuth is good for authenticating third-party applications (like Twillow or Twitterfeed) that require your Twitter credentials to access your account and do things on your behalf. Lot’s of discussion going on the blogs about this and I’m sure it will continue.

Links that have good information about the Twitter phish: Twitter’s Blog, Naivete: Web 2.0′s biggest security threat and an article over at Twitter Truth

#2 Twitter gets Hacked
This was not related to the phishing incident. Pure weird coincidence that this happened right after users started to figure out what happened with the phishing issue. Ironically, many of us on Twitter (including myself) thought that this was related to phishing after we saw @foxnews get owned but once Britney Spears, Obama and others started showing up with strange tweets many of us knew there was something else going on.

Basically, an 18 year old who wanted to “pen-test Twitter” decided to build a Twitter brute force application that would try common dictionary words against at specific Twitter account. One problem with the current Twitter security model is that there is no lockout policy, meaning, you can try as many failed passwords as you like until you get lucky with the correct password. This guy found one of the accounts used by the Twitter support people (Crystal) and brute forced the password using his tool. Password of “happiness” was found and he was in! There was a password reset feature in the administrative panel that allowed him to reset the password and change the email address of any Twitter account. He didn’t use the accounts himself, rather…he posted that he had access to 33 accounts and gave access to others in a hacker forum that requested the accounts. You can read more about this in the Wired article below as well as see the YouTube video that the hacker put up to prove he did the hack.

Weak Password Brings ‘Happiness’ to Twitter Hacker

How does Twitter get fixed?
Security is always about compromise and with Twitter in particular there has to be a balance between usability and secure features. I was a guest on the SecuraByte podcast the other night talking about the recent Twitter security issues as well as how to secure social media in general. We came to the conclusion that there is no good answer. However, we all agreed that there has to be a mix between technical and non-technical solutions. The technical being better forms of authentication and basic web application security controls (account lockout, email verification..as examples) for starters. On the non-technical side there has to be more basic security education (setting unique hard to guess passwords as an example) focused on the users of social media through lots of different means. There is no good answer to these problems and there are many different opinions but hopefully we can all come to some common ground so we can all make social media more secure for everyone.

Here are a few good links with things that Twitter should consider when re-evaluating the current model:

Ten Security Measures for Social Networking sites – ThreatChaos
Twitter and the Password Anti-Pattern – FactoryCity
The inevitable rise (and fall?) of “twishing” – Jennifer Leggio ZDnet (guest post by Damon Cortesi)

I think we can all agree that Twitter needs to do something soon as the current security model is not sustainable for very much longer.

What are your thoughts on the recent Twitter security issues and social media security in general? How do you think we can we make social media more secure?


First Twitter Phishing Attack of 2009

Welcome to 2009! As many have said…it was just a matter of time before Twitter had a somewhat significant attack…well, here it is! I just had a post up last week about how many of us that use social media just blatantly trust every site that asks us for Twitter credentials. Well if you don’t look at the URL carefully even the security aware could be fooled by this one. Tonight there was a lot of tweets about the following phishing attack….

You will get a DM (direct message) in your email from a user with the following message:

hey! check out this funny blog about you…
hxxp://jannawalitax.blogspot.com

If you click on blogspot link this is basically a redirect to the following fake Twitter site:

Twitter Phishing Site

Looks just like an identical copy of the real Twitter site except for the URL! (don’t go to this URL…)

About an hour after this started going around Twitter it looked like Firefox 3 picked up that this was a reported phishing site and you now get the following message:

Web Forgery Reported

Looks like Twitter and others moved quickly to get the redirect shut down. If ignore the Firefox warning to the blogspot page you get this:

Removed

However, the phishing site is still active and will probably be for awhile. Do not enter in any login credentials at any site other then twitter.com. The fake site in this case is twitter.access-logins.com/login. Note that if you take off the “login” at the end of the URL you are sent to a fake Facebook login page! Looks like these guys have been doing this for quite some time.

One interesting note about this attack…how does someone send you a DM without you following them? There was an interesting hack that is documented here that used to work, however…Twitter fixed this a few months ago. My only guess is that multiple hacked accounts were used to send legitimate DM’s. I’m not 100% sure how DM’s are being propagated in this case but it should be interesting to find out how the attack started in the coming days.

Kudos to the Twitter team and all the Twitter users that retweeted and got to word out. This alone hopefully mitigated much of the threat. I even saw in the Twitter web client that @twitter posted a warning message on the page about the threat. Great work Twitter team!

What if you gave your credentials away to this site?
Change your password immediately! Also, do you use this same password for Facebook, Myspace, email and other sites? Change those as well! Give a password manager like 1password or KeePass (KeePass is free BTW) a try to set unique passwords for every site/application you use. That way if your Twitter account did get compromised, your other accounts are safe. See this post for more information.


What’s behind that short URL?

plz click this short url

There was a good post over at ThreatChaos the other day about a new Firefox extension which will automatically show you the real URL’s of shortened URL’s. What is URL shortening? For example…this long URL:

http://www.google.com/maps?f=q&hl=en&geocode=&q=washington+dc&sll=37.0625,-95.677068&sspn=33.764224,56.25&ie=UTF8&ll=38.905996,-77.023773&spn=0.25915,0.439453&z=11&g=washington+dc&iwloc=addr

becomes…

http://tinyurl.com/9lum95

By using a service like Tinyurl or one of the many other sites available you can easily shorten a URL so your friends don’t freak when you send them long links. When it comes to Twitter it becomes almost mandatory that you shorten that long URL to meet the 140 character limit in your tweets.

What’s the problem?
Getting people to click on a malicious link just got easier with these services. Sure, people will still click on strange URL’s without a mask (even manually typing in strange URL’s as I showed in this post), however, by masking *any* URL with these services a phishing or malware attack can be even more successful.

Also, how can you *easily* see what the real site is behind one of these short URL’s? TinyURL and others offer you a service to “preview” URL’s but many sites don’t offer this and who is actually going to attempt to manually verify what is behind those links? That’s way too much work.

Another problem is that some of these short URL services allow you to obfuscate an already short URL with another short URL. Take for example Xrl.in. The TinyURL above (http://tinyurl.com/9lum95) becomes http://xrl.in/1b0i. This throws off the preview feature of many sites like this. This problem could add multiple redirects and levels of obfuscation to malicious links. All it takes is the right combination of short URL sites.

Right before I was about to post this I saw a post by Jennifer Leggio over at ZDNet regarding the URL redirection issue. She mentions that FriendFeed has implemented a feature that reveals short URL’s if you hover your mouse over the links. This is great…for FriendFeed, what about other more popular social media sites? Check out her article for a good overview of the issue and some interesting information about what other social media sites are doing and not doing about this problem.

The “Long URL Please” Solution
While not 100% perfect this a great start and it looks like the developer is working on improving the Firefox extension and API. You can even use it with other web browsers besides Firefox with a bookmarklet available on his site. Simply click on the bookmarklet and it will transform all the short URL’s on the web page currently loaded.

The Long URL Please Firefox extension will automatically show you the true URL of 30 supported short URL site’s. No hovering over a link or clicking to a site to preview it. It just shows you the link…no extra work on your part. This works great for the Twitter web client as well as any web page that has a link from one of the 30 supported services. One problem I saw was that short URL sites like xrl.in and others will keep popping up (I listed a site above that links 70 of these services). It’s going to take some work from the developer side to keep up with all of these new services. In addition, this doesn’t help with Twitter applications like ones that are Adobe Air based or developed using another type of framework. However, it looks like the developer is working on it and he is trying to get other applications to integrate to his API. Either way, check out this great extension and follow the developer on Twitter to get news on improvements. I look forward to see how this type of extension will evolve.

Short URL’s won’t be going anywhere soon…lets hope social media applications and end users start using them with a little bit security in mind.

What solutions do you think could solve the short URL problem?


Who are you giving your Twitter account to?

Twellow anyone?

It’s always interesting to me when I check out a new Twitter application, it always seems to ask you to “verify” your account or ask you to pass your Twitter user name/password to their application. This of course is done without any protections or any way of knowing what happens to your account information on the other end.

Take for example a recent find called Twellow which is basically a big directory of Twitter users (like the yellow pages). Twellow has some neat features like searching for other Twitter users by keywords and interests. Twellow like many of these types of Twitter applications work by scraping public timelines to populate their site with your information. Twellow asks you to “claim” your profile by putting in your Twitter password. This is where it gets interesting…

To the unsuspecting user it’s tempting to just give your credentials away to every website that asks for it. Twellow is a good looking, legitimate website right? Did you stop to think what could happen to your login credentials? Can you really trust that they don’t record your credentials? The disclaimer says they don’t use your password for anything…you trust everyone right? :-)

What’s your Twitterank?
If you are a heavy Twitter user you may remember the Twitterank fiasco about a month ago. Like many people on Twitter just hearing of a website that will calculate your “rank” on Twitter sounded like a cool idea. No harm in this right? Rumors quickly spread on Twitter and in the blogosphere that Twitterank was a phishing site and that the developer was harvesting Twitter accounts. It ended up that this was most likely a legitimate application…BUT…why do you trust it? Why as social media users do we blatantly trust every Twitter or social media developer out there? No offense to the developer of Twitterank but there are way too many of these sites out there that ask for your account information. A real Twitter phishing site is easy to do using these same tactics. All you need is a legitimate looking website that preys on human weakness…we all want more followers and more rankage, right? For example, if you want to see a spoof Twitter phishing site, check out Twitter Phisher done by the fine folks over at Hak5 (be sure to view source in your browser for some extra lolz).

What’s the fix?
First, social media users need more education. Seriously, don’t just give your credentials away to anyone that asks for it (this actually applies to everything in life). Is your Twitter ranking really that important?

If you did give your credentials away, hopefully you used a different and unique password for that particular account. That way, if your account did get compromised then only one account is compromised, not your entire portfolio of accounts. How do you manage multiple passwords? Give a password manager like 1password or KeePass a try to create and manage unique passwords for each of your social media accounts.

Secondly, social media websites like Twitter need to use better forms of authentication. How about something similar to what FriendFeed is doing by issuing users a “remote key” for all third-party interactions with your account. Of course this isn’t perfect but it’s a step in the right direction. I applaud FriendFeed for having the remote key functionality a required part of the API. BTW, Twitter has been talking about using nifty solutions like OAuth, so do it already @Twitter! HTTP Basic Authentication just doesn’t cut it.

Authentication of user credentials and social media is a big problem…(actually verifying who you say you are is a another topic altogether). What authentication solutions for social media do you think should be adopted?


Analysis of a new Facebook phish

Beware of this wall post!

I just posted an article for Blogsecurify about a new Facebook phish that I stumbled upon. Thanks again to Greg and Tyler for helping out with some of the detailed analysis! You guys rock!

Facebook Privacy & Security Guide Released

Today at the Ohio Information Security Summit I released my Facebook Security & Privacy Guide. This guide gives you suggested “baseline” security settings that you can use when configuring your Facebook account. Obviously, you can adjust these settings based on your own level of risk but it should give you a good starting point.

How did this project get started?
I have been doing several months of research with my own Facebook account as well as gathering the input of other Facebook users to determine what the privacy and security settings would be without loosing the key features of using a social network website…the networking!

Please feel free to distribute this document to friends and family or use it for any security awareness campaigns. I will hopefully be keeping up with any updates to the document when Facebook changes things. I might be putting together a similar document together for MySpace but MySpace is a totally different animal altogether. We shall see! :-)

You can download a pdf version of the guide here.

Exploiting trust in social networks

Over the weekend I posted my first article on Social Network/Media security over at Blogsecurify. You can check out the post here. My next article will talk about the security of third-party applications and widgets for social media applications.

1 4 5 6