I have had a great response on this topic while going around the USA talking about social media security. During my talk I give an example of why it is NOT okay to allow just anyone the right to follow you or vice versa.
I choose a volunteer out of the crowd. Usually a nice looking woman because…why not. I give a hypothetical situation. We were dating and things are starting to get serious. So serious that I take her to meet my mom for the first time. While we are at my ma’s house, I introduce her to my new brother-in-law. My brother-in-law was in charge of bringing the dinner rolls and once again forgot. He asks her to go to the Italian (not French) bakery down the road with him to get these rolls. She says yes. While they are picking up the rolls he notices that he forgot his wallet and asks her for $4.98 to cover the rolls. She just happens to have $5.00 in her left pocket.
Would she give him the $5.00 and why?
The answer has always been “yes”, because he is associated with me or was introduced to her by me. There is an applied level of trust set prior to them going to the bakery. Well, this level of trust in my opinion can be accomplished within Twitter. If I follow you and we start having a friendly conversation (your favorite sports team), I will then go after your friends and family for a small amount to help me with my “cure/run/walk”. All I have to do is introduce myself as your friend, as they can see our past conversations in Twitter. I have had an over 90% success rate of getting their followers to click my cause link. This success is based on the applied trust between two strangers. So although it is really #kwel to have 70,000 Twitter followers, it can also cost your friends and family $4.98.
For more information feel free…email@example.com
No, this is not an article on the new version or even newly added super hero features for Firesheep. #titlefail? Maybe, but please read on and then decide.
I know Firesheep has lost its shiny coin syndrome with most, but the attack is still working quite well in the field. While the readers/listeners have been doing a good job of enabling secure browsing options in Twitter and Facebook, we still have a long way to go. Please keep spreading the word and keep pleading with social networking sites to enable secure browsing by default. So, why the “Firesheep’s Revenge” title? Well, these last months a couple of us have been testing common social media monitoring (SMM) tools. These tools are generally used by small businesses, internal marketing, or external marketing companies to help update social media accounts without the hassle of logging into every social networking site individually. We have been testing these SMMs and found that:
- They are not using secure browsing by default, allowing us to hijack sessions. What does this mean? Well, by adding your social media accounts into these SMM tools, you are granting the tool permission or full control over those account(s). By gaining control over the tool we are bypassing all the hard work you did by enabling secure browsing in each of your Twitter and Facebook accounts. Try explaining to the VP of Marketing that even though you checked the “defeat Firesheep” box it still works. And not only will it work on Facebook/Twitter, but now LinkedIn, Foursquare, ping.fm and Ning accounts all in one interface. Most of the time we were looking at full access to the corporation’s social media strategy. So, we are right back to where we started, teaching the user that security is usually the last thing on the mind of these rapid development firms. If you do not see the option of “secure browsing”, then please be careful of where you update your social media accounts. Ask your tool makers where this option is located. If they do not have this option then maybe you should look for another tool.
James F. Ruffer III
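As an added example (not from the original post or from any of the tools tested), here is a small Python check for the cookie property that “secure browsing” actually delivers: it parses a constructed set of Set-Cookie headers from a hypothetical SMM tool and flags session cookies a browser would also send over plain HTTP, which is what Firesheep-style passive sniffing depends on. The response text, cookie names and URL are made up.

```python
from dataclasses import dataclass

# Constructed sample response from a hypothetical SMM tool (not a real product).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: smm_session=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: csrf=xyz; Path=/\r\n"
    "Set-Cookie: remember_me=tok; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)


@dataclass
class CookieReport:
    name: str
    secure: bool      # Secure flag: browser only sends it over TLS
    http_only: bool   # HttpOnly flag: page scripts cannot read it


def parse_set_cookies(raw_response: str) -> list[CookieReport]:
    """Extract every Set-Cookie header from a raw HTTP response."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    reports = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie_name = parts[0].split("=", 1)[0]
            attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
            reports.append(CookieReport(cookie_name, "secure" in attrs, "httponly" in attrs))
    return reports


def audit(raw_response: str, url: str) -> list[str]:
    """Report cookies a passive sniffer on the same network could capture."""
    findings = []
    for c in parse_set_cookies(raw_response):
        if not c.secure:
            findings.append(f"{c.name}: missing Secure flag; sent in the clear over HTTP")
        if not c.http_only:
            findings.append(f"{c.name}: missing HttpOnly; readable by page scripts")
    if not url.lower().startswith("https://"):
        # Even a Secure cookie is exposed at the moment it is set over plain HTTP.
        findings.append("response served over plain HTTP; every cookie above was visible on the wire")
    return findings
```

Run `audit(SAMPLE_RESPONSE, "http://smm.example/dashboard")` to see the findings; a tool with secure browsing enabled should produce an empty list for its session cookie.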
Kevin Johnson and Tom Eston gave the third and final “Social Zombies” talk at Notacon 8 this weekend. This talk focused on how social networks are using geolocation and the abuse of location based services.
“Social networks have jumped onto the geolocation bandwagon with location-based tweets, status updates, check-ins, mayorships, and more. This doesn’t take into account EXIF, QR codes, and advancements in HTML 5 geo implementations, which are being built into these location-based services. This is often implemented and enabled without the user even knowing it. In fact, geolocation is one of the hottest technologies being used in everything from web browsers to mobile devices. As social networks throw our location coordinates around like candy, it’s only natural that bad things will happen and abuse will become more popular. This presentation will cover how social networks and other websites are currently using location-based services, what they plan on doing with it, and a discussion on the current privacy and security issues. We will also discuss the latest geolocation hacking techniques and will release custom code that can abuse all of the features being discussed.”
Slides are on SlideShare below:
Today, a credit union in St. Louis, MO called Vantage Credit Union announced that they are offering a service through Twitter called tweetMyMoney to conduct online banking. Banking credentials, PINs and account information are not passed through tweets made via direct message to the @myvcu Twitter account (from the FAQ listed on the bank’s website), only commands to get account balance, recent transactions, etc.
However, there are a few potential security issues/concerns with this type of service. While it seems that VCU has made this system with good intentions, most of these concerns center around the fact that you are putting in requests for account information and even transferring money to other accounts through Twitter which is a third-party service not owned or managed by the bank.
- Plain and simple, Twitter is a third-party service. When you send a direct message (DM) to another Twitter user, this message is stored on Twitter’s servers, not the bank’s. The bank is simply retrieving these messages. You should never have any expectation of privacy from DMs *at all*. Sure, they are “private” to you and the user you are sending it to, but think about who on Twitter’s end might be able to view these DMs. Remember, security at Twitter is not very important currently, as we have seen several times in very recent history.
- What about the scenario of a local “man-in-the-middle” attack where someone could be sniffing your network traffic to modify your banking requests? A simple attack like this could easily compromise the user’s Twitter account. Guess what, people like to reuse user IDs and passwords…we all know where that could lead. I am not sure if they are using any form of two-factor authentication for their online banking application, so you may only need a login ID and password to access a compromised online banking account. Again, not sure this is the case with VCU, but yes, some banks are still using single-factor authentication!
- How about the security of the @myvcu Twitter account you send your direct messages to? Attackers *will* target this account, it’s only a matter of time. You are trusting that the folks at VCU are properly securing this account and there are no vulnerabilities or exploits on the Twitter site to compromise the account as well. It also looks like this account is used for communicating with customers…it could be possible that these credentials could be phished and/or compromised through multiple avenues of attack.
- I question the correspondence authentication codes that they have put in place. Relying on the user to change these multiple codes is an interesting choice. I could see this being spoofed quite easily.
- Lastly, the users of this system could also be targeted if, say, a user accidentally tweeted something like “#l5d 7” to their followers instead of sending it by DM (known as a #dmfail). Attackers can easily script a bot to look for these patterns and target these users.
I don’t want to knock the folks at VCU as it seems that they are a very “progressive” bank and it looks like they want to push the envelope of new technology. My opinion is that it just seems that there are too many points of security “fail” in this system. Potential failures in the Twitter service, @myvcu account and Twitter users of the VCU system in addition to the third-party privacy concerns all make for something that you shouldn’t be trusting your online banking to. Social networks are not for online banking in any form…srsly.
Thanks to @rogueclown and @nickhacks for the tweets and comments about this new service.
On September 10th Twitter released a new Terms of Service (ToS) that you as a user of Twitter should be aware of. Some of the changes related to privacy and security are noted below with my comments in bold:
- The Content you submit, post, or display will be able to be viewed by other users of the Services and through third party services and websites.
This should be obvious but by using Twitter you should have no expectation of privacy at all (even with a “private” profile).
- In consideration for Twitter granting you access to and use of the Services, you agree that Twitter and its third party providers and partners may place such advertising on the Services or in connection with the display of Content or information from the Services whether submitted by you or others.
Twitter has to make money somehow, so don’t be shocked when you see ads being generated based on the content of your tweets.
- You are responsible for safeguarding the password that you use to access the Services and for any activities or actions under your password. We encourage you to use “strong” passwords (passwords that use a combination of upper and lower case letters, numbers and symbols) with your account. Twitter cannot and will not be liable for any loss or damage arising from your failure to comply with the above requirements.
This shouldn’t be a surprise either. If your password gets owned by a hacker, Twitter is not responsible. However, I still think that Twitter should require stronger passwords on their end.
- You understand that by using the Services, you may be exposed to Content that might be offensive, harmful, inaccurate or otherwise inappropriate, or in some cases, postings that have been mislabeled or are otherwise deceptive.
Disinformation is a popular tactic on Twitter used by spammers as well as people that want to spread incorrect information about news and other topics. Twitter is not responsible for this type of behavior. You don’t believe *everything* you read on Twitter right? 🙂
- By submitting, posting or displaying Content on or through the Services, you grant us a worldwide, non-exclusive, royalty-free license (with the right to sublicense) to use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute such Content in any and all media or distribution methods (now known or later developed).
Sure, the content you post is yours, but whatever you post can be modified, retransmitted, etc. by Twitter and third-party apps that interact with Twitter.
- …you have to use the Twitter API if you want to reproduce, modify, create derivative works, distribute, sell, transfer, publicly display, publicly perform, transmit, or otherwise use the Content or Services.
This is the reason that the Twitter API is so open and also the primary reason that spammers and other people with bad intent can take advantage of the service.
- You may not do any of the following while accessing or using the Services: (i) access, tamper with, or use non-public areas of the Services, Twitter’s computer systems, or the technical delivery systems of Twitter’s providers; (ii) probe, scan, or test the vulnerability of any system or network or breach or circumvent any security or authentication measures…
This is interesting to me. So if you are a security researcher you cannot “test” Twitter for vulnerabilities. That would include fuzzing and/or doing simple tests for XSS. So if you find a vulnerability on Twitter and disclose it to them can they delete your account, or report you to law enforcement? Remember kids…don’t test for vulnerabilities without permission first. 🙂
- …or (v) interfere with, or disrupt, (or attempt to do so), the access of any user, host or network, including, without limitation, sending a virus, overloading, flooding, spamming, mail-bombing the Services, or by scripting the creation of Content in such a manner as to interfere with or create an undue burden on the Services.
The part about flooding and mail-bombing the Services relates to the recent Twitter DDoS, I suspect.
- Twitter will not be responsible or liable for any harm to your computer system, loss of data, or other harm that results from your access to or use of the Services, or any Content. You also agree that Twitter has no responsibility or liability for the deletion of, or the failure to store or to transmit, any Content and other communications maintained by the Services. We make no warranty that the Services will meet your requirements or be available on an uninterrupted, secure, or error-free basis.
If you use Twitter (or any social network for that matter) don’t assume that it’s “secure”. They don’t guarantee security and you shouldn’t either. Also, if you see the Fail Whale…it’s also no guarantee of service availability. 🙂
These are the main changes that I picked out related to privacy and security. However, you should really read the full ToS, as it has gotten more detailed than the previous version. I would suspect more communication from Twitter on future changes to the ToS.
We recently added a presentation that Tom Eston did at the Cool Twitter Conference in Cleveland last week to the presentations section. You can also find it on SlideShare. This presentation should give you some good tips on how to use Twitter safely. Stay tuned for a printable guide and video similar to the Facebook Privacy & Security Guide.
Tom was also interviewed by Dan Hanson from the Great Lakes Geek Show about his presentation as well as other social media security issues.
The following article was just posted over at CNET News regarding the massive DDoS (Distributed Denial of Service) that targeted Twitter, Facebook, LiveJournal and more.
Via CNET News:
A pro-Georgian blogger with accounts on Twitter, Facebook, LiveJournal and Google’s Blogger and YouTube was targeted in a denial of service attack that led to the site-wide outage at Twitter and problems at the other sites on Thursday, according to a Facebook executive.
Read the entire article here.
Today Trend Micro released probably the most comprehensive research yet on the Koobface social network worm. This research details how Koobface works, the malicious payloads it carries and how this worm has spread to all the major social networks, the most recent victim being Twitter. Most alarming is that Koobface will still continue to evolve and is the beginning of a new generation of malware targeting social networks.
Check out the article and download the PDF for the full report. We will also have this link posted in the “Research” section of the site.