Software [In]security: Twitter Security

Gary McGraw

May 15, 2009

Content issues aside, Twitter has some potentially serious security issues. Gary McGraw, author of Software Security: Building Security In, details these vulnerabilities.

Making Your Thoughts as Small and Incomplete as Possible

Just for the record, I don't use Twitter. But if this column were a Twitter entry, it might read something like:

My biggest issue with Twitter turns out not to be a security issue, but rather a content issue. If you thought that blogging led to information chaos, half-baked ideas, and incoherent logic, Twitter ups the ante by making the constituent thoughts as small as possible. Perhaps I'm a Luddite, but I think editors play an important role in the world separating the wheat from the chaff. I'll miss my paper copy of the Washington Post once the newspaper business finally dies. Replacing the daily newspaper with Twitter detritus seems like a lousy tradeoff.

But this is a security column, so let's spend a few minutes pondering the security ramifications of Twitter. I can think of a few right off the top of my head: it's easy to spoof someone on Twitter, it's a perfect vector for malicious code and phishing, Twitter allows dingbats to cash in their last remaining privacy chit, and it has a coolness factor that often overrides common sense.

Spoofing Twits

On the Internet, nobody knows you're a dog. In fact, nobody knows who you are at all. This can be a problem.

Fake websites abound on the Web. A humorous collection of them can be found here. Spoofing an organization is as easy as registering a look-alike domain name. But it gets worse. The rather largish issue of spoofing the entire Web (first described in detail in 1997 by the Princeton team of Felten, Balfanz, Dean, and Wallach in "Web Spoofing: An Internet Con Game") remains a serious problem! Really.

Twitter carries on in the long tradition of Internet spoofing by allowing someone to masquerade as just about anyone they want. In fact, even lowly security guys like me apparently merit spoofers. I have no idea who FakeGaryMcGraw is, but it's not me. The question is whether I should care. (Some people apparently do.) It's really not that clever or interesting to make fun of someone anonymously. Twit.

Malicious Code: Koobface Targets Twitter

Putting spoofing risks to shame, Twitter makes an excellent vector for malicious code and for phishing. By embedding a URL in a Tweet (fewer than 140 characters please, so a shortener like tinyurl may be in order), nefarious persons can cause you to surf to a website hosting malicious code. Or maybe they can just get you to hand over your credentials. Shortened links make this worse: the reader sees only the shortener's domain and has no way to inspect where the link actually lands before clicking.

Lest this sound far-fetched, one of the first worms to target Twitter (called Koobface, already on its second wave) used a classic phishing attack. The Tweet in question says that jannawalitax.blogspot.com "has a funny video about you" or "a funny post about you"; the linked page then appears to send you back to Twitter's login page. But instead of the real login page, a fake one is displayed, where many Twitter users happily authenticated themselves with their real credentials (thus handing them directly over to cybercriminals). A second version appears to come from your Twitter colleagues, making it even more likely to be clicked on.

Twitter is no more dangerous than any other phishing vector, of course. But it is no less dangerous either.
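The two failure modes in the Koobface story are a redirect chain that hides the destination and a login form on a host that is not Twitter. The following is an added example (not code from this column or from Twitter) of the check a practitioner would want before clicking: expand a shortened link one hop at a time, refuse loops, and then test the landing host with an exact-or-subdomain match rather than a substring match, which is what lets a look-alike such as twitter.com.login-check.example slip through. The short-link and look-alike hostnames below are hypothetical RFC 2606 .example names, the redirect map is constructed to stand in for live HEAD requests, and only jannawalitax.blogspot.com comes from the text above.

```python
import http.client
import re
from urllib.parse import urljoin, urlsplit

# The only host on which a Twitter login form is legitimate. Subdomains of it
# (for example mobile.twitter.com) are accepted; look-alikes are not.
TRUSTED_HOSTS = {"twitter.com"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# Constructed redirect map standing in for HEAD requests. The short links and
# the login look-alike host are hypothetical (RFC 2606 .example names); the
# blog host is the one named in the column.
CONSTRUCTED_REDIRECTS = {
    "http://tinyurl.example/funny-video": "http://jannawalitax.blogspot.com/",
    "http://jannawalitax.blogspot.com/": "http://twitter.com.login-check.example/login",
    "http://tinyurl.example/loop": "http://tinyurl.example/loop",
}

# Constructed sample tweet in the style the column describes.
SAMPLE_TWEET = "someone has a funny video about you http://tinyurl.example/funny-video"


def extract_urls(tweet):
    """Pull every http(s) URL out of a tweet."""
    return URL_RE.findall(tweet)


def head_location(url, timeout=5):
    """Live resolver for real use: one HEAD request, never auto-follows.
    Returns the next hop as an absolute URL, or None if not a redirect."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path, headers={"User-Agent": "tweet-link-check"})
        resp = conn.getresponse()
        if 300 <= resp.status < 400 and resp.getheader("Location"):
            return urljoin(url, resp.getheader("Location"))
        return None
    finally:
        conn.close()


def expand(url, lookup, max_hops=5):
    """Follow a redirect chain hop by hop using lookup(url) -> next hop or None.
    Returns (final_url, chain, truncated); truncated is True on a loop or when
    max_hops is exhausted, so the caller never trusts an unfinished chain."""
    chain = [url]
    for _ in range(max_hops):
        nxt = lookup(chain[-1])
        if nxt is None:
            return chain[-1], chain, False
        if nxt in chain:
            return nxt, chain, True
        chain.append(nxt)
    return chain[-1], chain, True


def host_is_trusted(url):
    """Exact-or-subdomain match against TRUSTED_HOSTS. A substring test such as
    'twitter.com' in host would wave through twitter.com.login-check.example;
    this check does not."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def classify(tweet, lookup=CONSTRUCTED_REDIRECTS.get):
    """Return (original_url, landing_url, verdict) for each link in the tweet.
    Pass lookup=head_location to resolve real links over the network."""
    results = []
    for url in extract_urls(tweet):
        final, chain, truncated = expand(url, lookup)
        path = urlsplit(final).path.lower()
        login_like = any(word in path for word in ("login", "signin", "session"))
        if truncated:
            verdict = "suspicious: redirect loop or too many hops"
        elif login_like and not host_is_trusted(final):
            verdict = "phish: login page on untrusted host %s" % urlsplit(final).hostname
        else:
            verdict = "ok"
        results.append((url, final, verdict))
    return results


if __name__ == "__main__":
    for row in classify(SAMPLE_TWEET):
        print(row)
```

Running it on the constructed tweet reports the short link landing on twitter.com.login-check.example/login as a phish; the same link judged by a substring check on the hostname would pass, which is exactly the trick a fake login page relies on. The live resolver deliberately makes one HEAD request per hop instead of letting the HTTP library follow redirects, so the full chain is visible and can be capped.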

Privacy? What Privacy?

Finally, there is privacy. Congressman Pete Hoekstra learned the hard way that Twitter peels away yet another layer of the privacy onion. By Twittering the arrival of his Congressional delegation in Baghdad, the Michigan Republican garnered plenty of intense criticism. Did his Tweet compromise the security of the supposedly secret mission (the trip was classified and his location was not to be known)? If not, it's probably only a matter of time before Twitter is mistakenly used to that effect.

This is not an issue exclusive to Republicans. Obama's new federal CIO Vivek Kundra is a big fan of Twitter and has encouraged his staff to make use of the service. Hopefully they will take into account the public nature of Tweets.

The problem in this case is that nobody seems to realize that Twitter is a public forum. Generation Y is busy confronting this big privacy issue head on. Their Facebook, MySpace, and Twitter-laden pasts sometimes don't help much as they trawl for work during a recession. What you say in public on the Internet is, well, public. Furthermore, what you say and the pictures you post may come back to haunt you when you're not busy doing tequila shots. Hangover anyone?

Meet the New Boss, Same as the Old Boss

Personally, I think Twitter should be rebranded "Touretter," transforming Tweets into "Twitches." Then again that's probably a disservice to poor people who are victims of Tourette's Syndrome. There may be more actual content in tics.

A wise person once opined about writing a shorter note if only there were more time. If we equate additional thought with better quality, then the average tweet has to be the electronic equivalent of exclaiming "Hey, look what I can do!" just prior to applying for a Darwin Award.

What the world needs is a large number of unemployed newspaper editors to sort through the Tweets and let us all know what stories to pay attention to. I hear there's going to be a big supply.
