Hacked Twitter Accounts Highlight Need To Be Security Conscious
Highly popular micro-blogging site Twitter has had a series of widespread security incidents over the course of the last week, culminating when high profile accounts owned by President-elect Barack Obama and Britney Spears were hacked. In addition to Obama and Spears, approximately 30 other accounts had inappropriate tweets generated by this latest round of attacks.
Following these highly publicized incidents, including the recent Twply issue and the widespread phishing scam aimed at Twitter users that followed it, one has to wonder what, if anything, Ev and Co. are going to do to improve Twitter’s security.
But is mitigation ultimately Twitter’s responsibility? I say no.
While Twitter certainly shares a portion of the blame for the Twply exploit, the other incidents were straight-up, everyday phishing expeditions. Users visiting the phishing sites consciously chose to hand over their Twitter credentials. It is up to the users to start acting responsibly online, to be held accountable for their actions.
These incidents highlight a problem emblematic of the web in general – phishing is a huge exploit which affects almost every web-based application available. By no means are these types of problems restricted to Twitter.
Phishing is relatively easy, especially for skilled attackers who are looking to cause major damage. But even n00bs can construct a simple phishing site in mere minutes. Crafting a phishing attack is as simple as stealing a site’s design, placing it on another domain and writing a small script to capture and store the credentials potentially typed into the logon form. This could literally be thrown together in 10 minutes!
The bulk of the blame has to be placed on users. While most people are not savvy enough to know the ins and outs of network security, recognizing phishing is a relatively easy task. As with anything, all it takes is a little education!
I have noted a few problematic user behaviors which lead directly to phishing. All of these are easily mitigated through education.
- The method people use to determine what web site they are currently viewing is a direct contributor to phishing. Sites are commonly identified by familiar visual characteristics – the color, design structure and very specifically defined elements of the site are used to form a quick judgment of the site’s authenticity.
- A lot of people do not bother to look at the address bar to determine their location and will mindlessly click links without ever realizing they have been misled. Those that do look at the URL do not inspect it closely enough. Seeing twitter.access-logins.com was enough to deceive many people into handing over their Twitter credentials.
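The point above is that what matters in a hostname is its right-hand end, not whether a familiar brand name appears somewhere in it. As an added example that is not part of the original post, here is a small Python check of the kind a browser extension or a corporate mail filter could apply to login links before a user ever sees the page. The trusted domain, the three-way labelling and the sample URLs are my own construction; the hostname twitter.access-logins.com is the one the post itself mentions.

```python
# Added example, not code from the original post. Classifies a login URL as
# "trusted", "lookalike" or "unrelated" relative to a trusted registrable domain.
from urllib.parse import urlsplit

# Constructed assumption: the domain the real login form is expected to live on.
TRUSTED_DOMAIN = "twitter.com"


def parse_host(url: str):
    """Return (userinfo, hostname) for a URL, both lowercased, '' when absent.

    A bare 'twitter.com/login' is given an http:// scheme first so urlsplit
    treats the leading text as a host rather than as a path.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    userinfo = (parts.username or "").lower()
    return userinfo, host


def belongs_to(hostname: str, trusted_domain: str) -> bool:
    """True only if hostname is trusted_domain itself or a subdomain of it.

    The comparison is anchored on a dot, so 'nottwitter.com' and
    'twitter.com.evil.example' are both rejected: only the right-hand end
    of the hostname counts.
    """
    trusted_domain = trusted_domain.lower()
    return hostname == trusted_domain or hostname.endswith("." + trusted_domain)


def classify_login_url(url: str, trusted_domain: str = TRUSTED_DOMAIN) -> str:
    """Label a login URL: 'trusted', 'lookalike' (brand name shown but not
    the trusted domain) or 'unrelated' (no brand name at all)."""
    userinfo, host = parse_host(url)
    if belongs_to(host, trusted_domain):
        return "trusted"
    brand = trusted_domain.split(".")[0]
    # The brand can be smuggled in as a subdomain label (twitter.access-logins.com),
    # as a prefix (nottwitter.com) or in the userinfo part before '@'
    # (https://twitter.com@evil.example/), which browsers do not treat as the host.
    if brand in host or brand in userinfo:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, run through the classifier.
    samples = (
        "https://www.twitter.com/login",
        "http://twitter.access-logins.com/login",
        "https://twitter.com.evil.example/",
        "https://twitter.com@evil.example/login",
        "https://example.org/",
    )
    for sample in samples:
        print(f"{classify_login_url(sample):10} {sample}")
```

The check is deliberately conservative: anything that is not the trusted domain or one of its subdomains is refused, and the "lookalike" label exists only so that a log or a warning can say why the link looked plausible.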
- Blindly trusting unfamiliar third-party web-site operators with the keys to your online kingdom is just plain stupid. Far too often people will hand over their user name and password without ever thinking of the possible implications of such actions. This can be due to excitement over the possibility of playing with a new toy, the false promise of some exciting prize or nifty worthwhile feature you feel you need, or any number of other reasons – people give up their password believing they are receiving something valuable in return.
- Constructing strong, difficult-to-guess passwords is vital in ensuring your online identity stays intact. All too often people create weak passwords which are easy to remember but are not adequate to protect the user accounts to which they are attached. Insufficient password strength is a vulnerability which is often exploited; this is the attack method used in the most recent Twitter security incident affecting President-elect Obama’s account. The attackers used a dictionary attack to gain access to Twitter administrative tools, which were then used to gain further access to additional user resources. Dictionary attacks are generally only successful against weak passwords.
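A dictionary attack only works when the password is on (or one trivial step away from) a word list, which is why the cheapest defence is to refuse such passwords at the moment they are chosen. The following Python is an added example, not code from the original post or from Twitter: a server-side password check that undoes the usual dressing-up tricks (trailing digits, punctuation, leet substitutions) before comparing against a word list, and applies simple length and character-class rules. The word list, the thresholds and the leet table are constructed assumptions; a real deployment would load a list of tens of thousands of known-bad passwords.

```python
# Added example, not code from the original post. Rejects passwords that a
# dictionary attack would recover, plus the obviously short ones.
import string

# Constructed stand-in for a real breached-password/word list.
CONSTRUCTED_WORDLIST = {
    "password", "letmein", "twitter", "qwerty", "welcome", "monkey", "football",
}

# Constructed table of the substitutions people use to "strengthen" a word.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 12                  # constructed policy threshold
LENGTH_THAT_WAIVES_CLASS_RULE = 16  # long passphrases need not mix classes


def normalize(pw: str) -> str:
    """Reduce a candidate to the dictionary word it was built from.

    Lowercase, strip digits and punctuation from both ends ('Password123!'),
    then undo leet substitutions ('p@ssw0rd' -> 'password'). Stripping happens
    before translation so a trailing '1' is dropped rather than turned into 'i'.
    """
    base = pw.lower().strip(string.digits + string.punctuation)
    return base.translate(LEET)


def is_dictionary_word(pw: str, wordlist=CONSTRUCTED_WORDLIST) -> bool:
    """True if the normalized password is a listed word."""
    return normalize(pw) in wordlist


def character_classes(pw: str) -> int:
    """Count how many of lower, upper, digit, other are present."""
    kinds = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(kind(c) for c in pw) for kind in kinds)


def password_problems(pw: str, wordlist=CONSTRUCTED_WORDLIST) -> list:
    """Return the reasons a password would be rejected; empty means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) < LENGTH_THAT_WAIVES_CLASS_RULE and character_classes(pw) < 3:
        problems.append("fewer than 3 character classes")
    if is_dictionary_word(pw, wordlist):
        problems.append("dictionary word once digits, punctuation and leet are undone")
    return problems


if __name__ == "__main__":
    # Constructed candidates: two dressed-up dictionary words and one passphrase.
    for candidate in ("Tw1tter!", "P@ssw0rd123", "correct horse battery staple"):
        print(f"{candidate!r}: {password_problems(candidate) or 'ok'}")
```

The normalization step is the part worth copying: a policy that only counts character classes would happily accept "P@ssw0rd123", which any dictionary attack with a substitution rule tries within its first few thousand guesses.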
These behaviors can be stopped once you recognize they exist, and realize these techniques are the vectors attackers use to trick innocent users into doing things they normally would not do otherwise. Security is a mindset, a culture. Making the conscious decision to start acting securely is easy – following through is the hard part!
To use an old but very applicable cliché – knowing is half the battle. Now that you are educated on these flawed behaviors, take the time to make the necessary adjustments to your surfing habits to ensure your online identity is not compromised!
Most of all – do not give your password out to unknown, untrusted web sites! Do a little due diligence and verify the quality of service the web site provides before handing over a key to your online kingdom. Doing so will go a long way in ensuring the safety of that kingdom.