Social networking sites have proven to be incredibly popular, but they also are proving to be less than secure.
You have to be agile to keep up with teenagers if you're well into middle age, but you should give credit to those of us who are making an effort. For instance, having Twitter and Facebook accounts is one way to stay in the groove with the Web 2.0 crowd. But you have to be a little careful when you're out there mingling with the hoi polloi.
We took note recently that COMMON and iSociety have collaborated on a joint initiative to go Web 2.0. COMMON now has a Twitter account and also one on Facebook. Plans are to post activities from the upcoming 2009 annual meeting and exposition in Reno, Nevada (April 26-30) on Twitter as the show unfolds. If you have a free Twitter account, you can follow COMMON activities, and people can then link to you. I have a Twitter account, and if I could remember my password, I would be able to follow COMMON and get a sense of what all the people who are following me on Twitter are doing with their fascinating lives. Hopefully, they're also following someone who is actually more interesting than I, since I'm actually only a pseudo-interesting tweeter.
What's really interesting about Twitter these days is that it's been repeatedly hacked. Tweeters (those of us who tweet) have been responsible for automatically propagating a worm after visiting compromised profiles. The site had to discard thousands of tweets in order to get rid of the malicious code. Last weekend, the Twitter staff was trying to deal with several sustained attacks and determined that the vector was a cross-site scripting (XSS) weakness. Users who visited the profile of a compromised account were themselves compromised. The result was a string of messages being posted that promoted a Web site called StalkDaily.com, a site similar to Twitter. After being infected, users began tweeting about stalkdaily.com with messages such as "Dude, www.StalkDaily.com is awesome. What's the fuss?" The first wave affected about 90 accounts. Later in the day, a new wave of attacks hit that displayed similar messages but exploited a different weakness. Some 100 accounts were compromised. A third strike happened on Sunday. The creator of StalkDaily has taken credit for the attacks.
Biz Stone, founder of Twitter, wrote in his blog that the Twitter team "secured the accounts that had been compromised and removed any content that might help spread the worm. All told, we identified and deleted almost 10,000 tweets that could have continued to spread the worm."
Stone said the company takes the attacks seriously and would follow up in pursuing the person responsible. He likened the attacks to one in 2005 on MySpace in which a hacker introduced the Samy worm, which spread to a million users within a mere 20 hours. The worm carried a payload that displayed the text "but most of all, Samy is my hero" on the compromised profile of the user, and anyone who viewed a compromised profile had the payload planted on their own page. MySpace filed a lawsuit against the worm's creator, Samy Kamkar, who was also charged with a felony. In 2007, Kamkar entered a plea agreement, whereupon he was sentenced to three years of probation and 90 days of community service, and he had to pay restitution to MySpace.
The messages on Twitter last weekend were relatively harmless, but the dangers that Twitter users are exposed to could lead to more serious consequences since most users are accustomed to simply clicking on TinyURL links without using Twitter's preview feature to see where they actually lead. The disturbing thing about the Twitter attacks this past weekend is that the XSS vulnerability was identified earlier by two security researchers, Lance James and Eric Wastl, who work for Secure Sciences Corp. The flaws allow attackers to force unwanted behavior through URL manipulation.
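The profile-page attack described above is a stored XSS problem: whatever a user puts into a profile field is shown to every visitor, so it must never reach the page as live markup. The following is an added example, not code from Twitter or from the researchers named here; it contrasts a naive profile renderer with one that HTML-escapes every field and restricts the website link to http(s) URLs. The profile values are constructed sample data.

```python
import html
from urllib.parse import urlparse

# Constructed sample profile (not real data): the bio carries an inline script
# element and the website field a javascript: URL, the two classic ways a
# stored value in a profile can become active content for every visitor.
SAMPLE_PROFILE = {
    "name": "pseudo interesting tweeter",
    "bio": 'Dude, <script>alert(1)</script> is awesome. "What\'s the fuss?"',
    "website": "javascript:alert(1)",
}

def render_profile_unsafe(profile: dict) -> str:
    """Weak pattern: user-controlled fields are interpolated into HTML as-is,
    so markup stored in the bio runs in the browser of whoever views it."""
    return (f'<h1>{profile["name"]}</h1>'
            f'<p class="bio">{profile["bio"]}</p>'
            f'<a href="{profile["website"]}">website</a>')

def safe_url(url: str) -> str:
    """Allow only absolute http(s) links in the website field; any other
    scheme (javascript:, data:, ...) collapses to an inert '#' anchor."""
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() in ("http", "https") and parsed.netloc:
        return html.escape(url, quote=True)
    return "#"

def render_profile_safe(profile: dict) -> str:
    """Hardened rendering: every field is HTML-escaped (quote=True also escapes
    quote characters, so a value cannot break out of an attribute), and the
    link is scheme-checked. No user-supplied markup survives as markup."""
    return (f'<h1>{html.escape(profile["name"], quote=True)}</h1>'
            f'<p class="bio">{html.escape(profile["bio"], quote=True)}</p>'
            f'<a href="{safe_url(profile["website"])}">website</a>')

def contains_active_content(rendered: str) -> bool:
    """Crude detection helper: does the rendered HTML still carry a script
    element or a javascript: link? Used to compare the two renderers."""
    lowered = rendered.lower()
    return "<script" in lowered or 'href="javascript:' in lowered

if __name__ == "__main__":
    print(render_profile_unsafe(SAMPLE_PROFILE))  # script and javascript: link intact
    print(render_profile_safe(SAMPLE_PROFILE))    # both neutralised
```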
Twitter was hit earlier this year by a clickjacking attack, and 16-year-old Miley Cyrus, the lead actress in Disney's TV series Hannah Montana, had her Twitter account hacked, with obscene references posted. Last month, Facebook was hit by an attack similar to the one directed against Twitter this past week.
The whole Web 2.0 phenomenon is fun and is the product of some youthful minds that have tapped into people's desire to communicate and interact frivolously. Obviously, more work needs to be done on these free services to tighten up what is an appalling lack of security. Until it's secured, users should be aware of the inherent dangers in using these services from computers containing any information of value to hackers and thieves.
Safe password management is a must when using these types of accounts. Long and strong passwords that have both uppercase and lowercase letters, numbers, and special characters are important. Using the same password for multiple services is not a good idea; at the very least, one should use a unique password for banking or payment services.