Twitter users received a scare this week when the popular micro-blogging service experienced a two-pronged attack. First, on January 3, 2009, several Twitterers became victims of a "phishing" scam, where scammers gained access to account usernames and passwords, then sent fraudulent emails to other Twitter users. Next, several high-profile accounts were hacked; their "followers" thus received updates that were offensive and slanderous. Famous Twitterers such as President-Elect Barack Obama, Fox News' Bill O'Reilly, and pop star Britney Spears were among the victims of the January 5 prank. For an example of a well-known Twitter user affected by the hacking, see CNN anchor Rich Sanchez's story.
Perhaps these events demonstrate that the Twitter service has "arrived," that no successful site or program experiences zero problems. Yet these two incidents illustrate the problematic issue of security. Despite the number of password protection programs or encryption software that supposedly assure secure passage of information, determined hackers continually find vulnerabilities on Web sites and exploit them. According to Wired's blog, an 18-year-old student claimed responsibility for the celebrity prank, describing the ease with which he gained access to usernames and passwords. Using password generating software, he hacked the account of, incredibly, a Twitter support staff member who used a very basic password. Once he had access, he managed to reset celebrity users' passwords, then posted the bogus messages. In an even scarier development, the hacker claimed he posted affected Twitter users' account information to a Web site, offering the compromised accounts to anyone by request.
Why Users Should Care About Miley Cyrus's Hijacked Account
No harm done, right? The celebrity incident is just a harmless prank, and the first phishing instance did not affect the majority of Twitterers. In fact, these incidents prove how easily social networks can be infiltrated, leading to identity theft and spreading of malicious rumors. According to the Wired article, the hacker also claimed responsibility for hijacking Hannah Montana star Miley Cyrus's YouTube account. A friend of the hacker then posted a "memorial" video on the site, which stated that Cyrus had died tragically in an accident. The story quickly spread to mainstream media, with Cyrus's publicist immediately issuing a statement that the teen star was indeed alive. With today's social networking technology, such false rumors can spread at the speed of light—during the 2008 presidential campaign, Barack Obama was the subject of so much Internet gossip that his team established a site, Fight the Smears, to counter such stories. Social networks played a big part in spreading these false rumors.
While Twitter declines to release the exact number of current accounts, TechCrunch speculated last year that over one million visit the site and that over three million messages a day are generated. Regardless of exact figures, one can safely assume that the potential number of phishing and hacking victims is alarming. What's worse, users can do little to protect themselves from such an invasion. Social networking sites such as Twitter and Facebook need to greatly improve security for their valued customers. For example, according to the Wired article, the hacker expressed great surprise at Twitter's lack of password protection. Using his password generation program, he was able to enter random characters an unlimited number of times before he finally stumbled upon the correct phrase. Credit card and personal banking sites limit the number of "tries" for a user to type the correct password. If a customer cannot log in after five tries, for instance, that user will have to call the bank or financial institution directly in order to obtain a new password. Having such limits would have prevented the hacker's password generator software from breaking into accounts. While it may be an impossible task to keep current with every single hacking program available, these sites owe it to their users to make valiant efforts. In Twitter's case, a support staff member's account was compromised, a sure sign that even experts struggle to keep up with rapidly developing security and hacking technology.
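The "five tries" limit described above can be sketched as a per-account failure counter. This is an added example, not code from Twitter or any bank; the class, function and account names are hypothetical and the passwords are constructed.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5  # the "five tries" figure used in the article


class LoginGuard:
    """Per-account failed-login counter with hard lockout (hypothetical names)."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self._users = {}     # username -> (salt, derived password hash)
        self._failures = {}  # username -> consecutive failed attempts

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))
        self._failures[username] = 0

    def is_locked(self, username):
        return self._failures.get(username, 0) >= self.max_failures

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'."""
        if username not in self._users:
            return "denied"
        if self.is_locked(username):
            return "locked"  # refuse even the correct password until reset
        salt, stored = self._users[username]
        if hmac.compare_digest(stored, self._hash(password, salt)):
            self._failures[username] = 0  # a success clears the counter
            return "ok"
        self._failures[username] += 1
        return "locked" if self.is_locked(username) else "denied"

    def reset_by_support(self, username, new_password):
        """Out-of-band recovery, like the call to the bank described above."""
        self.register(username, new_password)


def run_guesses(guard, username, candidates):
    """Feed a list of guesses to login() and return the outcome of each."""
    return [guard.login(username, guess) for guess in candidates]
```

A hard lockout also lets anyone lock a known account by submitting bad passwords, so real deployments often pair the counter with timed delays or per-source throttling rather than relying on it alone.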
Are Twitter and Facebook Completely Open with Their Customers?
In the days following the security breach, Twitter responded to users by briefly posting a link to their blog describing the situation. The post offered little other than telling account holders to change their passwords and not to click on URLs purporting to be a Twitter login site. On the Twitter Status page, an entry stated that all compromised accounts were "stabilized" and promised more information on the situation. As of January 9, no specific follow-up has been posted. Has Facebook decided to address the problem? Entries on their Help Center: Security page warn against recent worms and phishing scams, but again provide little information as to how they will improve security. Facebook designers claim to use "industry standard and proprietary network monitoring tools" and to incorporate "industry standard encryption." The page explains that users may not be able to determine the site's encryption from its URL, but in essence says to just trust them. Users need better assurance that technicians are improving security, and deserve more specific explanations as to solutions. Obviously the social networking sites cannot release too many details about their exact encryption methods, as they might as well just post a banner across their pages saying "please hack us." However, customers are entitled to know how Twitter and Facebook protect their personal information, and deserve better explanations than "don't worry about it, just trust us."
Clearly, these security breaches affect a vast number of people, and could have devastating effects on innocent users. On January 6, frequent Twitterer Sanchez seemingly issued this update to his followers: "i am high on crack right now might not be coming into work today [sic]." While people may chuckle at the prankster's joke, what if it happened to an everyday person? One false rumor could result in that person's job termination. In addition, according to Kaplan, a test preparation and tutoring company, one in ten university admissions officers seek applicants' Facebook pages as an additional tool in assessing candidates. Imagine if an applicant's account was attacked, and unflattering statements about the person's sexual orientation, behavior, or other details were posted. Such false accusations could cost that student a place at his or her desired university. The consequences of such malicious rumor mongering could be even more disastrous.

Article comments
1 - ed dickson
Great article, concise, informative and right on the money.