What Twitter outage means for you
Posted: Thursday, August 6 2009 at 03:27 pm CT by Bob Sullivan
The best way to get the attention of a classroom full of rowdy kids is to turn the lights off. And the best way to get the attention of Internet users is to essentially do the same thing.
Thursday’s Twitter denial-of-service hack certainly grabbed everyone's attention. Nothing like a total shutdown to make people sit up and take notice. But relatively speaking, denial-of-service attacks are harmless. Everyone's been through it - CNN, Yahoo, Microsoft. Heck, Facebook and LiveJournal were hit Thursday, too, by the social media bandwidth bandit. (Msnbc.com is a joint venture of Microsoft and NBC Universal.)
But Twitter's been hit by far more serious security issues in the recent past. Just last month, a hacker wormed his way through Twitter and into personal documents of a company executive. Earlier this year, a hacker managed to impersonate several high-profile public figures (including President Barack Obama and CNN's Rick Sanchez) by hijacking their Twitter accounts. Not to mention all the spam, viruses, and malicious links that are finding their way around the microblogging site these days.
Oops, we did it again. We invented a cool new technology, got millions of people hooked on it, seduced them into over-sharing information through a false sense of security, and created a wonderful playground for hackers. E-mail, Web browsers, online shopping, Facebook -- they've all gone through the same growing pains.
It doesn't have to be this way, of course. Last week, the world's best security minds gathered in Las Vegas at the Black Hat/DefCon conference. One year ago, researcher Dan Kaminsky got everyone's attention by threatening to quite literally shut down the Internet. A flaw he discovered could have enabled a hacker to render the Web useless in a few minutes. It was fixed promptly.
This year, Kaminsky was back with a slightly less dramatic flaw: a trick that would have basically disabled "https" and those security locks on Web browsers. That got fixed too. But still, he's frustrated. The vast majority of Internet perils are avoidable, if companies like Twitter baked security directly into their products. And still, nearly two decades into the grand public experiment of Internet use, nearly all consumer information is protected by a measly user name and password combination.
"Sixty percent of all attacks are just passwords. Missing passwords, stolen passwords," he said. "We have this technology and it's not working. If we don't do things better it’s going to be a real problem."
Authentication, he explained, is at the heart of all commerce, and all Web transactions. For the most part, we're no further ahead in authentication technology than we were in 1995.
The hacker who attacked Twitter executive Evan Williams' e-mail claims he got in by simply guessing the answer to one of those silly "Forgot your password?" questions, like "What is your dog's name?” We warned users about this last year.
Still, Twitter used the technology, Williams allegedly trusted it, and now people know what he purchased at Amazon recently. Criminals who got into his Twitter account used access to "escalate" their way into Williams’ Google Docs account as well, and obtained sensitive information about the company.
Theoretically, it's not that big a deal for someone to hack your Twitter account - everything you say there is designed to be public. But increasingly, like Williams, Web users are slowly but surely moving everything they do online, and linking it all through various social media and document-sharing tools.
If the thought of not being able to tweet for a few hours bothers you, stop for a moment and consider what might happen if someone was able to access all your online activities, read all your e-mail, or impersonate you and send nasty notes to your boss or wife.
Moving in the right direction
Twitter deserves credit for trying to play catch up. Recently, it quietly instituted a security upgrade - disabling links to known hacker sites. A positive step, and one that could so irritate the bad guys that I wouldn't be surprised if there's a connection between this new security tool and the denial-of-service attacks.
Twitter has other enemies, too. Its shining moment came during the recent Iranian uprising, when Twitter proved robust in the face of government censorship.
But the question remains: Why would a service like Twitter set itself up for this string of attacks and bad publicity? Kevin Haley, director of security response at Symantec Corp., says it's normal "growing pains" for a ragingly successful Internet startup.
"Nobody has a full-blown security plan when they develop their business plan or their site," he said. "At the beginning, you are completely focused on getting your site up and your services up. Anything like security that makes it harder for people to join, you're not going to want to put that into place."
Eventually security problems arise, and then companies address them, he said.
That means you, me, and everyone else who hops on the next great Web thing is really just allowing the creator to experiment with our personal information.
A few hours without Twitter is nothing to be alarmed about. But today’s incident, and other recent missteps, provide continued hints that things at social media sites aren’t as safe as we perceive.
It’s enough to make you wish that the last hacker to break into a major Web site would turn the lights off when they leave.
RED TAPE WRESTLING TIPS
What does this mean for you? Once upon a time, it was consumer gospel that you never bought a new car in its first production year. You let the manufacturer work out the kinks with other suckers for a year before you jumped in. When it comes to exposing personal information, that's a pretty good strategy. Twitter, Facebook, online document storage, all these services have a lot of promise. But I'd let these security issues settle down for a while before I trust them with anything meaningful.
Here's a good rule of thumb: Recent celebrity incidents should have taught all of us that anything we say to a police officer during a traffic stop could become public record and end up in front of the whole world -- so it's best not to say anything you wouldn't want everyone to see. That's a good rule for online services, too. Before you type or post, picture everyone you know reading it. If that gives you pause, you should probably hit the delete key.
Also, it's more important than ever not to use the same password at all sites. A hacker who breaks into your Twitter account will immediately try to break into Amazon, Yahoo, Hotmail, Gmail, Facebook, and any other ubiquitous site. Imagine the trouble someone who read your Gmail could cause.
And now's a good time to take a look at those "Forgot Your Password?" links on your favorite sites. If the question is "What was your high school mascot?" and your Facebook picture is you wearing a sweatshirt with a horse on it that says "Lake City 'Stangs," you should change your question.
One theory has a new variant of the Koobface virus responsible for these outages. It’s easy to fall for Koobface, because it can arrive as a tweet that looks like it’s from a friend, with a link to video. Clicking on unexpected links is always a bad idea, but those clever “bit.ly” links, and their shortened URLs, create a particular hazard. Because you don’t really know where you are going (the landing URL is hidden), bit.ly links are great for hackers, bad for you. Just ask your friend to re-send the full link. That’ll foil most hackers.
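One way to see where a shortened link leads without ever loading the landing page is to send a HEAD request and read the redirect's Location header instead of following it. The script below is an added example, not from the article; it assumes the shortener answers with a standard HTTP 3xx redirect, and the `head` parameter of `expand_chain` is a hypothetical injection point so the logic can be checked against a constructed, offline resolver.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def redirect_target(status, headers):
    """Return the Location value when (status, headers) describe an HTTP
    redirect, otherwise None. `headers` is a list of (name, value) pairs."""
    if status not in REDIRECT_CODES:
        return None
    for name, value in headers:
        if name.lower() == "location":
            return value
    return None


def head_request(url, timeout=5):
    """Issue a single HEAD request and return (status, headers) WITHOUT
    following the redirect, so the destination page is never fetched."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "link-preview"})
        resp = conn.getresponse()
        return resp.status, resp.getheaders()
    finally:
        conn.close()


def expand_chain(short_url, head=head_request, max_hops=5):
    """Resolve a shortened link hop by hop and return every URL on the way,
    ending with the real destination. A chain longer than max_hops (or a
    redirect loop) raises instead of bouncing forever. `head` is injectable
    (hypothetical parameter) so the logic can run against a fake resolver."""
    hops = [short_url]
    while len(hops) <= max_hops:
        status, headers = head(hops[-1])
        nxt = redirect_target(status, headers)
        if nxt is None:
            return hops
        hops.append(urljoin(hops[-1], nxt))  # Location may be relative
    raise RuntimeError("redirect chain exceeds %d hops: %r" % (max_hops, hops))


if __name__ == "__main__":
    import sys
    for url in sys.argv[1:]:
        print(" -> ".join(expand_chain(url)))
```

Run it with one or more shortened links as arguments; the printed chain shows the final host before you decide whether to click.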
Finally, if you are so inclined, send a note to the CEO of the companies involved saying you are very concerned about security. The chief reason security pros like Kaminsky gather in Las Vegas every year is to commiserate on this fact: the marketing department always gets much more money than the security department. You could help their cause by letting companies know that you care about security and privacy.
Benjamin Franklin once said that two people can keep a secret, only if one of them is dead. So putting your personal thoughts online is just as bad, or worse, as putting them on the local newspaper.
MP, Miami FL (Sent Aug 14, 2009 5:16:41 PM)
All that you say is correct. I have been in the computer industry for 45 years and have seen the problems coming, but the other side of the problem is law enforcement against these hackers and law breakers. We don't lock our houses and businesses with super locks. Our cars don't have chains around them.
We put this same sensitive data in the postal mail without fear. This is true because there are strong laws with enforcement against tampering with the mail or burglars. The police find the bad guys and we lock them up and so the same strong reaction needs to take care of the internet criminals. Otherwise it will be a constant cyber war with no end.
Lee Duxbury, New York NY (Sent Aug 7, 2009 2:54:59 AM)
I am also concerned about my ISP’s lackadaisical approach to the DOSing for the past 10 months.
Bill (Sent Aug 6, 2009 10:32:08 PM)
I am more concerned about someone DOSing a web site than I am about the web sites security.
Bill (Sent Aug 6, 2009 10:23:29 PM)
As a web developer I can say you're asking too much for cutting-edge web security to be built into apps. We're already working on razor-thin budgets, and adding frankly over-the-top security from the get-go will break the bank.
The cost of hiring a security consultant is around 2-5k, and that doesn't include closing any security holes. To get all that done will cost more than developing the app.
Robert Kozik, Oak Creek, WI (Sent Aug 6, 2009 8:27:49 PM)
It's interesting that people forget that there is a difference between what is public and what they want to be public. My motto is never to publish ANYTHING on the web I would not want to be made public to everyone.
M Sword Norfolk, VA (Sent Aug 6, 2009 7:54:11 PM)
the president has a twitter account? WHY?
Teresa Mitchell (Sent Aug 6, 2009 7:28:56 PM)
There is a simple way to deal with security questions like "what is your dog's name?" Don't register the correct answers! One common question is for mother's maiden name - which anyone can find on the web, in my case. So when a web site asks the question, I give a fake answer that only I know. That way no one can steal it!
Dale Napier, Houston, TX (Sent Aug 6, 2009 7:27:27 PM)
Thanks for the FYI. Knowledge is power.
jr (Sent Aug 6, 2009 7:19:19 PM)
Unfortunately it's becoming more and more common for online companies to be more concerned about profits than anything else, especially security. They only want to do something to protect the users when it becomes public that there is a problem.
Chris from Greensboro, NC (Sent Aug 6, 2009 7:09:49 PM)
probably those 4chan kids again.
Steve Burns,cleveland,ohio (Sent Aug 6, 2009 7:05:07 PM)
Uh, FYI the Twitter outage did not capture everyone's attention. Maybe among a certain set of self-involved self-promoters there was a panic attack. But the rest of the real world just kept living their lives and doing their own thing.
Eric, New York (Sent Aug 6, 2009 7:02:43 PM)
Hackers should be sent to jail for a long period of time. They cost us millions. I have had two computers ruined even with security software. The government and the internet companies are not doing enough to stop this. If they can find people who traffic child porn on the internet they can find these hackers.
Bob Ontario, Ca (Sent Aug 6, 2009 6:14:09 PM)
Twitter is for TWITS!!
Seriously though, for people to be so engaged in this malarkey is hilarious.
I'm glad you twits people went down, I hope there are more outages in the future!
ARCADIAN (Sent Aug 6, 2009 6:12:04 PM)