Aug. 6, 2009 at 6:27 PM ET
The best way to get the attention of a classroom full of rowdy kids is to turn the lights off. And the best way to get the attention of Internet users is to essentially do the same thing.
Thursday’s Twitter denial-of-service attack certainly grabbed everyone's attention. Nothing like a total shutdown to make people sit up and take notice. But relatively speaking, denial-of-service attacks are harmless: they knock a site offline by flooding it with traffic, but they don't expose anyone's data. Everyone's been through it - CNN, Yahoo, Microsoft. Heck, Facebook and LiveJournal were hit Thursday, too, by the same social media bandwidth bandit. (Msnbc.com is a joint venture of Microsoft and NBC Universal.)
But Twitter's been hit by far more serious security issues in the recent past. Just last month, a hacker worked his way through Twitter's online accounts and into personal documents of a company executive. Earlier this year, a hacker managed to impersonate several high-profile public figures (including President Barack Obama and CNN's Rick Sanchez) by hijacking their Twitter accounts. Not to mention all the spam, viruses, and malicious links that are finding their way around the microblogging site these days.
Oops, we did it again. We invented a cool new technology, got millions of people hooked on it, seduced them into over-sharing information through a false sense of security, and created a wonderful playground for hackers. E-mail, Web browsers, online shopping, Facebook -- they've all gone through the same growing pains.
It doesn't have to be this way, of course. Last week, many of the world's best security minds gathered in Las Vegas for the Black Hat and DefCon conferences. One year ago, researcher Dan Kaminsky got everyone's attention with a flaw in DNS, the system that turns names into addresses, that could have let an attacker silently redirect users of a vulnerable server to sites of his choosing within minutes. It was patched promptly, in a coordinated release across vendors.
This year, Kaminsky was back with a less dramatic flaw: a weakness in how browsers checked the certificates behind "https" and the security locks in Web browsers, which would have let an attacker pose as a secure site. That got fixed too. But still, he's frustrated. The vast majority of Internet perils are avoidable, if companies like Twitter baked security directly into their products. And still, nearly two decades into the grand public experiment of Internet use, nearly all consumer information is protected by a measly user name and password combination.
"Sixty percent of all attacks are just passwords. Missing passwords, stolen passwords," he said. "We have this technology and it's not working. If we don't do things better it’s going to be a real problem."
Authentication, he explained, is at the heart of all commerce, and all Web transactions. For the most part, we're no further ahead in authentication technology than we were in 1995.
The hacker who attacked Twitter executive Evan Williams' e-mail claims he got in by simply guessing the answer to one of those silly "Forgot your password?" questions, like "What is your dog's name?” We warned users about this last year.
Still, the reset mechanism was in place, Williams allegedly trusted it, and now people know what he purchased at Amazon recently. Criminals who got into his Twitter account used that foothold to "escalate" their way into Williams’ Google Docs account as well (one compromised account becomes the means of resetting or guessing the next), and obtained sensitive information about the company.
Theoretically, it's not that big a deal for someone to hack your Twitter account - nearly everything you say there is public by design. But increasingly, like Williams, Web users are slowly but surely moving everything they do online, and linking it all through various social media and document-sharing tools, so one account becomes a key to the others.
If the thought of not being able to tweet for a few hours bothers you, stop for a moment and consider what might happen if someone were able to access all your online activities, read all your e-mail, or impersonate you and send nasty notes to your boss or wife.
Moving in the right direction
Twitter deserves credit for trying to play catch up. Recently, it quietly instituted a security upgrade - blocking links to known malicious sites. A positive step, and one that could so irritate the bad guys, I wouldn't be surprised if there's a connection between this new security tool and the denial-of-service attacks.
Twitter has other enemies, too. Its shining moment came during the recent Iranian uprising, when Twitter proved robust in the face of government censorship.
But the question remains: Why would a service like Twitter set itself up for this string of attacks and bad publicity? Kevin Haley, director of security response at Symantec Corp., says it's normal "growing pains" for a ragingly successful Internet startup.
"Nobody has a full-blown security plan when they develop their business plan or their site," he said. "At the beginning, you are completely focused on getting your site up and your services up. Anything like security that makes it harder for people to join, you're not going to want to put that into place."
Eventually security problems arise, and then companies address them, he said.
That means you, me, and everyone else who hops on the next great Web thing is really just allowing the creator to experiment with our personal information.
A few hours without Twitter is nothing to be alarmed about. But today’s incident, and other recent missteps, provide continued hints that things at social media sites aren’t as safe as we perceive.
It’s enough to make you wish that the last hacker to break into a major Web site would turn the lights off when they leave.
RED TAPE WRESTLING TIPS
What does this mean for you? Once upon a time, it was consumer gospel that you never bought a new car in its first production year. You let the manufacturer work out the kinks with other suckers for a year before you jumped in. When it comes to exposing personal information, that's a pretty good strategy. Twitter, Facebook, online document storage, all these services have a lot of promise. But I'd let these security issues settle down for a while before I trust them with anything meaningful.
Here's a good rule of thumb: Recent celebrity incidents should have taught all of us that anything we say to a police officer during a traffic stop could become public record and end up in front of the whole world -- so it's best not to say anything you wouldn't want everyone to see. That's a good rule for online services, too. Before you type or post, picture everyone you know reading it. If that gives you pause, you should probably hit the delete key.
Also, it's more important than ever not to use the same password at all sites. A hacker who breaks into your Twitter account will immediately try to break into Amazon, Yahoo, Hotmail, Gmail, Facebook, and any other ubiquitous site. Imagine the trouble someone who read your Gmail could cause.
And now's a good time to take a look at those "Forgot Your Password?" links on your favorite sites. If the question is "What was your high school mascot?" and your Facebook picture is you wearing a sweatshirt with a horse on it that says "Lake City 'Stangs," you should change your question.
One theory has a new variant of the Koobface worm responsible for these outages. It’s easy to fall for Koobface, because it can arrive as a tweet that looks like it’s from a friend, with a link to a video. Clicking on unexpected links is always a bad idea, but shortened URLs from services like bit.ly create a particular hazard: the landing URL is hidden behind the short one, so you don’t know where you are going until you’ve arrived. That's great for hackers, bad for you. Ask your friend to re-send the full link, or find out where the short one leads before you click. That’ll foil most of these tricks.
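One practical check, added here as an example and not part of the original column: resolve a shortened link hop by hop with HEAD requests that do not auto-follow redirects, so you learn the landing URL without ever loading the landing page. The shortener and landing hosts below (short.example, promo.example) are made up, and the table standing in for the network is constructed so the example runs offline; `http_head` is the real resolver you would pass in instead.

```python
"""Reveal where a shortened link really goes, without visiting the landing page.

Each hop is fetched with a HEAD request and redirects are NOT followed
automatically, so the final site is never loaded; we only read the Location
header that each redirector hands back.
"""
import http.client
from urllib.parse import urlparse, urljoin

MAX_HOPS = 5  # shortener chains are short; anything longer is itself suspicious
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def http_head(url, timeout=5):
    """Real resolver: one HEAD request, no automatic redirect following.
    Returns (status_code, location_header_or_None)."""
    parts = urlparse(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "link-preview/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def resolve_chain(url, head=http_head, max_hops=MAX_HOPS):
    """Follow redirects one hop at a time and return every URL seen.
    The last element is the landing URL (or the last URL we could resolve
    if the chain is longer than max_hops). Redirect loops stop the walk."""
    seen = [url]
    for _ in range(max_hops):
        status, location = head(seen[-1])
        if status not in REDIRECT_STATUSES or not location:
            break
        nxt = urljoin(seen[-1], location)  # Location may be relative
        if nxt in seen:  # redirect loop: give up rather than spin
            break
        seen.append(nxt)
    return seen


def describe(url, head=http_head):
    """Human-readable verdict: each hop, then the host you would actually land on."""
    chain = resolve_chain(url, head)
    landing_host = urlparse(chain[-1]).netloc
    lines = [f"{i}: {u}" for i, u in enumerate(chain)]
    lines.append(f"lands on: {landing_host}")
    return "\n".join(lines)


# Constructed demo data (hypothetical hosts): a fake shortener table standing in
# for the network so the example runs offline. Swap in http_head for real links.
FAKE_REDIRECTS = {
    "http://short.example/abc": (301, "http://promo.example/go?id=7"),
    "http://promo.example/go?id=7": (302, "/video/watch"),  # relative Location
    "http://promo.example/video/watch": (200, None),
}


def fake_head(url):
    return FAKE_REDIRECTS.get(url, (404, None))


if __name__ == "__main__":
    print(describe("http://short.example/abc", head=fake_head))
```

The walk stops at the first non-redirect response, so the landing page itself is only ever probed with HEAD, never fetched; a chain that exceeds the hop limit or loops back on itself is reason enough to leave the link alone.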
Finally, if you are so inclined, send a note to the CEOs of the companies involved saying you are very concerned about security. The chief reason security pros like Kaminsky gather in Las Vegas every year is to commiserate on this fact: the marketing department always gets much more money than the security department. You could help their cause by letting companies know that you care about security and privacy.