Twitter tries to shore up security in wake of hack attack

By Robert Westervelt, News Editor 06 Jan 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Twitter officials are trying to lock down their systems in the wake of a successful attack against at least 33 high profile accounts that were hacked through the social network's support tools.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The breach took place just days after users reported a fast spreading phishing attack that was attempting to steal passwords and other identifiable information. Among the breached high profile accounts was President elect Barack Obama, pop singer Britney Spears, media outlet Fox News and CNN anchor Rick Sanchez, Twitter wrote Monday in a blog posting.

The social network, which allows users to connect to friends and colleagues and post brief messages in real-time, has grown in popularity in recent months. Twitter has gone through a number of growing pains since it launched in 2006. At times the micro-blogging service had consistent down time as a result of system overload. Some estimate Twitter has grown to well over 3 million accounts and the popularity in corporate environments is rising.

Social networking threats: How can widget malware on social networking sites threaten enterprises? Protecting enterprise networks from the malware on popular social networking sites is a complicated issue. Information security threats expert John Strand gives advice. How to implement and enforce a social networking security policy: For a new generation of employees entering the workforce, social networking isn't a luxury, it's a necessity. MySpace, Facebook ignoring basic principles of security: Social networking websites MySpace and Facebook present a significant security risk to users. Phishing, identity theft keeps law enforcement, researchers occupied: An expert on cybercrime and online scams, Derek Manky, is one of the members of the Fortiguard research team.

Twitter said the accounts that were compromised have been returned to their owners. The hacker exploited a vulnerability in the support tools used by Twitter staff to help people edit email addresses or reset passwords.

"We considered this a very serious breach of security and immediately took the support tools offline," the company wrote in a statement on its blog. "We'll put them back only when they're safe and secure."

The support team has been dealing with a phishing scheme attempting to send direct messages to users with a link to a malicious website. The site looks like a Twitter login page, but steals account names and passwords of victims who attempt to login. Twitter said it has reset a number of passwords to breached accounts as a result of the scheme.

One of the problems is that many users are ignoring common sense, clicking on links from unknown Twitter followers. Mary Landesman, senior security researcher at Web filtering vendor ScanSafe Inc., said in a statement via email that users must rethink using Twitter and other social networks as a popularity contest. Often people add followers and seek them out without even knowing their identity, Landesman said.

Other experts said users should always sign out of an account not being used and take time to confirm whether a link was sent from a friend or colleague.

SearchSecurity radio:

"It's a completely avoidable breach of security -- never, ever enter your login credentials from a website accessed via a link received in email, IM or twitter," Landesman said. "While it must be embarrassing for the celebrities who were impacted, it should concern all citizens when the future president of the United States is among the victims."

At one point the Twitter phishing scheme redirected victims to a bogus Facebook login page, according to researchers at TrendLabs. Other social networks, including Facebook and LinkedIn have also been vulnerable to phishing attacks and social engineering schemes in recent months. TrendLabs recently reported finding a number of bogus LinkedIn profiles used to direct users to malicious websites.

"Malicious links contained in these bogus profiles lead browsers through a series of redirections, but ultimately to malware," said TrendLabs' Ivan Macalintal, an advanced threats researcher who discovered the accounts.

Tags: Malware, Viruses, Trojans and Spyware,  Identity Theft and Data Security Breaches,  Email and Messaging Threats (spam, phishing, instant messaging),  Security Awareness Training and Internal Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Malware, Viruses, Trojans and Spyware Malware in Google attacks uses spaghetti code Preparing for future security threats, evolving malware Facebook attacks prompt investments in social networking security Another PDF attack targets Adobe zero-day vulnerability Security report finds rise in banking Trojans, adware, fewer viruses How to prevent rogue antivirus programs in the enterprise How to stop keylogging malware with more than basic antivirus software, firewalls Conficker-infected machines now number 7 million, Shadowserver finds FBI estimates rogue antivirus losses exceeding $150 million Security researchers continue hunt for Conficker authors Identity Theft and Data Security Breaches MA 201 CMR 17 enforcement less likely with prompt reporting, cooperation No major PCI DSS revision expected in 2010 Data breach costs continue to rise in 2009, Ponemon study finds Chinese hacker attacks target Google Gmail accounts, top tech firms Facebook, McAfee partner to fix social network security issues Hacker pleads guilty to orchestrating Heartland credit card heist MasterCard reverses PCI compliance requirement Verizon report goes deep inside data breach investigations Health Net healthcare data breach affects1.5 million Massive T-Mobile UK security breach involves insiders Email and Messaging Threats (spam, phishing, instant messaging) Chinese hacker attacks target Google Gmail accounts, top tech firms PDF attack code complicates security analysis, skirts detection Panda warns of American Express phishing scam Active PDF attacks target Reader, Acrobat zero-day vulnerability Yahoo login credentials at risk to hijacking attack The world's top 5 riskiest domains How to secure a .pdf file Top spammer gets four years in jail for stock fraud scheme New Zeus spam poses as Social Security statements Messaging security risks have upper hand on solutions Email and Messaging Threats (spam, phishing, instant messaging) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RAT (remote access Trojan)  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary