Last year, when I first started poking around in social media from my security high horse, people asked me what it was like to live in two totally different worlds. Keep in mind I'm no technology thought leader, hacker or researcher -- but I've been working in security for the better part of 10 years and I respect all aspects, from all the different shades of security hats.
My background aside, there is a crossover between the two disciplines and it's not new. While this weekend's Twitter phishing scam is giving people an "epiphany" about the dangers of the Web it was a long time coming, right? Internet threats are not new. Were social media lovers really so naive as to think that Twitter would stay unscathed for long?
In reality, there is nothing spectacular about this recent phishing attempt (one of the malware sites was used in a Facebook scam last summer). It's only a different method of the same madness. Security pros know this. However, it appears that the social media space only woke up this weekend. (Note: The actual Twitter hack, described at the bottom of this post, is a slightly different story.)
Believe it or not, that's not a bad thing. At least it woke up. Watching "the sky is falling" antics from the last few days has been both fulfilling and amusing. Social media bloggers giving their readers security tips is an action that is long overdue -- though I still think most users would be wiser to heed the advice of security experts first.
If you think about it, hackers aren't Web 2.0's biggest security threat. What is? User naivete. That's the one thing that this Twitter scam -- and other social network scams -- have proven.
My Twitter friend Omkhar Arasaratnam said it best when he asked me, "Are Twitter users in 2009 the AOL users of 1999?" In other words, just because we may be "early adopters" of a technology that may soon be ridiculously widespread, we shouldn't assume that everyone knows what they are doing and how to avoid getting stung.
"Like any bustling new community Twitter is full of many users, of varying experience and technical savvy. When the phishing scam hit, it quickly exposed some of the less security savvy users as new invites propagated via DM," Arasaratnam said. "However, Twitter's community allowed information concerning the phishing to quickly spread, and the active user base was quickly educated to the specifics of the attack."
He's right. The user awareness circuit boards lit up like wildfire, with more savvy users helping novice users navigate through the situation safely. While there are some users who still believe that people who aren't yet aware of phishing scams "deserve" to get hit, folks deep in the security trenches understand that we experts represent a small microcosm of the overall Web user base.
"Our security community is small, even with all of the media coverage we get; compared to the amount of computer users, we are but a twinkle," said Rob Fuller, security researcher and security twit. "These realizations have been things security professionals have pushed for years. It took social media to make it 'popular'."
In the end, this helps the security community and the users at large.
For some good education about the phishing scam, password storage and Web 2.0 understanding of security threats, check out the following blog posts:
On another note, the hacking of the 33 accounts that occurred this morning was confirmed by Twitter to be separate from the phishing incident. According to the company's official blog:
These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can't remember or get stuck. We considered this a very serious breach of security and immediately took the support tools offline. We'll put them back only when they're safe and secure.
Tweet carefully, people.
Photo Credit: Andy Pryke