If it's a story about me, then I'll say so up front.

This is a blog about Truth, Justice and the American Way. The stories are true. No names have been changed to protect anyone's identity, including my own. If the story is about me, then I'll say so right up front. If I don't use a name to identify whom the story is about, then it's because it's not relevant. So please do not call me or e-mail me with your kind condolences or unwarranted congratulations about something that you believe is a cleverly disguised bio from my alter ego. These stories, like my photo, are unretouched.

Monday, November 30, 2009

Twitter “Croaks.” Gone Phishing!

Last week, I had to apologize to Miss Universe. Twice. I hate it when that happens.

You see, she had taken exception to a couple of DM tweets that I had sent her, inviting her to check out an LOL video that “made my day,” and daring her to beat my IQ score. Frankly, I feel pretty confident that I could have held my own on the IQ score. The trouble was, I didn’t send either tweet. Nor did I taunt her with, “Did you know you were in this video?” Or offer to hook her up with Viagra at dirt cheap prices. At least, not on purpose.

Somebody hacked my Twitter account. What a mess! Multiple DMs (Direct Messages) had been sent to virtually every one of the hundreds of people who are “following” me. Bummer. Actually, Miss Universe was pretty nice about it. Others, not so much. I got some fairly nasty “croaks” from people I’d never even heard of. I just this minute invented the term “croak” because the whole word “tweet” has a kind of a nice, fun, upbeat sound to it. And there was nothing nice about some people’s reactions.

I felt real bad about it. At first I was just plain confused; then it became clear what had happened. I was the victim of phishing and I felt violated. Using my account, some hacker dropped a virus in my cookies (goodness, that sounds downright unsanitary) and sent out messages to everyone in my database.

Here’s the deal: social networking sites are tripping all over themselves to embed powerful features that most subscribers will never use, such as digital image or media files with the ability to download content from third-party Web sites. These features are not the kind of worms or viruses that shut your computer down. They just send out messages using your own friend list, or something similar. 99% of them are harmless advertising spam that result from wandering around in YoVille on your Facebook. (Hey, you gave them permission when you adopted your first cow.) But a moderately-proficient hacker can use the features to phish your network with files that, when opened, transfer the virus through that person’s network, and so on, and so on…

Mostly, the public doesn’t hear about nobodies, like me, who get phished. We just change our password, run a virus protection scan, clean out cookies in the browser, and a write a lot of apologies to people like Miss Universe. But I did some research and discovered that having your Twitter account hacked is not nearly as rare as you might have hoped. (Actually, Twitter tries never to use the word “hacked,” preferring instead to speak of having your account “compromised.” Sounds nicer, I guess.)

My research turned up 10 large-scale “compromisings” so far in 2009, covering thousands of accounts. Some of these include high-profile folks such as President-Elect Barack Obama (in January, before the swearing-in), Britney Spears (3 times in 2009), and the official feed for Fox News. Yikes. My personal favorite took place in mid-July, when a hacker broke into the online accounts of various Twitter staffers, including Twitter CEO Evan Williams’ email account. How embarrassing! The attack exposed all sorts of internal documents which were distributed widely and gleefully reprinted by the French website Korben.

As unique as I like to think of myself, my own experience targeted about 750 people, including New York Jets Wide Receiver David Clowney. I only hope that I’m not going to have to apologize to him as well.

Did I bring this upon myself? Well, maybe partly. It turns out that I’m not the only one who can’t retain anything but water these days. The systems are designed as they are because huge numbers of us with college degrees and reasonable IQs are unable to remember a single four-digit PIN number without “hints,” let alone a unique password for every application for which we ever sign up. The result is that 41% of internet users unwisely use the same username and password for numerous internet services, including online banking accounts. Couple this with apps like Ping.fm, which automatically triggers your message to your profile on FaceBook, hiF, MySpace, Plaxo Pulse, Plurk, Pownce, Tumblr, Twitter and Xanga simultaneously, hooking them together like an ecosystem – when one account is “compromised,” the others are likely to tumble like dominoes.

Would I do something as stupid as this? Well…. not any more. Additionally, giving the user an option to guess the name of a pet in lieu of actually knowing a password has just dramatically shortened the odds for an attacker. Does the fact that I had three dogs as a kid, each one named Skippy, show continuing sentimentality on my part or an incredible lack of childhood imagination? You choose. Would I actually stoop to using “Skippy” as my password, let alone my “hint?” Well…..not any more.

There are some things that we simply can’t control. The kinds of DDoS attacks that occurred on August 6th managed to slow both Twitter and Facebook to a standstill by using a network of computers (dubbed zombies) to flood the server with requests for data until the server overloads and comes crashing down. No amount of firewalls on our end can protect us from this, but I so loved the security experts’ analogy of likening a DDoS attack to 15 fat men trying to get through a revolving door at the same time, that I just couldn’t resist working it into this post. Sorry.

I discovered two other interesting miscellaneous pieces of information in my research: The first is that there are Hacker Conventions. Lots of them. All over the globe. The world’s largest annual hacker convention is called DEF CON and it’s held in Las Vegas. Of course it is!! Federal law enforcement agents from the FBI, DoD and other agencies regularly infiltrate DEF CON but they just can’t keep pace with a couple of 18-year-olds with too much time on their hands.

The final remarkable thing is that this past April, University of Wisconsin doctoral student Adam Wilson, by wearing a cap outfitted with electrodes that monitored changes in his brain activity, managed to tweet 23 characters just by thinking. Yup, by focusing on the letters, he spelled out “USING EEG TO SEND TWEET,” among other messages.

You know what this means, don’t you? It will only be a matter of time before some dweeb in a party hat will be able to stand across the room from me at a cocktail party and tweet spam into my head; words that will, no doubt, come rolling uncontrollably out my mouth like a gumball dispenser.

With my luck, I’ll be chatting with Miss Universe at the time. I could just croak!

8 comments:

  1. How do you manage to fit such good information into such a funny article?!

    ReplyDelete
  2. Kay Lorraine (the Biz Bitch)December 2, 2009 at 4:57 PM

    Clearly too much time on my hands. And, thanks, whomever you are!

    ReplyDelete
  3. I LOVE the idea that "croaks" are the opposite of "tweets." Maybe Evan Williams will make the definition official!

    ReplyDelete
  4. Kay,
    Read this with relish, mustard and ketchup.

    Thank you for researching this and posting it. The very first application fun thingy someone sent me on Facebook made my computer go crazy. Now I only use it for socializing, posting on walls, sharing photos. I explain to my dear family members and friends who send me that junk why and I only do it once. Then I just don't feel guilty at all clicking ignore to the superfluous.

    I have experienced "down servers" and have wondered at the cause -- the revolving door scenario. Love it.

    Managing passwords became a critical issue for me when I became an avid blogger. I use a purchased software called Splash ID. You have one master password for it and the rest can be unique as you like.

    I must say, after reading your post, I am a little concerned that I linked Twitter to FB account. I use FB for professional and personal connecting. It is one thing if my account is compromised, quite another if the nonprofit fan page is compromised. I do not have a separate log on for the fan page that I created.

    ReplyDelete
  5. Kay Lorraine (the Biz Bitch)December 3, 2009 at 1:55 PM

    I wouldn't do it but, hey, that's just me! I've been burned, baby, burned....

    ReplyDelete
  6. Sorry you had to go through this. happens to everyone eventually. its fubar.

    ReplyDelete
  7. Kay...I had no idea that you had the ability to write with such spunk and attention to detail. You combined the FACTS with a satirical view point, which is a necessity in our convoluted society...

    Great work!

    ReplyDelete
  8. I just discovered this blog. Hilarious and really well written. Why are you not writing for a living? (And why won't this comment section accept my URL?)

    Aaron Palamaros
    Philadelphia, PA

    ReplyDelete