Follow our social network on Twitter and Facebook
Good day to you,
Please join us on Facebook and Twitter if you’re a member of those networks.
Twitter – ITSec_SocialNet
Thank you and have a great day,
~Brett A. Scudder~
By Gary McGraw
Date: May 15, 2009
http://www.informit.com/articles/article.aspx?p=1350268
Article is provided courtesy of Addison-Wesley Professional.
Content issues aside, Twitter has some potentially serious security issues. Gary McGraw, author of Software Security: Building Security In, details these vulnerabilities.
Just for the record, I don’t use Twitter. But if this column were a Twitter entry, it might read something like:

My biggest issue with Twitter turns out not to be a security issue, but rather a content issue. If you thought that blogging led to information chaos, half-baked ideas, and incoherent logic, Twitter ups the ante by making the constituent thoughts as small as possible. Perhaps I’m a Luddite, but I think editors play an important role in the world separating the wheat from the chaff. I’ll miss my paper copy of the Washington Post once the newspaper business finally dies. Replacing the daily newspaper with Twitter detritus seems like a lousy tradeoff.
But this is a security column, so let’s spend a few minutes pondering the security ramifications of Twitter. I can think of a few right off the top of my head: it’s easy to spoof someone on Twitter, it’s a perfect vector for malicious code and phishing, Twitter allows dingbats to cash in their last remaining privacy chit, and it has a coolness factor that often overrides common sense.
On the Internet, nobody knows you’re a dog. In fact, nobody knows who you are at all. This can be a problem.
Fake websites abound on the Web. A humorous collection of them can be found here. Spoofing an organization is as easy as buying a URL. But it gets worse. The rather largish issue of spoofing the entire Web, first described in detail in 1997 by the Princeton Team, remains a serious problem! Really.
Twitter carries on in the long tradition of Internet spoofing by allowing someone to masquerade as just about anyone they want. In fact, even lowly security guys like me apparently merit spoofers. I have no idea who FakeGaryMcGraw is, but it’s not me. The question is whether or not I should care. (Some people apparently do.) It’s really not that clever or interesting making fun of someone anonymously. Twit.
EDITOR’S NOTE
For more on how Twitter spoofing affected then President-elect Obama early in 2009, see John Traenkenschuh’s article Passwords: So Important, Yet So Misused.
Putting spoofing risks to shame, Twitter makes an excellent vector for malicious code and for phishing. By embedding a URL in a Tweet (less than 140 characters please, so tinyurl may be in order), nefarious persons can cause you to surf to a website with malicious code. Or maybe they can just get you to hand over your credentials.
Lest this sound far-fetched, one of the first worms to target Twitter (called Koobface, and now on its second wave) used a classic phishing attack. The Tweet in question says jannawalitax.blogspot.com “has a funny video about you” or “a funny post about you,” which in theory sends you back to the log-in page of Twitter. But instead of the real login page, a fake page is displayed, where many Twitter users happily authenticated themselves with their real credentials (thus handing them directly over to cybercriminals). A second version appears to come from your Twitter colleagues, making it even more likely to be clicked on.
Twitter is no more dangerous than any other phishing vector, of course. But it is no less dangerous either.
Finally, there is privacy. Congressman Pete Hoekstra learned the hard way that Twitter peels away yet another layer of the privacy onion. By Twittering the arrival of his Congressional delegation in Baghdad, the Michigan Republican garnered plenty of intense criticism. Did his Tweet compromise the security of the supposedly secret mission (the trip was classified and his location was not to be known)? If not, it’s probably only a matter of time before Twitter is mistakenly used to that effect.
This is not an issue exclusive to Republicans. Obama’s new CIO Vivek Kundra is a big fan of Twitter and has encouraged his staff to make use of the service. Hopefully they will take into account the public nature of Tweets.
The problem in this case is that nobody seems to realize that Twitter is a public forum. Generation Y is busy confronting this big privacy issue head on. Their Facebook, MySpace, and Twitter-laden pasts sometimes don’t help much as they trawl for work during a recession. What you say in public on the Internet is, well, public. Furthermore, what you say and the pictures you post may come back to haunt you when you’re not busy doing tequila shots. Hangover anyone?
Personally, I think Twitter should be rebranded “Touretter,” transforming Tweets into “Twitches.” Then again that’s probably a disservice to poor people who are victims of Tourette’s Syndrome. There may be more actual content in tics.
A wise person once opined about writing a shorter note if only there were more time. If we equate additional thought with better quality, then the average tweet has to be the electronic equivalent of exclaiming “Hey, look what I can do!” just prior to applying for a Darwin Award.
What the world needs is a large number of unemployed newspaper editors to sort through the Tweets and let us all know what stories to pay attention to. I hear there’s going to be a big supply.
© 2009 Pearson Education, Inc. Informit. All rights reserved.
Wed Apr 29, 2009 10:52am EDT | http://www.reuters.com/article/technologyNews/idUSTRE53S1A720090429
SYDNEY (Reuters) – Today’s Twitters are often tomorrow’s quitters, according to data that questions the long-term success of the latest social networking sensation used by celebrities from Oprah Winfrey to Britney Spears.
Data from Nielsen Online, which measures Internet traffic, found that more than 60 percent of Twitter users stopped using the free social networking site a month after joining.
“Twitter’s audience retention rate, or the percentage of a given month’s users who come back the following month, is currently about 40 percent,” David Martin, Nielsen Online’s vice president of primary research, said in a statement.
“For most of the past 12 months, pre-Oprah, Twitter has languished below 30 percent retention.”
San Francisco-based Twitter was created three years ago as an Internet-based service that could allow people to follow the 140-character messages or “tweets” of friends and celebrities which could be sent to computer screens or mobile devices.
But it has enjoyed a recent explosion in popularity on the back of celebrities such as actor Ashton Kutcher and U.S. talk show host Oprah Winfrey singing its praises and sending out “tweets” which can alert readers to breaking news or the sender’s sometimes mundane activities.
President Barack Obama used Twitter during last year’s campaign and other prominent celebrities on Twitter include basketballer Shaquille O’Neal and singers Britney Spears and Miley Cyrus.
Twitter, as a private company, does not disclose the number of its users but according to Nielsen Online, Twitter’s website had more than 7 million unique visitors in February this year compared to 475,000 in February a year ago.
But Martin said a retention rate of 40 percent will limit a site’s growth to a 10 percent reach figure over the longer term.
“There simply aren’t enough new users to make up for defecting ones after a certain point,” he said in a statement.
Martin said Facebook and MySpace, the more established social network sites, enjoyed retention rates that were twice as high and those rates only rose when they went through their explosive growth phases.
Both currently have retention rates of about 70 percent with Facebook having about 200 million users.
“Twitter has enjoyed a nice ride over the last few months, but it will not be able to sustain its meteoric rise without establishing a higher level of user loyalty,” said Martin.
(Writing by Belinda Goldsmith, Editing by Miral Fahmy)
© Thomson Reuters 2009 All rights reserved
Twitter was struck by a particularly nasty cross-site scripting worm over the weekend, again bringing to light the threat of client-side attacks across social networking sites.
Four variants of the worm hit Twitter, bringing back memories of the infamous — and groundbreaking — Samy worm that snaked through MySpace several years ago.
The Twitter worm spread links to a supposed Twitter copycat site called StalkDaily[dot]com by exploiting a cross-site scripting (XSS) vulnerability and infecting an unknown number of Twitter profiles. Each wave of the worm attacks was more intense than its predecessor, according to a post on the official Twitter blog.
“We secured the accounts that had been compromised and removed any content that might help spread the worm,” Twitter co-founder Biz Stone wrote on the blog. “All told, we identified and deleted almost 10,000 ‘tweets’ [messages] that could have continued to spread the worm.”
The worm’s activity seems to have been contained, but there is little guarantee that no threats remain, experts said.
“This may be an open-ended problem,” Andy Hayter, Anti-Malcode program manager at security solutions tester ICSA Labs, told SCMagazineUS.com on Monday. “I don’t think we’ve seen the end of it.”
But overall, the damage so far has been minimal, Stone said in his blog post. No personal information was compromised.
“All the attacks are JavaScript-based, so turn off JavaScript in your browser if you are worried,” Hayter said.
Richard Wang, manager of Sophos Labs U.S., recommended Twitter users avoid clicking on untrusted links. He also told SCMagazineUS.com that Twitter can modify its platform so it cannot support malicious code such as this.
Stone wrote: “We are still reviewing all the details, cleaning up, and we remain on alert.”
According to published reports, a 17-year-old Brooklyn, N.Y. boy has taken responsibility for the attack. Michael “Mikeyy” Mooney said he devised the malware out of boredom and to prove how vulnerable Twitter is.
Stone likened the attack to one perpetrated by Samy Kamkar, who, in 2005 when he was 19, unleashed a similar self-replicating, XSS worm across MySpace that was believed to be the first of its kind. The worm was benign but enabled Kamkar to attain more than one million “friends” in 24 hours. He later was sentenced to three years probation and ordered to serve 90 days of community service.
Good day to you,
I would like to take this opportunity to share some very critical information with the self employed and home based business owners about the state of The IT Security Threats Landscape ~TITSTL~ and how it affects you. This is a discussion I have every day as more and more people in these categories are finding out that the real effects and impacts of these threats are not excluding them and that they fall very much into the mix of it. As the economy tightens its grip on our lives, those who are being laid off are turning to home based and self employed business, thus sparking an increased growth in this area of business. The SMB space has grown tremendously since this recession and to that end has become a serious security issue for us security professionals as we look across the IT Security Threats Landscape horizon.
Therefore, the reality of the issue must be faced, thus bringing the question of what I am to do about it.
I have published numerous articles on these threats, preventative measures and how to deal with the security issues of today and tomorrow on my blogs but I am going to do this as a summary of those here.
First let me say this, if it requires a security patch (let’s just keep it at security for now), it is vulnerable.
What does this mean?
Simple: any operating system, Microsoft, Mac, Linux, Solaris, you name it, that requires a security patch for any reason is vulnerable. The patch is to prevent exploitation of the vulnerability, right? So it is a security risk.
I had to get that out of the way so that we wouldn’t get into the ridiculous argument of which is more secure than the other. The way I see it is simply that, if a door is left open for anyone to come through it, the length of time it is left open versus the threat that comes through it is just as critical. So, any open door is a threat no matter where. What comes through it may differentiate the severity. They all have their insecurities at some point, but how the vendor/developer addresses it lessens the impact and wide scale visibility of the issue. While some may announce these vulnerabilities and findings, others may patch/update them behind the scenes, thus limiting the visibility and knowledge of the user.
Second, anti-virus alone is NOT going to protect you from the threats of today. It takes a multi-layered approach and as such, the various layers of protection must be enforced. So telling yourself that you have anti-virus protection on your PC is being as naïve as saying the threats don’t affect me and I’m not worried about them. While it is true that most anti-virus vendors are bundling multiple threat protection/prevention layers into their solutions, the proper configuration becomes the caveat to that solution. While many deploy with an out of the box config, there will be tweaks needed to customize it to your environment and needs. So one must understand what is being deployed and if it will provide the layers of protection needed.
So why is IT Security so serious for me as a self employed or home based business?
Well, ask yourself these questions,
What is it that you do and how do you do it?
Do you use email?
Do you send emails to customers/clients/partners/associates/potential clients?
Do you leverage the powers of social networking/media (Twitter, LinkedIn, MySpace, Facebook, Ning and the list goes on) today?
Do you use IM for personal and/or business use?
Do you browse the internet for data/information on whatever you’re working on or researching?
Do you do online banking or shopping?
Do you download multimedia contents from the web (music, movies, flash videos, etc)?
Do you download online presentations (PDF, PowerPoint)?
Did you know that PDF files presented one of the biggest security risks over the past 2 years but remain the most widely distributed online document format?
Do you have a printer or some media player connected to your system(s) at home or in the office?
Do you have any applications running on that system aside from the operating system?
Do you know of the Breach Notification Law in your state and what it means for you?
When was the last time you downloaded a keygen or crack file to open full access to that app or game you really wanted but didn’t want to buy/pay for?
Maybe you didn’t crack/keygen it but someone did and opened a backdoor which planted a rootkit or some nefarious threats on your system(s). What happens when you use that for business purposes? What are you spreading to those you collaborate with?
Well by now I’m sure you’ve caught my drift and I don’t have to get technical for you to see how you’re affected. All these questions pose security risks in various ways and are able to be stopped, prevented and protected against if the proper education, awareness and measures are put in place. Don’t ask if you’re affected or if you should be taking these things seriously; you must. You are as much a risk to me as I am to you if the proper steps are not implemented to secure your system and the data/information you have sitting on it about me, you and those you collaborate with.
That system is being used for personal and business use and at some point the access to/from or by a threat is heightened because of the lack of separation of the two. A system that is used by everyone in the home should not be the same one used for doing your business. When someone in the home decides to crack that app and opens that backdoor, you’ll never know what can come through it and what your risk factor will be. Separate the two: business is business and personal is personal. The cost of a system today is much more affordable than a few years ago, so it shouldn’t be a problem to get an extra one.
You are not a small business because you have 5 people working for you. You are not a small business because you only have 5 computers in your office or where you decide to conduct your business. To me as a security professional you are not a small business (home based or in an office) when you have records/information and access to 5000 people. A doctor who has an office with 5 employees and 8 systems managing 4000 patients’ info is not a small business in my eyes. If you’re a consultant running your own business and you manage systems or information for your clients, you’re now their biggest risk because it’s your responsibility to control that. Every PC must be secured whether it is connected online or not, as you never know if/when it will cross the line. This is how I see security.
When you decide to start doing business today you must consider the role you play with those with whom you will be doing business and the kinds of interaction you will have with them. When sending an email from an infected system (whether you sent it or the resident worm did), it is still coming from you, and the possible effect on the recipient(s) can be adverse, which may lead to legal issues.
While using social networks can enhance your presence and what you do significantly, it is also an area of heightened risk both personally and professionally. Know the need and use it accordingly. Social networks are the future of collaboration, but one must decide why the need exists and create the separation. If it’s for personal use, one should always remember the impact on themselves as they are now putting themselves out there to the world. If for business, one should decide on how they want to be seen and what they would like the world to know about them and what they do. Social networking is a great thing to have and use; it’s the management and control of that presence that matters. The threats people face on social networks are the same they would face outside of them, just through a different medium. Educate yourself on these things and you will be ok.
As for the Breach Notification Law, most people didn’t even know of such laws about digital contents and its security. I strongly suggest you take a look at the law of your state and understand the legal and financial issues it presents for you. Learn it, know it, and understand it. If in doubt, reach out.
The active Conficker worm should be enough of an eye opener for you, and if you don’t know what it is then you may have bigger problems than I thought. Security is not just about you, it’s about your way of life today both on and offline. I am not here to scare you, but it is better to know before than after, as the damage control, legal and financial issues after the fact are much worse and a very daunting issue.
As for the online scams, phishing and SPAM, it is only going to get worse, and until you educate and make yourself more aware of them, you may fall victim to them as they are craftier than ever.
Ok so I have chatted enough and now you’re saying this is too much, so I will leave a few articles of reference. Feel free to contact me if you’d like to discuss further and in more detail.
The Conficker Worm – my review
A grim day for browser security at hacker contest
State Security Breach Notification Laws as of December 16, 2008 and the Conficker worm
IT Security Education and Awareness 04-09 #1 – IT Security is a people problem, not an industry one
Thank you and have a great day,
~Brett A. Scudder~
The IT Security Attaché
Good day to you,
Over the past year I have been looking for a service that would allow us to create a centralized alerting system for critical security related news, alerts, notices and inter-network happenings (meetings, events, workshops). I have been studying the Twitter network and its growth, usability and service capabilities and I must say that I am very impressed by its sheer simplicity but extensive use and features. As the fastest growing social network today, Twitter allows the ease of signing up, connecting to other Twitter members, activating the SMS device notifications and the use of short text based updates.
This presents a number of possibilities that we can use to build a global alerting system that will aggregate all the various places where threat notification and alerts are being disseminated and channel them into our own system through Twitter. As a network of professionals, business executives and people of influence with high responsibility for critical infrastructures, we need a system that will allow the instant option of opting in and out of alerts and activating the mobile alerting system. It also needs to allow two way communications between the system and those who subscribe to it so in the event of something critical happening, we can have up-to-the-minute updates coming on from anyone anywhere.
For these reasons we have decided to use the Twitter network as our alerting and notification system for IT Security related outbreaks, threats and notices. It will also serve as a notification system for our events, meetings and happenings. Two separate accounts have been created to manage these alerts/notices.
Effective April 1st 2009, TITSSN’s ITSecureAlerts and TITSSNHappening have been activated as a part of the TITSSN v.2010 network upgrade.
Over the past few days we have experienced a heightened sense of alert and awareness from the Conficker worm and its pending effects on the target date of April 1st. There was such a need for pertinent development info and updates as the target day drew nearer, and even on the day itself people were reaching out for any kind of heads up they could get; requests were coming in from all over. Now we’re able to capture these and have them sent out in a prudent, managed fashion. All future alerts and updates on such issues will be handled by the IT Security Alerts (ITSecureAlerts) notification system, which will monitor the development and progress of these kinds of threats and post pertinent info for its followers.
TITSSNHappening will broadcast our event updates and happenings and will always maintain the current info for whatever is coming next from the network.
Please follow accordingly and help to spread the word to anyone who wants to be kept in the know in the event of such critical IT Security issues. We may not always have the luxury of time on our hands but we can have the luxury of a working system of alerts and collaboration in times of need.
Thank you very much and have a great day. We apprecilove your business and support and look forward to serving you more.
~Brett A. Scudder~
The IT Security Attaché | http://theitsecurityattache.com | Blogs http://theitsecurityattache.com/blogs
President/CEO/Chairman/Founder/Security Architect
~TITSSN ~The IT Security Suite Network~ | http://titssn.net | TITSSN’s Blogs http://titssn.net/blogs
Brett.Scudder@titssn.net (877) 539-8614 / (718) 928-6516
We are Security – your Security – our Security – IT Security. Our Security is Safe and Secure.
A Managed Security Services/Value Added Resellers Provider (MSS/VAR-P)
My LinkedIn profile – http://www.linkedin.com/in/titssn | TITSSN’s IT Security Forum Board http://titssn.net/forum
Follow me on Twitter http://twitter.com/TITSSN | Facebook http://www.facebook.com/people/Brett-A-Scudder/1161704997
So I checked out the Twittervision and trust me, it’s intelligent thinking on the part of the developer. This is like a Twitternomics and getting more scary by the day. Soon we’ll have a Twitterdemic on our hands. Now that’s scary.
I thought saw a what……
Check it out. Sufferin’ succotash lol
I wonder if Tweety and Sylvester have a Twitter account, hmm.
This is Twitterriffic.
Good day to you,
This week will be a crazy one for me and I am trying to stay on top of the things I have to do. So for the next day or two I will cut the phone lines and will only be accessible via email, IM and text messaging. I have to work on TITSSN v.2010, my new ENGAGED initiative, the MESS, The Security City, The Community Coalition and the new Ready Rockaway Disaster/Emergency Preparedness infrastructures and that’s a handful. So, if I appear a bit “unreachable” it is for these reasons.
I’m having a challenge with the development of the SecuriCity and I am now looking for a graphics designer who is good with Flash and the works. I need the city to be lit at night and my design skills don’t extend that far. Anyway, it’s still an awesome design and I’m trying to make my April 1st launch.
I missed my system refresh cycle this month and so I’ll have to push that back to next month as there’s so much to do before the new month comes. I have to find a new pass phrase and change all online accounts and info before April 1st.
All these things will be centralized on my attaché website and I’ll have to update that as well.
Sounds like a lot doesn’t it?
It really isn’t once you get the hang of it.
So, please feel free to reach out to me if needed via the mediums I mentioned, as I will be crawling into my lil box and working within it for the next day or so. Lots of fun, goodies and resources coming, so it’s all good and I’m very excited.
I’ll be tweeting all the way so you know the deal.
Have a great day,
The IT Security Attaché
Hi all,
I just wanted to share my Twitter account info for those who are on the network and would like to follow. Here it is.
Thank you and have a great day,
~Brett A. Scudder~
The IT Security Attaché