The dangers and joys of social networking
I've never been a big fan of social networking sites.
I'm not on Facebook. Or Myspace. Or LinkedIn. Or Bebo. Or Orkut. Of course, I have to follow what's happening on these services as they are very popular. And I have set up placeholder accounts on them to prevent someone from posing as me. But I don't really use them. And when I monitor these sites, what I can see is that they are more and more targeted by online criminals.
The hundreds of millions of users on social networking sites have made them major targets for cybercriminals, who take advantage of the trust people have in their communities of friends. But when people see phishing attacks targeting Facebook, they often get confused. When phishing sites are targeting online banks or credit card companies, it is easy to understand that the motive of the attacker is money. So why would anybody try to steal Facebook accounts? For exactly the same reason: to make money.
Facebook is a phishing target because there is implicit trust between Facebook friends. If your brother sends you a Facebook message or status update saying "Hi, check this out" with a link, are you going to click on the link? Most likely you would. And this is why Facebook accounts are stolen. They are stolen to send such messages and to get people to click on links that take them to malicious websites, where drive-by exploits infect their computers. It is these exploits, such as keylogger attacks to get their credit card numbers, which make the money for the criminals.
Implicit trust was the reason why email worms used to be such a big problem many years ago. Your friend would get infected by an email worm, which would then send infected emails to all the addresses found in the address book, posing as your friend. We got rid of email worms but now we have these social network attacks to worry about.
Although most of my professional interest in social networking sites was around investigating frauds like these, I decided to take a look at Twitter. I gave myself a trial period of a couple of months to decide if Twitter is useful or not. And if I didn't find it useful, I would quit using it. During the trial months I learned that Twitter is actually quite useful as a professional tool.
Many people don't really understand what Twitter is all about. They think it's a system where people can tell others about their daily chores ("just had corn flakes for breakfast!"). This is not what Twitter is for.
Twitter is at its best when experts in their own field share notes, links and pointers to important developments they see. In the field of data security, that could be a note about a new vulnerability, a major outbreak, a phishing run or something else. Today, the place where you would hear about it first would be Twitter; not the news or the blogs.
I plan on continuing to use Twitter. The neat thing about Twitter is that you don't even need to sign up. It's all public. You can just browse anyone's Tweets or make a global search on twitter.com.
Before Twitter, when something major was happening, the first warnings and initial discussion about it would be in private -- via e-mail, private mailing lists and text messages. Now much of that would happen on Twitter -- in public. And you don't even need to have a Twitter account to follow it.
As an example, let's say that a major website gets hacked. Just by searching for the site's name on Twitter, you could see the very first warnings, read what the buzz is and get the first expert opinions.
This applies to real-world events as well. Before Twitter, if there was a major event like an earthquake, most of the people on location would communicate about it via text messages. You can't see other people's text messages, so you would be out of the loop. But today, many of those same people would communicate via Twitter, with public Tweets that you can see and search.
Twitter continues to grow. And for us working in security, it's great to see that Twitter is full of interesting figures from our own field.
Try it. I've liked it.