Twitter Phishing: Protecting Yourself


A funny thing happened on the way to the forum. Or at least, a funny thing happened over the weekend with regard to Twitter, spam and phishing (from Chris Pirillo). I really had no plans to outline my thoughts on the scam, because it is already being covered ad nauseam. However, I feel like I have to anyway.

The scam operates like any typical Windows worm and begins with a DM from a victimized Twitter follower. That direct message contains a link to a malicious (and unnamed) domain that screams “password stealing”. Nevertheless, gullible Twitter users click the link and land on a page that looks an awful lot like the Twitter.com login screen (okay, it looks identical). The user enters login information thinking they are logging into Twitter and, in the blink of an eye, a malicious site has their Twitter account credentials.

This is a very important concept to get: the user inadvertently gives Twitter account login information to a malicious site. I will rail more on this concept in a bit. Keep it in mind.

The malicious site then proceeds to send DMs with the infectious link on behalf of the user. I have gotten seven of these in the past 24 hours.

Folks, Twitter is like email. You can be infected by the innocence of friends. Please be careful. You really don’t want a malicious site having access to confidential business ideas, the common and unchanging password that you use everywhere, or intoxicatingly passionate messages to your lover. Be wary of this scam and tread lightly. If you get a message like this, contact the sender and advise them to change their password immediately. Unlike email worms, you cannot be affected by merely looking at the DM – only by clicking the link.

There are several problems here, as there are with most internet security problems. One is the technical problem (a site can log in and perform actions on your behalf). The other is a psychological problem (Twitter users giving away their username and password to untested, unvetted and untrusted third parties).

Twitter promises that they are working on a solution to the technical problem and that it will look like some form of OAuth, an authentication protocol similar to OpenID for application-to-application authentication. OAuth, when instituted, promises to provide a passwordless trust and authentication framework that should solve the problem that currently requires third-party Twitter apps to request a user’s login information. However, for all their promises and the growing urgency among developers, Twitter does not seem to be in a hurry to provide this protocol.

Additionally, computer users have been relentlessly brainwashed by anti-virus companies, corporate computing policies and other persistent reminders to adhere to basic security practices. Don’t open attachments from unknown users. Run anti-virus. Use hard-to-guess passwords and change them often. And so on. And so forth. Folks, these concepts are basic life-guiding principles and apply on the web too. Don’t give away your username and password to anyone. Ever. Unless they are vetted and trusted by you and you understand what the ramifications are.

In the absence of an OAuth-style technical release from Twitter, and given the lack of consistent user discipline, it is my recommendation that Twitter users no longer provide third-party apps with their login information, regardless of how compelling the app is. It is not safe, and it is an unwise security practice that flies in the face of everything you have been learning for years when it comes to your own personal computing practices. Twitter apps are defined as anything Twitter related that is not directly on the twitter.com domain.
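To make concrete what an OAuth-style flow changes for the third-party app problem described above, here is an added example (not code from the original post, and not Twitter's own implementation) of one form of OAuth, the OAuth 1.0 HMAC-SHA1 signing method of RFC 5849: the app proves it holds a user-issued access token by signing each request, and the user's password never leaves the service. The API URL, consumer key, secrets and tokens are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value) -> str:
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def base_string(method: str, url: str, params: dict) -> str:
    """Signature base string: METHOD & base URL & normalized parameters."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Query-string parameters are signed together with oauth_* and body params
    merged = dict(parse_qsl(parts.query, keep_blank_values=True))
    merged.update(params)
    pairs = sorted((pct(k), pct(v)) for k, v in merged.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret="") -> str:
    """HMAC-SHA1 over the base string, keyed by both secrets (never the password)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def client_sign(method, url, params, consumer_key, consumer_secret,
                token, token_secret, nonce=None, timestamp=None) -> dict:
    """Client (third-party app) side: build the oauth_* parameters for one request."""
    oauth = {
        "oauth_consumer_key": consumer_key,            # identifies the app
        "oauth_token": token,                          # access token the user granted
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),  # per-request, for replay detection
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(method, url, {**params, **oauth},
                                    consumer_secret, token_secret)
    return oauth

def server_verify(method, url, params, consumer_secret, token_secret) -> bool:
    """Service side: recompute the signature and compare in constant time."""
    presented = params.get("oauth_signature", "")
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(presented.encode(), expected.encode())
```

A real service additionally rejects reused nonces and stale timestamps; that bookkeeping is left out here.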

Maybe Twitter will get serious about their security here.

Photo Credit: dinobirdo

The Xbox Experience: A Great Improvement That Still Lacks


Microsoft is clearly getting hipper with their offerings. The company that has been notoriously committed to offline products, like the Windows operating system and the Microsoft Office productivity suite, to the detriment of their online offerings, definitely seems to be moving into the internet space more. They are, in fact, trying to own the online space now, which is a significant departure from the company’s past.

As recently as yesterday, speculation was that the ill-branded Live! Search could be rebranded in a much more internet friendly way. Kumo.com anyone? Their IM client… well, no one uses it.

Of course, they have jumped headfirst into the incubation industry by launching BizSpark, which seeks to provide promising young companies with technical resources, such as their server offerings, and human and business resources to help these investment companies, mostly web-based startups, become viable.

Naturally, one of the odd players in the Microsoft ecosystem has been the Xbox 360 platform. It is a killer gaming platform (I am an avid Xbox gamer) and its online gameplay over Xbox Live is second to none. It has always lacked any kind of cohesion as an online service, though, especially in 2008, when Facebook and Twitter rule the day and it is rare to find someone who is not on some kind of social networking platform.

So a few months ago, when word leaked out about a complete overhaul to the Xbox Live experience, there were many of us who were excited about a modernization with significant incorporation of social networking elements. With the launch the other day, some of that has been delivered.

The Xbox Experience, as it’s called, is a significantly streamlined dashboard that makes it extremely easy to access common items, such as the Xbox Marketplace. The incorporation of Netflix, the online video giant that also dabbles in the social networking space, makes the Experience worlds better. It is possible to watch Netflix “Instant Play” queue items directly via your Xbox Dashboard. Sweet, if only the video quality were better. Putting this aside, the mashup is a great step in making the Xbox an entertainment hub.

However, significant issues remain. A “big bling” element of the new Xbox Experience is the new avatars. Going through a wizard the first time I logged in reminded me a bit of creating your Tiger Woods 2008 character. Though this is fine for creating a personalized environment, I find no purpose for an avatar except to snap a proverbial photo and make that photo your “avatar photo”. I would much rather designate an actual graphic or picture as my avatar, in much the same way most social networks allow you to.

The storyline falls apart more when you log in to manage your Xbox Live account from the web and discover they have not incorporated any further way of getting at your data. Microsoft would do well to develop robust APIs that would allow players to get an XML or JSON feed of achievements, gamerscores, last/currently played games as well as other social network elements.

Why not provide a much more efficient “friends” method that would allow players to have wish lists, friend challenges, friend groups, as well as a unique element I call “tip sharing”? Tip sharing would be a forum element where a friend could share intel about a game (say Fallout 3) and I could “download” that tip into my Xbox Live user account. When I reach the Farragut West Metro station in Fallout 3 and my friend has discovered something there, the game could feed me that intel from my friend.

Another social element would be the concept of a “lifeline” where, if I’m stuck during a game, I could get immediate assistance (in-game or otherwise) from my friends through screen sharing, instant message (kill Live! Messenger and use OpenAIM, please) or other “helper” element.

Let’s make it really social and make it possible for gamers to find other gamers in their area and schedule times together (if you have to, use a modified, online, lite version of Sharepoint or Exchange Server to make this happen).

Of course, a natural tie together, via OpenSocial, with other social networks, possible use of OAuth for data access and login, status messaging and comment, and other “social elements” would really flesh the Xbox Experience as useful in 2008.

What are your thoughts on the Xbox Experience?

Facebook Takes On OpenSocial

Facebook has decided to offer its programming platform to the rest of the social networks, getting ahead of Google and its long-awaited OpenSocial.

Google OpenSocial emerged as a response to the Facebook Platform, offering the rest of the social networks the chance to create applications that could interoperate across the different sites. But OpenSocial is not ready yet, and much about how it will work remains to be defined.

Facebook now responds with PlatformArchitecture, allowing any website to take advantage of Facebook's programming language. In this way, any website will be able to offer its users the large number of applications that already exist for Facebook.

These initiatives let users of social networks use services offered by other websites (iLike, for example) and share experiences with members of their own social network (Zombie, Acuario, etc.).

What is missing is a tool that lets the users of one social network interact with the users of another social network. OpenID, OAuth and XFN are three initiatives aimed at achieving this, but they need to be simplified (with deNerd-a-tex?) so that the bulk of the population can understand and use them.

If you want to know more about these three initiatives, leave us a comment here on the page and we will develop the topic in a future column.