Twitter Phishing: Protecting Yourself


A funny thing happened on the way to the forum. Or at least, a funny thing happened over the weekend with regard to Twitter, spam and phishing (from Chris Pirillo). I really had no plans to outline my thoughts on the scam, because it is already being covered ad nauseam. However, I feel like I have to anyway.

The scam spreads like a typical email worm and begins with a DM from a Twitter contact whose account has already been compromised. That direct message contains a link to a malicious (and here unnamed) domain that should scream “password stealing”. Nevertheless, unwary Twitter users click the link and land on a page that looks an awful lot like the Twitter.com login screen (okay, it looks identical). The user enters login information thinking they are logging into Twitter and, in the blink of an eye, the malicious site has that user’s Twitter username and password. Nothing on the user’s computer is exploited; the page simply asks, and the user answers.

This is a very important concept to get. The user inadvertently gives Twitter account login information to a malicious site. I will rail more on this concept in a bit. Keep it in mind.

The malicious site then logs in with those credentials and sends DMs carrying the same infectious link to the victim’s followers, on behalf of the user. I have gotten seven of these in the past 24 hours.

Folks, Twitter is like email. You can be infected through the innocence of friends. Please be careful. You really don’t want a malicious site having access to confidential business ideas, the common and unchanging password that you use everywhere, or intoxicatingly passionate messages to your lover. Be wary of this scam and tread lightly. If you get a message like this, contact the sender and advise them to change their password immediately (and anywhere else they reused it). Unlike email worms, you cannot be affected by merely looking at the DM, or even by clicking the link; the damage is done only when you type your password into the fake login page.

There are several problems here, as there are with most internet security problems. One is the technical problem (any site that holds your password can log in and perform actions on your behalf, indistinguishably from you). The other is a psychological problem (Twitter users giving away their username and password to untested, unvetted and untrusted third parties).

Twitter promises that they are working on a solution to the technical problem and that it will look like some form of OAuth. OAuth is a delegated authorization protocol (often mentioned alongside OpenID, which handles identity rather than delegation): the user logs in at twitter.com itself, approves a specific application, and the application receives a revocable token scoped to that user instead of the user’s password. When instituted, that should remove the reason third-party Twitter apps currently have to ask for a user’s login information, and it means a compromised app can be cut off by revoking its token rather than by changing the password everywhere. However, for all their promises and the urgency that is increasing among developers, Twitter does not seem to be in a hurry to provide this protocol.

Additionally, computer users have been relentlessly brainwashed by anti-virus companies, corporate computing policies and other persistent reminders, to adhere to basic security practices. Don’t open attachments from unknown users. Run anti-virus. Use hard to guess passwords and change them often. And so on. And so forth. Folks, these concepts are basic life-guiding principles and apply on the web too. Don’t give away your username and password to anyone. Ever. Unless they are vetted and trusted by you and you understand what the ramifications are.

In the absence of an OAuth-style technical release from Twitter, and the lack of consistent user discipline, it is my recommendation that Twitter users no longer provide third-party apps with their login information, regardless of how compelling the app is. It is not safe and it is an unwise security practice that flies in the face of everything you have been learning for years when it comes to your own personal computing practices. Twitter apps are defined here as anything Twitter-related that is not served directly from the twitter.com domain.
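The rule above (only twitter.com itself should ever see a Twitter password) is easy to state and easy to get wrong when a phishing link is built to look right at a glance. The following is an added example, not code from the original post or from Twitter, that applies the rule mechanically to the links in a DM. It assumes only that the genuine login page lives on twitter.com or one of its subdomains; the function names and the sample DM text are my own.

```python
"""Classify links in a DM by whether they really land on twitter.com.

Added example for this post. The only trust assumption is that a genuine
Twitter login page is served from twitter.com or a subdomain of it; every
other host, including look-alikes, is a third party that must never see a
Twitter password.
"""
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "twitter.com"

# Rough matcher for URLs pasted into chat text (constructed for this example).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_of(url: str) -> Optional[str]:
    """Return the lowercased host of an http(s) URL, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 brackets in the netloc
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None
    # .hostname strips userinfo ("twitter.com@evil.example" -> evil.example)
    # and the port, and lowercases the result.
    return parts.hostname or None


def is_twitter_origin(url: str) -> bool:
    """True only for twitter.com itself or a genuine subdomain of it.

    Rejected on purpose:
      twitter.com.login-verify.example  (trusted name as a *prefix*)
      mytwitter.com                     (trusted name as a *suffix* without a dot)
      twitter.com@evil.example          (trusted name in the userinfo part)
      evil.example/twitter.com/login    (trusted name in the path)
      twіtter.com with a Cyrillic і     (homoglyph; not byte-equal)
    """
    host = host_of(url)
    if host is None:
        return False
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def classify_dm_links(dm_text: str) -> Dict[str, str]:
    """Map each URL found in the DM to 'twitter' or 'third-party'."""
    result: Dict[str, str] = {}
    for raw in URL_RE.findall(dm_text):
        url = raw.rstrip(".,;:!?)")  # trailing punctuation is not part of the link
        result[url] = "twitter" if is_twitter_origin(url) else "third-party"
    return result


# Constructed sample DM, not a real message from the scam described above.
SAMPLE_DM = (
    "hey, is this you in this video?? http://twitter.com.login-verify.example/login "
    "also see https://twitter.com/settings/password."
)

if __name__ == "__main__":
    for link, verdict in classify_dm_links(SAMPLE_DM).items():
        print(f"{verdict:12s} {link}")
```

The check is deliberately exact-match on the registrable domain rather than a substring search, because the phishing page in this scam wins precisely by putting the string “twitter.com” somewhere a human will see it. Note what this does not do: it cannot tell you whether a page that really is on twitter.com is asking for your password for a legitimate reason, and it does nothing about a shortened link until the redirect has been followed. It is a filter for the obvious case, not a substitute for the habit of typing twitter.com yourself.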

Maybe Twitter will get serious about their security here.

Photo Credit: dinobirdo

Tech Predictions for 2009

As we gear up for 2009, there remain many questions about the economy and the growth curve of the technology industry. As a team, we have come up with predictions for 2009. Ray Capece, Venture Files editor for Technosailor.com, and I make our predictions.

As always, these are predictions. Last year, we were dangerously accurate with our predictions and would like to think that we have a good understanding of the business and technology marketplace in 2009.

Ray’s Predictions

  1. By now, all VC firms have had the ‘triage’ partners meeting — where they decide whether existing portfolio companies will 1) receive additional funding, because they’re generating revenue and have the prospect of getting cash-flow positive; 2) be shut down (and recapture any remaining cash); or 3) receive no additional funding, but be left to their own devices (to get funding however they might on their own). In 2000, there were a good many in category #2, since dot-com rounds were in the $10s of millions; now, with social-networking investments averaging around $1M, there will be little cash if any to recover. But I predict there will be many in category #3 (also known as ‘the walking dead,’ since they’re burning their cash, no matter how slowly, till it’s gone).
  2. Online advertising revenues in 2009 will continue to fall, as inventory outpaces demand. I *don’t* see the $$ flowing from other media to online offsetting this downward trend.
  3. Consumers have discretionary (albeit small) $$$ to spend. In times of bleak economy, they seek distractions (gaming and feel-good entertainment), and will happily pay $0.99 for iFart. The hope for developers in the social networking space will potentially lie with commerce in real and virtual goods. Facebook and the others need to make this extremely easy for third parties, and it will most certainly happen in 2009. (Yes, despite what others are saying about FB’s party line.)
  4. Consolidation always picks up in down times . . . good, small apps facing a difficult fund-raising environment reset their valuations lower, and robust companies with solid funding swoop in to pick up the team and technology on the cheap. It began in the fourth quarter with Pownce and others, will continue throughout 2009.
  5. As an extension to this prediction — we’ll see more Intellectual Property for sale on eBay.
  6. Apple will continue to grow its mobile share as others fumble about. Watch for the new BlackBerry Curve to become the de facto standard for ‘button lovers.’

Aaron’s Take: While I agree with most of Ray’s predictions, I’m more bullish on early round VC. Even though we won’t see as much investment as we have, I believe it will still happen and companies that have already been funded will probably continue to receive investment funds, even if on down valuations, as long as they are somewhat viable. The reason is that most funds are long-haul investments of about 10 years.

Aaron’s Predictions

  1. Consolidations will occur en masse this year. Small companies with angel funding or Series A funding will be lumped into bigger conglomerates as the acquisition threshold is low.
  2. Brightkite will be acquired by Facebook, as poignantly pointed out by a commenter over at Read Write Web.
  3. The second Google Android-powered G2 phone will be released to T-Mobile in Q1. As the first one was a proof of concept that had little impact, the second iteration will be an essential release to prove the Android platform. No other carriers will take the platform until the concept is proven, but T-Mobile is already there and will be the victim for the second release.
  4. Twitter will *not* be acquired, but an advertising/partnership business model will emerge in Q2.
  5. Apple will release 3 new products this year. That is it. Their growth will continue upward but will see a decline over growth patterns of previous years.
  6. Net Neutrality will take a massive hit in 2009 with governments and companies looking to defend themselves in a down economy. The result will be regulations that allow the big telecoms to survive. Too big to fail. Unless it’s the general public.
  7. No clear winner in the “single identity” space. OpenID fades, fbConnect gets fleshed out and adopted by many while Google Friend Connect makes significant inroads with others. An emerging war akin to Bluray vs. HD-DVD emerges between Facebook and Google with the internet world divided evenly among the two. Blogs and social networks will tend toward Facebook while bigger sites and services, possibly including newspaper walled gardens, trending toward Google.

Ray’s Take: Aaron’s crystal ball looks pretty good to me . . . except that, like Jonah in the whale’s belly, Twitter will be devoured.

The Intersection of Social Circles

Who is included in your social networks? What criteria do you use to include them? The topic can get quite controversial. There are people whose goal is to have the greatest possible number of “friends” on Facebook, for example. Others make an effort to limit their exposure on these networks. If the usefulness of a social network depends on the number of connections we have (and this is debatable: quantity vs. quality), at what point does the benefit we get from it start to decline?

Then there is the case of our real-life friends versus our online-life friends. How do we fold one group into the other? If a childhood friend wants to connect on Twitter, how does it affect our relationship if we turn them down? We may not want to mix one group with the other, without that meaning our level of friendship has changed. If we remove a friend from our Facebook list (perhaps because they keep sending us invitations to the Zombies game), it does not mean we are any more or less friends… although many people may take it that way.

We can divide our relationships into several concentric circles: family, friends, acquaintances, agents (salespeople, delivery people, suppliers, etc.). But we can also have parallel circles in offline life, in online life, at the office, and so on. Sometimes these circles connect with one another, sometimes they don’t. As more and more of our friends start to use online social tools, this intersection becomes more visible and harder to keep separate.

Technologies such as OpenSocial, Plaxo Pulse, Facebook PlatformArchitecture, OpenID, etc., which promise to let us interconnect our social networks, offer hope that one day we will be able to keep all our connections organized, separated and interconnected at the same time. Will 2008 be the year?