Only Just Beginning: Twitter message could be cyber criminal at work

I have blogged (here and on the (ISC)2 blog) about potential security issues in the rising use and hyper-marketing of Twitter, so I found this CNN story of interest, although it only scratches the surface of the risks: “Twitter message could be cyber criminal at work.”

“Cyber criminals have been targeting Twitter users by creating thousands of messages (tweets) embedded with words involving trending topics and malicious URLs,” Sean-Paul Correll, a threat researcher for Panda Labs, wrote recently on a blog for the company.

Frankly, I find it socially irresponsible that a number of people are jumping on the Twitter bandwagon for highly critical applications. Are they not aware that Twitter was designed as an open, unreliable, insecure communications channel? Twitter has been, and is, easily hacked into and abused. A number of folks do not seem to understand that the more popular any communications medium becomes, the more it will be used by criminals.

Recently there has been a lot of activity around stock trading with Twitter. Even if you think you know that the source of a tweet is reliable, and someone sends you a message that says “Buy Amazon Now!”, you run the risk of the account being hacked into or simply masqueraded (identity theft). If you subscribe to a channel, you cannot be assured the channel has not been compromised. Folks who advocate Twitter as so great just don’t understand. Twitter is less reliable and less secure than an SMS message or a phone call. In fact, Twitter is less reliable than plain-old email.

Remember the old saying, “On the Internet no one knows you are a dog!”?

I don’t mention this because I dislike Twitter. I have no opinion other than that it is a trendy open communications channel that has many vulnerabilities in a dangerous world of many threats. Risk is the intersection of vulnerability, threat and impact (criticality). So, the more impact you have, the higher the risk. It is really simple. Understanding risk is not rocket science.

As long as you are tweeting about your dog, your favorite movie, or marketing your latest product, or the beer you are drinking, you have low risk because a security breach is low impact.  However, if you are doing anything with high impact, you are heading into a very dangerous zone.

High Vulnerability * High Threat * High Impact = High Risk

Anyone who is advocating Twitter for mission critical applications is socially irresponsible. There is a huge difference between movie stars tweeting their thoughts and prayers and executing a million dollar transaction based on information received from an insecure and unreliable communications channel.

Twitter was not designed for algo trading (high impact applications), for example. It was designed for people to say “Hey, here is what I am doing now!” (low impact). If we start to look beyond the basic security issues, we will find more complex issues. I have already addressed some of these in an earlier post. Folks who believe Twitter is a great source of rumor-mill intelligence for automated, split-second algo trading do not understand how easy it is to inject false, misleading, and fraudulent information into the stream of Twitter messages.

Twitter was not designed for mission critical applications. Twitter was designed to answer the question “What are you doing now?” in an informal way that is neither secure nor reliable. Of course criminals are going to use Twitter for promoting their fraudulent Pump-and-Dump stock trading schemes! Marketeers have already seen the potential, and are “tweeting their wares” constantly ... and this is only just beginning!

Do not be fooled by the marketing hype. Enjoy Twitter, but do not use Twitter for mission critical applications (unless it is seriously redesigned from the ground up to be secure and reliable). There are better communications channels for high-risk applications.


Copyright © 2007-2008, The CEP Blog, All Rights Reserved.