<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Redcatco &#187; security</title>
	<atom:link href="http://redcatco.com/blog/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://redcatco.com</link>
	<description>Connecting People With Technology</description>
	<lastBuildDate>Fri, 23 Jul 2010 09:47:17 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Caught by a Spy &#8211; Easier Than it Sounds</title>
		<link>http://redcatco.com/blog/communication/caught-by-a-spy-easier-than-it-sounds/</link>
		<comments>http://redcatco.com/blog/communication/caught-by-a-spy-easier-than-it-sounds/#comments</comments>
		<pubDate>Mon, 01 Jun 2009 12:19:14 +0000</pubDate>
		<dc:creator>Benjamin</dc:creator>
				<category><![CDATA[communication]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[social networking]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://redcatco.com/?p=1579</guid>
		<description><![CDATA[If you are a regular Twitter user, you might have noticed that half of the world seems to have become a spy catcher of late. It turns out that catching a spy via Twitter is easier than you might think. It also has some consequences for social capital, information security and general communication noise too. You are a very fortunate individual [...]]]></description>
			<content:encoded><![CDATA[
<p><img class="aligncenter size-full wp-image-1582" title="spy" src="http://redcatco.com/blog/wp-content/uploads/2009/06/spy.jpg" alt="spy" /><br />
If you are a regular Twitter user, you might have noticed that half of the world seems to have become a <a href="http://playspymaster.com/">spy catcher</a> of late. It turns out that catching a spy via <a href="http://redcatco.com/about/twitter/">Twitter</a> is easier than you might think. It also has some consequences for social capital, information security and general communication noise too.</p>
<p>You are a very fortunate individual if you have escaped the torrent of (somewhat spammy) messages from the spy catcher application. It is doing a rather good, and therefore bad, job of turning Twitter into Facebook &#8211; or rather the bad old Facebook of a while ago, with the legendary sheep throwing, pirates, vampires and sea of noise generated by that genre of social applications.</p>
<h2>Got You! Via Twitter</h2>
<p>The success of Spycatcher is a proof point of another unsettling trend: Notice how easily people hand over their username and passwords to a relatively unknown (and potentially untrusted) third party.</p>
<p>There has been a long-term problem with Twitter third party applications. The first generation of applications required users to enter their username and password on the third party site, where they were stored, so that the third party could get access to the user&#8217;s Twitter stream, to do whatever wonderful things it did. It sounds relatively innocuous, but actually it sets a rather bad precedent. It is referred to as an anti-pattern, a commonly bad solution to a problem. It is bad because it <a href="http://adactio.com/journal/1357">teaches people how to be phished</a>.</p>
<h2>From Catching Fish to Helping Phishers</h2>
<p>Phishers spend their time trying to get users to hand over password details, so that they can gain access to accounts. Twitter has a bad anti-pattern problem, <a href="http://factoryjoe.com/blog/2009/01/02/twitter-and-the-password-anti-pattern/">and it knows it</a>, since the Twitter ecosystem trains users to hand over their security details to third parties. To tackle the issue Twitter has added <a href="http://oauth.net/">OAuth</a> to the service. It provides a way for third parties to validate users, without storing the username and password. However, this doesn&#8217;t solve the whole problem. People are still handing over passwords. So, back to catching those spies&#8230;</p>
<p>Increasingly third party Twitter applications are not only logging in to pull down information, but they are actively sending tweets from users accounts (including @ messages and Direct Messages) on behalf of, and in the name of, the user. And why wouldn&#8217;t they? If a developer can get away with using a bit of a user&#8217;s social capital to promote their application, they probably will. Spycatcher is a particular case in point.</p>
<h2>From Bad to Worse</h2>
<p>The annoying messages it tweets are one thing, &#8220;captured this&#8221;, &#8220;assassinated that&#8221;, <a href="http://twitter.com/BenjaminEllis/status/1984020138">they can be blocked</a>. However, over the weekend things took a turn for the worse when I started getting private direct messages from the people I follow asking me to join. Now, either my friends have suddenly all switched to the same writing style, or these were automated DMs. I&#8217;ll let you take your pick.</p>
<p>Twitter direct messages are my most trusted communications channel, since only people I have chosen to follow can send me messages (oh that my mobile phone was the same), and the messages generate alerts in near-real-time. So, when people start spamming me via that channel I sit up and take notice. There is another reason too. Because URLs that arrive via that channel are usually from a trusted human, I tend to trust the links. I shouldn&#8217;t of course, and neither should you. Combined with anti-pattern behaviours, it is all too easy to receive a DM with a link and a &#8220;Benjamin, use your Twitter ID to check your security here&#8221; &#8211; you can see where that heads. If I were being dozy, 5 minutes later all of the people who follow me would be getting the same message. Injecting malware, or carrying out phishing attacks, is all too easy. People need to realise that the Twitter stream is part of their on-line identity, and to guard security credentials well. It was a little while back that <a href="http://www.readwriteweb.com/archives/twitter_security_collapses_oba.php">Britney Spears and Barack Obama had their login details compromised</a>.</p>
<h2>What to learn?</h2>
<ul>
<li>Don&#8217;t hand over your user name and password unless you are 100% sure where they are going, and what will be done with them.</li>
<li>Use different passwords for different services. That way any damage should be limited to one service. If your Twitter password is the same as your on-line banking one, fix that quickly!</li>
<li>Change your passwords every so often. Yes, I&#8217;m sounding like the moaning IT guy, but this does make a difference to your security.</li>
</ul>
<p>I expect to see more and more applications using the social capital of their users to promote them &#8211; that has been the model on Facebook, and now it&#8217;s coming to Twitter. As for Spymaster, I&#8217;m not sure if it should be called <a href="http://www.techcrunch.com/2009/05/29/spy-vs-spy-the-spymaster-backlash-begins-and-twitter-needs-to-fix-it/">spam master</a> rather than spymaster (if you want to play, <a href="http://www.twitpic.com/6aqvi">please turn off the notifications</a>; I hate having to unfollow people). I&#8217;m surprised there hasn&#8217;t been a bigger backlash against it.</p>
<p>Perhaps it is a sign of the shifting user. We have reached the &#8220;sheep throwing&#8221; phase of the social networking platform life cycle. I&#8217;ll take it as a sign of Twitter entering adolescence already.</p>
]]></content:encoded>
			<wfw:commentRss>http://redcatco.com/blog/communication/caught-by-a-spy-easier-than-it-sounds/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Information Security is for All</title>
		<link>http://redcatco.com/blog/technology/information-security-is-for-all/</link>
		<comments>http://redcatco.com/blog/technology/information-security-is-for-all/#comments</comments>
		<pubDate>Mon, 28 Apr 2008 11:03:18 +0000</pubDate>
		<dc:creator>Benjamin</dc:creator>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[teleworking]]></category>

		<guid isPermaLink="false">http://redcatco.com/blog/?p=446</guid>
		<description><![CDATA[We all understand the concepts of physical security reasonably well: Locks, Doors, Alarms, Security Guards&#8230; With the new digital universe we need to be just as conversant with information security. The front page headline of Computer Weekly last week was a good reminder: &#8220;More intruders found behind firewall, says 2008 Information Security Breaches survey.&#8221; The [...]]]></description>
			<content:encoded><![CDATA[
<p>We all understand the concepts of physical security reasonably well: Locks, Doors, Alarms, Security Guards&#8230; With the new <a href="http://redcatco.com/blog/technology/the-exploding-digital-universe/">digital universe</a> we need to be just as conversant with information security. The front page headline of Computer Weekly last week was a good reminder: &#8220;<a href="http://www.computerweekly.com/Articles/2008/04/22/230363/more-intruders-found-behind-firewall-says-2008-information-security-breaches-survey.htm">More intruders found behind firewall, says 2008 Information Security Breaches survey</a>.&#8221;</p>
<p>The report is based on the recent Information Security Breaches survey (<a href="http://www.berr.gov.uk/files/file45714.pdf">PDF</a> and <a href="http://www.berr.gov.uk/files/file45713.pdf">PDF of executive summary</a>) conducted for the <a href="http://www.berr.gov.uk/sectors/infosec/index.html">Department for Business, Enterprise and Regulatory Reform</a>, and reports a tenfold increase in hackers inside the firewall.</p>
<p>An attention grabbing article, but there are some things of note. Because corporate cyber defences are working well, <a href="http://www.computerweekly.com/Articles/2008/04/16/230302/malware-coders-shifting-focus-to-home-pc-users-report.htm">criminals are targeting home PCs</a> and careless web surfers. Having failed to hack us in the office, they are after us at home. The IT team has always been concerned about the security of remote workers, now they will be even more so.</p>
<p>The launch of the report coincided with the start of the <a title="InfoSec" href="http://www.infosec.co.uk/">InfoSec</a> security show London this week, which featured all of the major vendors showing their latest wares. Security is increasingly moving from network-based firewalls, to desktop-based software. This approach makes securing remote or home-based machines easier.</p>
<p>In the article, Jim Norton, senior policy adviser at the Institute of Directors, <a href="http://www.computerweekly.com/Articles/2006/04/19/215435/infosecurity-preview-the-inside-track-on-hackers.htm">suggested firms use honeypots</a> (servers designed to appear to contain valuable information). I wouldn&#8217;t say that was good advice. Using honeypots is a bit like guarding parked cars by putting a very expensive looking one in the middle and hoping the criminals hit that first.</p>
<p>Enterprise security measures are working increasingly well. What we have to watch out for now is social engineering attacks, such as emails that result in unwittingly handing over login information or personal details. Be on your guard, as these methods, including &#8220;phishing&#8221; e-mails, are becoming more and more sophisticated.</p>
<p>The threat is not just our personal or corporate information ending up in the public domain, it is also the risk of losing valuable data. Yet another reason to have a good back up policy, be it for your family photos or corporate trade secrets!</p>
<p>Reference: <a href="http://www.berr.gov.uk/files/file45714.pdf">Information Security Breaches survey</a> (<a href="http://www.berr.gov.uk/files/file45713.pdf">executive summary</a>)</p>
]]></content:encoded>
			<wfw:commentRss>http://redcatco.com/blog/technology/information-security-is-for-all/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Not So Private Data</title>
		<link>http://redcatco.com/blog/technology/not-so-private-data/</link>
		<comments>http://redcatco.com/blog/technology/not-so-private-data/#comments</comments>
		<pubDate>Thu, 21 Feb 2008 23:19:12 +0000</pubDate>
		<dc:creator>Benjamin</dc:creator>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[Identity]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[social graph]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://redcatco.com/blog/productivity/not-so-private-data/</guid>
		<description><![CDATA[The issue of identity information isn&#8217;t as simple as private or public, unshared or shared. In the Internet age, searchability and discoverability are also factors, as well as the more granular way we can choose to share data. Computers give the illusion that we can control what we share and who we share it with. [...]]]></description>
			<content:encoded><![CDATA[
<p><img src="http://redcatco.com/blog/wp-content/uploads/2008/02/eyetoeye.jpg" alt="Eye to eye" align="right" border="2" hspace="2" vspace="2" />The issue of identity information isn&#8217;t as simple as private or public, unshared or shared. In the Internet age, <a href="http://personalbrandingblog.wordpress.com/2007/12/13/google-searchability-and-personal-branding-collide-face-to-face/">searchability</a> and discoverability are also factors, as well as the more granular way we can choose to share data. Computers give the illusion that we can control what we share and who we share it with. It is just that, an illusion.</p>
<p>I get a handy example if I google for the excellent and insightful Fred Basset &#8211; yes, I did just use google as a verb, please don&#8217;t stone me. In the results page I am overwhelmed by information on the cartoon character, rather than the new media expert. Fred is hidden in the camouflage of a mass of other data. Security by obscurity &#8211; he&#8217;s hidden in plain sight. If I Google for Benjamin Ellis, I account for most of the first page of results &#8211; your mileage may vary searching with Google from other countries (just for fun, e-mail the first page of results from where you live!). I&#8217;m not working as an SEO consultant for myself, there just seem to be fewer Benjamin Ellises out there, so I can&#8217;t hide.</p>
<p>Digital information has a rather free-flowing nature. Its natural tendency is to &#8216;escape&#8217; from where we put it. Unhappy accidents like the <a href="http://p10.hostingprod.com/@spyblog.org.uk/blog/2007/11/national_audit_office_reveals_some_emails_about_the_hmrc_data_security_and_priva.html">recent HMRC fiasco</a> are a reminder that it has a characteristic that physical property does not: it can be replicated, indefinitely.</p>
<p>If I mark something as &#8216;private&#8217;, to share with my &#8216;closed&#8217; social network, I am reliant on those friends not making it public &#8211; either purposefully or accidentally. For example, if they tweet it on Twitter, then it is indexed in Google by default. In the same way, companies rely on employees keeping information confidential. The difference is that data spillage now happens more easily, with our increasing connectedness.</p>
<p>There is an interesting characteristic of digital conversations that take place in social media, and that is a form of digital &#8216;spill&#8217;. The characteristic springs from the mismatch between people&#8217;s social graphs &#8211; your set of friends/contacts and mine may have some common elements, but they also have differences.</p>
<p>If we &#8216;chat&#8217; between ourselves via Facebook (using the wall feature) or Twitter, the differences in our social graphs cause shards of the conversation to propagate out beyond the original circle. That can be bad, or it can be good. One of the most interesting things about Twitter is the accidental conversations. It is the closest thing to creating that business haven of innovation, the water cooler conversation. With more and more remote workers, and reliance on external specialists, business will need these tools.</p>
<p>The reality is that Facebook is just describing the real world of social relationships. There is nothing new here. &#8216;Social graphs&#8217; have existed since humans first started raising children and gathering food together. Now we have a commonplace word to describe the phenomenon, and tools, like Facebook and LinkedIn, that have digitised the information and enabled us to study it as never before.</p>
<p>Data has the rather nasty habit of being permanent, sometimes inconveniently. I recently stumbled upon an email I sent to a mailing list in 1988, which is now a web forum. There is my email, in all of its glory. Thankfully I wasn&#8217;t too embarrassing as a teenager, but nonetheless, it is quite a sobering fact that something I wrote twenty years ago is right there, neatly indexed on Google.</p>
<p>The real world of information security, especially around identity, is messy. Tools like Facebook are gradually drawing attention to old issues and creating new ones. In the first few decades of computing, the challenges were in the technology, in the next, I suspect the challenges reside elsewhere.</p>
<p>Having a universal digital identity has efficiency benefits, but it also has big data privacy challenges too. It takes discoverability to a new level, which means that integrity is going to take on a whole new meaning, however good your security is.</p>
]]></content:encoded>
			<wfw:commentRss>http://redcatco.com/blog/technology/not-so-private-data/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>