Monday, January 5, 2009

Twitter attack wave; real site-cracking edition.

The latest round of Twitter attacks took place seemingly last night, and these new ones took advantage of a legitimate site security flaw in Twitter's interface to compromise accounts.


Quoting the Twitter blog:

The issue with these 33 accounts is different from the Phishing scam aimed at Twitter users this weekend. These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can't remember or get stuck. We considered this a very serious breach of security and immediately took the support tools offline. We'll put them back only when they're safe and secure.


Blah, that's a pretty gloomy thing to come in to work on a Monday morning. I don't feel for the coders at Twitter...


But this highlights a bunch of points that normal people (non-IT people!) don't yet appreciate:

  • Any computer connected to the Internet can be subject to a break-in (especially the one you're reading this post from).
  • Big brand IT shops with big budgets aren't immune, even if they have been as diligent as they can with security.
  • Security is a cat-and-mouse game. As smart as security people are, the crooks are just as capable.
  • tl;dr: We're back at That Password Thing... Change your Twitter password as soon as you can. I doubt the public outside of Twitter will know how deep these guys got into the system before the compromise was noticed.


This blog isn't immune by any stretch of the imagination, so I'm not posting this from some mountaintop of smugness. It's only a matter of time before someone finds a hole in WordPress, or a plugin I'm using, or in the base operating system of my server, and bam, I'm pwnd.

Finally, we, being humans, need to move past our current methods of authentication. Not to some weird draconian Big Brother-type system where one central command corporation has full rights to this data, but to an open system based on tried and true methods of cryptography and digital signatures.

Making it easy and portable to prove who you are is the next leap in online communications: literally establishing trust relationships with real people, using digital keys to solidify the trust of others in what is being posted.

Sunday, January 4, 2009

Map CAPS-LOCK to Control in Ubuntu and Mac OS X.

I dislike CAPS-LOCK. It is a key that has not made much sense to me since the Commodore 64. It's one of those odd legacy keys from lord knows when in antiquity. One of the most annoying things about CAPS-LOCK is that it has great placement on the keyboard.

One of the most useful keys for a *NIX geek is Control. It's the all-purpose key on the command line.

So if you're into Linux or FreeBSD or anything in between, mapping CAPS-LOCK to Control can really speed you up and save your wrists a lot of strain. Your pinky can now reach Control without having to do that funny pivot down and left or right.

If you just dislike the CAPS-LOCK key, as in it gets in your way while you're trying to type, this is also a good option to 86 it.

One option you have is to buy a keyboard where CAPS-LOCK is already replaced by a hardware-mapped Control key, like the Happy Hacking series of keyboards (my personal favorite keyboard; it just barely inches out the Model M for best keyboard ever).

So here are two ways to map CAPS-LOCK to Control: one in Ubuntu Linux (7.10 and up) and one in Mac OS X.

Ubuntu Linux with Gnome

1. Click on System -> Preferences -> Keyboard
2. Click on the Layouts tab
3. Click on Layout Options...
4. Expand Ctrl key position
5. Select the "Make CapsLock an additional Ctrl." radio button.
6. Close, boom done!

Apple Mac OS X 10.5

1. Click on Apple -> System Preferences
2. Go to Keyboard & Mouse
3. Click on Modifier Keys
4. Select the Caps-Lock Key pulldown
5. Set it to Control
6. Boom! Done.

And then if you're a total obsessive like I am, you can do this sort of thing...

Model M Control

A neat feature of FreeBSD 5: it gives you the option to map CAPS-LOCK globally to Control during the install process.

Unrelated Side Note:

THIS was so cool it actually made me a little angry: C64 USB keyboard

Saturday, January 3, 2009

Twitter probably needs an API key generation system to thrive

There's a big bad phish going around on Twitter today. Likely either related to the Twply thing or seriously emboldened by it.

One of the first things I considered when I looked at the Twitter API was that it was wonderfully open, and ripe for abuses. Coupled with a Phishing attack, there are a lot of powerful methods to disseminate viruses and malware and to collect passwords. LOTS of them.

From the Twitter blog:

It looks as though this particular scam sent out emails resembling those you might receive from Twitter if you get email notifications of your Direct Messages. The email said, "hey! check out this funny blog about you..." and then provided a link. That link redirected to a site masquerading as the Twitter front page.

Anyway, one thing that might help stem the tide of Phishing attacks and API-service type attacks (Twply-style trust attacks, where they say they're going to do something and all they really do is take your data) is an API key system, or a drastic evolution of the current API method.

It's not like I'm saying anything radical; actually, this is likely in the works at the volcano/skull island that houses Twitter's developers, but it's more the shape of things to come. You'll likely see a slightly more complex and less "impulse buy" friendly API system emerge. Hopefully safer than the seat-of-the-pants insecure method used now.

And as Pete Cashmore says, it might be a sign that Twitter is "for real".
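To make the "API key system" idea concrete, here is an added example of what per-application keys buy you over handing a third party your password. It is not Twitter's code and does not describe Twitter's actual API; the class name ApiKeyStore, the scope strings and the app name are all hypothetical. The point for a Twply-style service: it gets a key scoped to reading replies, it never sees the password, it cannot post on your behalf, and you can revoke that one app without changing the password or touching any other app.

```python
"""Added example (not Twitter's code): a per-application API key scheme.

Instead of handing a third party (a Twply-style service) your password,
the user issues that application its own key, scoped to what it needs,
and can revoke it without touching the password. ApiKeyStore and the
scope strings are hypothetical names chosen for this example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class KeyRecord:
    user: str
    app: str
    scopes: frozenset
    key_hash: str          # only a hash of the key is kept server-side
    revoked: bool = False


class ApiKeyStore:
    def __init__(self):
        self._records = {}  # key_id -> KeyRecord

    @staticmethod
    def _hash(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, user: str, app: str, scopes) -> str:
        """Mint a key for one app on behalf of one user; the app never sees the password."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._records[key_id] = KeyRecord(user, app, frozenset(scopes), self._hash(secret))
        return f"{key_id}.{secret}"  # the app presents this on every request

    def authorize(self, presented: str, needed_scope: str):
        """Return the user the key acts for, or None if it is unknown, revoked, tampered or under-scoped."""
        try:
            key_id, secret = presented.split(".", 1)
        except ValueError:
            return None
        rec = self._records.get(key_id)
        if rec is None or rec.revoked:
            return None
        if not hmac.compare_digest(rec.key_hash, self._hash(secret)):
            return None
        if needed_scope not in rec.scopes:
            return None
        return rec.user

    def revoke_app(self, user: str, app: str) -> int:
        """Cut off one misbehaving app without a password change and without affecting other apps."""
        count = 0
        for rec in self._records.values():
            if rec.user == user and rec.app == app and not rec.revoked:
                rec.revoked = True
                count += 1
        return count


def demo():
    """Walk through the Twply scenario with a scoped, revocable key (constructed data)."""
    store = ApiKeyStore()
    key = store.issue("exampledude", "twply", ["read_replies"])
    can_read = store.authorize(key, "read_replies")     # "exampledude": what the app was granted
    can_post = store.authorize(key, "post_status")      # None: no promo tweets from this key
    revoked = store.revoke_app("exampledude", "twply")  # 1 key cut off
    after = store.authorize(key, "read_replies")        # None: the key is dead, password untouched
    return can_read, can_post, revoked, after
```

Storing only a hash of the key means a leaked key table does not hand out working keys, and the prefix/secret split lets the server look up the record without a linear scan. Revocation is per app, which is exactly what a password-sharing scheme cannot offer: the only way to cut off Twply once it has your password is to change the password everywhere.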

Friday, January 2, 2009

About that password thing...

I retweeted this alarming post from @JennKim last night regarding a Twitter scam site:

@JennKim Think twice before leaving your Twitter password http://tinyurl.com/7wq2gt

From the article linked above...

Twply, the Twitter site that promised to email your replies to your inbox while protecting your password, appears to have tweeted a promotional message for the service on your account even if you opted out of this option. To add insult to injury, the site was sold today on Sitepoint for $1200, just one day after launch. The site, which required you to enter your Twitter password, has now sold that confidential data to the winning bidder - site user worldbuyer.

Sucks! Also, I'm sorry if you are reading this and were burned by this service. BUT, yeah, never trust anyone with your passwords.

This is the new face of the electronic security compromise. People don't put the same importance on their online passwords as they do on, say, the PIN for their bank cards.

If you spend a lot of time online, you really, really should. Why?

  • People use the same passwords for multiple sites.

    It is unfortunate, but it's a reality that won't change as long as we are human. The password system does sort of suck, but it's what we have now until the populace gets comfy with digital keys. You don't have to have a different password for every occasion, but I try to have three or four rotating strong passwords I use at different sites. The bad news on this front is that some places (often financial firms) won't let you use strong passwords with characters like @ # $ % or & in them. Dumb but true. So what ends up happening is that people will pick the weakest but most compatible password they can remember and they'll use it everywhere.

    We also use the same login for multiple sites... more on that below.

    Fix: Generate 3 good passwords and try to use a password manager on your PDA or phone. You don't have to use the password manager every time, but it can help jog your memory when you forget.

  • Website security is always much worse than you think.

    Take it from an insider: if a website wants your username and password so that it can access another website on your behalf, it is going to store that username and password in a database in PLAIN TEXT, no encryption and with the most basic of protections.

    It is often only marginally better if you are submitting your username and password to a forum. The passwords might be encrypted, but that encryption can be reversed as well. It's worth it to a hacking group to decrypt a series of passwords, and they always have the horsepower to do it (think Storm Botnet).

    Fix: Don't trust any of these places. Even Facebook! I couldn't believe Facebook wants me to input my GMail username and password so that it can scrape my address book for friends. The audacity... Sure it works, but now your GMail account and password are on record in a Facebook database somewhere, for EVAR. When the Badguys get into that database, they have your account and password info.

  • Badguys will compromise your accounts, even if you think they aren't important.

    So now a website is hacked, let's say via SQL injection or a straight buffer overflow. No matter how, the Badguys now have access to your username and password. What can they do with it?

    1. Cross-reference your username with a domain-name database to see what you have registered. yourname.com is now a target of domain jacking.
    2. Try your username and password combo at places like GMail and Hotmail: if you signed up to Twitter as exampledude and your Hotmail account is exampledude@hotmail.com, that combination gets tried there too.
    3. They read your e-mail to find out what banks and online financial institutions you use. Paypal, etc. They are now closer to having access to your money.
    4. They scrape your e-mail accounts for users and send them viruses, personalized, from you. They send you viruses from your friends' addresses. Personalized Phishing may be on the horizon as well.
    5. If they have access to your e-mail accounts, they can take your domain. If that domain has e-mail accounts associated with it, they now own those too and the cycle repeats.

I could keep going like this. tl;dr: it's a domino effect. The Badguys get one compromise, and they can keep going with that unless you've used good username and password hygiene.

There's a lot of excitement around social networking and mashups right now. There's a great sense of community and optimism towards anything to do with it. It's refreshing, but I think in that atmosphere people drop their guard a bit in the hopes that everyone intends only good.

But, this is still the Internet.
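The "plain text" versus "encrypted but reversible" versus properly hashed distinction above is worth seeing side by side. The following is an added example, not code from the original post and not a description of any particular site: a constructed user record stored three ways, with a verify function for each and a summary of what a database thief ends up holding in each case. The base64/XOR "encryption" stands in for any scheme where the site keeps the key it needs to reverse the stored value; the hashed variant uses a per-user salt and PBKDF2-HMAC-SHA256 from the standard library. The function names and the iteration count are choices made for this example.

```python
"""Added example (not from the original post): three ways a site can store
the password you hand it, side by side.

The first two are what the post warns about: plain text, and "encryption"
the site itself can reverse (so anyone who gets the database plus the key
gets the password). The third, a salted PBKDF2 hash, lets the site verify
a login without ever being able to recover the password. All records here
are constructed sample data; there is no real site behind them."""
import base64
import hashlib
import hmac
import os
from itertools import cycle

# --- 1. Plain text: the database row *is* the credential. -------------------
def store_plaintext(password: str) -> dict:
    return {"pw": password}

def verify_plaintext(record: dict, attempt: str) -> bool:
    return hmac.compare_digest(record["pw"], attempt)

# --- 2. Reversible "encryption": base64 of an XOR with a site-wide key. ------
SITE_KEY = b"site-wide key kept right next to the database"  # constructed value

def _xor_with_site_key(data: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(data, cycle(SITE_KEY)))

def store_reversible(password: str) -> dict:
    return {"pw": base64.b64encode(_xor_with_site_key(password.encode())).decode()}

def recover_reversible(record: dict) -> str:
    # The site needs this to check logins, so whoever takes the DB and key has it too.
    return _xor_with_site_key(base64.b64decode(record["pw"])).decode()

def verify_reversible(record: dict, attempt: str) -> bool:
    return hmac.compare_digest(recover_reversible(record), attempt)

# --- 3. Salted, slow, one-way hash: verifiable but not recoverable. ----------
ITERATIONS = 200_000  # example setting; raise it as hardware gets faster

def store_hashed(password: str) -> dict:
    salt = os.urandom(16)  # per-user salt: identical passwords get different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iter": ITERATIONS}

def verify_hashed(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest.hex(), record["hash"])

# --- What a stolen database (and any site-wide key) yields per scheme. -------
def exposure_after_breach(password: str) -> dict:
    """The password as the thief can read it out of each kind of record."""
    return {
        "plaintext": store_plaintext(password)["pw"],
        "reversible": recover_reversible(store_reversible(password)),
        "hashed": None,  # nothing to read out; only slow guess-and-verify remains
    }
```

The reversible variant is the one the post calls "encrypted, but that encryption can be reversed": the site can verify logins only because it can recover the password, so the stored value is as good as plain text to anyone who gets the database and the key. With the hashed variant the site can still answer "is this the right password?" but cannot answer "what is the password?", which is the property you want from any site you do not fully trust; it is also why a per-user salt matters, since without one, two users with the same password share a hash and a single precomputed table covers everyone.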

Sunday, December 28, 2008

From Tim O'Reilly's Radar: Thoughts on "In Distrust of Movements"

I wanted to bring attention to this post on Tim O'Reilly's blog about a post on another blog that is a reprint of an essay by Wendell Berry.

Got all that?

In any event, Tim's post will bring you down a really interesting rabbit hole relating to a huge basket of issues, from food sustainability to the current state of the US economy.

I'm still digesting, and clicking on link after link.

Saturday, December 27, 2008

oblique: Dictionary.com Word of the Day

http://feeds.reference.com/click.phdo?i=1659755b284c5836c3e15694f72ee480

--
From the iPod of Simon Carr
Ineocom Technologies
http://www.Ineocom.com

Friday, December 26, 2008

My Book for my Time Machine

Spot the Western Digital My Book 640 GB, converted to be used with Mac OS X

Just picked up this WD My Book 640 GB drive for use with Time Machine from Best Buy Canada, before I go all Reuserist in 2009. This is sorta my final call to buy new crap before my experiment kicks in. So a 640GB external for $109.99 is a pretty good deal[1].

This new drive does serve a vital purpose: acting as my Time Machine backup, replacing the 250GB drive that was starting to do the click of death, and the old drive was technically too small to actually back up the primary drive in my new iMac. So all things considered, I don't feel too bad about the purchase of this new awesome fast external. It also looks like a book. Pretty.

I ran into some challenges. If you just plug it in to your Mac, it's formatted as an MS-DOS filesystem. That's fine for compatibility because everything in the world can read that, but I'm trying to use it for exclusive Mac Time Machine backups. Opening up Disk Utility, I couldn't manage to remove the partition on the drive, which came up as the device "596.2 GB WD 6400AAV External Media", with the partition "My Book". After doing some digging I found the answer (macosxhints, always, awesome)..

Warning before you start: This procedure will wipe all the included files on this drive. Personally I had no use for them, but you may want to save them.

To clarify this URL, here's the visual:

Image 1: rather than select the partition on the device, select the device. This will give you the "Partition" tab, between "Erase" and "RAID". Pick Volume Scheme: 1 Partition. Name your partition, pick "Mac OS Extended (Journaled)" if you are going to use it for Time Machine as I am, and then select "Options..."

Image 2: Inside Options, pick "Apple Partition Map". By default it will have "Master Boot Record" selected, which is where Disk Utility runs into trouble.

Click OK inside Options, and then Apply, and vavoom, you're off. If you want to feel safe about the change you can always remove the partition again and re-create it. From there you just have to configure your Time Machine.

This drive is also advertised as 30% more energy efficient than standard systems. I can guarantee that's the case for the drive that it's replacing.



Points of Interest

  • Disk Utility
  • Time Machine propaganda
  • The sale at Best Buy Canada

Footnotes
[1] Oh, yes Internet, I know... if I scoured the dregs of online computer stores I'm sure I could find some better door-smasher deal. I'm not going to weep tears over $15 worth of savings that would cost me a virtual $30 of hassle (and shipping perhaps). /snark_mode OFF :)
