HOWTO: Protect Yourself On Twitter (Lessons Learned From The StalkDaily/Mikeyy Worms)
UPDATE: This article was written prior to the return of the Mikeyy virus, but the advice remains relevant and is good practice.
Thus far, nobody really knows what happened yesterday on Twitter with the StalkDaily exploit. There has been some speculation, and the good news is that Twitter moved quickly to eliminate the problem. A 17-year-old by the name of Mikeyy Mooney has claimed credit for the script, and looks responsible for the latest one that is doing the rounds (or is being scapegoated/glorified).
Twitter claims that nothing was jeopardised and I’m inclined to believe them. Still, when I recommended folk reset their passwords yesterday I was quite surprised at how many responses I got claiming that this course of action was either unnecessary or mad.
Here’s what I think: even if there was no risk to your password, why take the risk? If StalkDaily or whoever was responsible managed to find a way to add a script to my profile through a loophole on Twitter, what’s to stop them, or that script, doing something else?
Surely a policy of ‘better safe than sorry’ applies in all cases like this? If it later turns out that your password was never at risk, you can change it back; if there is any chance it was exposed, retire it for good, because an attacker who has obtained a password does not forget it. Hindsight is twenty-twenty.
StalkDaily received enormous publicity – indeed, it was this blog’s best-ever day. We doubled our subscriber rate and got a huge amount of mentions within the Twittersphere.
On the flip side, because of its success, it’s opened the door for copycat attacks, such as Mikeyy, which is currently running riot. I’d expect a few days of similar activity within the stream. Hopefully Twitter will continue to be on the ball.
In the meantime, what can we do to protect ourselves, both now and in the future?
1. Use A Twitter Client
Both StalkDaily and Mikeyy seem to be spreading via visits to user profiles on Twitter.com. A desktop client such as TweetDeck does not render those profile pages, so using one removes a lot of the initial risk. Note that a link clicked inside the client still opens in your browser, so this only helps if you also avoid following links to infected profiles.
2. Avoid Visiting User Profiles On Twitter.com
This applies only during periods of worm infection. Certainly do not visit any user profiles that are obviously infected or that mention having been. Use common sense here: if somebody is making repeated tweets about a product or website and it seems out of character, avoid their profile (and their direct messages).
3. Change Your Password
Again: why take the risk? I hope there has been no major exploit of user accounts, but just in case there has, is it not entirely sensible to be careful? Changing your password periodically does no harm, but what matters most is changing it promptly whenever a compromise is possible, and never going back to a password that may have been exposed. Make sure your password is complex and at least eight characters long. Use a password generator if you need some ideas.
4. Clean Up Your System
Download Spybot or a similar application that scans your system for malicious software. Run it today and then frequently thereafter. Again, there is no evidence that StalkDaily or anything else on Twitter exploited your machine but why take the chance?
5. Politely Warn People Who Are Clearly Infected
It’s pretty amazing how many people seemed unaware they were infected by the worm(s) until being told. If you see that somebody is clearly infected – and it was obvious with StalkDaily and Mikeyy because everybody sent out the same tweets – let them know with a polite reply. Don’t visit their profile, and don’t announce to your followers that they are infected, as this just increases the chance that other people will visit their profile and may well hurt their reputation. (Indeed, consider deleting your warning tweet once they have resolved the issue.) Infection is nobody’s fault – it’s always accidental – but you can do your part to make sure infected users are aware of the problem.
6. Be Wary About Clicking On Shortened URLs
This applies especially during a period of infection. Twitter is built around a 140-character limit and shortened URLs are an essential part of that system. However, if you’re at all concerned about a shortened URL, use a service like ExpandMyURL, which shows you exactly where the link leads before you follow it.
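The check a URL-expanding service performs can be done by hand, and it is worth seeing why it is safe: only response headers are read, hop by hop, so the final page is never loaded. The following is an added example, not code from the original post or from ExpandMyURL. The `fetchHead` function is a hypothetical injected interface returning `{ status, location }` for a URL; in Node or a browser you would back it with `fetch(url, { method: "HEAD", redirect: "manual" })`. Here it is backed by a constructed redirect table so the example runs offline.

```javascript
// Added example (not from the original post): expand a shortened URL by
// following redirects one hop at a time, reading only the response headers,
// so the final page is never actually loaded. "fetchHead" is a hypothetical
// injected interface returning { status, location } for a URL; here it is
// backed by a constructed table instead of real HTTP requests.
const MAX_HOPS = 10;

function expandUrl(shortUrl, fetchHead, maxHops = MAX_HOPS) {
  const chain = [shortUrl];
  const seen = new Set([shortUrl]);
  let current = shortUrl;
  for (let hop = 0; hop < maxHops; hop++) {
    const { status, location } = fetchHead(current);
    // Anything that is not a 3xx with a Location header is the destination.
    if (status < 300 || status >= 400 || !location) {
      return { finalUrl: current, chain, status: "resolved" };
    }
    // Location may be relative; resolve it against the URL that sent it.
    const next = new URL(location, current).toString();
    if (seen.has(next)) {
      return { finalUrl: next, chain: [...chain, next], status: "loop" };
    }
    seen.add(next);
    chain.push(next);
    current = next;
  }
  return { finalUrl: current, chain, status: "too-many-hops" };
}

// Things worth looking at before clicking through: a chain that never
// settled, an https link that ends up on plain http, or an unusually long
// chain of hops (several shorteners stacked on top of each other).
function assessChain(result) {
  const warnings = [];
  const first = new URL(result.chain[0]);
  const last = new URL(result.finalUrl);
  if (result.status !== "resolved") warnings.push(`redirect ${result.status}`);
  if (first.protocol === "https:" && last.protocol === "http:") warnings.push("downgrade to http");
  if (result.chain.length > 3) warnings.push("long redirect chain");
  return warnings;
}

// Constructed offline redirect table standing in for real shortener responses.
const FAKE_HEADERS = {
  "https://sho.rt/abc": { status: 301, location: "https://other.sh/xyz" },
  "https://other.sh/xyz": { status: 302, location: "/landing" },
  "https://other.sh/landing": { status: 302, location: "http://example.test/page" },
  "http://example.test/page": { status: 200 },
  "https://sho.rt/loop1": { status: 301, location: "https://sho.rt/loop2" },
  "https://sho.rt/loop2": { status: 301, location: "https://sho.rt/loop1" },
};
const fakeFetchHead = (url) => FAKE_HEADERS[url] || { status: 404 };

const result = expandUrl("https://sho.rt/abc", fakeFetchHead);
console.log(result.chain.join(" -> "), assessChain(result));
```

The hop limit and the `seen` set matter: a malicious shortener can redirect forever, and without them a naive expander hangs. The warnings are heuristics, not verdicts; a long chain or a downgrade to http is a reason to look harder, not proof of anything.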
7. Keep Your Eyes Open
Be sensible on Twitter, this week and in the future. This will not be an isolated incident. There’s no need to panic – this isn’t the T-Virus – but be mindful when visiting websites or user profiles on Twitter, certainly if you have any reason to be suspicious.
Regularly check your own profile to see if you are or have been sending out tweets that you did not write. If so, always delete them, use Twitter search to find a solution, and take action. Monitor Twitter’s status page closely.
You might consider a subscription to security expert Graham Cluley’s blog. Graham was very on-the-ball about the worms and seems to know his stuff.
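The tell that made StalkDaily and Mikeyy obvious was that many unrelated accounts posted the same text within minutes of each other, and the check in point 7 is simply to ask whether any of your own tweets match such a text. The following is an added example, not code from the original post: a small detector that groups tweets by normalised text, counts distinct authors inside a sliding time window, and then filters your own timeline against the flagged texts. Tweets are `{ user, ts, text }` objects with `ts` in seconds; the sample tweets are constructed for the demo and are not the real worm text.

```javascript
// Added example (not from the original post): a detector for the signature
// that gave StalkDaily/Mikeyy away, namely many distinct accounts posting the
// same text within a short window. Tweets are { user, ts (seconds), text };
// the sample below is constructed for the demo and is not real worm text.

// Lower-case, collapse whitespace and mask URLs so that copies differing only
// in a per-victim link or capitalisation still group together.
function normalize(text) {
  return text.toLowerCase().replace(/https?:\/\/\S+/g, "<url>").replace(/\s+/g, " ").trim();
}

// Return one entry per text that was posted by at least minAccounts distinct
// accounts inside some windowSeconds span.
function findMassDuplicates(tweets, { minAccounts = 5, windowSeconds = 3600 } = {}) {
  const groups = new Map();
  for (const t of tweets) {
    const key = normalize(t.text);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(t);
  }
  const suspicious = [];
  for (const [key, group] of groups) {
    group.sort((a, b) => a.ts - b.ts);
    // Sliding window over time, counting distinct authors inside it.
    const inWindow = new Map();
    let start = 0;
    for (let end = 0; end < group.length; end++) {
      inWindow.set(group[end].user, (inWindow.get(group[end].user) || 0) + 1);
      while (group[end].ts - group[start].ts > windowSeconds) {
        const u = group[start].user;
        inWindow.set(u, inWindow.get(u) - 1);
        if (inWindow.get(u) === 0) inWindow.delete(u);
        start++;
      }
      if (inWindow.size >= minAccounts) {
        suspicious.push({
          text: key,
          accounts: new Set(group.map((g) => g.user)),
          firstSeen: group[0].ts,
        });
        break;
      }
    }
  }
  return suspicious;
}

// The check from the article: which of my own tweets match a mass-duplicated text?
function myInfectedTweets(tweets, me, opts) {
  const flagged = new Set(findMassDuplicates(tweets, opts).map((s) => s.text));
  return tweets.filter((t) => t.user === me && flagged.has(normalize(t.text)));
}

// Constructed sample: six accounts echo one message within a few minutes,
// alongside ordinary chatter. ts values are seconds from an arbitrary origin.
const SAMPLE_TWEETS = [
  { user: "alice", ts: 1000, text: "Morning all, coffee first then code." },
  { user: "bob", ts: 1010, text: "Good morning!" },
  { user: "carol", ts: 1020, text: "good morning" },
  { user: "alice", ts: 1100, text: "Wow, everyone check out this site! http://example.test/a1" },
  { user: "bob", ts: 1130, text: "Wow, everyone check out this site! http://example.test/b2" },
  { user: "carol", ts: 1160, text: "wow, everyone check out this site!  http://example.test/c3" },
  { user: "dave", ts: 1200, text: "Wow, everyone check out this site! http://example.test/d4" },
  { user: "erin", ts: 1250, text: "Wow, everyone check out this site! http://example.test/e5" },
  { user: "bob", ts: 1300, text: "Wow, everyone check out this site! http://example.test/b6" },
  { user: "frank", ts: 9000, text: "Wow, everyone check out this site! http://example.test/f7" },
];

console.log(findMassDuplicates(SAMPLE_TWEETS));
console.log(myInfectedTweets(SAMPLE_TWEETS, "alice"));
```

The URL masking is what makes this work against a worm that gives every victim a slightly different link; the threshold and window are tuning knobs, and a genuinely popular retweet will trip them too, so treat a hit as a prompt to look at the accounts involved rather than as proof of infection.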
Bonus Tip
If you use Firefox, install the free NoScript extension. It blocks scripts from sites you have not explicitly allowed and filters many cross-site scripting attempts, which would have blunted worms like StalkDaily and Mikeyy. It is not a complete defence, though: script injected into a site you have already allowed to run scripts (such as Twitter.com itself) can still execute.
(Switching to a Mac does not help here. XSS runs inside the browser, against the website, so the operating system makes no difference.)
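Since the operating system is irrelevant to XSS, it is worth being concrete about where the loophole actually lives and what closing it looks like. The following is an added, illustrative example and not Twitter's code or a description of Twitter's actual bug: a generic profile-rendering function that pastes user-controlled fields straight into HTML, next to a hardened version that encodes each value for the context it lands in. The profile object, the `steal` identifier and the `worm.example` host are constructed placeholders.

```javascript
// Added example (illustrative, not Twitter's code): how a profile field turns
// into a stored XSS vector, and the output encoding that closes that class of
// loophole. The profile object is constructed; "steal" and "worm.example" are
// placeholders, not a real payload.

// HTML entity encoding for text placed in an element body or a double-quoted
// attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Links: only absolute http/https URLs are allowed; javascript:, data: and
// anything unparseable become a harmless "#".
function safeHref(value) {
  try {
    const u = new URL(String(value));
    if (u.protocol === "http:" || u.protocol === "https:") return escapeHtml(u.href);
  } catch (_) {
    // not an absolute URL
  }
  return "#";
}

// Vulnerable rendering: user-controlled fields pasted straight into markup.
function renderProfileUnsafe(profile) {
  return `<p class="bio">${profile.bio}</p>` +
    `<a href="${profile.website}" title="${profile.name}">${profile.name}</a>`;
}

// Hardened rendering: every user-controlled value is encoded for the context
// it lands in (element text, attribute value, URL attribute).
function renderProfileSafe(profile) {
  const name = escapeHtml(profile.name);
  return `<p class="bio">${escapeHtml(profile.bio)}</p>` +
    `<a href="${safeHref(profile.website)}" title="${name}">${name}</a>`;
}

// Demo check: does the markup carry a <script> element, an inline event
// handler attribute or a javascript: href? It tokenises tags and their
// double-quoted attributes rather than grepping, so encoded text inside an
// attribute value does not trigger a false positive.
function hasActiveContent(html) {
  const tags = html.match(/<[a-z][^>]*>/gi) || [];
  for (const tag of tags) {
    if (/^<script\b/i.test(tag)) return true;
    const attr = /([a-z-]+)\s*=\s*"([^"]*)"/gi;
    let m;
    while ((m = attr.exec(tag)) !== null) {
      const [, name, value] = m;
      if (/^on/i.test(name)) return true;
      if (name.toLowerCase() === "href" && /^\s*javascript:/i.test(value)) return true;
    }
  }
  return false;
}

// Constructed hostile profile in the shape a worm would leave behind.
const HOSTILE_PROFILE = {
  name: 'Mallory" onmouseover="steal()',
  bio: '<script src="https://worm.example/payload.js"></script>Hi there',
  website: "javascript:steal()",
};

console.log(hasActiveContent(renderProfileUnsafe(HOSTILE_PROFILE))); // true
console.log(hasActiveContent(renderProfileSafe(HOSTILE_PROFILE)));   // false
```

The point of the three separate injection sites (element text, attribute value, URL) is that one encoder does not cover them all: entity encoding neutralises the script tag and the attribute breakout, but a `javascript:` URL survives entity encoding intact and needs a scheme allow-list instead. None of this is visible to the user's browser or operating system; it is entirely a server-side rendering decision, which is why the fix had to come from Twitter.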
Conclusion
A lot of people have been impacted by StalkDaily and others over the past 24 hours. Twitter acted quickly to resolve the situation and one positive from malicious attacks is that they expose loopholes that can be closed to prevent similar and more damaging hacking attempts in the future. StalkDaily didn’t really do much harm, but now that exploit is closed it prevents a more dangerous assault from taking place.
Possibly, it’s exposed our own loopholes, too, as users. There is definitely no need to panic – Twitter contains very little personal information about us and the likely worst-case scenario of a total hack would be losing your account – but by following the advice above and taking precautions about how you engage with Twitter or any other network you can significantly reduce the risk of this happening to you again.

Twitter lied – the attack was not over and it continued today on Sunday too.
There’s a 0 day way to protect yourself from XSS attacks – use Firefox and install NoScript; the latter blocks XSS attacks (and more).
Thanks for your tip Amanda.
I meant to mention NoScript when I wrote the piece but forgot; has been added now.
Does anyone know if there is an equivalent add-on for Google Chrome?
All great advice but I would have to disagree on Number 1 “Use A Twitter Client” – I think one may be just trading one potential vulnerability for another. While there may not have been any public vulnerabilities on TweetDeck or other Twitter Apps, that does not mean there will not be.
The guys at the pauldotcom podcast recently exposed their use of base64 in passing the user’s password.
reference: http://www.pauldotcom.com/wiki/index.php/Episode144
Also, TweetDeck, like many other apps, is built upon other platforms. In the case of TweetDeck, Adobe AIR. AIR makes me a bit nervous as it recently came out of Beta and Adobe has not had the best track record to date with vulnerabilities.
I am not picking on TweetDeck as other Twitter apps cause me the same amount of concern.
Just my 2 cents!
Tim
Thanks for your comments Tim. In regard to recommending external apps in this piece, it was in direct relation to the recent worm attacks on Twitter, which specifically exploited Twitter.com. Some folk said they’d been infected using TweetDeck but I saw no direct evidence of this myself (unless you visited an infected Twitter.com profile via clicking on a link within TweetDeck.)
Moreover, as I’ve written elsewhere within this blog, TweetDeck is incredibly stable. It almost never crashes (at least, for me), is hard to knock over, and often keeps on plugging away while the fail whale is thwarting the Twitter.com masses.
I agree that TweetDeck is not infallible; certainly, if it moves beyond its current Twitter share (of 9-10%, I believe) into something sizeable it will almost certainly be a target for hackers. That’s typically the way it works – they target the popular applications (IE, Norton etc) to get the biggest chance of exposure. But until that happens, every new thing is going to focus predominantly on Twitter.com itself, and one thing these worms have shown this Easter weekend is that the development there isn’t as tight as we would have liked. Equally, it’s good to know that these exploits have been closed (hopefully, for good) before something a lot nastier had a look.
Thanks again for your insight.
Your advice to change passwords is good, but I was astonished and disturbed to read “You can always change it back once all the fuss is over.” That’s a VERY bad idea! If a password has been stolen, the cracker is not going to politely forget the password when “the fuss is over”! He/she is going to keep it and attempt to use it in future. NEVER re-use a password that might have been cracked! PLEASE edit your post to remove that sentence so that it won’t be followed by any of your readers who don’t have a good understanding of security.
My point was that if the issue wasn’t password-related, you could always change it back. Obviously if it was, you wouldn’t. In this case, it wasn’t.
I think you need to make that a lot clearer in your article. It wasn’t obvious that that was your point, and not everyone will understand that changing a password back is bad if the password has been cracked. Remember that people could be reading this article long after this particular incident is over and might take your advice at face value.
Yes, fair comment. Have edited the paragraph. Thanks for your thoughts.
Cool. Thanks.
If you want to delete my posts you are most welcome to. They serve no purpose now and I regret my harsh tone in the original now that I know what you meant.
No, it’s fine. Unless you feel very strongly about it, I’d rather preserve the community and leave you with the credit. Thanks.
Your link to LinkNark doesn’t work. Have they gone out of business since this post was originally published?
Sure looks that way. Shame, but you can use http://expandmyURL.com instead.
Sheamus,
Thank you very much for info about http://expandmyURL.com!