Shaun Stanislaus’s Tech blog


FBI accuses Twitter user of massacre threats

An Oklahoma City man who allegedly threatened on Twitter to turn a tax protest into a massacre has been arrested on suspicion of making interstate threats in what is believed to be the first federal prosecution based on posts made to the micro-blogging site.

The FBI arrested Daniel Knight Hayden, 52, after agents identified him as Twitter user CitizenQuasar. Using the micro-blogging site, Hayden allegedly threatened to start a “war” against the government at the Oklahoma City Capitol where a “Tea Party” tax protest was planned.

“START THE KILLING NOW! I am willing to be the FIRST DEATH!,” read a message posted at 8:01 p.m. on April 11, which was followed by, “After I am killed on the Capitol Steps, like a REAL man, the rest of you will REMEMBER ME!!!” Another post said: “I really don’ give a (expletive) anymore. Send the cops around. I will cut their heads off the heads and throw the(m) on the State Capitol steps.”

Hayden directed many of his tweets toward another Oklahoma City man he erroneously thought was an organizer of the protest. Wired tracked down Earl Shaffer, a 68-year-old retiree whom Hayden allegedly tweeted about, including posts with his phone number.

“He seemed to know stuff about me, but I don’t know how or why,” Shaffer told Wired. “He called me a few days before that tea party and let me know somehow he got my name as one of the organizers. I don’t have the energy.”

Shaffer told ZDNet Asia’s sister site CNET News.com that he has never met Hayden and is unnerved by the situation.

“I have no idea who this guy is,” Shaffer said. “It is very much a concern that he mentions my being killed.”

One of the last messages posted to the site on April 15 says CitizenQuasar is “Locked AND loaded for the Oklahoma State Capitol. Let’s see what happens.”

Hayden was arraigned on April 16 and released to an Oklahoma City halfway house, according to various media reports.

The U.S. intelligence community has expressed concern that terrorists might use Twitter to coordinate attacks. A draft Army intelligence report prepared by the 304th Military Intelligence Battalion and posted to the Federation of American Scientists Web site examined the possible ways terrorists could use mobile and Web technologies such as the Global Positioning System, digital maps, and Twitter mashups to plan and execute terrorist attacks.

This article was first published as a blog post on CNET News.


April 28, 2009 | IT News, Security

Twitter spoofing: The next logical exploit

First it was spoofing e-mail, then IM, and now spoofing Twitter is the new means of exploit. How attractive really is the ROI for attackers?

I just completed an article titled “URL shortening: Yet another security risk”, in which I discussed URL shortening and how phishers/attackers subverted it to drive unsuspecting users to malicious Web sites.

After reading the many comments, I was happy to note that in general users are getting savvier about misdirection exploits.

This appears to apply to Twitter as well, even though messages, or tweets, with shortened links make it more vulnerable.

Fortunately, Twitter has an additional advantage in that we the users get to pick who can send us tweets. This capability significantly reduces the risk simply because you know who’s sending you the message.

Well, maybe not

I’ve just finished reading an article by Washington Post’s Brian Krebs titled “Twitter security hole left accounts open to hijack”. It seems that it’s not that difficult to spoof Twitter messages.

Krebs quoted Lance James, a security researcher and author of “Phishing exposed”:

“Anyone could authenticate and hijack a Twitter account by using SMS spoofing services, such as my-cool-sms.com, or phonytext.com. These Web sites allow users to mask what phone number they are texting from by letting the user input whatever phone number they want to appear in the from field.”

Oh great, this totally negates the one advantage that Twitter had over IM and e-mail. It’s not hard to see that phishers/attackers would want to leverage SMS spoofing along with URL shortening to redirect victims to malicious Web sites.

Help from the cellular network operators

One good thing that Krebs alluded to was the fact that SMS spoofing may only work if the attacker is located outside of the United States:

“Twitter co-founder Biz Stone wrote in an e-mail. [Mobile] carriers in the U.S. have their own systems for blocking SMS spoofing. Indeed, most U.S.-based mobile carriers have put in place measures to block SMS spoofing on their networks. But this is generally not the case for international mobile networks.”

It appears that the United States is one of the few countries forcing cellular carriers to clamp down on SMS spoofing. That’s great, but spoofing Twitter messages is still possible just about everywhere else. I’ll give you two guesses where most phishing and malware exploits originate, and the first one doesn’t count.

Proof of concept

H Security (a German security company) verified that SMS spoofing works in an article titled “Twitter spoofing fix fails in UK and Germany”. The article provides the following details of the process:

“In the UK, we had a mobile phone associated with a Twitter account. By taking only the number of the mobile phone and setting it as the sender field on PhonyText then sending an SMS to +447624801423, the UK number for sending SMS tweets, we were able to see our message appear in the tweets on the honline page.”

The article goes on to explain what this potentially means:

“We then promptly removed the association between the phone and the Twitter account. An attacker could have created a message directing followers to malware sites, to other risky locations on the web, or posted tweets designed to ruin the reputation of the account owner.”
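The design weakness behind the behaviour quoted above is that the claimed sender number is the only credential. The following is an added example, not code from Twitter, H Security or the original post: a small model of an SMS-to-account gateway that compares sender-only acceptance with a variant requiring a per-account PIN plus a lockout against PIN guessing. The PIN scheme, the lockout threshold, the class and method names, and all phone numbers and account names are assumptions made for illustration.

```python
import hmac

MAX_FAILURES = 5  # assumed lockout threshold, not taken from the article


class SmsGateway:
    """Toy model of a service that turns inbound SMS into account posts."""

    def __init__(self, bindings, pins):
        self.bindings = bindings  # phone number -> account name
        self.pins = pins          # account name -> PIN (hypothetical second factor)
        self.failures = {}        # account name -> consecutive bad PINs

    def post_sender_only(self, sender, body):
        """Weak design: whoever sets the 'from' field controls the account."""
        account = self.bindings.get(sender)
        return (account, body) if account else None

    def post_with_pin(self, sender, body):
        """Sender number only selects the account; the PIN authenticates."""
        account = self.bindings.get(sender)
        if account is None or self.failures.get(account, 0) >= MAX_FAILURES:
            return None
        pin, _, text = body.partition(" ")
        # Constant-time comparison so timing does not leak PIN digits.
        if not hmac.compare_digest(pin.encode(), self.pins[account].encode()):
            self.failures[account] = self.failures.get(account, 0) + 1
            return None
        self.failures[account] = 0
        return (account, text) if text else None


def demo():
    # Constructed sample data: a reserved test number and a made-up account.
    number = "+447700900123"
    gw = SmsGateway({number: "alice"}, {"alice": "4821"})
    spoofed = (number, "visit hxxp://short.example/x")  # forged sender field
    results = {
        "weak_accepts_spoof": gw.post_sender_only(*spoofed) is not None,
        "pin_rejects_spoof": gw.post_with_pin(*spoofed) is None,
        "pin_accepts_owner": gw.post_with_pin(number, "4821 hello") == ("alice", "hello"),
    }
    for guess in range(MAX_FAILURES):  # simulate PIN guessing over spoofed SMS
        gw.post_with_pin(number, f"{guess:04d} x")
    results["locked_after_guessing"] = gw.post_with_pin(number, "4821 hello") is None
    return results


if __name__ == "__main__":
    print(demo())
```

In this model a locked account needs an out-of-band reset (for example through the web login), which trades a temporary loss of SMS posting for resistance to guessing.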

What this means

First, the ability to spoof a Twitter message enhances all the normal misdirection schemes that are already in play. The fact that shortened URLs are commonplace in Twitter messages makes it even easier to pull the scheme off.

The damages from the SMS spoofing and URL shortening exploit can be as simple as malware being loaded on victims’ computers to as complex as stealing sensitive financial information from the victims. Also, a cruel joke could be played on Twitter accounts that don’t have unlimited texting. It would be easy to run up some monster phone bills as noted in the Twitter support section:

“Twitter charges you nothing, but how much it costs to use Twitter with text messaging depends on your text messaging plan. Standard text messaging rates (such as international text messaging fees) do apply. Consult your service provider to ensure that your text plan covers your Twitter usage. If you’re using our international number, give your provider the Twitter phone number you’ll be using to see if you’ll incur extra charges. If you’re using Twitter from outside of the US, please consult your carrier, as every provider has a different policy.”

Final thoughts

Following spoofing’s logical progression was easy for the phishers and malware creators of the world. Yet, from the comments I’ve read, it seems like it’s getting harder for them to find chinks in the armor. That’s good and should be heartening to all of the people who are trying to keep the Internet the amazing place it is.

Still, there needs to be awareness and vigilance as long as the possibility of an ROI is perceived by the dark side.

April 15, 2009 | hacker, IT News, Security