Shaun Stanislaus’s Tech blog

Just another WordPress.com weblog

Twitter tools | Great for now, but will they last forever?

In the broad social networking space, Twitter is unique in that there are a large number of free applications available. IT pro Shaun Stanislaus shares some thoughts on this broad area of accompanying tools for the service.

Recently, I mentioned that I am a fan of Twitter. One of the nice things about Twitter is that there are so many applications that allow you to post, or tweet, compared to other social networking sites. It is easy to tell how someone tweets; from your homepage you can see when and how a person has made their tweets. Figure A below shows my tweet about writing this very blog:

Figure A

This shows that I made the tweet with the Twitter Opera widget, an add-on to the Opera browser, for my Twitter feed. Looking closely at Twitter, there is a wide distribution of tools people use to tweet. This is primarily because the Twitter API is very straightforward and well documented for application developers to follow.

But, there are so many tools out there. Here are a few of the popular Twitter applications and Web sites:

Trillian: A powerful all-in-one applet for many social networking services.

Bit.Ly: A nice follow-up from a URL shortening service.

Tweetie: “The Mac people love it”

Tweetdeck: Another social network consolidation application.

Twhirl: Multiple service consolidation, URL shortening, image posting with pictures.

Twitterfeed: A blog to Twitter application.

Twitterfon: iPhone and iPod Twitter application.

Twittelator: Another iPhone Twitter client.

Ping.fm: A multi-service consolidation client.

Twitterfox: A Firefox extension for the popular browser.

Twitterrific: Mac and iPhone Twitter application.

Ubertwitter: Mobile device Twitter client.

Seesmic: Twitter and Facebook client.

Tweed: Palm-based Twitter client.

Twaitter: A time-delayed Twitter posting application.

Twinbox: An Outlook-based Twitter client.

TwitterBerry: A BlackBerry-based Twitter client.

And that is just a quick look at what people are using to post. Of course you can go fully old-school and post via the web browser.

With all these tools out there, a number of points need to be made. Above all else, all of the Twitter tools won’t be around forever. Some of these organizations will fail or the Twitter API will be updated and the applications won’t support it without further development. The other important thing to consider is the source of these tools. This goes for any community-developed or open source application. Simply think about what you are using for your Twitter stream (or any other social networking service) and the origin of the software. Further, if you are running some sort of business off a Twitter application – make sure you can move everything you do to another application if needed.

July 28, 2009 | Uncategorized

FBI accuses Twitter user of massacre threats

An Oklahoma City man who allegedly threatened on Twitter to turn a tax protest into a massacre has been arrested on suspicion of making interstate threats in what is believed to be the first federal prosecution based on posts made to the micro-blogging site.

The FBI arrested Daniel Knight Hayden, 52, after agents identified him as Twitter user CitizenQuasar. Using the micro-blogging site, Hayden allegedly threatened to start a “war” against the government at the Oklahoma City Capitol where a “Tea Party” tax protest was planned.

“START THE KILLING NOW! I am willing to be the FIRST DEATH!,” read a message posted at 8:01 p.m. on April 11, which was followed by, “After I am killed on the Capitol Steps, like a REAL man, the rest of you will REMEMBER ME!!!” Another post said: “I really don’ give a (expletive) anymore. Send the cops around. I will cut their heads off the heads and throw the(m) on the State Capitol steps.”

Hayden directed many of his tweets toward another Oklahoma City man he erroneously thought was an organizer of the protest. Wired tracked down Earl Shaffer, a 68-year-old retiree who Hayden allegedly tweeted about, including posts with his phone number.

“He seemed to know stuff about me, but I don’t know how or why,” Shaffer told Wired. “He called me a few days before that tea party and let me know somehow he got my name as one of the organizers. I don’t have the energy.”

Shaffer told ZDNet Asia’s sister site CNET News.com that he has never met Hayden and is unnerved by the situation.

“I have no idea who this guy is,” Shaffer said. “It is very much a concern that he mentions my being killed.”

One of the last messages posted to the site on April 15 says CitizenQuasar is “Locked AND loaded for the Oklahoma State Capitol. Let’s see what happens.”

Hayden was arraigned on April 16 and released to an Oklahoma City halfway house, according to various media reports.

The U.S. intelligence community has expressed concern that terrorists might use Twitter to coordinate attacks. A draft Army intelligence report prepared by the 304th Military Intelligence Battalion and posted to the Federation of American Scientists Web site examined the possible ways terrorists could use mobile and Web technologies such as the Global Positioning System, digital maps, and Twitter mashups to plan and execute terrorist attacks.

This article was first published as a blog post on CNET News.

April 28, 2009 | IT News, Security

Top 13 Twitter Don’ts

The number of new Twitter users has soared over the past few months, as the microblogging service has taken the media by storm. If you’re one of those new users, you may be baffled by Twitter’s peculiar culture, or nervous that you’ll commit some kind of microblogging faux pas.

Don’t worry, we’re here to help. While there aren’t specific rules for how to use Twitter, avoiding these 13 Don’ts will help you fit right in—and may even gain you some adoring new followers.

1. Don’t live-tweet TV shows. @CorinneIOZO warns that lots of people use DVRs or watch shows on Hulu these days, so spoiling big moments (“OMG, the smoke monster was actually from outer space! No way!”) is a major no-no. As an alternative, tweet an inside joke that the show’s viewers will get, but that doesn’t give away any important details.

2. Don’t say anything that could get you fired or prevent you from getting a job. @JoelSD points out that if your tweets are public, they really are open to everyone, as has been demonstrated time and time again.

3. Don’t be boring. A simple rule that @kmonson follows is “Never tweet about food or the weather.” If your friends see one more “Good morning Twitterverse!” or “I had some awesome corn flakes for breakfast,” you’re getting un-followed.

4. Don’t forget the Twitter lingo: RT is retweet, and @name is how you respond or give props to someone. Feel free to be generous with both your RTs and your @s.

5. Don’t tweet more than ten times a day, or more than five times an hour, says @JasonCross00. It gets annoying and takes space and attention away from other Twitterers’ links and observations. If you have that much to say, maybe it belongs on a blog.

6. Don’t reply to every single tweet. As @seanludwig points out, it gets old fast.

7. Don’t tweet drunk, cautions @whitneyarner. Just like in real life, your followers might get a kick out of your drunk tweets, but you’ll probably regret them in the morning.

8. Don’t tell us about something cool or life-changing without a link or picture (use a service like TwitPic for your photos, and a URL shortener like TinyURL or is.gd for your links).

9. Don’t retweet something and leave off the original Twitter poster. Always give credit to those who wrote it first.

10. Don’t ignore people who send you a direct message or a reply, says @LanceUlanoff. Part of the Twitter experience involves conversing with your followers when possible.

11. Don’t #hashtag every topic. After a while, your topics will be ignored.

12. Don’t whine about people not following you, pleads @SaschaSegan. If you’re good at providing interesting stuff and you’re patient, you’ll get the followers you crave so badly.

13. Don’t tweet your bathroom habits. Seriously. Just don’t do it.

April 20, 2009 | Uncategorized

Twitter spoofing: The next logical exploit

First it was spoofing e-mail, then IM, and now spoofing Twitter is the new means of exploit. How attractive really is the ROI for attackers?

I just completed an article titled “URL shortening: Yet another security risk”, in which I discussed URL shortening and how phishers/attackers subverted it to drive unsuspecting users to malicious Web sites.

After reading the many comments, I was happy to note that in general users are getting savvier about misdirection exploits.

This appears to apply to Twitter as well, even though its messages, or tweets, with shortened links make it more vulnerable.

Fortunately, Twitter has an additional advantage in that we the users get to pick who can send us tweets. This capability significantly reduces the risk simply because you know who’s sending you the message.

Well, maybe not

I’ve just finished reading an article by Washington Post’s Brian Krebs titled “Twitter security hole left accounts open to hijack”. It seems that it’s not that difficult to spoof Twitter messages.

Krebs quoted Lance James, a security researcher and author of “Phishing exposed”:

“Anyone could authenticate and hijack a Twitter account by using SMS spoofing services, such as my-cool-sms.com, or phonytext.com. These Web sites allow users to mask what phone number they are texting from by letting the user input whatever phone number they want to appear in the from field.”

Oh great, this totally negates the one advantage that Twitter had over IM and e-mail. It’s not hard to see that phishers/attackers would want to leverage SMS spoofing along with URL shortening to redirect victims to malicious Web sites.

Help from the cellular network operators

One good thing that Krebs alluded to was the fact that SMS spoofing may only work if the attacker is located outside of the United States:

“Twitter co-founder Biz Stone wrote in an e-mail. [Mobile] carriers in the U.S. have their own systems for blocking SMS spoofing. Indeed, most U.S.-based mobile carriers have put in place measures to block SMS spoofing on their networks. But this is generally not the case for international mobile networks.”

It appears that the United States is one of the few countries forcing cellular carriers to clamp down on SMS spoofing. That’s great, but spoofing Twitter messages is still possible just about everywhere else. I’ll give you two guesses where most phishing and malware exploits originate, and the first one doesn’t count.

Proof of concept

H Security (a German security company) verified that SMS spoofing works in an article titled “Twitter spoofing fix fails in UK and Germany”. The article provides the following details of the process:

“In the UK, we had a mobile phone associated with a Twitter account. By taking only the number of the mobile phone and setting it as the sender field on PhonyText then sending an SMS to +447624801423, the UK number for sending SMS tweets, we were able to see our message appear in the tweets on the honline page.”

The article goes on to explain what this potentially means:

“We then promptly removed the association between the phone and the Twitter account. An attacker could have created a message directing followers to malware sites, to other risky locations on the web, or posted tweets designed to ruin the reputation of the account owner.”
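An added example (not from the original article, and not Twitter's code) modelling the weakness described above: an inbound SMS handler that picks the account from the sender field alone, next to one that also requires a secret in the message body. The phone number, PIN, function names and the PIN-plus-lockout scheme are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed data: the number, account name and PIN are invented for this example.
PHONE_TO_ACCOUNT = {"+15555550100": "alice"}
SALT = b"example-salt"
MAX_FAILURES = 3
FAILURES = {}  # account -> consecutive wrong-PIN count


def hash_pin(pin):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 100_000)


PIN_HASHES = {"alice": hash_pin("4821")}


def post_trusting_sender(sender, body):
    """Weak model: the sender field alone decides whose timeline gets the post."""
    account = PHONE_TO_ACCOUNT.get(sender)
    return None if account is None else (account, body)


def post_requiring_pin(sender, body):
    """Hardened model: the sender only selects the account; a leading PIN authenticates."""
    account = PHONE_TO_ACCOUNT.get(sender)
    if account is None or FAILURES.get(account, 0) >= MAX_FAILURES:
        return None  # unknown number, or SMS posting locked after repeated failures
    pin, _, text = body.partition(" ")
    if not text:
        return None  # nothing to post
    # Constant-time comparison avoids leaking how much of the hash matched.
    if not hmac.compare_digest(hash_pin(pin), PIN_HASHES[account]):
        FAILURES[account] = FAILURES.get(account, 0) + 1
        return None
    FAILURES[account] = 0
    return (account, text)


if __name__ == "__main__":
    # A message whose sender field was filled in by someone other than the owner.
    spoofed = ("+15555550100", "check out this link")
    genuine = ("+15555550100", "4821 writing a blog post")
    print("trusting sender:", post_trusting_sender(*spoofed))
    print("requiring PIN, spoofed:", post_requiring_pin(*spoofed))
    print("requiring PIN, genuine:", post_requiring_pin(*genuine))
```

The lockout is what keeps a short PIN from being guessed over repeated messages, at the cost of letting a third party disable SMS posting for that account until the owner re-enables it.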

What this means

First, the ability to spoof a Twitter message enhances all the normal misdirection schemes that are already in play. The fact that shortened URLs are commonplace in Twitter messages makes it even easier to pull the scheme off.

The damages from the SMS spoofing and URL shortening exploit can be as simple as malware being loaded on victims’ computers to as complex as stealing sensitive financial information from the victims. Also a cruel joke could be played on Twitter accounts that don’t have unlimited texting. It would be easy to run up some monster phone bills as noted in the Twitter support section:

“Twitter charges you nothing, but how much it costs to use Twitter with text messaging depends on your text messaging plan. Standard text messaging rates (such as international text messaging fees) do apply. Consult your service provider to ensure that your text plan covers your Twitter usage. If you’re using our international number, give your provider the Twitter phone number you’ll be using to see if you’ll incur extra charges. If you’re using Twitter from outside of the US, please consult your carrier, as every provider has a different policy.”

Final thoughts

Following spoofing’s logical progression was easy for the phishers and malware creators of the world. Yet, from the comments I’ve read, it seems like it’s getting harder for them to find chinks in the armor. That’s good and should be heartening to all of the people who are trying to keep the Internet the amazing place it is.

Still, there needs to be awareness and vigilance as long as the possibility of an ROI is perceived by the dark side.

April 15, 2009 | hacker, IT News, Security