Monday, January 11, 2010

Top 10 Facebook and Twitter security stories of 2009

Social Networking Hacks

Facebook and Twitter were in the news constantly throughout 2009, and naturally the social networking sites became magnets for hacker attacks and sparked other types of privacy concerns. CIOs have expressed doubts about the social networking sites, and these stories show there is good reason to be worried. Here, in chronological order, are the top 10 security and privacy stories concerning Facebook and Twitter from the past year.

Jan. 6: Hackers hijack Obama's, Britney's Twitter accounts

Hackers gained control of more than 30 famous Twitter accounts, including those of Barack Obama, Britney Spears and Fox News. Twitter locked the accounts down quickly and restored control to their rightful owners, but not before the hacked accounts were used to send out nasty messages.

Twitter said the accounts were hacked into using the company's own internal support tools. The breach was considered serious enough that Twitter took the support tools offline until they were secured.

April 11: Twitter wrestles with multiple worm attacks

Worm attacks kept Twitter's security team busy for several days, as the site scrambled to identify infected accounts and delete rogue tweets. "Early on Saturday, April 11, the Mikeyy worm started to spread via Twitter posts by encouraging you to click on a link to a rival micro-blogging service," PC World reported. "As soon as you clicked on the link your account would be infected and begin to send out similar messages encouraging your followers to visit StalkDaily. Then your followers would become infected and the worm's infection rate would grow. You could also catch the worm by viewing infected profiles on"

Four attacks were launched between April 11 and 13, but no user account information was stolen.

May 18: Phishers, viruses target Facebook users

This headline could probably be written any day of any year, but we'll just pick a story from May, when identity thieves hit Facebook with phishing attacks designed to gain passwords for profit. Other examples from 2009: A password reset e-mail reported in October turns out to be a virus; again in October some hacked Facebook applications were leading users to fake antivirus programs; and in November hackers used a sexy photo of a woman to lure people to an attack Web site.

July 15: Twitter/Google Apps hack raises questions about cloud security

Twitter executives were victimized when a hacker obtained and distributed more than 300 confidential documents that concerned Twitter's business affairs and were stored on the hosted Google Apps service. Insufficient password strength seemed to be the root cause, and Twitter co-founder Biz Stone said Google was not to blame. The hacker reportedly also claimed to have compromised the Twitter accounts of co-founder Evan Williams, his wife and several employees. Williams denied this, but said his wife's e-mail account was compromised.

Aug. 4: High-profile organizations ban Facebook, Twitter

The U.S. Marine Corps formalized a ban on social networking sites such as Facebook and Twitter, saying "these Internet sites in general are a proven haven for malicious actors and content and are particularly high risk due to information exposure, user generated content and targeting by adversaries." The ban applies to Marine Corps networks, but does not prevent Marines from posting to social networks on their own time.

The Marines were not alone in taking such action. More than half of CIOs have completely prohibited use of social networks during company time, according to a Robert Half Technology survey of more than 1,400 CIOs from U.S. companies with at least 100 employees.

Aug. 6: Twitter victimized by distributed denial-of-service attack

Twitter was taken offline for two hours by a distributed denial-of-service attack, the first Twitter outage lasting longer than five minutes since June 16. Twitter continued to battle the distributed DoS attacks for several days, experiencing several more short outages. The same attack also targeted Facebook, but merely slowed the site down rather than taking it offline. The attack was reportedly politically motivated, and may have been related to the Russia-Georgia conflict. Politics may also have contributed to another Twitter outage on Dec. 18, in which a group called the "Iranian Cyber Army" claimed to take Twitter offline.

Aug. 14: Twitter used to manage botnet

A security researcher at Arbor Networks found that hackers were using Twitter to organize a botnet, the name given to a network of infected computers that does the bidding of bad guys who manage it.

"Botnet owners are continuously working on finding new ways of keeping their networks up and running, and Twitter seems to be the latest trick," the IDG News Service reported. "A now-suspended Twitter account was being used to post tweets that had links [to] new commands or executables to download and run, which would then be used by the botnet code on infected machines."

The account was suspended and investigated by Twitter's security team, but appeared to be one of a handful of similar malicious Twitter accounts.

Oct. 30: Facebook awarded $711 million in spammer case

Facebook used the legal system to fight back against a spammer who had gained access to user accounts, winning a judgment of $711 million against one Sanford Wallace. Wallace allegedly obtained login credentials for user accounts, and used those hijacked accounts to send spam that linked to phishing sites, sought to collect more Facebook account credentials, or linked to commercial Web sites that paid spammers for referrals.

"While we don't expect to receive the vast majority of the award, we hope that this will act as a continued deterrent against these criminals," Facebook said. Wallace may also face jail time.

Dec. 8: Facebook shuts down Beacon program, donates $9.5 million to settle lawsuit

Facebook found itself on the other side of the courtroom when plaintiffs filed a class action lawsuit alleging privacy violations in Facebook's Beacon program, which let third-party Web sites -- such as Blockbuster, Fandango and -- distribute "stories" about users to Facebook. Facebook did not admit to any wrongdoing, but ultimately agreed to shut the Beacon program down and donate $9.5 million to create a nonprofit foundation to promote online privacy, safety and security. The same week, Facebook also set up a new advisory board designed to improve user safety.

Dec. 9: Facebook unveils controversial new privacy settings

Facebook unveiled new privacy settings that it said were designed to give users more control over what information they share, but users reacted in anger after the overhaul led many to inadvertently expose content that was previously set to private.

"Great ? job. Now everyone who isn't even my friend can see my profile," one user complained.
Some of the problem came down to confusion over how to apply the new settings.

If used correctly, the settings do allow users to hide most of the content on their profiles. Still, the incident led to some negative attention for Facebook, and the site backtracked somewhat, making it easier for people to prevent others from seeing their friend lists. The story isn't over, as the Electronic Privacy Information Center has asked the Federal Trade Commission to investigate the changes in Facebook's privacy options.

These stories were originally published at Follow the latest developments in security at Network World.
