Hey shortformblog, you’re mostly wrong.
Because Twitter cannot prevent the type of attack which has caused so many brands to lose their twitter account - malware (specifically keyloggers) logs the user's credentials when they log into twitter.com, which the attacker then uses to make a perfectly “legitimate” login at a later time.
How do you prevent this as a user, given that it's the #1 vector of attack for these big name brand hijackings? Use a computer that you know isn't infected with malware. How do you ensure that a computer doesn't have any malware? Never connect it to the internet (or if you do connect, only use twitter.com, and not browsing or emailing).
Does this make sense for the average user? Not at all. Does it make sense for a global brand or news agency who want to avoid what happened to AP? Easily. The $1200 hypothetical laptop is far cheaper than the damage to a brand from a high publicity hijacking.
The reason that I say “mostly” is that twitter could prevent this by using Google Authenticator or some other form of two-factor authentication. This would be unneeded for a normal user, but would allow big brands to add the extra security. I suspect that Twitter is probably working on this right now, and that this announcement is just until it is deployed.
You realize these accounts are used by multiple users and organizations as large as AP use third-party apps, right? And that numerous people use that single account, right? And that social media pretty much only works because you can share links? This solution is not realistic. It’s a band-aid solution until Twitter gets its stuff together.
The problem here is that large brands have been asking for that two-factor solution for at least two years (Facebook launched it two years ago, and Google has had it for years), and now, Twitter is feeling some serious pain because they only hired someone to work on the two-factor thing within the past six months.
They can’t block such attacks because they haven’t built out their system to deal with them.
If Twitter was serious about protecting its users, it would have been working on this solution before it got to this point, especially considering the seriousness of the problems being raised and the size of the brands it was courting. But instead, they’re playing catch-up. The best solution to bad security is being proactive.
The hypothetical dedicated laptop is not the problem. The fact that the hypothetical dedicated laptop was required in the first place is the problem.
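The exchange above hinges on why a keylogged password plus a Google Authenticator code would not give the attacker a later “legitimate” login. This added example (not from the original post or from Twitter) implements the TOTP scheme Google Authenticator uses (RFC 6238, HMAC-SHA1, 30-second steps) and models the replay: the secret is the RFC test-vector key, constructed here for the demo, and the verification window of one step either side is an assumption about server policy.

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors. Constructed demo
# value for this example, not any real account's key.
DEMO_SECRET = b"12345678901234567890"
STEP = 30      # seconds per code, the Google Authenticator default
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 one-time code for a 64-bit counter (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Time-based code: the counter is the current 30-second window."""
    return hotp(secret, now // step, digits)


def verify(secret: bytes, code: str, now: int, step: int = STEP,
           window: int = 1) -> bool:
    """Accept the current window plus/minus `window` steps of clock drift
    (assumed server policy), comparing in constant time."""
    counter = now // step
    return any(
        hmac.compare_digest(hotp(secret, c, len(code)), code)
        for c in range(counter - window, counter + window + 1)
    )


def replay_rejected(secret: bytes, captured_at: int, replayed_at: int) -> bool:
    """Model the keylogger scenario: the code typed at `captured_at` is
    reused at `replayed_at`. Returns True if the server refuses it."""
    captured = totp(secret, captured_at)
    return not verify(secret, captured, replayed_at)


if __name__ == "__main__":
    t = 59
    print("code at t=59:", totp(DEMO_SECRET, t))
    print("same code replayed two minutes later rejected:",
          replay_rejected(DEMO_SECRET, t, t + 120))
```

The stolen password is still valid at replay time; only the second factor, bound to the clock window, stops the login.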
» Wait a sec … the FBI had them? Well, funny story about that. Back in March, the group says they gained access to a computer owned by an FBI official. Just by chance, they found a file on the agent’s desktop titled “NCFTA_iOS_devices_intel.csv” — a long list of 12 million UDID identifiers for iOS devices, along with a number of other pieces of personal info. AntiSec released just 1 million of the UDID numbers (which you can analyze here to see if you were nailed), but it’s worth keeping in mind that the odds may not be super-high of getting hit. There are 410 million iOS devices on the market, as of July. The problem for many is that the FBI reportedly had this info in the first place. What did they need it for, and why was it sitting on some dude’s desktop?
UPDATE: The FBI says that there is “no evidence” they had a file like the one described above.
twentysomethingfloater says: in the words of ed love, “C’MON SON”. Those pws were basic, y’all gotta step your game up some degrees. I mean, y’all a pretty big deal, of course people are gonna try to hit you.
» SFB says: We had secure passwords. Matt was making a joke. We worked very hard to prevent this from happening after the first round — to the point of removing app access from the backend — and apparently that wasn’t enough. We’ll work harder to ensure security in the future. — Ernie @ SFB
» Trying to learn from St. Paul: In 2008, the Republican National Convention was held in St. Paul, Minn., where protesters often got violent and police confrontations were common. No one was seriously injured, but many were arrested (including journalists). Because St. Paul was one of the smallest cities to host a national political convention, its security and enforcement were slightly unprepared. Tampa is taking no chances this year. “We’ve extensively studied St. Paul,” said Tampa City Attorney Jim Shimberg. “We’ve had meetings with folks in St. Paul, to find out what went well and what went wrong.”
» It hasn’t been a great summer for cyber-security, particularly when you consider how many well-known companies keep getting caught with lackluster security in place. So, how many more of these stories do you think it will take before major corporations quit storing user data in plain-text format?