12 tips of Christmas - A safer Twitter for 2010

Normal 0 false false false EN-US X-NONE X-NONE /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin-top:0in; mso-para-margin-right:0in; mso-para-margin-bottom:10.0pt; mso-para-margin-left:0in; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;}

12 tips of Christmas - A safer Twitter for 2010

• 12 apps OAuthing - For Twitter statistics, analysis, or alternative web interfaces, stick with OAuth-based applications. OAuth is a secure method of allowing application developers to access your Twitter information. Applications using OAuth will redirect you to Twitter to confirm the application's request for access to your account. Websites that directly ask for Twitter credentials are often well-disguised phishing attempts.
• 11 snoopers snooping - Treat the tweet-o-sphere as if you were standing in a pub. Don't disclose personal details that could be used to impersonate, track, or allow unnecessary contact. If you were in a pub and a stranger asked "Where do you live?" you wouldn't likely respond "2000 Main St., Apartment B." Instead, you might say "the East side."
• 10 tweeps a-stalking - If you are comfortable being tracked by friends, family, stalkers, and governments, then by all means continue to post your GPS coordinates. Many mobile Twitter applications can post your position within a few feet using the GPS in your phone and these are on by default. I recommend that everyone disable this feature. Always explore the options menu in Twitter applications you are using.

 

• 9 careful retweetings - Don't blindly retweet links. Always thoroughly check out a link before sending it on. Many spam attacks are socially engineered tweets that depend on blind retweeting to gather more users into the scam.
• 8 scammers bilking - Be wary of Direct Messages from those you don't know. Many users fall victim to phishing attacks every day and their accounts are often used to lure you to scam-laden URLs. These accounts will send you DMs with shortened links that could be malicious.
• 7 links a-lengthening - When shortening URLs, use a service that lets other users easily preview where they are going. Many companies offering these services do provide ways for users to automatically expand URLs, including Bit.ly (Or add a plus sign on the end of the URL), TinyURL, and is.gd.
• 6 so-called deletings - Delete doesn't mean it's gone. You can now delete tweets, but unlike emails, they cannot be rescinded. Deleted tweets may no longer show up in your timeline, but the message will have been delivered to mobile phones over SMS and to third-party Twitter clients that will not forget your indiscretions.
• 5 not-so-private tweets - As with Facebook, privacy on Twitter is not so private. Protecting your tweets provides a degree of security, but you still rely on your friends to avoid falling victim to a scam. Hackers depend on the trust we have for our friends and family and will use their accounts to gather your most personal details.
• 4 friend impersonations - Be wary of Direct Messages from your friends if they seem out of context. As with random DMs, you may wish to check the shortened link at longurls.org. When my friends send me DMs like "Increase your followers by 4000%!", I know that it's time to pick up the phone and let them know they have been compromised.
• 3 @spam alarms - Follow @spam for recommendations and alerts related to Twitter scams. Don't click links in emails appearing to be from Twitter either, always use a client, or the twitter.com website directly to confirm followers, reply to DM's, etc.
• 2 password changes - If you feel your password may have been compromised change your password immediately. What is less obvious is that you must also revoke access to the Twitter API for any applications you are using and re-register them. If the criminals who have stolen your credentials still have API access they can continue to impersonate you.

 

• And avoiding those fake celebrities - Verify the identities of people you follow where possible. If you are following a company (like Sophos!) or a celebrity, you can often find their real twitter ID on their website. There are more than 50 variants of Britney Spears, many of which are scams.

 

 

This article was written by Chester Wisniewski of Sophos and is published here with their full permission. Sophos provides full data protection services including: security software, encryption software, antivirus, and malware protection.