Things You Need to Know About Twitter Security
There has been more than one story in the news recently about Twitter accounts being hijacked. The most recent examples of note include the accounts of Britney Spears and famed blogger/entrepreneur Guy Kawasaki. These issues have highlighted some potential dangers of using the service, or really social networks in general. Have you encountered security issues with Twitter or other social networks? Share with WebProNews readers.
Amit Klein, CTO of Trusteer, a security firm that counts the nation’s largest direct bank, ING Direct, among its customers, feels that Twitter account hijacking is an issue that more people need to be aware of. WebProNews asked Klein a few questions about it, and the following is the resulting Q&A session.
WebProNews: Please talk a little bit about what is happening when Twitter (and other social network) accounts are hijacked.
Amit Klein: Typically, criminals hijack Twitter accounts in order to spread malware. That is, they abuse the hijacked accounts to post messages to all the "followers", with a link to a site that serves malware. In the Guy Kawasaki incident, for example (not a classic account hijacking, but still a malware spreading campaign), of the 139,000 followers, it is estimated that hundreds got infected. Earlier this year, accounts of 33 celebrities (among them Barack Obama - 1.6 million followers, and Britney Spears - 2.1 million followers) were hijacked.
WPN: How big of a problem is hijacking of Twitter (or other social network) accounts?
AK: This is quite bad, since a Twitter account enables one to send malware links and plain spam to all followers. Of course - the more followers, the more widespread the attack is.
WPN: How common is it?
AK: Over the last 10 days, we’ve seen two high profile incidents, in which an account was abused to serve spam and malware. One is the Guy Kawasaki incident, and another is Britney Spears.
WPN: Has it been limited to "high profile" accounts, or is it becoming common for regular users as well?
AK: Obviously the media covers only the high profile attacks (celebrities, politicians, etc.). We believe that attacks against more average accounts are also taking place - quite possibly via mass production utilities.
WPN: What are the dangers that come with it?
AK: The most obvious danger is that a hijacked account can be used to serve malware and spam automatically to all a user’s followers. An account can be hijacked a long time before it is abused. Attackers usually wait for the right opportunity to hit as many users as possible.
While Twitter is currently used to spread malware, it’s a perfect platform to commit fraud as well. Followers trust the messages that come from the person they follow, while in reality the message could be spam trying to convince followers to fall for a scam. A very simple example would be a request to donate a small amount of money to charity (for example to support the situation in Iran). The link would go to a fraudulent website that records credit card numbers. A high profile account that sends such a message could result in hundreds of thousands of compromised credit cards.
Another example is false rumors about companies and stock, which could result in pump and dump attacks.
WPN: What can users do to protect their accounts?
AK: To secure their Twitter presence, users need to take several actions:
1. Protect their Twitter credentials - users need to be vigilant and keep on the lookout for Twitter phishing attacks, and pharming (DNS poisoning) attacks. Users can install client side security tools that ensure they are only providing their Twitter credentials to the genuine Twitter website. In doing so, they will protect their credentials against keyloggers or malicious browser plug-ins ("man in the browser" attacks).
2. Control and protect their Twitter information. As tempting and convenient as it may be, using 3rd party applications and services that enhance Twitter may increase the exposure of users to abuse. Every website which is allowed to automatically post to a user’s Twitter account adds attack surface that criminals may exploit.
WPN: Please feel free to discuss anything else related to the subject that you feel people should know.
AK: Somewhat akin to phishing is a practice called "twitter-squatting", wherein names of people/organizations are registered by fraudsters (or sometimes pranksters). It makes a lot of sense to monitor for such registrations, or better yet, to register brand names and individual names as early as possible to thwart such attacks.
Another threat associated with Twitter is abusing "Trending Topics" to serve malware. The attack involves sending many tweets (with malicious links) with some special keyword in them, so that this keyword will show up as a trend in the "Trending Topics" list at twitter.com. A user that views a sample tweet for this keyword and clicks on the malicious link will be served malware.
Both examples show how well established web attacks carry over into the twittersphere. Cyber squatting is a well-known practice on the web, which is now occurring in Twitter. Likewise, search engine poisoning is a common practice on the web, and now in Twitter also.
Security-wise, Twitter should be treated both as an individual website with its own potential security issues, and as a microcosm into which many existing web attacks can be mapped. This makes securing Twitter harder than protecting typical websites.
Wrapping up
WebProNews would like to thank Amit for sharing the above insight into Twitter security issues. Has your Twitter account ever been hijacked? Have you been a victim of Twitter abuse of any kind? Tell us about it.
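Klein's advice to monitor for "twitter-squatting" registrations can be partly automated. The following is an added example, not code from Trusteer or WebProNews: it flags handles that resemble a brand name, using a constructed brand (ExampleBank) and constructed sample handles, and its substitution table and distance thresholds are assumptions.

```python
import re

# Digit-for-letter swaps plus the underscore, the only non-alphanumeric
# character a Twitter handle may contain. Assumed table, not exhaustive.
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "_": None})


def skeleton(handle):
    """Reduce a handle to a comparison form so visually similar names collide."""
    s = handle.lstrip("@").lower().translate(LOOKALIKE)
    s = s.replace("i", "l")               # capital I and lowercase l look alike
    return re.sub(r"(.)\1+", r"\1", s)    # collapse doubled letters


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(handle, brand, owned):
    """Return why a handle resembles the brand, or None if it does not."""
    if handle.lstrip("@").lower() in owned:
        return None                        # the organisation's own account
    hs, bs = skeleton(handle), skeleton(brand)
    if hs == bs:
        return "lookalike"                 # identical after normalisation
    if bs in hs:
        return "contains-brand"            # brand plus a prefix or suffix
    limit = 1 if len(bs) < 8 else 2        # assumed threshold
    if edit_distance(hs, bs) <= limit:
        return "near-miss"                 # typo-distance from the brand
    return None


def review_handles(handles, brand, owned):
    """Map each suspicious handle to the reason it was flagged."""
    results = {h: classify(h, brand, owned) for h in handles}
    return {h: reason for h, reason in results.items() if reason}


# Constructed sample data: handles as they might appear in a watch list.
SAMPLE_HANDLES = ["ExampleBank", "Examp1eBank", "Example_Bank",
                  "ExampleBankHelp", "ExampleBnk", "WeatherDaily"]

if __name__ == "__main__":
    flagged = review_handles(SAMPLE_HANDLES, "ExampleBank", {"examplebank"})
    for handle, reason in flagged.items():
        print(f"{handle}: {reason}")
```

A flagged handle is a lead for manual review, not proof of impersonation; fan and support accounts will also match the "contains-brand" rule.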
Hashtags Now Linking in Twitter
Twitter has started linking hashtags in tweets to Twitter searches. A few other Twitterers have started to notice as well:

The move makes sense, considering that the hashtag phenomenon has reached tremendous popularity. They often appear in the trending topics.
The move also illustrates a greater emphasis being placed on Twitter Search, which only this year has become a focus of the company. It wasn’t that long ago that it was added to the Twitter home page, and it is already sparking big interest in real-time search throughout the entire search industry.
Realty Company Sues Craigslist Over User-Generated Ads
Craigslist is reportedly being sued for trademark infringement. A real estate company in Texas called First Call Properties is saying that it began posting ads on Craigslist in March, and that after that, a competitor called AAA Apartment Locating began posting ads using phrases like "first call," "call first," and "call us first."
According to MediaPost, First Call named Craigslist, AAA and two individuals as defendants. The case has been sent to Federal Court.
Clearly, this is not the first time cases like this have made the news. It’s just the first time that Craigslist has been on the receiving end of such a suit. Google has certainly been there. MediaPost’s Wendy Davis points out that these cases don’t usually get too far in court, but one between Google and Geico was settled.
 
"This is misguided in any number of ways: first, as long as the ad itself is not confusing such that the reader (or a moron in a hurry reader) would think that the ad is from the original company rather than the competitor, there’s not likely to be a trademark violation," says Mike Masnick at TechDirt. "More importantly, even if there is a trademark violation, it should not be Google’s liability, since they’re simply the service provider. The liability (if there is any) would be on whoever created the ad."
There is another interesting aspect to the Craigslist case. According to MediaPost, First Call also says the AAA ads are libelous, and say things like "First Call Properties is a Scam," but Davis points to a section of the Communications Decency Act, which says sites can’t be sued for libel based on user-generated content.
It will be interesting to see the outcome of this case. Craigslist could settle, but based on past Google experience, it will probably just disappear.
FriendFeed Offers Real-Time Search
Today FriendFeed has launched a real-time search feature. Now when you perform a search on the service, you will be presented with real-time results as they roll in. That means you don’t have to continuously refresh for the latest results.
If you’re searching a particularly hot topic, you might find it hard to even browse results because they’re coming in so quickly. Luckily FriendFeed has acknowledged this.
"While we were testing this internally, we could barely keep up with the non-stop activity regarding Michael Jackson (That’s when we knew we needed a pause button)," says Jim Norris on the FriendFeed Blog.

You can access real-time search on FriendFeed by using the regular search box, but you can also use advanced search options and saved searches and still get real-time results. You can also embed a real-time search on your site:
On another FriendFeed-related note, the service released some new themes the other day. These allow users to customize their pages to suit their personal tastes with regards to aesthetics.
Google Blog Search Gets New Features and a Gadget
Google has launched several new features for Google Blog Search today. These are: RSS and Atom feeds, an iGoogle gadget, a "hot queries" feature, and a "latest posts" feature.
RSS and Atom Feeds
Google says the addition of the feeds has been its most requested feature for Blog Search. Users can subscribe to specific topics or stories. There is a "subscribe" heading in the left-hand column on the site, and underneath that are links for Atom and RSS.

iGoogle Gadget
The gadget lets users embed the Google Blog Search front page on their iGoogle homepage (or other pages that are compatible with iGoogle gadgets). Within the gadget, users can customize the topics they want to follow and "drill into" stories as they wish.

Hot Queries
Hot queries is a feature that has actually been added to the Google Blog Search front page. It’s pretty much what it sounds like. It lists searches that are currently popular in Blog Search. Google says it’s "an easy way to quickly dive into the trending points of conversation on the web." If you’re not a Twitter user, it’s probably a good alternative to Twitter’s trending topics.

Latest Posts
Latest posts is also an addition to the Google Blog Search homepage. It shows new posts from popular blogs. "While Hot Queries highlights what people are looking for, Latest Posts lets you find out about stories even before people start searching for them," says Google on the company blog.

I’d say the new features are an upgrade for Google Blog Search. Would you agree?
Google and Bing Tips for Site Architecture Issues
Google and Bing have both talked about site architecture issues lately on their blogs. Site architecture is an important part of search engine optimization, and crucial to ranking.
"You can have great content and a plethora of high quality inbound links from authority sites, but if your site’s structure is flawed or broken, then it will still not achieve the optimal page rank you desire from search engines," says Rick DeJarnette of Bing Webmaster Center.
If you have time, and site architecture is not your strong suit, I would suggest reading both Microsoft’s post and Google’s, but to sum them up, here are a few tips from each of them.
Bing’s Tips
1. Use descriptive file and directory names
2. Limit directory depth
3. Limit physical page file size
4. Externalize on-page Javascript and CSS code
5. Use 301 redirects for moved pages
6. Avoid JavaScript or meta refresh redirects
7. Implement custom 404 pages
Google’s Tips
Google starts out by talking about some site architecture myths, and also shares a couple slideshows (they talked about the topic at SMX London).
Finally, they offer these tips:
1. Check that your robots.txt file has the correct status code and isn’t returning an error
2. Keep in mind some best practices when moving to a new site and the new "Change of address" feature recently added to Webmaster Tools.
3. Review the settings of the robots.txt file to make sure no pages — particularly those rewritten and/or dynamic — are blocked inappropriately.
4. Make good use of the rel="canonical" attribute to reduce the indexing of duplicate content on your domain.
As I said, Google and Microsoft both have plenty more to say on the topic in their respective posts. The Bing post is actually the third installment in a series.
The Top MJ Song, Album & Lyric Searches
If you’re tired of hearing about Michael Jackson already, I’m sorry, but he’s still dominating the news and the web. He’s still responsible for two of the trending topics on Twitter at this time (Michael Jackson and MJ).
You’ve probably read about the effect Michael’s death has had on the web. It also had a huge impact on people downloading and buying his music. It had a big impact on searches as well. Hitwise has released some data about the top Michael Jackson songs, albums and lyrics that were searched for after his death.

"For retailers and publishers looking to prioritize merchandise and content, one measure to predict demand among consumers is through search data," says Hitwise’s Heather Dougherty. "When looking at the variations of searches that included the search term ‘michael jackson’, we classified the top 1000 terms from the week ending June 27, 2009, to find the most popular song & album and lyric searches. Many searches were very broad, looking for the ‘best’ and ‘top’ michael jackson songs, but the specific songs & albums that were searched most were Thriller and Off The Wall. Searches for lyrics were also common, with the most popular being ‘Beat It’ and ‘Billie Jean’."
Here are the top five in both categories.
Top 5 Songs & Albums
1. Thriller
2. Off The Wall
3. You Are Not Alone
4. Bad
5. Ben
Top 5 Lyrics
1. Beat It
2. Billie Jean
3. You Are Not Alone
4. Bad
5. Ben
I guess the real question is how long will this Michael Jackson mania last? On the whole, it will probably last for an eternity, much like that of Elvis, but as far as dominating the web, it’s bound to simmer down sooner or later. How long do you think it will be before Michael Jackson is no longer a trending topic on Twitter? Share your thoughts.
7 Behavioral Targeting Privacy Principles
Today a group of key trade groups released comprehensive privacy principles for use and collection of behavioral data in online advertising. These are self-regulatory principles to protect consumer privacy in ad-supported interactive media that will require advertisers and Web sites to clearly inform consumers about data collection practices and enable them to exercise control over that information.
Groups involved are the American Association of Advertising Agencies (AAAA), the Association of National Advertisers (ANA), the Direct Marketing Association (DMA), the Council of Better Business Bureaus (BBB), and of course the Interactive Advertising Bureau (IAB).
"Consumers deserve transparency regarding the collection and use of their data for behavioral advertising purposes. I am gratified that a group of influential associations – representing a significant component of the Internet community – has responded to so many of the privacy concerns raised by my colleagues and myself," says Federal Trade Commission (FTC) Commissioner Pamela Jones Harbour.
What Google Has to Say
Google recently testified in Washington regarding privacy and advertising. Highlighted in the testimony were three main topics:
- Google’s main advertising products and the benefits Google believes online advertising brings to advertisers, online publishers, and individual Internet users
- Google’s approach to privacy, specific steps that the company takes to protect users’ privacy, and the release of interest-based advertising
- Ideas and recommendations for how to better protect Internet users’ privacy with respect to advertising, as well as more generally
You can read the entire testimony here (pdf).
In a post on Google Public Policy Blog today, Google Managing Policy Counsel Pablo Chavez talked about the principles and Google’s own behavioral-based or "interest-based" advertising.
"When we launched our own interest-based advertising product in March, we worked hard to include several innovative features to give users more control and information — including ads labeled ‘Ads by Google,’ a tool called the Ads Preferences Manager (which lets users view, add, and remove the categories that are used to show them interest-based ads), and the choice to opt out of interest-based ads altogether," says Chavez.
"One of the key strengths of the principles is the fact that they apply to a broad range of companies participating in online advertising — advertisers, publishers, and ad networks," adds Chavez. "Of course, for any self-regulatory effort to be effective, there has to be some kind of enforcement process. Between now and early 2010 — when the principles are expected to be implemented — the Better Business Bureau and Direct Marketing Association, two of the groups involved, will work to set up that process to make sure it has real teeth."
The Principles
So what are these principles? There are seven of them:
1. The Education Principle
2. The Transparency Principle
3a. The Consumer Control Principle
3b. The Consumer Control Principle (applies to service providers)
4. The Data Security Principle
5. The Material Changes Principle
6. The Sensitive Data Principle
7. The Accountability Principle
I won’t get into all of the specific details of each one here, but you can read the entire document here if you are interested. Either way, it is good to see that these organizations are taking consumer privacy this seriously.
YouTube About to Become Higher Quality
YouTube has doubled the size of what users are now able to upload at a time. Until now, users were only able to upload 1GB, and now they can upload 2GB. This means longer videos with higher resolutions.
YouTube product manager Ryan Junee also points out that users can upload large HD files directly from their cameras. Essentially this means we will start seeing a lot more quality (at least picture-wise) videos on YouTube.

Junee shares a couple tips for linking to and embedding HD versions of videos:
- To share a link to the HD version of your video, simply append &hd=1 to the end of the URL. This means the video will start playing in HD as soon as someone follows the link. Cool, huh?
- To embed the HD version of a video on a website or blog, click the ‘customize’ button to the right of the embed box on the video page. Some options will appear; simply check ‘play in HD’. The embed code that’s generated will cause the video to start playing in HD as soon as a viewer clicks play. We recommend embedding HD videos at the largest size (853x505) for maximum enjoyment.
The increased uploading limit should do nothing but make YouTube a better place to watch videos. The more high quality content that is uploaded, the more people will be likely to stick around and watch more of it.
Facebook App for iPhone 3.0 98% Done
iPhone 3.0 users waiting for an updated Facebook app apparently won’t have to wait too much longer. Its developer Joe Hewitt posted a Facebook note outlining the update’s new features, and saying that it is 98% done.
Here’s a screenshot of the note, listing the features:
As you can see from the above image, a lot of people like this. We’ll see if the enthusiasm translates to actual use of the product.
In other Facebook news, the company is getting ready to roll out some new privacy settings. WebProNews sat in on a conference call discussing them earlier today, and from the sound of it, users are going to have a lot more control over what posts they share with what friends.
Not only will these new settings simplify privacy controls, but they will allow users to keep their status updates more relevant for their friends. You can read more about that and check out Facebook’s slideshow here.









