Jun 03 2008
Is Twitter a security risk?
I use Twitter; it’s a fun tool for keeping half an eye on what some of my friends and other interesting people are doing right now. I think it’s a pretty decent communication tool. But like many tools, it’s easy to over-communicate with. Some of the people I follow have started using the Twitter mashup Brightkite and are using it to send pictures with location information to Twitter. I trust that folks like Mediaphyter are savvy enough to carefully regulate their information, but I have to wonder if the average marketing or purchasing person is?
I’ll argue that Twitter is just one more form of data leakage that we have to be aware of as security professionals. Twitter isn’t more of a problem than email, VoIP or any other communication medium. It is easy to broadcast a message to a large audience, but only 140 characters at a time. We just don’t have any security tools for dealing with Twitter yet. Of course, given its history of downtime, that may not be a big concern.
Given the proliferation of social networking technologies such as Twitter, FriendFeed and Facebook, it’s becoming increasingly easy to give out information that may reveal more about the internal workings of companies than we’d like. No filtering technology we have is going to cover all of the ways information can flow into these tools, from web pages to cell phones to desktop apps. All of the social networking tools are going out of their way to make access easier, which makes our job harder.
Training may be the only solution to this problem, but the human element has always been the hardest to secure. Not that we shouldn’t try.
Martin,
I, too, often wonder about the plethora of information getting shotgunned out to social network sites. I think it gets even more intriguing when you consider the aggregation services (FriendFeed, Tumblr, SocialThing). Those are one-stop shops for all sorts of activity on a given user. Moreover, people may “protect” their tweets on Twitter, for example, but those same entries get sucked into the aggregators, as the user has provided appropriate credentials for the aggregation site to retrieve posts.
That having been said, I’m still into these services (though I try to remain diligent about managing my info).
-Zach
Zach,
Between the aggregators already available and a few custom scripts, I’m willing to bet you could get a pretty comprehensive picture of a company easily. You might even get some real juicy tidbits from time to time. I wouldn’t be surprised if someone hasn’t evolved a tool to do some corporate tracking and alerting, based on social network traffic.
Martin
I think it’s just a case of being a responsible user. I wouldn’t post anything that would be considered confidential or even a gray area on Twitter or any social network for that matter. As you say – definitely a question of education. They can all be great tools for business, though.
Martin,
I posted a bit of response.
http://blog.joelesler.net/2008/06/is-x-security-risk.html
I agree with Joel’s blog to some degree — any information bearing vehicle could be a data risk if you don’t have a responsible user at the helm.
The bigger security issue I see with Twitter, which is something that Ryan Naraine brought up a couple of weeks ago, is the combination of bots and spammers plus URL redirection services that don’t let people see what they are clicking. The concern about people clicking on potentially malicious sites is high.
I had a quick phone conversation with Biz from Twitter today about this as well as some of the other issues the company has been facing. But I think the bots/spam/potential malicious URL is something that could impact FriendFeed or Plurk or SocialThing or any of the other sites. I think it just comes down to user education and savvy.
As for responsible communication of data, Twitter and other new tools create yet another reason why established companies need to not only have blog policies in place, but social media policies in place. People need to know the risks that go with any of the blogosphere actions, methinks.
The technology itself is not a risk. The loss forms that can result from use of the technology are where risk (exposure to loss) comes into play. For example, in the context of unauthorized / malicious data leakage, a company would need to:
1. Determine which internal employees / contractors could be threat agents (or part of threat community).
2. Understand & evaluate its existing security controls.
3. Estimate how often these threat agents attempt to disclose data.
4. Estimate how often the threat agents are successful (are able to overcome the security controls).
5. Estimate the amount of damage – in terms of dollars – the company has incurred for a typical loss event.
Within the information security profession, we tend to use the term risk – whether unintentionally or intentionally – as a placeholder for the components that actually make up risk – all too often to reflect the vulnerability aspect of a given technology or practice without fully understanding the risk.
I highly recommend the FAIR methodology (http://www.riskmanagementinsight.com/) for better understanding the elements that make up risk but for also trying to quantify risk.
Is there some reason why this article keeps republishing through RSS? I’ve received about 20 copies of it today.
Is there some reason why this article keeps republishing through RSS? I’ve received about 40 copies of it since it was published.
I am not doing anything to keep republishing it. If there’s anything going on, it’s not something I’m doing on purpose. I haven’t changed anything on the blog or even published any new posts recently.
Martin
Martin,
Nice post… I wrote something similar back in November looking at it from more of a “personal security” viewpoint at:
http://www.disruptiveconversations.com/2007/11/twitter-is-terr.html
But you are right that the challenge for companies is certainly there. Information leakage occurs in all media. But the informality and looseness of tools like Twitter tend to make people less cautious about what they may or may not say. And, as you mention, the possibility of pattern recognition in the aggregation of feeds is certainly there.
Mind you, I still use Twitter (http://twitter.com/danyork ) as well as most all of the other tools (haven’t gotten into BrightKite yet, though, although I have an account).
Dan
@Martin, great write-up. I believe Twitter is a great communication tool, but as with anything, too much can be a problem, including divulging too much about one’s self or company.
[...] asked once before “Is Twitter a security risk?“. This isn’t a problem with twitter, this is a problem with people who are [...]
If you aren’t operating at Twitter speed, how can you immediately blunt the impact of these significant threats? But how can you operate at Twitter speed when you have a whole organization to set up and manage? Wow, it keeps getting tougher.
Hey Martin,
Interesting post. One thing I would like to add for discussion is the way that twitter has set a standard for using URL shortening tools.
I think most users used to be clued in enough not to follow a link that looked like garbled text; they would immediately judge it as coming from a source that didn’t look too trustworthy. Now, however, they are effectively blind-clicking a lot of links with no real idea of where they are being sent. Not the safest way to browse the web, but one that is quickly becoming the norm.
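The blind-click problem described in the comments above can be taken out of the user's hands by expanding a shortened URL hop by hop before anyone clicks it. The following is an added example, not code from this post or any commenter: the hostnames and redirect table are constructed stand-ins for a shortener and a redirector, and the optional live fetcher uses only the Python standard library.

```python
from urllib.parse import urljoin
import urllib.error
import urllib.request

MAX_HOPS = 10

# Constructed redirect table standing in for what a URL shortener and a
# redirector would answer to HEAD requests (hostnames are hypothetical).
FAKE_REDIRECTS = {
    "http://short.example/abc": "http://redir.example/go?u=1",
    "http://redir.example/go?u=1": "https://final.example/page",
    "http://short.example/loop1": "http://short.example/loop2",
    "http://short.example/loop2": "http://short.example/loop1",
}

def fake_fetch_location(url):
    """Return the Location a HEAD request to url would get, or None."""
    return FAKE_REDIRECTS.get(url)

def expand_url(url, fetch_location=fake_fetch_location, max_hops=MAX_HOPS):
    """Follow redirects one hop at a time, never auto-following.
    Returns (final_url, chain, status) where status is 'ok', 'loop'
    or 'too_many_hops'; the chain lets a reviewer see every redirector."""
    chain, seen, current = [url], {url}, url
    for _ in range(max_hops):
        nxt = fetch_location(current)
        if nxt is None:
            return current, chain, "ok"
        chain.append(nxt)
        if nxt in seen:          # shortener loop: stop rather than spin
            return nxt, chain, "loop"
        seen.add(nxt)
        current = nxt
    return current, chain, "too_many_hops"

def live_fetch_location(url, timeout=5):
    """HEAD request with redirects disabled, so each hop is inspected."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # makes urllib raise HTTPError on any 3xx
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            loc = resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        loc = err.headers.get("Location")
    return urljoin(url, loc) if loc else None  # resolve relative Location
```

Call `expand_url(short_url, fetch_location=live_fetch_location)` to resolve a real link; the returned chain shows every intermediate redirector, not just the final page.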
This post is such a great timestamp for when people started to worry about the security risks of social media.
Now we can add the risk of public scandal as Twitter becomes the popular method of communicating for politicians and famous people. You can always count on the politicians getting involved to make things amusing.
Meanwhile all the previous risks are still there, and being magnified. The greatest security features of Twitter are still just the ones that have existed from the start, the anti-fraud measures that prevent bots from runaway following. And of course this is the “feature” that I hate the most because I hit 2000 following like 2 years ago. Pls to be following me so I can improve my ratio?? j/k
So it’s been almost 4 years… which URL shortener do you think has the best malware blacklist so far?