Jun 03 2008

Is Twitter a security risk?

Published by at 6:00 am under General, Simple Security

I use Twitter; it’s a fun tool for keeping half an eye on what some of my friends and other interesting people are doing right now. I think it’s a pretty decent communication tool. But like many tools, it’s easy to over-communicate with. Some of the people I follow have started using the Twitter mashup Brightkite and are using it to send pictures with location information to Twitter. I trust that folks like Mediaphyter are savvy enough to carefully regulate their information, but I have to wonder if the average marketing or purchasing person is.

I’ll argue that Twitter is just one more form of data leakage that we have to be aware of as security professionals. Twitter isn’t more of a problem than email, VoIP or any other communication medium. It is easy to broadcast a message to a large audience, but only 140 characters at a time. We just don’t have any security tools for dealing with Twitter yet. Of course, given its history of downtime, that may not be a big concern.

Given the proliferation of social networking technologies such as Twitter, FriendFeed and Facebook, it’s becoming increasingly easy to give out information that reveals more about the internal workings of companies than we’d like. No filtering technology we have is going to cover all of the ways information can flow into these tools, from web pages to cell phones to desktop apps. All of the social networking tools are going out of their way to make access easier, which makes our job harder.

Training may be the only solution to this problem, but the human element has always been the hardest to secure. Not that we shouldn’t try.


17 Responses to “Is Twitter a security risk?”

  1. Zach on 03 Jun 2008 at 6:12 am

    Martin,

    I, too, often wonder about the plethora of information getting shotgunned out to social network sites. I think it gets even more intriguing when you consider the aggregation services (FriendFeed, Tumblr, SocialThing). Those are one-stop shops for all sorts of activity on a given user. Moreover, people may “protect” their tweets on Twitter, for example, but those same entries get sucked into the aggregators, as the user has provided appropriate credentials for the aggregation site to retrieve posts.

    That having been said, I’m still into these services (though I try to remain diligent about managing my info).

    -Zach

  2. Martin on 03 Jun 2008 at 6:20 am

    Zach,

    Between the aggregators already available and a few custom scripts, I’m willing to bet you could get a pretty comprehensive picture of a company easily. You might even get some real juicy tidbits from time to time. I wouldn’t be surprised if someone hasn’t evolved a tool to do some corporate tracking and alerting, based on social network traffic.

    Martin

  3. Sam VR on 03 Jun 2008 at 12:35 pm

    I think it’s just a case of being a responsible user. I wouldn’t post anything that would be considered confidential or even a gray area on Twitter or any social network for that matter. As you say – definitely a question of education. They can all be great tools for business, though.

  4. Joel Esler on 03 Jun 2008 at 3:50 pm

    Martin,

    I posted a bit of response.
    http://blog.joelesler.net/2008/06/is-x-security-risk.html

  5. Jennifer Leggio on 03 Jun 2008 at 6:33 pm

    I agree with Joel’s blog to some degree — any information bearing vehicle could be a data risk if you don’t have a responsible user at the helm.

    The bigger security issue I see with Twitter, which is something that Ryan Naraine brought up a couple of weeks ago, is the combination of bots and spammers plus URL redirection services that don’t let people see what they are clicking. The concern about people clicking on potentially malicious sites is high.

    I had a quick phone conversation with Biz from Twitter today about this as well as some of the other issues the company has been facing. But I think the bots/spam/potential malicious URL is something that could impact FriendFeed or Plurk or SocialThing or any of the other sites. I think it just comes down to user education and savvy.

    As for responsible communication of data, Twitter and other new tools create yet another reason why established companies need to not only have blog policies in place, but social media policies in place. People need to know the risks that go with any of the blogosphere actions, methinks.

  6. Chris Hayes on 04 Jun 2008 at 4:04 am

    The technology itself is not a risk. The loss forms that can result via use of the technology are where risk (exposure to loss) comes into play. For example, in the context of unauthorized / malicious data leakage, a company would need to:

    1. Determine which internal employees / contractors could be threat agents (or part of threat community).
    2. Understand & evaluate its existing security controls.
    3. Estimate how often these threat agents attempt to disclose data.
    4. Estimate how often the threat agents are successful (are able to overcome the security controls).
    5. Estimate the amount of damage – in terms of dollars – the company has incurred for a typical loss event.

    Within the information security profession, we tend to use the term risk – whether unintentionally or intentionally – as a placeholder for components that actually make up risk – all too often to reflect the vulnerability aspect of a given technology or practice without fully understanding the risk.

    I highly recommend the FAIR methodology (http://www.riskmanagementinsight.com/) for better understanding the elements that make up risk but for also trying to quantify risk.
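The five steps in the comment above map onto the factors a FAIR-style analysis multiplies together: how often threat agents try (threat event frequency), how often they get past the controls (vulnerability), and what a loss event costs (loss magnitude). The following is an added example, not part of the blog post or of the FAIR methodology's own tooling. It carries those steps through as both a point estimate and a small Monte Carlo simulation over three-point (min / most likely / max) ranges. Every number in the sample scenario is constructed for illustration, and the use of triangular distributions is an assumption made here for simplicity.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """Three-point estimate (min, most likely, max) for one risk factor.

    Sampling from a triangular distribution is an assumption of this
    example; FAIR practitioners commonly use PERT-style distributions.
    """
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode)
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class LeakageScenario:
    """Inputs for one data-leakage scenario (steps 3-5 of the comment).

    Steps 1 and 2 (identifying threat agents and evaluating controls)
    are the qualitative work that produces these ranges.
    """
    threat_event_frequency: Range  # disclosure attempts per year
    vulnerability: Range           # probability an attempt beats the controls (0..1)
    loss_magnitude: Range          # dollars lost per successful disclosure


def point_estimate(scenario: LeakageScenario) -> dict:
    """Most-likely values only: LEF = TEF x Vuln, ALE = LEF x LossMagnitude."""
    tef = scenario.threat_event_frequency.mode
    vuln = scenario.vulnerability.mode
    lm = scenario.loss_magnitude.mode
    lef = tef * vuln
    return {"loss_event_frequency": lef, "annualized_loss": lef * lm}


def simulate(scenario: LeakageScenario, iterations: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo over the ranges: for each simulated year, draw the number of
    attempts, decide each attempt against a sampled success probability, and
    sum a sampled loss magnitude for every successful attempt."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    annual_losses = []
    for _ in range(iterations):
        attempts = int(round(scenario.threat_event_frequency.sample(rng)))
        p_success = min(1.0, max(0.0, scenario.vulnerability.sample(rng)))
        year_loss = 0.0
        for _ in range(attempts):
            if rng.random() < p_success:
                year_loss += scenario.loss_magnitude.sample(rng)
        annual_losses.append(year_loss)
    annual_losses.sort()

    def percentile(p: float) -> float:
        return annual_losses[min(len(annual_losses) - 1, int(p * len(annual_losses)))]

    return {
        "mean": sum(annual_losses) / len(annual_losses),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "max": annual_losses[-1],
    }


# Constructed sample scenario: a mid-sized company worried about staff
# posting internal details to social media. All figures are invented.
SAMPLE = LeakageScenario(
    threat_event_frequency=Range(low=2, mode=6, high=20),
    vulnerability=Range(low=0.10, mode=0.30, high=0.60),
    loss_magnitude=Range(low=5_000, mode=25_000, high=200_000),
)

# Same scenario with a control that blocks every attempt, to show that the
# vulnerability factor, not the tool, drives the loss.
BLOCKED = LeakageScenario(
    threat_event_frequency=SAMPLE.threat_event_frequency,
    vulnerability=Range(0.0, 0.0, 0.0),
    loss_magnitude=SAMPLE.loss_magnitude,
)

if __name__ == "__main__":
    print("point estimate:", point_estimate(SAMPLE))
    print("simulated     :", simulate(SAMPLE))
    print("fully blocked :", simulate(BLOCKED))
```

The point estimate answers "what is the typical year", while the simulated p90 answers "what should we budget for", which is the figure that usually changes a conversation about whether a new control is worth paying for.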

  7. Joel Esler on 04 Jun 2008 at 6:48 pm

    Is there some reason why this article keeps republishing through RSS? I’ve received about 20 copies of it today.

  8. twitchy on 06 Jun 2008 at 3:34 am

    Is there some reason why this article keeps republishing through RSS? I’ve received about 40 copies of it since it was published.

  9. Martin on 06 Jun 2008 at 4:23 am

    I am not doing anything to keep republishing it. If there’s anything going on, it’s not something I’m doing on purpose. I haven’t changed anything on the blog or even published any new posts recently.

    Martin

  10. Dan York on 10 Jun 2008 at 4:00 am

    Martin,

    Nice post… I wrote something similar back in November looking at it from more of a “personal security” viewpoint at:

    http://www.disruptiveconversations.com/2007/11/twitter-is-terr.html

    But you are right that the challenge for companies is certainly there. Information leakage occurs in all media. But the informality and looseness of tools like Twitter tend to make people less cautious about what they may or may not say. And, as you mention, the possibility of pattern recognition in the aggregation of feeds is certainly there.

    Mind you, I still use Twitter (http://twitter.com/danyork ) as well as most all of the other tools (haven’t gotten into BrightKite yet, though, although I have an account).

    Dan

  11. Stephen Reese on 01 Jul 2008 at 6:35 pm

    @Martin, great write, I believe Twitter is a great communication tool, but with anything, too much can be a problem, including divulging too much about one’s self or company.

  12. [...] asked once before “Is Twitter a security risk?“. This isn’t a problem with twitter, this is a problem with people who are [...]

  13. Information security on 18 Mar 2009 at 7:13 pm

    If you aren’t operating at Twitter speed, how can you immediately blunt the impact of these significant threats? But how can you operate at Twitter speed when you have a whole organization to set up and manage? Wow, it keeps getting tougher.

  14. Toby on 16 Apr 2010 at 2:01 pm

    Hey Martin,

    Interesting post. One thing I would like to add for discussion is the way that twitter has set a standard for using URL shortening tools.

    I think most users used to be clued in enough not to follow a link that looked like garbled text; they would immediately judge it as coming from a source that didn’t look too trustworthy. However, now they are effectively blind-clicking a lot of links with no real idea of where they are being sent. Not the safest way to browse the web, but one that is quickly becoming the norm.
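The usual defensive answer to the blind-clicking problem Toby describes is to preview where a shortened link goes before anyone follows it: send HEAD requests, never fetch a body, read each Location header yourself, and stop after a fixed number of hops. The following is an added example written for this page, not code from the blog or from any URL shortening service. It separates the single-hop HEAD request from the chain-walking logic so the chain logic can be exercised offline against a constructed redirect table; the hostnames in that table (sho.rt, t.example, final.example) are invented.

```python
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

# A fetch function takes a URL and returns (HTTP status, Location header or None)
# for exactly one request, without following redirects.
Fetch = Callable[[str], Tuple[int, Optional[str]]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects; urllib then raises HTTPError for the 3xx."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_location(url: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """Issue one HEAD request and report the status and Location header.

    Only headers travel over the wire, so the destination page is never
    rendered. Requires network access; the offline example below uses a
    constructed table instead.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # 3xx responses arrive here because the handler above declined them
        return err.code, err.headers.get("Location")


def expand(url: str, fetch: Fetch = head_location, max_hops: int = 5) -> Tuple[list, bool]:
    """Walk the redirect chain one hop at a time.

    Returns (chain_of_urls, completed). completed is False when the hop
    limit was hit before a non-redirect response, which is itself a signal
    worth surfacing: long chains through several shorteners are a pattern
    that hides the real destination.
    """
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain, True
        # Location may be relative; resolve it against the current URL
        chain.append(urljoin(chain[-1], location))
    return chain, False


def summarize(chain: list, completed: bool) -> dict:
    """Turn a chain into the facts a user should see before clicking."""
    schemes = [urlparse(u).scheme for u in chain]
    downgraded = any(a == "https" and b == "http" for a, b in zip(schemes, schemes[1:]))
    return {
        "destination": chain[-1],
        "destination_host": urlparse(chain[-1]).hostname,
        "hops": len(chain) - 1,
        "completed": completed,
        "downgraded_to_http": downgraded,
    }


# Constructed redirect table standing in for live HEAD responses (offline demo).
FAKE_RESPONSES = {
    "http://sho.rt/abc": (301, "https://t.example/redir?u=1"),
    "https://t.example/redir?u=1": (302, "http://final.example/page"),
    "http://final.example/page": (200, None),
}


def fake_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Offline stand-in for head_location using the constructed table."""
    return FAKE_RESPONSES.get(url, (404, None))


def preview(url: str, fetch: Fetch = head_location, max_hops: int = 5) -> dict:
    """Convenience wrapper: expand then summarize."""
    chain, completed = expand(url, fetch=fetch, max_hops=max_hops)
    return summarize(chain, completed)


if __name__ == "__main__":
    print(preview("http://sho.rt/abc", fetch=fake_fetch))
```

Calling `preview` with the default `fetch` runs against the live shortener; the constructed table is there so the hop-limit and https-to-http downgrade checks can be seen working without a network connection. Showing the final hostname and the hop count next to the shortened link gives users back the judgement the comment says they lost.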

  15. Marisa on 19 Jun 2011 at 5:40 pm

    This post is such a great timestamp for when people started to worry about security risks for social media.

    Now we can add the risk of public scandal as Twitter becomes the popular method of communicating for politicians and famous people. You can always count on the politicians getting involved to make things amusing.

    Meanwhile all the previous risks are still there, and being magnified. The greatest security features of Twitter are still just the ones that have existed from the start, the anti-fraud measures that prevent bots from runaway following. And of course this is the “feature” that I hate the most because I hit 2000 following like 2 years ago. Pls to be following me so I can improve my ratio?? j/k

    So it’s been almost 4 years… which URL shortener do you think has the best malware blacklist so far?

  16. Westech on 06 Mar 2012 at 10:51 pm

    I agree that companies do not see this blindsided security issue and the security risk of the human element. But from a company’s marketing perspective (excuse the off-topic), consumers react better to this ‘openness’ that a company uses on social media networks.

  17. David Moore on 20 Jun 2012 at 4:41 am

    I am thinking that everything that has a digital bullhorn is “a risk”…. My organization blocks all social media, but that is not to say that some info doesn’t get out. Who can’t take a picture on their cell phone and post via 3/4g communications? I think the big issue is internal education… “do this, do not do this”. Listen, if a crook is going to be a crook, then he/she will be a crook. Simple and maybe a redundant statement, but until we can actually hard-wire someone’s brain to a security appliance, this is best left for sci-fi.
