Sidewinder on getting the Twitter Jitters
With micro-blogging suddenly flavour of the month, Davey Winder wonders whether you should be getting the Twitter Jitters...
Twitter is a micro-blogging sensation – there’s no doubt about that. Everyone from US President Barack Obama and UK Prime Minister Gordon Brown, to actor Stephen Fry and singer Britney Spears, to local MPs, staff in NHS trusts and kids on the street are using it.
It's great for breaking news, collaborating with colleagues, connecting with friends, and… bringing another route to insecurity into the workplace.
Paul Jones, NHS Connecting for Health’s chief technology officer, has gone on record to say that he is thinking about how new technologies - like Twitter - can help the NHS. Jones talks of management and clinical staff alike using Twitter for "short messages to keep in touch."
Southampton University Hospitals NHS Trust is one of many NHS that have already jumped aboard the Twitter train. Its Twitter feed (http://twitter.com/suht) is used for disseminating local hospital news, such as "Health Minister to visit on Monday" and "Early Bird Parenting group due to meet at Princess Anne Hospital tonight has been cancelled due to bad weather." The Oxford Radcliffe Hospitals NHS Trust is another to be using Twitter (http://twitter.com/OxfordRadcliffe) for similar news publishing.
Twitter Jitters
One of the big problems with Twitter, though, is the nature of the service itself. Users post “tweets” - short messages of no more than 140 characters - to each other. Which is great fun, and can be truly useful, but is also open to abuse.
“Twitter is great for breaking news, collaborating with colleagues, connecting with friends, and… bringing another route to insecurity into the workplace.”
One of the most worrying potential abuses is the use of social engineering tricks such as 'click on this link' within tweets. Because of that 140 character limit, users employ URL shortening services to create a mini-link (so, for example, “www.verylongaddress.com/morelongwords.htm” appears as “www.bit.ly/abz1G”. This totally obfuscates the target address, meaning the user has to trust the poster not to be malicious.
Celebrity scares
Unfortunately, there have already been some widely reported incidences of malware attacks targeting Twitter, with malicious links being inserted into seemingly harmless (but actually compromised) profiles.
Users have been less than prudent with their passwords, the bad guys get access to their accounts and links to dodgy sites get inserted into tweets. Of course, anyone reading the profile of a 'normal' Twitter user is none the wiser. They follow the link and are exposed to the usual 'download this software update to continue' style of malware attack.
The worrying thing is that these attacks were widely reported back in summer 2008, long before the current frenzy of interest in Twittering celebrities that has helped the system to grow by some 900 per cent during the past year.
Indeed, celebrities themselves have fallen victim to Twitter phishing scams. Even uber-Twitterer Stephen Fry recently admitted that he, a self-confessed gadget addict and well-informed lover of technology, had clicked on a scam URL sent via a Twitter Direct Message.
When policy chases technology
Twitter threats reach further than malicious links. Consider the small problem of information leakage thanks to the chatty, informal and conversational nature of the act of tweeting. This can allow people to lower their guard, leading to the inadvertent sharing of information that might be considered 'sensitive' within the workplace, for example.
NHS Connecting for Health policy with regard to accessing social networking tools like Twitter on NHS trust time appears to be that there is no policy. It’s a matter for individual trusts to determine what is an acceptable use of resources. There have been no major data privacy gaffes as yet, but I fear it is only a matter of time - unless the situation is addressed properly and soon.
The bottom line
Let me make this clear – I’m not a scaremonger, and I don’t want Twitter confined to a dustbin (just as I don’t want Facebook and other social networking websites eliminated). Indeed, I use and love Twitter (follow me at: http://twitter.com/happygeek).
My problem is just that it has transported far too many people back 10 years; to a time when everyone clicked on every link in every email because nobody knew any better. We all know better now; yet people are still placing blind trust in their social networks and assuming that if someone sends them a tweet it must be OK.
“Apply common sense to your Twittering, validate the identity of those you tweet with, and if you cannot get that validation then do not network with them at all.”
So, I am not saying “Do not use Twitter”. I am suggesting you use it sensibly and within the boundaries of acceptable use policies. Apply common sense to your Twittering, validate the identity of those you tweet with, and if you cannot get that validation then do not network with them at all.
Perhaps the best bit of advice I can give, however, is to stop treating Twitter like a private conversation and consider it to be more of a corporate conference situation: that way you’ll think twice before doing anything really stupid.
About the author: Author, journalist and consultant Davey Winder has been writing about security issues for 16 years. In June, he won the Security Journalist of the Year 2008 award: the second time he has been given this honour in three years.