The Rat is a relatively recent convert to Twitter, by his own admission. Mostly, that is because the “What are you doing?” question the service asks its users to answer over and over again each day consistently provoked the same response from him: “None of your @#$%%^! business!”
But since his recent life change, and the discovery that there are things other people on Twitter and Facebook are up to that he actually cares about, he has started digging a bit deeper into social networking services, albeit with some healthy skepticism. That skepticism was proven justified last Thursday, when “don’t click me” rolled into his Twitter friends’ timeline.
There has been a recent uptick in the exploitation of social media by individuals or groups seeking to cause mischief, steal sensitive personal data, or otherwise compromise the security of social network users’ computer systems. The reason for the surge is simple. As bank robber Willie Sutton was alleged to have said when asked why he robbed banks, “That’s where the money is.”
Social networks are rich environments for information sharing and collaboration that are based largely on the trust built between users. And they are rich in personal information, both explicit (your name, email address, where you live, where you work, etc.) and implicit (your password might be the password you use to log into other web accounts, or your corporate email, or even your bank account). Because they’re based on mutual trust, users are more prone to click on something that comes from a friend than, say, a spam message in their email inbox. And once someone within a network of trust is compromised, it’s relatively easy to exploit their network to compromise other users.
Last week’s “clickjack” attack on Twitter was by most measures benign, if you count overloading the Twitter message service and causing web users to get the “fail whale” as benign. It used a self-perpetuating Twitter message carrying a link that told users NOT to click it. Anyone who followed the link and pressed the “Don’t Click” button was in fact pressing the submit button of Twitter’s own status-update form, loaded in an invisible frame laid over the decoy button (that is what “clickjacking” means), so the same message was posted into the victim’s own status and on to everyone following them. It was not spreading malware, unlike some other recent attacks on social networks (Digg, Facebook and MySpace); those attacks even drove the legislature here in Maryland to briefly ban posting to Facebook and MySpace because of virus concerns.
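To make the mechanism concrete, here is an added example (not code from the original post, and not Twitter’s code) that models both halves of the trick in JavaScript: the attacker’s decoy page with a transparent frame over the bait button, and the response headers a site sends so browsers refuse to frame it at all. The target URL, the header-check helper and the sample headers are constructed assumptions for illustration. Note that the X-Frame-Options header only appeared with IE8 in early 2009 and the CSP frame-ancestors directive came years later, so at the time of this attack the usual defence was “frame-busting” JavaScript on the target page.

```javascript
// Added example, not from the original post. Models the "don't click"
// clickjacking trick and the server-side anti-framing defence.

// Attacker side: the victim sees only a "Don't Click" button. A fully
// transparent iframe of the target's status-update form (URL is an
// assumption) sits above it, so the click lands on the form's submit button.
function buildDecoyPage(targetFormUrl) {
  return `<!doctype html>
<html><body>
  <button style="position:absolute;top:100px;left:100px;">Don't Click</button>
  <iframe src="${targetFormUrl}"
          style="position:absolute;top:0;left:0;width:600px;height:400px;
                 opacity:0;z-index:2;border:0;"></iframe>
</body></html>`;
}

// Defender side: headers telling the browser this page must not be framed
// by another origin. Sending both covers old and new browsers.
function antiFramingHeaders() {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
  };
}

// Tester's check over captured response headers: could an attacker's page
// frame this one? Header names are matched case-insensitively because
// servers and proxies vary in how they emit them.
function isFramable(headers) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? undefined : String(headers[key]).trim();
  };
  const xfo = get("x-frame-options");
  if (xfo && /^(deny|sameorigin)$/i.test(xfo)) return false;
  const csp = get("content-security-policy") || "";
  const fa = csp
    .split(";")
    .map((d) => d.trim().toLowerCase())
    .find((d) => d.startsWith("frame-ancestors"));
  if (fa) {
    const sources = fa.split(/\s+/).slice(1);
    // 'none' or 'self' (alone or together) blocks a cross-origin attacker frame.
    if (sources.length > 0 && sources.every((s) => s === "'none'" || s === "'self'")) {
      return false;
    }
  }
  return true; // no effective anti-framing policy found
}

// Demo on constructed headers (no network access needed).
const unprotected = { "Content-Type": "text/html" };       // constructed sample
console.log("unprotected page framable:", isFramable(unprotected));       // true
console.log("hardened page framable:  ", isFramable(antiFramingHeaders())); // false
console.log(buildDecoyPage("https://target.invalid/status/update"));
```

The decoy page is deliberately dumb: no script is needed on the attacker’s side, which is why a user who “knows better than to run untrusted code” still gets caught. The check in `isFramable` treats an `ALLOW-FROM` value or a permissive `frame-ancestors` list as framable, since neither stops an arbitrary third-party origin.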
There is a simple solution to most of these threats: treat any link you get in Twitter, Facebook, or MySpace updates with the same level of suspicion that you apply to emails from Nigerian princes. As the Russian proverb Ronald Reagan was fond of quoting goes, “Trust, but verify.”