Twitter can be addictive. For some, it’s the perfect mix of an RSS reader, a chat room and a never-ending cocktail party. But for cybercriminals, it’s just another technology to be exploited.
To protect your irreplaceable content, relationships and financial information, remember the following while you’re tweeting, re-tweeting and hashtagging away:
1. Be a little skeptical of everything, especially Direct Messages
In about two minutes, you could create a Twitter account that impersonates almost anyone, living or dead. Twitter has “Verified Accounts” for celebrities, but no one is really verifying if an account was really opened by your co-worker Stu. That said: hackers probably aren’t going out of their way to impersonate your co-worker Stu. But they might take over Stu’s account to trick you into clicking on a bad link.
So carefully scan any profile page you’re thinking of following. Check to see if there’s a respectable image. Make sure all tweets aren’t entirely repetitive self-serving spam. See if there’s a reasonable “follower-to-following” ratio. Then, if they look interesting, follow away.
But always be on guard.
You can never really know if any Twitter account has been taken over by someone with criminal intent. Hackers use hijacked accounts to spread spam and scams. Links may also lead to malware sites where the end goal is stealing online banking credentials or other personal information.
Worms, botnets, phishing scams and malware have already found their way into Twitter. Crooks work night and day, so you know eventually a variation on every nasty trick that found its way into your email inbox or a web-page will show up in a tweet. However, the people at Twitter are working hard to make the site a safer place.
The site now filters malicious links and has launched its own URL shortening service that will both track and protect users. And a recent study found that Twitter links are as safe as or safer than Google search results.
You still should be especially wary of any link sent to you in a Direct Message. Just because you follow a person does not mean that everything that comes from her or him is safe or true. If you must click on a link in a Direct Message, please check it out first using F-Secure’s free Browsing Protection.
Nothing on the Internet is 100% secure. But with a little common sense and a few security precautions, Twitter can be as safe as any social network on the Web—even if Twitter doesn’t think it’s actually a social network.
2. Only enter your Twitter login and password at Twitter.com
One of the things that made Twitter so popular has been its openness to outside developers. Until the summer of 2010, you could even log into your Twitter account via a third-party site. This was a risky security practice that led to users becoming comfortable entering their credentials everywhere, and possibly having their accounts phished.
While Twitter is still open to thousands of fun applications, it no longer allows third-party logins. This means that the only place on the Web where you can log in to Twitter is Twitter.com. To connect an app to your account you must use a process called OAuth, which connects you to the application directly without handing it your password. Now Twitter is the only developer responsible for protecting your account credentials.
But of course, you have to do your part, too.
3. Use a strong password
Once a hacker has your password, your account and social identity are completely vulnerable. So guard those little jewels jealously.
Most importantly, you should use different passwords for every account you have. Your passwords should be complex and not based on any public information like your kids’ or pets’ names. Keeping track of multiple passwords from multiple sites can be overwhelming. But here’s a system that makes creating and remembering strong passwords easy.
You should also prevent your browser from remembering your passwords, and practice good password hygiene by changing your passwords every few months.
Most importantly, once you stop using any email or social networking account, be like John Mayer and Miley Cyrus. Delete it.
4. Fight bad software with good software
A necessary precaution before using Twitter, or any social network, is an Internet security suite along with updated system software. To make certain that all of your applications — including Adobe Acrobat Reader, Flash, iTunes, QuickTime and RealPlayer — are fully patched and protected, use the free F-Secure Health Check. It’s easy.
Twitter is like any boomtown; all types are floating through. So remember the same security lessons you learned while using email. Be selective about what you sign up for or follow or forward.
You may want to consider using a third-party Twitter client like TweetDeck or Hootsuite. These clients will protect you from being affected by XSS attacks like the one that hit Twitter.com in September. That exploit resulted in a lot of gibberish, but didn’t become malicious. But we may not be so lucky next time.
When opening links, never trust a site that tries to install any software you haven’t authorized or pretends to scan for malware. If you are seeing persistent pop-ups, or you notice that a new program has installed itself on your PC without your permission, immediately run F-Secure’s free Online Scanner.
5. Keep your account clean
Most Twitter users don’t realize that once you allow an application access to your Twitter account, that access stays open until you shut it off. This can lead to potential security holes, especially if you’ve authorized applications you shouldn’t trust. The owners of the applications connected to your account may even be able to read your private Direct Messages.
This is why you need to occasionally audit your account. To do this, go to ‘Settings’ then ‘Connections’. Then go through and ‘Revoke Access’ to every application you aren’t using. (If it turns out that you are actually using it, don’t worry. You can always re-establish access.)
Avoid connecting to bad applications by doing a Twitter search of the name of any app and checking its reputation before you give it access to your account.
Here are some other ways to clean up your account and bring back that “new-Twitter smell”.
6. Assume it’s a scam
Your bank probably isn’t going to contact you through Twitter—but someone pretending to be your bank or PayPal or a credit card company may. Verify any financial question directly with your institution. Don’t trust anyone that’s asking for financial help or giving you the secret of getting more followers fast.
Scams usually seem pretty obvious in retrospect, but the reason they exist is that they work! Smart people slip up all the time. Don’t be one of those people.
7. Protect Your Privacy
Twitter, unlike Facebook, is almost entirely a public space. A small percentage of Twitter users “protect” their tweets. But most users make their tweets public to the world.
Twitter’s search only goes back a few days. But Topsy has a record of all Tweets since May of 2008. And Google and Bing are now in the tweet tracking business. So assume that anything you Tweet will last forever, possibly even if you delete it immediately.
A good question to ask yourself before you tweet anything is: Would I say this out loud in a room full of strangers?
Never share sensitive or confidential information—including your email address. Specifically, don’t announce vacations or details about your schedule. Only add location to your Tweets if you are comfortable with the world being able to find you. If you want to tweet about a place you’re visiting, the best time to do this is as you are leaving. Otherwise, you may be informing a thief of exactly when you’ll be away from your home.
Tweets about layoffs, drunken behavior and how someone looks in a certain dress may be fun at the moment, but how would you feel about them being public when you’re applying for your dream job?
Be careful when using Twitter or any social network while you’re mad, or inebriated. Before you tweet anything in anger, take a deep breath. Remember that while Twitter may feel at times like it’s your own private cocktail party, it isn’t.