12 tips of Christmas - A safer Twitter for 2010

Filed Under: Privacy, Social networks, Twitter

As we roll into the holiday season and many of us are taking more time away from work to spend with our families, we inevitably geek out. We have more time to read blogs, play video games, and reach out to our friends. Many of us use social networks to keep in touch and plan outings and parties. I thought I would share some tips with you on the safest way to use Twitter to keep in touch without falling victim to the many crooks targeting social networks.

  • 12 apps OAuthing - For Twitter statistics, analysis, or alternative web interfaces, stick with OAuth-based applications. OAuth is a secure method of allowing application developers to access your Twitter information. Applications using OAuth will redirect you to Twitter to confirm the application's request for access to your account. Websites that directly ask for Twitter credentials are often well-disguised phishing attempts.
  • 11 snoopers snooping - Treat the tweet-o-sphere as if you were standing in a pub. Don't disclose personal details that could be used to impersonate, track, or allow unnecessary contact. If you were in a pub and a stranger asked "Where do you live?" you wouldn't likely respond "2000 Main St., Apartment B." Instead, you might say "the East side."
  • 10 tweeps a-stalking - If you are comfortable being tracked by friends, family, stalkers, and governments, then by all means continue to post your GPS coordinates. Many mobile Twitter applications can post your position within a few feet using the GPS in your phone and these are on by default. I recommend that everyone disable this feature. Always explore the options menu in Twitter applications you are using.
  (Image: the Twitter geotagging option)

  • 9 careful retweetings - Don't blindly retweet links. Always thoroughly check out a link before sending it on. Many spam attacks are socially engineered tweets that depend on blind retweeting to gather more users into the scam.
  • 8 scammers bilking - Be wary of Direct Messages from those you don't know. Many users fall victim to phishing attacks every day and their accounts are often used to lure you to scam-laden URLs. These accounts will send you DMs with shortened links that could be malicious.
  • 7 links a-lengthening - When shortening URLs, use a service that lets other users easily preview where they are going. Many companies offering these services do provide ways for users to automatically expand URLs, including Bit.ly (or add a plus sign to the end of the URL), TinyURL, and is.gd.
  • 6 so-called deletings - Delete doesn't mean it's gone. You can now delete tweets, but, unlike emails, they cannot be rescinded. Deleted tweets may no longer show up in your timeline, but the message will already have been delivered to mobile phones over SMS and to third-party Twitter clients that will not forget your indiscretions.
  • 5 not-so-private tweets - As with Facebook, privacy on Twitter is not so private. Protecting your tweets provides a degree of security, but you still rely on your friends to avoid falling victim to a scam. Hackers depend on the trust we have for our friends and family and will use their accounts to gather your most personal details.
  • 4 friend impersonations - Be wary of Direct Messages from your friends if they seem out of context. As with random DMs, you may wish to check the shortened link at longurls.org. When my friends send me DMs like "Increase your followers by 4000%!", I know that it's time to pick up the phone and let them know they have been compromised.
  • 3 @spam alarms - Follow @spam for recommendations and alerts related to Twitter scams. Don't click links in emails appearing to be from Twitter either; always use a client or the twitter.com website directly to confirm followers, reply to DMs, etc.
  • 2 password changes - If you feel your password may have been compromised, change your password immediately. What is less obvious is that you must also revoke access to the Twitter API for any applications you are using and re-register them. If the criminals who have stolen your credentials still have API access, they can continue to impersonate you.
  (Image: the Twitter Connections configuration page)

  • And avoiding those fake celebrities - Verify the identities of people you follow where possible. If you are following a company (like Sophos!) or a celebrity, you can often find their real Twitter ID on their website. There are more than 50 variants of Britney Spears, many of which are scams.
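The "careful retweetings", "scammers bilking" and "links a-lengthening" tips all come down to one habit: find out where a shortened link lands before you click or retweet it. The script below is an added example, not from the original post or from Sophos; it walks a short link's redirect chain one hop at a time with HEAD requests (so the landing page is never loaded), flags redirect loops and over-long chains, and builds the bit.ly "+" preview URL the post mentions. The sample hops and hostnames are constructed for offline use.

```python
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib stop at each redirect instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_location(url, timeout=5):
    """Live resolver: HEAD the URL and return its Location header, or None
    when the response is not a redirect (i.e. this is the final page)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except HTTPError as err:  # urllib raises on 3xx once redirects are disabled
        return err.headers.get("Location") if 300 <= err.code < 400 else None

def expand(url, resolver=http_location, max_hops=5):
    """Walk the redirect chain hop by hop. Returns (chain, suspicious):
    chain is every URL seen in order; suspicious is True on a redirect
    loop or when max_hops is exhausted without reaching a final page."""
    chain = [url]
    for _ in range(max_hops):
        nxt = resolver(chain[-1])
        if not nxt:
            return chain, False
        nxt = urljoin(chain[-1], nxt)   # Location may be relative
        if nxt in chain:                # redirect loop
            return chain + [nxt], True
        chain.append(nxt)
    return chain, True

def preview_url(url):
    """The manual check from the post: a bit.ly link with '+' appended
    shows the destination without visiting it. None for other shorteners."""
    return url + "+" if urlparse(url).netloc.lower() == "bit.ly" else None

# Constructed offline sample (hypothetical hosts): a short link that bounces
# through a second shortener before landing on a look-alike login page.
SAMPLE_HOPS = {
    "http://bit.ly/xmas09": "http://tinyurl.com/xmas09",
    "http://tinyurl.com/xmas09": "http://twitter-login.example.net/",
    "http://twitter-login.example.net/": "/signin?session=1",
}
LOOP_HOPS = {"http://example.com/a": "http://example.com/b",
             "http://example.com/b": "http://example.com/a"}
```

Passing `SAMPLE_HOPS.get` as the resolver runs the walk offline; with the default resolver it queries the real shortener over the network.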

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.