“There is a real issue here. We have got to sort this thing out” comes a rallying cry from the Cabinet Office as the Leader of the House of Commons, Harriet Harman, has her Twitter account hacked and a tweet posted widely on her behalf. Amongst the bemused, and undoubtedly by now amused, was shadow counterpart Alan Duncan. This comes only two weeks after a similar allegation made by another MP, David Wright, although I believe we’re still awaiting results from the content analysis in this case!
These stories serve to illustrate a number of points. First, one suspects that computers used by Cabinet members have pretty tight security – there are probably all manner of authentication tunnels and dongles between the keyboard and GCHQ. Yet, despite this, it still seems that a cabinet minister sees it as perfectly acceptable to inform the country of their triumphs through a social networking site. Yes, it’s ‘right on’, ‘cool’ and proves you’re in touch – it’s also very democratic. Too democratic – everyone can send tweets, and everyone can send tweets posing as someone else. It also raises the question: if it’s so easy to be that democratic, why do we still elect representatives to our parliament, why can’t we all have our voice?!
But the main point I would like to highlight from these incidents is not political, but the fact that the majority of security breaches in any environment, political, commercial and social, are caused by ourselves. ‘Hacking’ is much rarer than the media would have you believe; most breaches happen when we hand our security details to unknown people simply because they asked for them! Don’t believe me? Take a read of Kevin Mitnick and William L. Simon’s eminently readable book The Art of Deception.
I have received phone calls from my bank in the past where they have asked me for my security details – mother’s maiden name, date of birth etc. Now on the odd occasion that this has happened, I’ve stopped and, before blurting it all out, I apologise and say that I have no idea whether they are really calling from my bank. If I banked with Lloyds and heard Bach’s cantata Sleepers Awake playing gently in the background and it was 2002 then I would probably have believed them straight off, but I don’t, it wasn’t and it isn’t – so I have halted the conversation and said that I will call back. The last time this happened the chap at the other end took quite an affront; he clearly had an important message, but he wasn’t prepared to tell me until he had authenticated me, and I wasn’t prepared to tell him what he wanted to know until I had authenticated him! Impasse! I called the bank back on a number published on my bank statements, went through security, and eventually someone else was able to pick up the issue – they suspected fraudulent use of my credit card; fortunately for both parties, they were mistaken. I am, however, grateful for the occasional false positive because it shows that my bank has systems in place to spot a problem potentially days before I do!
Back to the point… I would be prepared to bet money that in Harriet Harman’s and other similar cases, their social networking accounts weren’t ‘hacked’, but that they fell victim to a simple phishing scam. Someone asked Harriet Harman for her login details, and she willingly typed them in, forgetting to check that it was indeed Twitter who was asking. The truth is a bit embarrassing; somehow it seems acceptable that some really smart MIT dropout with an IQ of a gazillion but the social skills of a turnip hacked into a government computer and stole the login details of a cabinet minister. Slightly less easy to swallow is that a cabinet minister probably logged into the wrong web site (albeit from a secured government computer).
Something has to be done about this! I see two options. First, the government could upgrade its systems so that its estate of, I don’t know, a quarter of a million internet-capable devices has its web traffic filtered, with known phishing sites blocked before a fake login page ever reaches the screen. The second option is to train our 500,000 civil servants to be more cautious and able to spot these sorts of attacks. There’s no magic to it: look at the URL of the page you’re logging into, and a basic understanding of how domain names are structured tells you all you need to know. The part that matters is the registered domain, the name immediately before the public suffix (twitter.com), not whatever familiar word happens to appear at the start of the hostname, before an @ sign, or further along the path.
Both of these options cost money and will take time – and at a time when we’re not quite sure whether we should be spending as much as possible or reining back spending, clearly there’s not going to be a decision taken quickly!
Maybe while the jury is out, there’s one more thing that could be done. Why doesn’t the government put out a notice to every civil servant to migrate from whatever web browser they use to Firefox? Once, that in itself would have taken an age to communicate; luckily, now every civil servant subscribes to the 10 Downing Street Twitter feed, so it’ll only take a moment of the Prime Minister’s time to issue a 140-character edict and effect a massive change. Also lucky for Gordon Brown, Twitter and Firefox are free, so no direct costs there!
Why do I offer this as a stop gap? Well, take a look at these two web sites and join me, in 850 pixels, after the break…
Hmmm, the first is familiar – we all know Twitter don’t we?! But the second, ooh, scary! That’s the sort of screen I’d expect to see if my computer had just been hacked!
But wait, look again, really closely, look at the URL!
Both screenshots show the same URL! What a great optical illusion – identical, but different! One screenshot comes from Internet Explorer (although it looks just as Twee in every other browser I’ve checked), the other from Firefox. Firefox has spotted a phishing attempt: the site in question is not Twitter at all, but a fake that looks suspiciously identical! It’s a shame that when Internet Explorer 8 launched with this grandiose claim:
Internet Explorer 8 offers the best security protections among leading browsers: a study released today by NSS Labs indicates that Internet Explorer 8 blocks two to four times as many malicious sites as other browsers on the market today.
…that its own phishing blocker, the SmartScreen Filter, let this one straight through! Reputation-based blocking, in any browser, only catches sites that have already been reported; a freshly registered phishing page is invisible to it, which is exactly why reading the URL yourself still matters.
If you’ve never understood what a web phishing scam is, you should by now. Someone creates a page identical to one you are familiar with, hosts it on a domain they control, and you unsuspectingly type in your username and password. They now have your account login details! If they’re smart, and the site you’re logging into is poorly written, they’ll even use your freshly stolen credentials to log in to the real site on your behalf and hand you the resulting session; you will appear to have logged in to your real account even though you entered through a completely different site, so you won’t even be suspicious!
How did I come across this particular Twitter scam site? It was linked from a direct Tweet I received this morning, obfuscated by a tr.im’ed URL…only it wasn’t from Harriet Harman’s office!
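The advice above, to look at the URL and know which part of the hostname actually counts, can be written down as a check. The following is an added example, not code from the original post: it takes a candidate login URL and reports whether its registered domain really is the site you think it is, rejecting the lookalike tricks a phishing page relies on (the expected name buried in a subdomain, placed before an @ sign, or only in the path; a bare IP address; a homoglyph hostname; plain http). It assumes twitter.com is the expected domain and uses a two-label approximation of the registered domain rather than the Public Suffix List; the sample URLs are constructed for the example and none of them is a real phishing site.

```python
"""Added example (not from the original post): check that a login page's
URL really belongs to the expected site.  Assumptions: twitter.com is the
site we mean to log in to, and the registered domain is approximated as
the last two hostname labels (real code should consult the Public Suffix
List so that names such as example.co.uk are handled correctly)."""
from typing import List, Tuple
from urllib.parse import urlsplit
import ipaddress

EXPECTED_DOMAIN = "twitter.com"   # assumption: the site we believe we are logging in to


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'login-secure.example'
    for 'twitter.com.login-secure.example'.  Two-label approximation only."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    return ".".join(labels[-2:])


def check_login_url(url: str, expected_domain: str = EXPECTED_DOMAIN) -> Tuple[bool, str]:
    """Return (ok, reason).  ok is True only when the URL is https and its
    host is the expected registered domain or a subdomain of it."""
    parts = urlsplit(url)
    host = parts.hostname            # already lower-cased, port and userinfo stripped
    if not host:
        return False, "no host in URL"
    if parts.scheme != "https":
        return False, "scheme is %r, not https" % parts.scheme
    if parts.username is not None:
        # 'https://twitter.com@evil.example/' : the real host is evil.example
        return False, "user@ prefix ahead of the real host (%r)" % host
    try:
        ipaddress.ip_address(host)
        return False, "host is a bare IP address"
    except ValueError:
        pass                         # not an IP literal, carry on
    if not host.isascii():
        # e.g. a dotless i in 'twitter': looks right, is a different name
        return False, "non-ASCII hostname (possible homoglyph)"
    actual = registrable_domain(host)
    if actual != expected_domain.lower():
        return False, "registered domain is %r, not %r" % (actual, expected_domain)
    return True, "ok"


# Constructed sample input for this example; none of these is a real phishing page.
SAMPLE_URLS = [
    "https://twitter.com/login",
    "https://www.twitter.com/login",
    "https://twitter.com.login-secure.example/login",   # expected name buried in a subdomain
    "https://twitter.com@evil.example/login",           # expected name placed as userinfo
    "https://evil.example/twitter.com/login",           # expected name only in the path
    "http://twitter.com/login",                         # right host, but no TLS
    "https://192.0.2.10/login",                         # bare IP (TEST-NET-1 address)
]


def suspicious(urls: List[str]) -> List[Tuple[str, str]]:
    """Return (url, reason) for every URL that fails the check, in input order."""
    out = []
    for u in urls:
        ok, reason = check_login_url(u)
        if not ok:
            out.append((u, reason))
    return out


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        ok, reason = check_login_url(u)
        print("%-50s %s  %s" % (u, "OK     " if ok else "REJECT ", reason))
```

Run the check against the URL that ends up in the address bar, not the link you clicked: a tr.im-style shortener hides the destination until the redirects have been followed, so the shortened link itself tells you nothing.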