The Social

December 18, 2009 5:56 AM PST

So, is it safe to tweet now?

by Caroline McCarthy

What Twitter's homepage looked like before it went down on Thursday night.

(Credit: CC u07ch/Flickr)

Twitter stumbled again overnight on Thursday. But this time, it wasn't the work of the "fail whale," the cuddly cartoon personification of the site's excessive technical baggage. Rather, the site was replaced with a foreboding message from "Iranian Cyber Army" before crashing entirely, indicating that it had been the victim of a malicious attack that targeted its internal servers.

Co-founder Biz Stone posted a brief clarification on the issue late on Thursday night. "Twitter's DNS records were temporarily compromised tonight but have now been fixed," he explained. "As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we've investigated more fully."

At the risk of sounding like an evening-news anchor calling attention to exactly how dangerous your treadmill is or how many diseases you can get from the ball pit at Chuck E. Cheese, I think it's time to explore the question: Is it safe to use Twitter?

For one, Twitter's track record with security has been shaky at best. A security flaw this spring exposed the data of a number of employees and allowed a hacker to pilfer some internal documents. Several high-profile accounts, like those of Britney Spears, Ashton Kutcher, and CNN anchor Rick Sanchez, have been targeted individually. Twitter has been the victim of phishing attacks. Other hackers have proved that Twitter accounts can be set up specifically to corral botnets of infected PCs. And in perhaps the biggest incident of all, a politically motivated denial-of-service attack in August that targeted multiple social-media sites managed to cripple Twitter entirely.

Think of it this way: if Facebook, a far bigger and more mainstream site that's had concerns about user privacy splashed all over the news recently, saw its homepage replaced with a nefarious political message, there would probably be a fresh round of calls for CEO Mark Zuckerberg's resignation. Twitter's heavy users are, for better or for worse, accustomed to sporadic downtime and glitches. They're also less likely to ever visit the Twitter.com homepage, considering the service has so many points of entry--text message, as well as third-party apps for mobile, Web, and desktop. Users have become accustomed to logging into third-party applications with their Twitter credentials.

That, perhaps, makes the overnight hack a bigger concern. Even though it's unlikely that user accounts were compromised in this DNS redirect, it's yet another sign that Twitter's security operations have time and again proven weak enough that the service doesn't exactly seem watertight.

A political message, or just plain obnoxious?

On the other hand, we still don't know much about this attack and it may have been less sophisticated than some may fear. One, nobody's exactly sure yet who the hackers were. "Of course, just because a message saying 'This site has been hacked by Iranian Cyber Army' has been posted on a Web page does not necessarily mean that hackers from Iran are responsible for the defacement," Sophos security consultant Graham Cluley wrote on his blog Friday.

Additionally, Cluley said, the aim seems to have been to either get a political message through or to simply be obnoxious. "Fortunately there is no indication at this point that the page was carrying malicious code, and this attack appears to have had political motivations rather than being designed to steal confidential information from users," he wrote.

"It really looks like people were redirected to a 'hacktivism' site," weighed in fellow Sophos analyst Beth Jones via e-mail. "There was no malicious code on the site claiming to be the 'Iranian Cyber Army' either. It looks like they just hacked the registrar to redirect traffic. So it's quite probable that none of Twitter's own servers were touched."

Another reassurance is the fact that Twitter simply doesn't have the kind of sensitive data that a Facebook or Google does. While it does have millions of mobile phone numbers stored to power its text-message app, not to mention archived private "direct messages" between users, Twitter does not index a whole lot more that isn't otherwise public. Facebook, for example, has many members' credit card numbers on hand (if they've ever used its "gift shop" feature), not to mention extensive personal data in profiles like addresses, birthdays, and family connections. Members who are still concerned about the security of their Twitter accounts can take the obvious step of changing their Twitter passwords to something that they don't use on their e-mail, Facebook accounts, or elsewhere--just in case.

Beth Jones says she has confidence in Twitter. "I wouldn't say their security is second-rate by any means," Jones said via e-mail. "As it stands, they weren't actually compromised, but I can see from a user point of view the questions and concerns. At Sophos we see a new site compromised every 3.6 seconds. That's easily close to 24,000 sites a day, and of those, the vast majority are legitimate sites that get hacked."

That doesn't mean that Twitter shouldn't start making it more clear that it takes security seriously. If the company, which is now beta-testing a "Contributors" feature that may pave the way to paid corporate accounts, begins storing financial information, we can only hope that their security operations are turned up a few notches. Or, ideally, an order of magnitude.

This post was expanded at 6:23 a.m. PT with comment from Sophos' Beth Jones.

August 4, 2009 7:17 AM PDT

Denial-of-service attack downed Gawker Media

by Caroline McCarthy

Hackers launched a distributed denial-of-service (DDoS) attack that sporadically downed popular blog network Gawker Media over the weekend and on Monday, the company confirmed in a blog post early Tuesday morning.

When CNET News spoke to Gawker Media representatives on Monday, they were not yet sure what was causing the outages but had not ruled out malicious behavior.

The attacks appear to have been launched at Consumerist, a blog that Gawker sold to Consumer Reports last year but which is still hosted on the same servers. The motivation behind them is not yet clear.

The New York-based Gawker Media has sold or merged a number of its blog titles over the past few years, but it remains the parent company of several extremely high-profile blogs--often with an edgy gossip angle--like Gizmodo, Jezebel, and the eponymous Gawker.com.

DDoS attacks occur when attackers swamp a site with excess traffic, such as pings, from many sources at once to bring it down; they can knock out entire hosting companies.

July 30, 2008 6:45 AM PDT

EA: Hack took Facebook 'Scrabble' down

by Caroline McCarthy

The saga continues: Electronic Arts, which handles digital versions of the board game Scrabble for North American parent company Hasbro, has claimed that malicious hackers were responsible for the disappearance of its Facebook application on Tuesday.

The game had crashed on the same day that the creators of Scrabulous, a popular imitation game, blocked access to North American visitors after a legal complaint from Hasbro. With the real Scrabble inaccessible, irritated fans assumed that there was a server problem--the game is in beta, after all--and filled the application's discussion wall with angry comments.

But the real problem, EA has said, is that a hack downed Scrabble. When, according to the Los Angeles Times, the game was still inaccessible at 4 p.m. PT, the company released a statement.

"EA's Scrabble Facebook game experienced a malicious attack this morning, resulting in the disabling of Scrabble on Facebook," the statement read. "We're working with our partners to resolve this issue and have Scrabble back online and ready to play as soon as possible."

It sounds like the old "blame the hackers" excuse, but if you just look at the Scrabble application wall, it's pretty clear that there are a few people who are angry enough at Hasbro and EA to want to sabotage the game.

Whatever the case, the hack was a good one: on Wednesday morning, the game was still inaccessible.

June 18, 2008 8:55 AM PDT

OurSignal puts the follies of social news all in one place

by Caroline McCarthy

The top headlines at a given time on Wednesday morning at OurSignal. Yeah, a bit short on relevant news.

(Credit: OurSignal)

On Wednesday morning, I read about a new site called OurSignal, which mashes up the top headlines from Digg, Reddit, Delicious, and HackerNews, promising to show a more diverse array of what the Web's recommending. Kind of like OriginalSignal for social news.

Unfortunately, when I loaded up OurSignal, staring me in the face was "Goatse In Spore," a reference to an extremely crude graphical Web meme (don't Google it, please). Not exactly the kind of top headline I was looking for.

The concept is kind of cool: "warm" colors mean a story is gaining momentum, and "cool" colors mean it's fading. Bigger boxes mean more votes on a story across the Web. And it refreshes every 15 minutes, which isn't that impressive in the real-time culture of Summize, but is still quick enough to provide a fresh take on the news.

That's the problem: news. Social-news sites, for better or for worse, have become known for being places to find the most popular Top 10 lists and funny videos in addition to the news, and OurSignal is no exception. So if you're looking to find the goofiest Digg and Reddit headlines in one place, this is a nice resource; but if you're actually looking for the news, you might be out of luck. Putting a handful of social-news sites together unfortunately doesn't do much to help the content.

I'll stick to Google News for now, thanks.

About The Social

CNET News' Caroline McCarthy is a downtown Manhattanite who believes that, despite popular opinion, the Web can actually help your social life. She's happily addicted to fun social-media tools from Twitter to Yelp to Facebook, sends an inordinate number of text messages, and has a tendency to waste time at the office reading restaurant blogs. Here, she explores all facets of the Web's gregarious side, as well as the unique tech culture in her home city of New York. (Don't call it Silicon Alley.)
