
SPOTLIGHT ON SECURITY

Twitter Bags Encryption Program

While Twitter rose to notoriety by being the place where people spilled the minutiae of their lives, there are times when its users don’t want everyone in the online world to see what they’re thinking. For those occasions, there’s direct messaging.

When direct messages are sent by one tweeter to another, there’s a certain expectation of privacy there — even though little is done to protect those messages should they be snatched by a snoop.

Twitter was planning to change that. It launched a program last November to find a way to encrypt direct messages sent within its microblogging realm. Last week, though, news surfaced that the company had pulled the plug on the project.

Twitter has been mum on the subject — it did not respond to our request for comment on this story — but others have not been so reticent.

“This signals that Twitter is clearly not interested in being a secure private messaging service and is focusing on public communications,” JJ Thompson, managing director and CEO of Rook Security, told TechNewsWorld.

“It is absolutely a setback for Twitter users who are relying on secure private communications,” he added.

Waste of Effort

While Twitter is concerned with the privacy of its users and protecting them from run-of-the-mill phishing attacks and such, it’s unlikely anything it was going to do would protect its users’ direct messages from the likes of the NSA, noted Tal Klein, vice president of marketing for Adallom.

Moreover, that kind of encryption would very likely crank up the customer complaints.

“NSA-proof encryption is really expensive and likely introduced unacceptable latency to the Twitter user experience,” Klein told TechNewsWorld.

“I’m guessing that’s why the project got shelved,” he added, “because if I asked you today if you’d accept a slower Twitter in exchange for more privacy, you’d say, ‘No.’”

While users may expect direct messages to be private, few are naive enough to consider them secure.

“There is no assurance of privacy or security in transmission or delivery of direct messages,” said Simon Crosby, CTO and cofounder of Bromium.

“Adding serious security controls to DMs would be a massive amount of work, and it’s not clear that users view Twitter as a platform they would trust for secure communications anyway, so it would probably be a wasted effort,” he told TechNewsWorld.

Privacy Commitment Undiminished

Suspension of the direct messaging encryption program may disappoint some users, but it doesn’t mean Twitter’s commitment to privacy and security is diminishing, maintained Michael Sutton, vice president of security research at Zscaler.

“While adding direct message encryption would be a positive step forward for the privacy of Twitter users, that feature alone is not a silver bullet, and temporarily curtailing the effort is not a blanket statement on Twitter’s commitment to security,” Sutton told TechNewsWorld.

“Twitter is actually one of the more progressive social networking sites, having moved to allow users to force encrypted communication for all traffic back in 2011. It has also shown a commitment to security by obtaining top talent and technology, as they demonstrated with their 2012 acquisition of Dasient,” he explained.

“It has also shown a strong commitment to user privacy [and has] been at the forefront of efforts to allow greater transparency related to government requests for information disclosures, and [it] regularly fights court orders to hand over data,” Sutton observed.

Ukraine Is No Estonia

Pentagon brass have hinted at the U.S. arsenal of weapons that could be used in a cyberwar, but the only world power known to have actually used such arms in a real international conflict has been Russia. It mounted crippling distributed denial-of-service (DDoS) attacks against Estonia in 2007, and there is evidence it is trying to infect networks in Ukraine with the Uroburos rootkit.

“It is not surprising to see state-sponsored malware like Uroburos appearing on networks in Ukraine in the midst of the Crimean crisis,” said Tom Cross, director of security research at Lancope. “Malware activity is an integral part of international conflict today.”

Although malware typically assumes the role of spy — snatching intelligence located on computers and shipping it to its masters — it can be used to throw a spanner in a nation’s infrastructure, as the U.S. demonstrated with the Stuxnet attack on Iran’s nuclear development program.

“I’m not aware of any reports of Uroburos being used to disable critical infrastructure, but if a violent conflict breaks out in Ukraine it would not be surprising to see cyberattacks used in that capacity,” Cross noted.

The malware tactic appears to have supplanted DDoS as a cyberwar strategy used by the Russians.

“Although Lancope does see some Internet DDoS attack activity occurring in Ukraine right now, it is nothing out of the ordinary,” Cross said. “We are not seeing the massive levels of DDoS attack activity that we saw in Estonia in 2007. However, if the conflict escalates nothing is out of the question.”

Breach Diary

  • March 18. The IRS discloses that one of its employees took home a thumb drive containing unencrypted data on some 20,000 of the agency’s workers. The data — including Social Security numbers, names and addresses of employees and contract workers — could potentially be compromised because the drive was plugged into the employee’s unsecured home network.
  • March 18. Turkish hacker Ibrahim Balic crashes Google Play’s Developer Console, the store’s app-publishing system, while testing a vulnerability in it.
  • March 19. Hilary Remijas of Illinois files a lawsuit on behalf of 350,000 customers affected by the data breach at Neiman Marcus in 2013.
  • March 19. EA Games website compromised and starts hosting phishing site targeted at Apple ID account holders.
  • March 20. Alex Kibkalo, a former Microsoft employee, arrested by federal authorities for stealing trade secrets from his former employer.
  • March 20. IBM announces Smarter Counter Fraud initiative to help organizations use big data analytics to mitigate losses from computer fraud.
  • March 21. Cisco reports risk of Internet users encountering malware increased 10 percent from January to February this year. Java malware encounters also increased during the period from four percent in January to nine percent in February.
  • March 21. Bitcoin exchange Mt. Gox reveals it discovered 200,000 “forgotten” bitcoins (about $115.8 million) on March 7, a week after it filed for bankruptcy saying it had lost almost all of its 850,000 bitcoins, worth about $500 million at today’s prices.
  • March 21. Syrian Electronic Army, a hacker group, publishes documents stolen from Microsoft that it says show the software maker billed the FBI for fulfilling the agency’s requests for information about Microsoft users.

Upcoming Security Events

  • March 25. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • March 25. Critical Security Controls for Effective Cyber Defense. 2-2:30 p.m. ET. Webinar. Free with registration.
  • March 25-26. Secureworld Expo. Hynes Convention Center. Registration: Conference, $295; with training, $695; exhibits and free sessions, $25.
  • March 26. CMaaS + Cyber Security 3.0. 8 a.m.-12:30 p.m. The Tower Club, Tysons Corner, Va. Free for GoMark Council members and government employees; non-members, $200.
  • March 27. Understanding and Prioritizing Today’s Threats. 1 p.m. ET. Webinar sponsored by Dark Reading. Free with registration.
  • March 25-28. Black Hat Asia. Marina Bay Sands, Singapore. Registration: by Jan. 24, $999; by March 21, $1,200; by March 28, $1,400.
  • March 29-30. BSides Mumbai. Mumbai World Trade Centre, Cuffe Parade, Mumbai. 5,000 Indian rupees.
  • April 1-2. SecureCloud 2014. Amsterdam RAI Convention Centre, Amsterdam, Netherlands. Registration (includes VAT): Through Feb. 14, 665.50 euros, government; 847 euros, business; After Feb. 14, 786.50 euros, government; 1,089 euros, business.
  • April 1-3. 13th European Security Conference & Exhibition. World Forum, the Hague, the Netherlands. Registration: ASIS members, 970 euros; non-members, 1,170 euros.
  • April 4-5. BSidesPR 2014. San Juan, Puerto Rico. Free.
  • April 5. BSidesROC 2014. German House, 315 Gregory St., Rochester, N.Y. Free with registration.
  • April 5-6. BSides Orlando 2014. Wyndham Orlando Resort, Orlando, Fla. Ticket: $20.
  • April 5-14. SANS 2014. Walt Disney World Dolphin Resort, Orlando, Fla. Job-based long courses: $3,145-$5,095. Skill-based short courses: $575-$3,950.
  • April 7-9. InfoSec Conference & Expo 2014. Disney’s Contemporary Resort, Orlando, Fla. World Pass, $3,795; world Pass with Hands-On Track, $3,995.
  • April 8. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • April 8-9. IT Security Entrepreneurs’ Forum. Computer History Museum, 1401 North Shoreline Boulevard, Mountain View, Calif. April 8 workshops and April 9 forum and reception, $595. Forum and reception only, $495. Government employees, free. Students, $195.
  • April 8-9. Secureworld Expo. DoubleTree by Hilton Hotel Philadelphia, Valley Forge, Pa. Registration: Conference, $295; with training, $695; exhibits and free sessions, $25.
  • April 11-12. Women in CyberSecurity Conference. Nashville Airport Marriott, 600 Marriott Drive, Nashville, Tenn. Registration: student, $40; academic faculty, $100; corporate, $250.
  • April 17-18. Suits and Spooks San Francisco. Fort Mason in the Firehouse, San Francisco. Registration: Through March 10, $380. After March 10, $575.
  • April 26. BSides Chicago 2014. The Abbey Pub, 3420 W. Grace, Chicago. Free.
  • April 27-28. BSides Dubai 2014. Free.
  • April 29. BSides London 2014. Kensington & Chelsea Town Hall, Horton Street, London. Free.
  • April 29. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • May 9-10. BSides Boston 2014. New England Research & Development Center, Kendall Square, Cambridge, Mass. Fee: $20.
  • May 20. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 3. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • June 5. Cyber Security Summit. Sheraton Premiere, Tysons Corner, Va. Registration: $250; government, $50.
  • June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
  • Aug. 2-7. Black Hat USA. Mandalay Bay, Las Vegas. Registration: through June 2, $1,795; through July 26, $2,195; after July 26, $2,595.
  • Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
  • Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
  • Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.
  • Oct. 29-31. RSA Conference Europe. Amsterdam RAI, Amsterdam. Registration: through Oct. 27, 1,095 euros plus VAT; after Oct. 27, 1,295 euros plus VAT.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
