Yesterday, the Twitter-sphere was engorged with spam tweets produced by a significant security hole in cross-scripting capability that threw the service into total disarray. People were warned repeatedly to stay off the service’s main page, to only use third-party Twitter apps, and to generally sit tight until the storm blew over. The attack spread like wildfire in a California summer, affecting tens of thousands of users in just minutes. Several hours later, Twitter managed to patch the vulnerability, and no lasting damage was done. A close analysis of the events shows a surprising, yet sensible result. ComputerWorld reports that according to Sean Sullivan, of the Finnish Security company F-Secure, there is a distinct parallel between the rate of attack and the alacrity of the website to patch it. Generally, he says, the faster and more widespread the effects, the faster it gets fixed "Social networks have built-in antibodies...their users. Compare the Twitter attack to a malicious attack of yesteryear that took weeks or even months to develop. This peaked and ebbed in two and a half hours."
The nature of social networking sites like Twitter is what gives these exploits the ability to proliferate so quickly, but is also why malicious hackers don’t really use those avenues of attack. The users of a social network are always aware when something seems amiss, and when something like this hits the servers, the feedback is huge and almost instantaneous. On the other hand, building a botnet of hundreds of thousands of client PCs to take down a large corporate website takes a lot of time, is generally unseen by the users of the controlled PCs, and every attempt is made by the perpetrator to make the infection as stealthy as possible.
Sullivan separates the work of hobbyist spammers and professional hackers to explain the difference. Spammers, if they are even after money in the first place, will be drawn to these kinds of attacks because, while they may be short lived, a good scam is all about one good window of opportunity among thousands of dead ends. The target isn’t clear, the intent may not even be malicious, and it can bring you fame and honor in that subculture. Hackers, on the other hand, have a much more specific target, with detailed goals and attack plans. Stealing profitable personal information requires precision, and most of all, stealth. A social network attack is extremely visible, something the professional cyber-criminal wants to stay far away from.
Sullivan’s solution for stemming the inevitable new tide of Twitter spammers is a simple one: bounties. In a situation where the attack is extremely visible and widespread, there will many users willing to heed the call of the mercenary and ride to the rescue. It would also convert hobbyist spammers to the good guys’ team. "These people with hobbyist mentalities want to be promoted, and recognition from Twitter might be one way to go."
Image Credit: Matt Hamm (Flickr)