WHY WE CHOSE NOT TO POST OUR INTERVIEW WITH ALLEGED TWITTER WORM CREATOR
The blogosphere is atweet with news of a DarkWeb attack on Twitter users. We believe we were the first to contact the man who claims to be the creator of the worm. We thought better of using his voice on our podcast, though, when we realized he’s only 17 years old. That makes him too young to consent legally to a globally-distributed interview. He may also be too immature to be a reliable source. The jury’s out on that.
At this point, we’ve decided to sit on the tape, even though the young man’s identity and his claims of responsibility for the Twitter hack have been widely revealed.
The co-host of Data Security Podcast spent quite a few years in a broadcast news room, and it’s her insistence that has prevented us from posting the audio, based on the age of the subject, his assertion that he was drunk when he conducted his exploit, and a healthy dose of journalistic skepticism.
(She reminded me that just last week, The Taliban claimed responsibility for a mass shooting in upstate New York, which turned out not to be the case, according to police. She questioned whether this “kid” is responsible for the Twitter attack just because he says he is, and beyond that, is he a “kid” at all, or is he older than 17? If he is a kid, why are his parents allowing him to stand in the media spotlight when he could be in big legal trouble? By the way, where are his parents? All good questions.)
Indeed, the young man has changed his story since he spoke with me. Last night said he did it to drive traffic to his website. He now claims his attack was calculated to expose a Twitter vulnerability. And as I write this, he’s released a second attack, according to cnet news.
But there’s more to say about this Twitter attack. As everyone knows, the attack took the form of spam invitations to visit Stalkdaily.com, a site the young hacker claims to have created. Stalkdaily.com is a site with features similar to Twitter’s, but allows users to add multimedia to their posts.
In my conversation with the self-proclaimed attacker, I got a description of his methodology, which also been surmised by other analysts. What’s NOT getting much ink is that this man exploited a common vulnerability that exists on a huge number of websites (cross-site scripting attacks – XSS). Only because Twitter is the flavor of the month is there so much attention paid to this XSS attack.
There is evidence that there are thousands of these attacks going on every day, but since the web sites aren’t called Twitter, the attack is not on the radar screen for mainstream media. I fear that all the attention will be on Twitter, and on a young man seeking his 15 minutes of fame, rather than on the same serious security issues that are present on many, many other web sites.
Note to Tweeters: You should add layers of security to your Twitter usage, if you have not already done so. HOWTO: Protect Yourself On Twitter (Lessons Learned From The StalkDaily Twitter Hack)
If you like this posting, please consider LISTENING TO AND SUBSCRIBING TO THE DATA SECURITY PODCAST