Twitter scare could kick-start social Internet security problems

04 Jun 09

Microblogging service Twitter has been hit by a complex scareware distribution attack which may well signal the start of security problems in the social media space.

Last weekend’s attack was a complex one, with users invited to click on what appeared to be a YouTube ‘Best Video’. However, an embedded program then called upon an IP connection to a second site, which resulted in the downloading of a malware-infected PDF file that later installed a ‘rogue’ anti-virus.

According to business Internet security expert Finjan, this attack signposts the fact that companies need to think seriously before allowing staff access to these advanced types of social networking application.

Problems posed by short URLs

One of the associated factors in relation to last weekend’s foray by the criminal element centres on short URL services. On Twitter, of course, space is at a premium: the user has just 140 characters to make their point, and will not want to be wasting 50% of that allowance on a super-sized link to the latest YouTube clip.

The increasingly popular ‘quick fix’ for this is the free URL shortener. i4s Editor Anthony Hildebrand and I both make use of these on our Twitter sites (check the links on the right hand panel of this page if you want to follow what we’re saying!). On one of these URL shortener sites (such as TinyURL, Is.gd or Bit.ly), you can ‘plug in’ the long Internet address and it will assign you a much shorter one that’s easier to post in e-mails, on Twitter or Facebook.

Sounds great, doesn’t it? However, that convenience may come with a price attached. The tools add another layer to the process of navigating the Internet, potentially leaving a trail of broken links if a service suddenly closes down. The shortened URLs can also make it harder for the user to tell what they’re really clicking on. In turn, this renders these ‘Lilliputian links’ attractive to streetwise spammers and scammers.

A question of reliability

In fact, when you start to look at the security surrounding all of this, problems do spring to mind. Reliability is questionable. In order to reach the final destination, it’s not only necessary for the destination’s server to be reachable, but the short URL service also has to be up and running. Reliability problems with TinyURL – a free service begun in 2002 by Kevin Gilbertson – were what made the Twitter service provider (including lead engineer Alex Payne) make the recent switch to Bit.ly.

Bit.ly is seeing growth that Betaworks chief executive John Borthwick has termed “pretty amazing”. About 100 million bit.ly URLs are clicked on every week. Twitter stakeholder Betaworks has now spun off bit.ly as its own company, bolstered by $2 million worth of support from investors (among them O’Reilly AlphaTech Ventures).

Link compression is just the beginning, though. More and more of these mechanisms allow users to see all sorts of details, such as where a link is showing up around the Web and where the people clicking on it are located.

While several of the link shorteners began life as side projects, some of their creators now firmly believe they can make money off little links.

For its part, Bit.ly is looking into three different ways of generating revenue. First, it might create an advertising-supported site that tracks the most popular online trends (which it can spot by analysing what people are using its link-shortening service for), or it might sell that data to search engines and media companies that want to know what’s ‘hot’. Alternatively, it could offer a paid service to companies and major individual users.

Trust plays its part

Trust can also be a problem with shortened URLs. The user wants to only click on a safe link. Now, not only does that user have to trust the person who sends him or her a link, but also an intermediate player: the URL shortening service itself.

URL shortening services need to keep a keen eye on the kinds of sites their users are linking with in order to eliminate the prospect of unsavoury, illegal or malicious content.

Several URL reducers are adamant that they do protect against spam. Some services – SafeURL, for example – also allow the end user to preview a shrunken link's destination page. However, this is not usually an automatic procedure.
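The preview step described above can be automated on the defender's side. The following is an added example, not part of the original article: it walks a short link's redirect chain one hop at a time without fetching any page body, applying a hop limit and loop detection. The function names, verdict strings and sample redirect table are assumptions constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

# Shortener hosts named in the article; extend for your own environment.
SHORTENERS = {"tinyurl.com", "is.gd", "bit.ly"}

def head_location(url, timeout=5):
    """Send one HEAD request and never follow it; return the Location header or None."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()

def expand(url, fetch=head_location, max_hops=5):
    """Walk the redirect chain hop by hop; return (chain, verdict)."""
    chain = [url]
    for _ in range(max_hops):
        location = fetch(chain[-1])
        if location is None:
            host = (urlsplit(chain[-1]).hostname or "").lower()
            # A chain that ends on a shortener never revealed a real destination.
            return chain, "unresolved" if host in SHORTENERS else "resolved"
        nxt = urljoin(chain[-1], location)  # Location may be a relative reference
        if urlsplit(nxt).scheme not in ("http", "https"):
            return chain + [nxt], "blocked-scheme"
        if nxt in chain:
            return chain + [nxt], "loop"
        chain.append(nxt)
    return chain, "too-many-hops"

# Constructed redirect table standing in for the network; the short codes and
# the example.com destination are made up for this demonstration.
SAMPLE = {
    "http://bit.ly/abc123": "http://is.gd/xyz",
    "http://is.gd/xyz": "http://video.example.com/watch?v=1",
    "http://tinyurl.com/loop1": "http://tinyurl.com/loop2",
    "http://tinyurl.com/loop2": "http://tinyurl.com/loop1",
}

if __name__ == "__main__":
    for start in ("http://bit.ly/abc123", "http://tinyurl.com/loop1"):
        print(expand(start, fetch=SAMPLE.get))
```

Showing the user the whole chain, not just the final host, also exposes links that pass through more than one shortener.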

Readers of the SMT Online and info4security Twitter pages should bear in mind that all of the shortened URLs we post will take them to their intended destination!


Readers' comments

  • Julien Sobrier 04 Jun 09

    "Problems posed by short URLs" - Safe.mn (http://safe.mn/) addresses the two main criticisms of URL shorteners: security and transparency. All links are thoroughly verified for viruses, malware, phishing, malicious content, session stealing, cross-site scripting attacks, etc.

    Any suspicious link gets flagged, and users are warned about it. Safe.mn is also the most transparent URL shortener service: all links generated by Safe.mn are publicly available, and updated regularly.


Abacus E-media
St. Andrews Court
St. Michaels Road
Portsmouth
PO1 2JH