Mr. President: Just Say No to Twitter

By , About.com Guide

May 4, 2009

In a recent Wired News article, journalist Ryan Singel pleads, "Please Mr. President, Put the Twitter Down". His point? President Obama has far more meaningful things to do (like running a country) than twittering away. I agree with Singel's sentiment, and add a few other reasons that presidential tweeting is a bad idea.

The BarackObama Twitter account has been hacked numerous times, thanks to insecurities on the Twitter admin side of things. In the last intrusion, the hacker posted screenshots of the type of info available to these seemingly-easy-to-compromise admins. One of those screenshots was of President Obama's Twitter admin account. Looking at those screenshots, it appears that every time the president tweets, his IP address gets logged. An IP address can often be tied to a geographical area, something I don't think the Secret Service would be too keen on.

When accessed via the admin interface, the Barack Obama Twitter account (and presumably all others) includes a 'become' option, which gives the impression that it's easy to spoof BarackObama tweets if you're an unscrupulous (or a hacked) admin. Other personal identifying info is also exposed via the admin interface, including private email addresses, block lists, and support notes. In the screenshot of President Obama's Twitter account, one can easily see that the account has had numerous unauthorized password changes and other intrusions. In each case, presumably, the attackers had the ability to 'become' BarackObama and post tweets in his name.

Via the Twitter admin account, attackers can access the lists of fellow Twits you are following or have blocked. Thanks to the recent Twitter hack, we know for example that celebrity Ashton Kutcher has blocked self-proclaimed gossip queen Perez Hilton. Besides digging up meaningless celebrity dirt, having insider knowledge of who's being followed and who's being blocked can lend legitimacy to a social engineering scam. Such information can be used to trick a recipient into divulging further information or even into installing keyloggers and other data theft trojans.

At the time of this article, anyone can go to admin.twitter.com and access the login interface to manage Twitter accounts (hey Twitter, ever heard of VPN?). This openly accessible login makes it even easier for attackers to try to get in. The credentials are the typical combo of username and password. It's dreadfully easy to find Twitter admin usernames: they are the same as the admins' own Twitter accounts. Many of these were also exposed via the aforementioned screenshots. All that's left is to guess the password. And apparently, security at Twitter is so lax that admins have their passwords sent to their (also very insecure) webmail accounts or use easy-to-break passwords like 'Happiness'.

Twitter is a mildly entertaining chat feed that lets folks follow people or items of interest. It's useful from the standpoint of aggregating a lot of viewpoints under one umbrella. But it is inherently insecure. Anyone who uses Twitter should be mindful of the many risks. But for the president of the United States, or any other individual in a sensitive position, those risks far outweigh any imagined rewards from Twittering. So to echo Ryan Singel, PLEASE Mr. President, don't tweet.


©2009 About.com, a part of The New York Times Company.

All rights reserved.