Category Archives: Security

How Not to Follow Fake Profiles on Twitter

Twitter has to be one of the more remarkable innovations of recent times, giving us a real-time picture of what is happening around us. We all love to follow, and be followed by, people we know, like and relate to.

Apart from friends, relatives and colleagues, who doesn't want to follow their favourite actors, sportspersons and politicians, and stay updated on what is going on with them?

However, are you sure the Lewis Hamilton or Priyanka Chopra or Shashi Tharoor you are following is the real person and not a fake? Or are you following them just because a friend does?

Here are some tips to help you determine whether the Twitter account you want to follow is real or fake.

1. Is it a Verified Account?

Twitter is currently beta testing 'Verified Accounts', where Twitter itself confirms the identity of the person tweeting from the account. For now it is limited to well-known personalities who have had problems with impersonation or identity confusion. A verified account looks like the one below (note the blue-and-white check mark):

(Image: Arsenal's verified Twitter account, showing the check mark)

This is the strongest signal available when the person is a celebrity. Two caveats: since only a handful of accounts have been verified so far, the absence of the mark does not by itself mean an account is fake; and look for the mark where Twitter renders it on the page, not inside the display picture or background image, which the account owner can edit freely. Read more about verified accounts: http://twitter.com/help/verified

2. What is the Web page of the Account holder?

Look at the web URL listed on the Twitter profile, if there is one. A quick web search will tell you whether it really is the person's official page. Again, this is most useful for a well-known personality. Some people link to their Facebook profile instead; search the web to confirm that the profile is authentic. Be wary of any landing page that looks suspicious, and compare the domain in the profile's link with the one you find through an independent search, rather than trusting the link itself.

3. Look at the Tweet times.

This one is interesting. Every tweet carries a timestamp. Knowing where the user lives, you can sometimes pick out a fake from the times alone: not many people tweet in the middle of the night or at 4 AM, at least not regularly. Remember that Twitter shows times relative to your own clock, so convert to the account owner's local time before judging. I had an interesting time determining the genuineness of one such profile:

While watching the Arsenal vs Stoke match, I was put off by the horrific injury to Aaron Ramsey from a reckless tackle. The next morning I was looking for information on the extent of the injury and the recovery time. The Gunners community (Arsenal are also called the Gunners, in case you are wondering where that came from) on a social networking site had a scrap from a fan saying that Aaron Ramsey had tweeted it would take 7 months. That really ticked me off. I looked at the supposed profile of Aaron Ramsey on Twitter and had my doubts right away; the timeline of tweets later confirmed them.

The time difference between India and the UK is 5 hours 30 minutes (IST is UTC+5:30 and the UK was on GMT in February; during British Summer Time the gap shrinks to 4 hours 30 minutes). The Twitter timeline said the tweet was posted about 2 hours earlier, and the local time (IST) when I checked was 11 AM. That puts the tweet at about 9 AM IST, which is around 3:30 AM in the UK. Which human being with a broken leg, undergoing critical treatment, would think of tweeting at that hour? I think it's insane. Aaron Ramsey does have a verified Twitter account, and it is not the one I was looking at.
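The same reasoning as code, as an added example for this post (not Twitter's code or the author's): convert "about N hours ago", as seen on the viewer's clock, into the claimed owner's local time, then look at where an account's tweets fall across the owner's day. UTC offsets are supplied by hand, on the assumption that no daylight-saving lookup is needed (the UK is on GMT in February); the tweet timestamps are constructed, not real tweets.

```python
"""Tip 3 as code: convert tweet times to the claimed owner's local clock.

Added example, not from the original post. Twitter reports "about N hours ago"
relative to the viewer's clock; the check is whether a tweet lands in the hours
when the claimed owner would plausibly be asleep. Offsets are fixed by hand
(assumption: the UK is on GMT for these dates, so no DST lookup is needed).
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))   # India Standard Time, UTC+5:30
UK_GMT = timezone(timedelta(hours=0))             # UK in winter (BST would be UTC+1)

# Hours, local to the claimed owner, in which regular tweeting is unusual.
QUIET_HOURS = range(1, 6)  # 01:00 .. 05:59


def tweet_time_from_relative(observed: datetime, hours_ago: float, home_tz: timezone) -> datetime:
    """Turn 'about N hours ago', seen at `observed` (an aware datetime in the
    viewer's zone), into the claimed owner's local time."""
    return (observed - timedelta(hours=hours_ago)).astimezone(home_tz)


def post_case_uk_local() -> str:
    """The post's case: seen at 11:00 IST, tweeted 'about 2 hours ago'; UK local time."""
    seen = datetime(2010, 2, 28, 11, 0, tzinfo=IST)
    return tweet_time_from_relative(seen, 2, UK_GMT).strftime("%H:%M")


def local_hours(timestamps_utc: list[str], home_tz: timezone) -> list[int]:
    """Parse 'YYYY-MM-DD HH:MM' UTC strings and return the owner-local hour of each."""
    hours = []
    for ts in timestamps_utc:
        utc = datetime.strptime(ts, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
        hours.append(utc.astimezone(home_tz).hour)
    return hours


def quiet_hour_fraction(timestamps_utc: list[str], home_tz: timezone) -> float:
    """Share of tweets posted during QUIET_HOURS in the owner's local time."""
    hours = local_hours(timestamps_utc, home_tz)
    if not hours:
        return 0.0
    return sum(1 for h in hours if h in QUIET_HOURS) / len(hours)


def hour_histogram(timestamps_utc: list[str], home_tz: timezone) -> dict[int, int]:
    """Owner-local hour -> number of tweets, sorted by hour."""
    return dict(sorted(Counter(local_hours(timestamps_utc, home_tz)).items()))


def looks_suspicious(timestamps_utc: list[str], home_tz: timezone, threshold: float = 0.4) -> bool:
    """Heuristic only: a large share of tweets in QUIET_HOURS is a red flag,
    not proof. Night-shift workers and travellers exist."""
    return quiet_hour_fraction(timestamps_utc, home_tz) >= threshold


# Constructed sample: tweet timestamps in UTC, not real tweets.
SAMPLE_TWEETS_UTC = [
    "2010-02-28 03:30", "2010-02-28 02:05", "2010-02-27 23:50", "2010-02-27 04:15",
    "2010-02-26 01:40", "2010-02-26 12:00", "2010-02-25 03:05", "2010-02-25 18:20",
]

if __name__ == "__main__":
    print("Post's case, UK local time of the tweet:", post_case_uk_local())
    # The same tweets look normal for an Indian user and odd for a UK footballer.
    for who, tz in (("UK owner", UK_GMT), ("Indian owner", IST)):
        verdict = "suspicious" if looks_suspicious(SAMPLE_TWEETS_UTC, tz) else "normal"
        print(who, hour_histogram(SAMPLE_TWEETS_UTC, tz), verdict)
```

The point of the histogram is that the same timestamps read completely differently depending on whose clock you apply: five of the eight sample tweets fall between 1 AM and 6 AM for a UK owner, but only one does for someone in India. Always convert to the claimed owner's zone before drawing conclusions.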

4. Look at the Display picture

The display picture also tells you something. Is it a genuine close-up photo, or is it Twitter's default bird? It is unlikely that a celebrity would use a fancy, posed shot lifted from a movie poster, and a profile with no photo at all should raise a flag. Bear in mind, though, that a photo is trivially copied from elsewhere, so a convincing picture on its own proves nothing.

5. Look at the list of Followers and Following.

The Following and Followers lists can also be revealing. If the account follows only one or two others, and those have equally thin profiles, you are almost certainly looking at a fake. Look at who follows the account too: a string of followers with no photo, or odd photos, is a good indicator.

NOTE: The above is neither exhaustive nor foolproof. These are basic guidelines to help you avoid following fake profiles created by impersonation. No single check is conclusive on its own, so weigh them together, exercise caution and take due care before following ANY profile.

I would appreciate your feedback. Please use the comments form to let me know what you think.


Social Engineering Countermeasures

Tring Tring !!

Sir, I am calling on behalf of Moneywise bank.

You have been selected as the most popular customer in our group on Facebook.com.
As you can see, the prize is US$10,000, and we will shortly be transferring this amount to your account. In this regard, we need to validate your credentials... Please provide your name as printed on the card, the expiry date and the card number.

Our 'Mr Social Networker' is on cloud nine as he happily reads out the details.

A couple of weeks later he is dumbfounded to find all his hard-earned money gone from his account.

No, this is not a scene from a movie, but the dark side of technology exploitation. Welcome to the world of Social Engineering (SE). Social engineering is hacking people rather than machines: fooling, impersonating and manipulating them. It bypasses any firewall, antivirus or IDS precisely because it exploits human nature instead of software. The motive, more often than not, is MONEY!

It can happen over the phone, in person, or through e-mail in the form of phishing, and there have been instances where freebies such as CDs and USB sticks loaded with malware were handed out so that the recipients could be exploited later.

Unlike hacking or cracking a system directly, SE draws on the enormous amount of information available on the internet. Attackers prowl social networking sites, forums, chat rooms and the like to identify probable targets, then begin their operation by sending phishing e-mails, putting up fake websites and inviting users to them, calling them, leaving tweets, and so on.

One of the most famous SE cases involved illegally logging on to top-secret US Air Force computers. A hacker called US Air Force facilities posing as a tech-support engineer from Sun Microsystems, claiming they had discovered vulnerabilities in the Solaris OS that had to be fixed on priority. Credentials were handed over to the so-called engineer, and within days the secrets were out on the net!

Take a look at the following e-mail. I received it just today, and it looks exactly like a genuine e-mail from the bank asking me to update my account credentials:

(Image: screenshot of the phishing e-mail)

The catch, however, is that the re-activation URL points to a site under a .bt domain, not the bank's actual website. On top of that, Firefox blocks the URL itself as a reported web forgery.

All this, and I don't even have an account with ICICI! E-mails like this are called phishing e-mails, and they are one of the techniques used in social engineering attacks.
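The check that caught this e-mail, the link's real destination versus the bank's real domain, as an added example for this post (not the bank's, Firefox's or the author's code). It generalises the .bt observation above to a few other common lures: a bank name smuggled in as a `user@` prefix before the attacker's host, a bare IP address, and link text that says one thing while the href goes somewhere else. The same host test applies to the web link on a Twitter profile (tip 2 of the previous post). `bank.example` stands in for the bank's genuine domain (an assumption), and the e-mail body and the hosts in it are constructed using reserved names and addresses.

```python
"""Where do the links in a suspicious e-mail really go?

Added example for this post, not the bank's or the author's code. The HTML
below is a constructed lure; bank.example stands in for the bank's genuine
domain (assumption), and the link targets use reserved names and addresses.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

LEGIT_DOMAIN = "bank.example"   # assumption: the bank's real registrable domain

# Constructed phishing e-mail body, modelled on the one described in the post.
SAMPLE_EMAIL_HTML = """
<p>Dear Valued Customer,</p>
<p>Your internet banking access has been suspended for security reasons.
Please <a href="http://bank.example.reactivation.invalid/login">re-activate
your account</a> within 24 hours to avoid permanent closure.</p>
<p>Or use our secure server:
<a href="https://bank.example@203.0.113.10/secure">https://bank.example/secure</a></p>
<p>For help visit <a href="https://www.bank.example/help">www.bank.example/help</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())   # collapse whitespace
            self.links.append((self._href, visible))
            self._href = None


def extract_links(html: str) -> list[tuple[str, str]]:
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def host_belongs_to(host: str, domain: str) -> bool:
    """True only if host is `domain` or a subdomain of it.
    'bank.example.evil.invalid' starts with the bank's name but fails this test."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_link(href: str, text: str, legit_domain: str = LEGIT_DOMAIN) -> list[str]:
    """Return the reasons a link is suspicious; an empty list means it looks fine."""
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return [f"unexpected scheme {parts.scheme!r}"]
    host = parts.hostname or ""          # urlsplit strips any user@ prefix for us
    reasons = []
    if parts.username is not None:
        reasons.append("user@ prefix before the real host")   # 'bank.example@attacker' trick
    if is_ip_literal(host):
        reasons.append(f"bare IP address {host} instead of a hostname")
    elif not host_belongs_to(host, legit_domain):
        reasons.append(f"host {host!r} is not under {legit_domain}")
    if legit_domain in text.lower() and not host_belongs_to(host, legit_domain):
        reasons.append("visible text names the bank but the href goes elsewhere")
    if parts.scheme == "http":
        reasons.append("plain http, no TLS")
    return reasons


def suspicious_links(html: str, legit_domain: str = LEGIT_DOMAIN) -> list[tuple[str, list[str]]]:
    """hrefs in `html` that fail at least one check, each with its reasons."""
    flagged = []
    for href, text in extract_links(html):
        reasons = classify_link(href, text, legit_domain)
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Two of the three links in the sample are flagged; the genuine help link under `www.bank.example` passes. The important detail is the direction of the suffix test in `host_belongs_to`: the attacker's host may begin with the bank's name, so the check must be that the host ends with the bank's domain, never that it contains it.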

Countermeasures:

No need to get paranoid about social engineering. Some of the countermeasures are already second nature to you; you just don't think of them that way. Would you take a chocolate or any other freebie from a stranger? No, right?
Similarly, don't even think of clicking on links or e-mails that promise you a free Toblerone in exchange for your personal information. Pause and think before reacting to anything like a questionnaire or a phone call (including missed calls and 'wrong numbers') from people you don't know.

Social networking sites like Orkut, Facebook, MySpace and Twitter are here to stay. Along with the benefit of staying in touch with friends, they bring privacy and security issues, but you can make your stay enjoyable by practising vigilance and taking due care.

Some things to consider:

• Social networking sites like Orkut, Facebook and Twitter give you options to protect or lock your personal information (photos, updates, birthday, tweets and so on) so that it is visible only to your friends or to people you have approved, and hidden from everyone else. Enable them.
• Limit the personal information you post. Phone numbers, e-mail addresses and postal addresses are not worth sharing.
• Ignore unsolicited e-mails and calls (and don't bother calling back missed calls from unknown numbers).
• Read your company's IT security policies. You might find them boring, but they capture best practices in use across many companies, and following them can save your job.
• Never give out personal details such as your date of birth or your parents' names, and above all never give out banking information, no matter what is offered in return. (In one survey on the subject, people handed over their user IDs for free chocolate!)
• Browsers such as Firefox and Internet Explorer come with anti-phishing filters that detect and warn you when the site you are about to open has been reported as malicious or forged. They are usually enabled by default; if not, enable them. Note that these filters only know about sites that have already been reported, so a brand-new phishing page can slip through, which is why the checks above still matter.
• As usual, make sure your system is protected with an antivirus (with up-to-date virus definitions) and a firewall, and is current on OS patches.

Let me know if you need any inputs.

Image Courtesy: K.U.Leuven

Further reading:

The Art of Deception, Kevin Mitnick
http://www.securityfocus.com/infocus/1533
http://www.microsoft.com/protect/computer/basics/social.mspx