Saturday, August 11, 2012
I have found that in San Francisco I am starting to live a double (maybe soon to be triple) life: my VSC life and my computer engineering life. While I was at my VSC orientation this last week I was extremely involved with (and am now almost finished with) a book by the name of KingPin. It is a book on the life of Max Vision (Butler) aka Iceman and the cyber criminal underground. It's really a good book and has really opened my eyes to how vulnerable the cyber world is. Knowledge is power, but no one ever said that with knowledge comes only good. It has re-sparked an interest in security and understanding infrastructure for me.
Along with reading KingPin, I had a huge security breach in my Twitter account. The trickiest part about it though was the fact that all parties involved didn't even know there was a security breach... including the accidental hacker.
I received a weird tweet from one of my friends on Tuesday and looked at the tweet they replied to and realized I did not send it. My phone had been charging out in the open at the retreat center, so I figured one of my new friends saw me unlock my phone and then used that to their advantage to tweet on my behalf. So I kept my phone with me until I figured out who the culprit was. My friend later tweeted back to me and, lo and behold, the hacker replied back to my friend, "who are you?". I had my phone with me; someone was accessing my account from somewhere else.
At this point I started to get a bit more nervous, but figured that it was still one of my friends screwing with me... somewhere. So I watched all of my social networking sites and email to see if there was an intrusion on them (if there had been, that would mean my passwords were compromised): nothing. So only Twitter was hacked by one of my friends.... but how? All of the boxes that I signed into are either with me or in my closet at my parents' house, password protected..... My work.
This last summer I worked with my brother-in-law at his company, and after I left I know he took my computer so he could have all the code I had written over the summer, no biggie. But then I realized I was signed into Twitter on that computer and he could have noticed and decided to play a nice prank on me (he's soo nice...). I texted him and he told me that he wasn't on my work computer... at this point I was starting to panic a bit; my password must have been cracked.
It had to be a personal attack though, because most bots, hackers, and malware will only crack your password and put general crap on your feed but never interact with followers. So at this point I changed my password on my Twitter. That would cut this hacker off from my account, once his cache refreshed. I waited a few hours to ensure that he would be kicked off and asked my friend to tweet me again to see if they got a reply, and sure enough they did: "Who the hell are you, how did you get my number!". Weird.
All of the text messages were confusing, asking who my friend was, and in this last one the hacker referred to the reply as a "number". But why? I thought about it for a bit and everything became clear. I became extremely angry I did not catch it before, and my mind exploded with thoughts about the third party privacy world we live in today.
I checked my Twitter account and sure enough my settings confirmed my realization. My old phone was linked to the Twitter account. I didn't port my number from US Cellular when I moved to AT&T because I use a Google number. Everyone sees my Google number, so there was no point in porting over my USC number (it cost a pretty penny to do so). Well, sites like Facebook, Twitter, email providers, and other social sites allow you to link up your phone to get live updates via text message. For reasons I don't know, these sites will not forward updates to a Google number, and so I had to put in my actual USC number.
When I dropped my number at USC the ONLY explanation they gave me for keeping my number was "you will have to tell all your contacts you have a new number and it will be a very tedious process; paying a little extra upfront cost for convenience is worth it". That was it. Nothing about "every network you have your number linked to will have to be deleted and re-added if you want to keep your security". I don't know about the general population, but if they would have said that, I probably would have kept my number. Third Party failure to keep their customers secure.
On the other end, though, are the social networking third parties. To update and "link" your phone with their site, all you do is type your number in, they send you a text, and you reply with the confirmation number the site tells you. This is a fairly secure three-way handshake. But what happens when a new user takes the number? There is an initial login of the phone, but nothing after that. No verification each time someone replies to the site or anything. Third Party failure to fully secure and inform linked devices.
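To make the gap concrete, here is a small model of that handshake and what happens when the number changes hands. This is an added example written for this post, not code from Twitter or any other site; the account name, phone number and day counter are all constructed, and the "link expires, re-verify from a logged-in session" rule in the hardened variant is one mitigation assumed for the illustration, not something the post says any site actually did.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

NUMBER = "+15555550142"  # constructed sample number, not anyone's real one


@dataclass
class Link:
    """A phone number the site trusts to post on behalf of an account."""
    account: str
    verified_at: int  # day on a constructed clock, supplied by the caller


class SocialSite:
    """Site that lets a user post by texting from a linked phone number.

    link_max_age=None reproduces the behaviour described above: once the
    number is verified it is trusted forever, and the site never learns that
    the carrier reassigned it. A finite link_max_age makes the site refuse
    texts from a stale link until the account owner re-verifies; the stranger
    holding the number cannot do that because re-linking starts from a
    logged-in session, which needs the account password.
    """

    def __init__(self, link_max_age: Optional[int] = None):
        self.link_max_age = link_max_age
        self.links: dict[str, Link] = {}
        self.pending: dict[str, tuple[str, str]] = {}  # number -> (account, code)
        self.feed: list[tuple[str, str]] = []           # (account, text) posted
        self.outbox: list[tuple[str, str]] = []         # (number, sms) the site sent

    # Steps 1 and 2 of the handshake: the logged-in user types a number,
    # the site texts a one-time code to it.
    def start_link(self, account: str, number: str) -> None:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = (account, code)
        self.outbox.append((number, f"Your verification code is {code}"))

    # Step 3: whoever holds the phone replies with the code.
    def confirm_link(self, number: str, code: str, now: int) -> bool:
        entry = self.pending.get(number)
        if entry is None or not secrets.compare_digest(entry[1], code):
            return False
        account, _ = self.pending.pop(number)
        self.links[number] = Link(account, now)
        return True

    # Every later inbound text is treated as a post from the linked account.
    # Nothing here can tell that a different person now holds the number.
    def receive_sms(self, number: str, text: str, now: int) -> str:
        link = self.links.get(number)
        if link is None:
            return "ignored: number not linked"
        if self.link_max_age is not None and now - link.verified_at > self.link_max_age:
            self.outbox.append((number, "Link expired; re-verify from your account settings."))
            return "rejected: stale link"
        self.feed.append((link.account, text))
        return f"posted as {link.account}"


def recycled_number_scenario(link_max_age: Optional[int]) -> tuple[str, list[tuple[str, str]]]:
    """Alice links her number on day 0; by day 400 she has dropped the carrier
    and a stranger with the recycled number texts what he thinks is a person."""
    site = SocialSite(link_max_age)
    site.start_link("alice", NUMBER)
    code = site.outbox[-1][1].split()[-1]  # Alice reads the code off her own phone
    if not site.confirm_link(NUMBER, code, now=0):
        raise RuntimeError("handshake should succeed with the right code")
    # The carrier reassigning the number is invisible to the site; only the
    # sender's intent changed. The stranger's reply lands as Alice's tweet.
    result = site.receive_sms(NUMBER, "who are you?", now=400)
    return result, site.feed


if __name__ == "__main__":
    print(recycled_number_scenario(None))  # stranger's text posted as alice
    print(recycled_number_scenario(90))    # stale link rejected, feed stays empty
```

The handshake itself is fine: a random code sent to the number proves that whoever holds the phone today is the person linking it. The failure is that "today" is never re-checked, so the proof silently outlives the carrier's ownership of the number. Time-limiting the link is one fix; another is exactly what the post concludes, linking an account you control rather than a number you rent.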
Yes, I am partly at fault for this as well. Me being a computer nerd, I could make these connections, but what if I were a normal user? And what if my "hacker" really wanted to screw with my account? I would have had NO control over it. The only control I would have would be to delete my account. Fortunately for me, the guy was a nice trucker who had just gotten a new phone. He was a nice and understanding guy, by the way.
Moral of the story: Be aware of who you trust with your private information. And when involving third party companies with third party companies, security can potentially be breached.
I hope others find this interesting and learn from my mistake. Don't link your number to a device, link a manageable account.