What a wonderful world that open and closed platforms have created on the World Wide Web. I can have an untold number of features and applications inserted into my Web browser without having to lift much more than a finger to access them. I can take my favorite Web platforms and expand their usefulness by linking them to other Web-based services. I can even download a variant of my Web browser of choice that bridges the best of two worlds under one new roof: new innovations mixed with standard familiarity.
So, what happens when these architectures fight back?
It's a stupid thing to say on its face, because I don't believe that it's up to a particular program or application to breach your defenses and fight its way into your cyber-life. Most, if not all instances of malware, spoofing, and hijacking (to name a few) can be directly traced to user stupidity in some fashion. Either a person leaves the ol' back door unlocked, fails to frisk the guests as they enter the home, or actively invites a heap of trouble to come on over for a party.
Simplified examples, perhaps, but the underlying fact remains a constant: You are the gatekeeper for your PC. Unfortunately, as we begin to adopt an "everyone's allowed" mindset for Web integration, we're only making it easier for the bad guys to do what they do best. Unfriendly, if not downright hostile bits of malware can be pushed back with but a few simple changes in behavior--are you as security-focused as you should be in today's cross-platform world?
There's an online network for everything nowadays. And with these online networks come a flurry of registration requests and data exchanges that you feel compelled to answer. I can't count the number of Twitter invites I receive on a daily basis--just for reference, I'm not @veronica or something, but I definitely get enough email to make for a bout of mindless follower-accepting during my lunch break. That's just one platform.
It almost seems silly to type this, as it should come as Web 101 for all but the most inexperienced of users, but I'll say it anyway: Do you always know what you're clicking on? There's a reason why most programs come with a little status bar or helpful pop-up whenever you mouse over a hyperlink. One of the easiest ways to detect a potential link spoof--like, say, one that's been placed in a seemingly innocuous Twitter invite--is to hover your mouse over the link.
If the hyperlink doesn't match up with the actual site in question (like http://208.348.142.555/takin/ur/password.html versus http://www.twitter.com), then you probably shouldn't click on that link. And if you can't detect that I'm being sarcastic, and you really shouldn't click on the link, then it's too late--you've probably already clicked on the link.
Of course, if you're lazy, you could try using a helpful utility to try and make this judgment for you. Firefox's LinkExtend extension aims to do just that--protect you from sites that are trying to steal data they shouldn't. You can also check out TrendProtect for a similar safeguard. Still, nothing is as foolproof as the ol' brain-box. Don't just click accept or ignore on everything that comes in your inbox. Look before you leap, as it were.
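As an added illustration (not code from this column or from either of the extensions it names), here is a small Python check that does mechanically what the hover-and-compare habit does by eye: it takes the site a link claims to be and the host the browser would actually connect to, and flags the common mismatches. The sample anchors, the 192.0.2.10 address and the *.example names are constructed for this example, and the two-label "registrable domain" helper is a deliberate simplification of what a real client would get from the public suffix list.

```python
import re
from urllib.parse import urlsplit

# Constructed sample anchors (visible text, real href) of the kind an invite
# e-mail might carry. 192.0.2.10 and *.example are reserved documentation
# values; none of these links are real.
SAMPLE_LINKS = [
    ("http://www.twitter.com", "http://192.0.2.10/takin/ur/password.html"),
    ("http://twitter.com/invitations", "http://twitter.com.evil.example/login"),
    ("http://twitter.com", "http://www.twitter.com@evil.example/"),
    ("Follow me on Twitter", "https://twitter.com/acererak"),
    ("http://twitter.com/acererak", "https://www.twitter.com/acererak"),
]

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]|$)", re.I)


def registrable_domain(host):
    """Crude 'which site is this' extraction: the last two DNS labels.
    Real clients consult the public suffix list so that e.g. co.uk works;
    the simplification is enough to separate twitter.com from
    twitter.com.evil.example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url):
    """Hostname a browser would actually connect to for this URL."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def classify_link(visible_text, href):
    """Return a reason string when the link deserves suspicion, else None."""
    parts = urlsplit(href)
    target = parts.hostname or ""
    if parts.username is not None:
        # http://trusted.example@attacker.example/ : everything before the @
        # is userinfo that the browser ignores; the real host comes after it.
        return "userinfo-trick"
    if DOTTED_QUAD.match(target):
        # A bare IP literal where a well-known site's name was expected.
        return "ip-literal"
    if LOOKS_LIKE_URL.match(visible_text.strip()):
        shown = registrable_domain(host_of(visible_text.strip()))
        if shown != registrable_domain(target):
            return "domain-mismatch"
    return None


def audit(links):
    """Annotate every (text, href) pair with classify_link's verdict."""
    return [(text, href, classify_link(text, href)) for text, href in links]


if __name__ == "__main__":
    for text, href, verdict in audit(SAMPLE_LINKS):
        print(f"{verdict or 'ok':16} {text!r} -> {href}")
```

The "ok" verdict only means the displayed and real sites agree; it says nothing about whether the site itself is trustworthy, which is exactly the judgment the column leaves to the reader.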
On Page Two: The API Skeleton Key to Your Front Door and Third-Party Malware on Your Favorite Web Sites!
For all the successful, engaging Web communities and platforms out there, it seems that there are nearly ten times the third-party applications that tie into said original platforms via some authentication method or API. And that's awesome, right? With but the click of a mouse button, you can expand the functionality of a service you find useful with even more bells, whistles, and AJAX-themed applications. Provided you can still log into the service, that is, considering you've just given up your name and password to a complete stranger.
Huh? How do we make the jump from Facebook to #fail so quickly? It's all in the authentication--or lack thereof. Consider a site called TwitViewer. According to a number of Tweeted messages late this July, signing up for the third-party Twitviewer service would allow you to generate a photo-based graphic of the last 200 people to click on your Twitter feed. Sounds innocuous, if not downright fun, eh?
Wrong. The site's sole purpose was to yoink the name and password of your account, which you'd type into the site under the mistaken belief that you were signing up for a service. Twitviewer would then use your account to spam your followers with the "sign up for us!" message, and the entire process would start again with a new batch of suckers.
Every platform is different in the way it allows third-party applications to access its services. Once again, however, it's up to you and your juicy brain to separate the good from the bad. In the case of Twitviewer, there were a few warning flags to watch out for.
First up is the obvious issue that it's currently impossible for a third party to be able to provide you with a picture-themed list of the last 200 people that have checked out your Twitter page. That would require some kind of callback or script built into the core of the page itself, which isn't something that can be done via the Twitter API. Ask thyself--have you ever heard of any other third-party service that can perform this function?
But suppose you wanted to give Twitviewer the benefit of the doubt. That's fine. The larger, glaring red flag is the actual authentication method that's used to "give" Twitviewer access to your account. Twitter authenticates third-party API requests using OAuth, a protocol that keeps your actual login and password out of the equation by instead assigning specialized keys, or permissions, to these external services.
It's the best of both worlds: Your user name and password stay safe with Twitter, yet other sites can make use of all the different Twitter features surrounding your account. That in mind, a third-party site shouldn't give you a prompt to type in your name and password. It should feed you a link to the main Twitter domain itself, where you'll log in (or use your already logged-in account) to approve or deny the authentication request.
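As an added example (not from the column and not Twitter's own code), the following Python sketch plays both sides of a three-legged OAuth 1.0a-style exchange in one process so the division of labor is visible: the third-party Consumer only ever holds keys and tokens, the user's password is checked by the Provider on its own domain, and the Consumer is handed a verifier and then an access token. The endpoint names, provider.example, the fixed message strings used for signing and the user credentials are assumptions; real OAuth 1.0a signs a normalized base string per RFC 5849, and this simplification keeps only the keyed-HMAC shape.

```python
import hashlib
import hmac
import secrets
from urllib.parse import quote, urlencode

# Constructed, simplified three-legged OAuth 1.0a-style exchange. Signatures are
# HMAC-SHA1 over a fixed message rather than the full RFC 5849 base string, and
# provider.example stands in for the real service's domain.


def sign(consumer_secret, token_secret, message):
    """HMAC-SHA1 keyed with 'consumer_secret&token_secret', as OAuth 1.0a does."""
    key = (quote(consumer_secret, safe="") + "&" + quote(token_secret, safe="")).encode()
    return hmac.new(key, message.encode(), hashlib.sha1).hexdigest()


class Provider:
    """Stand-in for the account-owning service (Twitter in the column)."""

    def __init__(self):
        self.consumers = {}       # consumer key -> consumer secret
        self.users = {}           # username -> password (plaintext only for the demo)
        self.request_tokens = {}  # temporary credentials awaiting user approval
        self.access_tokens = {}   # credentials issued after the user approves

    def register_consumer(self):
        key, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.consumers[key] = secret
        return key, secret

    def _verify(self, consumer_key, token_secret, message, signature):
        expected = sign(self.consumers.get(consumer_key, ""), token_secret, message)
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("bad signature or unknown consumer")

    def request_token(self, consumer_key, signature):
        self._verify(consumer_key, "", "POST oauth/request_token", signature)
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"consumer": consumer_key, "secret": secret, "verifier": None}
        return token, secret

    def authorize_url(self, token):
        # The user's browser is sent to the provider's own domain; the password
        # is typed there and nowhere else.
        return "https://provider.example/oauth/authorize?" + urlencode({"oauth_token": token})

    def authorize(self, token, username, password):
        """User logs in at the provider and approves the pending request."""
        if self.users.get(username) != password:
            raise PermissionError("bad login")
        pending = self.request_tokens[token]  # KeyError if the token is unknown
        pending.update(verifier=secrets.token_hex(4), user=username)
        return pending["verifier"]

    def access_token(self, consumer_key, token, verifier, signature):
        pending = self.request_tokens.get(token)
        if pending is None or pending["consumer"] != consumer_key or not verifier or pending["verifier"] != verifier:
            raise PermissionError("token/verifier mismatch")
        self._verify(consumer_key, pending["secret"], "POST oauth/access_token", signature)
        del self.request_tokens[token]  # temporary credentials are single-use
        access, access_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[access] = {"consumer": consumer_key, "secret": access_secret, "user": pending["user"]}
        return access, access_secret

    def verify_credentials(self, consumer_key, token, signature):
        cred = self.access_tokens.get(token)
        if cred is None or cred["consumer"] != consumer_key:
            raise PermissionError("unknown token")
        self._verify(consumer_key, cred["secret"], "GET account/verify_credentials", signature)
        return cred["user"]


class Consumer:
    """The third-party app: it only ever holds keys and tokens, never a password."""
    def __init__(self, provider, key, secret):
        self.provider, self.key, self.secret = provider, key, secret
        self.request_token = self.request_secret = self.access_token = self.access_secret = None

    def start(self):
        sig = sign(self.secret, "", "POST oauth/request_token")
        self.request_token, self.request_secret = self.provider.request_token(self.key, sig)
        return self.provider.authorize_url(self.request_token)

    def finish(self, verifier):
        sig = sign(self.secret, self.request_secret, "POST oauth/access_token")
        self.access_token, self.access_secret = self.provider.access_token(
            self.key, self.request_token, verifier, sig)

    def whoami(self):
        sig = sign(self.secret, self.access_secret, "GET account/verify_credentials")
        return self.provider.verify_credentials(self.key, self.access_token, sig)


def run_flow(password="correct horse battery staple"):
    """Drive the three legs; returns (app, redirect URL, username the API reports)."""
    provider = Provider()
    provider.users["acererak"] = password
    app = Consumer(provider, *provider.register_consumer())
    url = app.start()                                   # leg 1: temporary credentials
    verifier = provider.authorize(app.request_token, "acererak", password)  # leg 2: at the provider
    app.finish(verifier)                                # leg 3: verifier swapped for access token
    return app, url, app.whoami()
```

The point to take from the flow is the redirect URL returned by start(): a legitimate client sends you to the provider's domain and then waits for a verifier, whereas a site that puts a username and password box on its own page has skipped leg 2 entirely and is simply collecting credentials.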
It's a sad world when one has to be reminded to not give out a user name and password to anyone who asks, but the Twitviewer issue fooled many a user and tech journalist--even those decently well-versed in common security practices.
Why is this a big deal? Just look at the recent Gawker issue, where users across Gawker's many Web sites were served up with malware via a hosted advertisement that flew under the parent company's ad-ops radar. Or, for that matter, check out the New York Times--same deal.
But even these extensions can only deliver so much peace of mind for Firefox users. If you're a fan of a particular site, say, Maximum PC, and you decide to add it to your white list, then you'll get hit with any malicious content hosted on the site--and it's no real fault of your own. Aside from keeping your system software fully patched and declining any unwanted or strange-looking file download, there's not much else you can do on the protection side of things.
What's important from this entire exchange, however, is your changing mindset. And that's really what this entire article is about. Web platforms and associated sites push content at you from all different directions and sources. It's up to you to do what it takes to make sure that this transaction takes place because you want it to happen--you're giving permission for an action to occur. You're not just sitting back and accepting someone else's malicious invite.
This control can come in many forms: scanning Web links for legitimacy; ensuring that third parties are only allowed to access your data using safe, prescribed methods; or locking the door to everyone before you let people in, as opposed to throwing a party for all and trying to boot out unwanted guests after the fact. These are all important techniques to keep in your pocket as you traverse the Web's many platforms. And as our data slowly becomes interconnected between these sites, it's even more critical to keep one weak link from opening up your entire Web world for disaster.
After all, malware can ruin anyone's day.
David Murphy (@Acererak) is a technology journalist and former Maximum PC editor. He writes weekly columns about the wide world of open-source as well as weekly roundups of awesome, freebie software. Befriend him on Twitter, especially if you have an awesome app or game you're dying to recommend!