How is it that the most-followed Twitter account, @cnnbrk, wasn’t even run by CNN until a recent acquisition? Seriously — how many of you out there thought CNN ran it? I know I did. Some folks have claimed to have known the truth behind @cnnbrk for a while, but I consider myself up on social media news and this comes as a saddening shock to me.

Why saddening? Because the trust factor that endears us to social media has been shattered.

Twitter needs a mechanism to authenticate a true identity now. Not in six months, not in a year, but post-haste. Otherwise, how can we truly know that accounts performing customer service over Twitter, such as Zappos or Comcast, are legitimate? When we DM account information to a representative of a company, can we really be sure they are a representative? Are we giving our information to Comcast, or are we giving it to a phisher? It’s well-documented that the Comcast representatives on Twitter are indeed authorized agents of the company, but how can someone new to Twitter know this for sure just by looking at the Twitter site? This CNN thing really hurts any company that wants to perform customer service online, because it underscores the fact that tomorrow, I or anybody else could start an account like “@AcmeCares” and phish Wile E. Coyote for his credit card information over DM after reaching out to his reports on Twitter that his shipment of dynamite didn’t catch the Roadrunner.

We are very fortunate that @cnnbrk was not abused, and that’s likely why James Cox, the person who started the account, is not on the other end of a landmark trademark infringement lawsuit. (Because this is, in every sense of the world, a textbook case of trademark infringement. Also, I’m willing to bet that CNN’s failure to act on this sooner could be interpreted as failure to defend their trademark in a reasonable time, which could have serious legal repercussions down the road.) But this whole ordeal underscores the critically urgent need for an authentication system to be implemented. Otherwise, I will now have serious concerns over any company wishing to engage over Twitter, because there is no way to be sure that they are who they say they are — and that’s sad, because as Comcast has proven, Twitter is phenomenal for customer outreach.

Disgruntled College of Charleston fan, home after witnessing a loss to Elon of all teams, wants to sit down, sip on some Gatorade, and work on his Facebook “25 Random Things” meme post because seven of his friends have now tagged him and he just wants to END IT (and terrorize additional people with said meme).

So, he sits down and begins writing his post, when he wants to refer to a post on his blog for some of the answers. He finds a strange white space in his layout that makes zero sense whatsoever. He goes and checks the source code…and OMG. Keywords. Lots and lots of keywords. Viagra, tablets, medicine — you name it, it was there. Site: Compromised.

Oh, and that guy? That was me.

I sprung into action and found that my site had been a reasonably popular target; I saw plenty of evidence of attempts on my site, including strange hits on the WordPress XML-RPC library and an attempt to get at my admin password that at least correlated with a possible time that the site was hit. I traced the IP and put a warning out on Twitter. Also, I implemented the .htaccess fixes on jazzychad’s site, reloaded WordPress, and removed legacy themes in case they were an attack vector (I had a plugin enabled that could do theme-switching on the fly). Continued investigation revealed a malicious user in my database which contained some extremely clever code to effectively hide it in the administration panel. I would never have noticed except for the fact that the administrator count now was reading “2.” I went into phpMyAdmin and did the appropriate database cleanup there.

However, something wasn’t right: Searching the logs did not indicate a successful logon to my admin panel. Bizarre. Could someone have been scrubbing the logs, too? I left nothing to chance and changed every password I could think of. I went through and carefully implemented some strategies for hardening WP as well. Thinking I’ve done all I could do, I moved along and felt reasonably safe.

A week later, I was hit again.

The damage the second time around wasn’t as bad, but it was befuddling, angering, and confusing. The theme, once again, was throwing up spam links. I reuploaded the theme and started taking another look at what was happening. Then, I remembered the one directory I didn’t check: wp-content. Sure enough, there were two files: wp-manager.php and cache.php that were problematic. I verified they were problems with the WordPress Exploit Scanner plug-in, which I now consider a must for any self-hosted WordPress installation. wp-manager.php was a file that appeared to be the vector to making the theme changes. cache.php was an R57shell, a common backdoor employed in site defacements. I pored over the logs that were available to me, and became convinced that there was a deeper issue than WordPress. Thus, I moved jaredwsmith.com to Media Temple (the shakeup I spoke of last week).

There’s nothing that hurts the geek-fu more than being compromised. However, there’s few things more soothing than knowing you aren’t the only one. And I’ve not been. Not by a longshot. The kicker? All these sites were on Dreamhost. The coincidence seems really weird, but I’m less convinced that these problems were all entirely WordPress’s fault.

I still don’t quite know how the site was compromised. Without access to the raw system logs, I will probably never know. However, this is a disturbing development and I hope with enough data a discovery can be made and this epidemic can be stopped. Regardless of where you host, keep an eye on your files, back up regularly, and be mindful to use strong passwords that are rotated on a frequent basis. Also, follow the official guide to hardening WordPress — there are some excellent techniques there. Site defacement is a very real problem; not only can it be embarrassing to look at, there’s also the real problem of people using site defacements to serve up malware (thankfully, this was NOT the case). There’s also the possibility of Google blacklisting because of spam keywords; depending on what you use your WordPress blog for, this could be a serious problem that could take months to recover from.

Being hit is bad enough, but it could have been a lot worse. Here’s hoping that moving to (mt) and a fresh WordPress 2.7.1 installation will lead to more secure times around these parts. Another silver lining for the Internet: I never finished my 25 Things Facebook post. :)

Does this make some sense? Absolutely — there’s very little malware currently available for Mac OS X. However, security through obscurity is only a temporary condition, and that any mass exodus to Macintosh, however unlikely that may be, will ultimately bring with it a torrent of malware. Granted, the Mac OS X architecture does make it much more difficult to bundle malware applications. Not having its browser totally integrated into the OS is a good start. However, a little social engineering goes a long way. That’s how most malware is installed these days, and there isn’t — and there may never be — any effective software solution for overcoming that. Education is the key.

Personally, I think Windows Vista will improve this situation quite well for Windows users — it’s so secure, you can’t even delete a shortcut without confirming it three times. :P In all seriousness, decoupling IE from the operating system — something Microsoft once said was “impossible” (ha!) — will make a big difference on Vista. I’ve also noticed that Windows XP Service Pack 2 has had a lot to do with alleviating this problem. There’s still that lousy social engineering aspect, though, and it all comes back to user education, because no operating system is 100% secure. I’ll leave how to tackle user education to another post or 40…LOL. Time to go to bed.

J

See Paul Thurrott’s review of the product for an in-depth look at the product.  So far, so very, very good.  I really like what they’ve done.