ESET Threat Blog
David Harley

Taking the Mikeyy

by David Harley Senior Research Fellow
April 20, 2009 at 10:39 am

Well, Mikeyy may not be the only security problem Twitter has right now, but the Hoodied Bore does seem to be doing an excellent job of exhausting everyone’s patience, including that of The Register’s John Leyden, who described him as "increasingly annoying".

It appears that Mr. Mooney did take responsibility for at least the first of the latest wave of XSS worms: it’s not quite clear whether he really wants to move on from his recently acquired job at exqSoft and work for Twitter (as messages sent by the worm suggest), or what exqSoft think about these developments. What is clear is that Mooney is a couple of quarters short of a full moon, if he thinks that he has much of a future in security. However, I should probably withdraw my suggestion that he should get on his bikeyy: his behaviour suggests that he’s not yet graduated from a trikeyy.

Meanwhile, there have been a number of reports of messages being spread by Twaniac.com and TheSmartECard.com, apparently the prelude to a phishing scam.

Twitter itself does have a helpdesk article that tries to address some of these issues more or less generically. And, despite the frequent criticism in the past few weeks of Twitter’s presumed incompetence, from the security industry as well as the media (and, of course, Mikeyy), I think it’s a reasonable attempt to cover the immediate problems in terms few Twitter users will be unable to understand, offering advice on recognizing that your account has been compromised, what to do about it, and some simple precautions to lessen the risk of compromise.

Now if they’d only do something about those cross-site scripting weaknesses…

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

(Thanks to Dave Kennedy for pointing out the Twitter article!)
