Ten Security Measures for Social Networking sites

This weekend’s demonstration by Chinese hackers that Twitter was easy to phish is a stark reminder of the classic application development cycle: build-it, grow-it, fix-it. Here are ten cyber security measures that should at least be thought about in the build-it phase, and implemented in the grow-it phase. New web app developments should get these in place before they become popular.

1. Email verifications. Do not allow someone to sign up without verifying a unique email address associated with the ID. Twitter requires a unique ID but does not email that account a verification message. Craigslist is struggling with spammers and scammers right now and has implemented a unique phone number check to try and fight them.
2. Captchas for signup. You just have to do this or someone will write a script to grab all of the usernames that might someday be valuable.
3. Lock out the user after X failed login attempts. I suggest starting with six. In the early days Yahoo! did not have this and there were tools like Jack the Ripper that could discover a password in ten minutes by running a dictionary attack against the account. Since way too many people use silly passwords like or or it is often possible to guess a password in a few dozen tries. Twitter is very susceptible to this right now.
4. Password strength. Do not allow username as password. Require at least six characters + numbers. Don’t allow to be chosen!
5. Create an abuse hotline and reaction mechanism to alerts sent to it. Email is fine for this. Twitter uses @spam for this function. Don’t try @abuse unless you appreciate Monty Python humor.
6. Rate limits. People are going to game your system. Even after you have thought of “everything” you still need to put in limits. Limit number of messages sent, number of user logins from same IP address, proscribe everything.
7. Firewalls and IPS. Aside from the weaknesses in your application, hackers will attempt to attack you directly. Put your load-balanced servers behind firewalls. Look for Denial of Service attacks and block them with IPS tools.
8. DNS. The entire business model of Flickr, Twitter, MySpace, Facebook, Digg, Reddit - all Web 2.0 companies - relies completely on users being able to get to the primary domain of their service. If DNS fails the sites fail. Use multiple hardened DNS servers on multiple backbones. Filter DNS requests, block floods. Protect your DNS servers!
9. Worm defense. People are going to post malicious URLs and executables to your site. You will have to invest in defenses to scrub those out. Just as Gmail and Yahoo! Mail scrub spam and check for viruses, you will have to use some sort of list of bad URLs or technology to determine if sites contain malware. You have to protect your users.
10. Communicate. Finally, prepare for disaster. When it strikes you are going to have a PR fiasco on your hands. Communicate with your users, the press, and blogs. Have a support blog that is *not* on your primary domain. Prepare an informative “fail” page. Put an emergency response team and policy in place so everyone knows what their responsibilities are, who to wake up, and what procedure to follow.
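Items 3, 4 and 6 above describe mechanisms rather than code. The following Python sketch is an added example, not code from the original post, showing a minimal login guard that enforces the post's six-attempt lockout (item 3), the "at least six characters plus numbers, never the username" password rule (item 4), and a per-IP login rate limit (item 6). The lockout duration (15 minutes), the per-IP budget (20 login attempts per minute), the PBKDF2 iteration count and the short common-password deny-list are my assumptions; the post specifies none of them, and the post's own example passwords did not survive extraction.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_ATTEMPTS = 6       # item 3: the post suggests starting with six
MIN_PASSWORD_LENGTH = 6       # item 4: "at least six characters + numbers"
LOCKOUT_SECONDS = 15 * 60     # assumption: the post gives no lockout duration
LOGINS_PER_WINDOW = 20        # assumption: per-IP login attempts allowed per window
WINDOW_SECONDS = 60           # assumption: sliding-window length for item 6
PBKDF2_ITERATIONS = 100_000   # assumption: work factor for stored password hashes

# Constructed deny-list; the post's own examples did not survive extraction.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

# Salt used to hash against for unknown usernames, so a lookup miss costs the
# same time as a wrong password and does not reveal which IDs exist.
DUMMY_SALT = os.urandom(16)


def password_policy_errors(username: str, password: str) -> list:
    """Item 4: return every rule the candidate password breaks (empty list = accepted)."""
    errors = []
    if password.lower() == username.lower():
        errors.append("password must not be the username")
    if len(password) < MIN_PASSWORD_LENGTH:
        errors.append(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        errors.append("password must contain a number")
    if not any(c.isalpha() for c in password):
        errors.append("password must contain a letter")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("password is on the common-password deny-list")
    return errors


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Account store with lockout (item 3) and a per-IP sliding-window rate limit (item 6)."""

    def __init__(self) -> None:
        self.accounts = {}
        self.ip_attempts = defaultdict(deque)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, username: str, password: str) -> list:
        """Create the account only if the password passes the item 4 policy."""
        errors = password_policy_errors(username, password)
        if not errors:
            salt = os.urandom(16)
            self.accounts[username] = Account(salt, self._hash(password, salt))
        return errors

    def _ip_allowed(self, ip: str, now: float) -> bool:
        q = self.ip_attempts[ip]
        while q and now - q[0] > WINDOW_SECONDS:   # drop attempts outside the window
            q.popleft()
        if len(q) >= LOGINS_PER_WINDOW:
            return False
        q.append(now)
        return True

    def login(self, username: str, password: str, ip: str, now: Optional[float] = None) -> str:
        """Returns "ok", "failed", "locked" or "rate_limited"."""
        now = time.time() if now is None else now
        if not self._ip_allowed(ip, now):
            return "rate_limited"
        acct = self.accounts.get(username)
        if acct is None:
            self._hash(password, DUMMY_SALT)   # equalize timing with the wrong-password path
            return "failed"                    # same answer as a wrong password
        if now < acct.locked_until:
            return "locked"                    # even a correct password is refused during lockout
        if hmac.compare_digest(acct.pw_hash, self._hash(password, acct.salt)):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "failed"


if __name__ == "__main__":
    guard = LoginGuard()
    print(guard.register("alice", "alice"))          # rejected: username as password
    print(guard.register("alice", "correct7horse"))  # [] means accepted
    for attempt in range(MAX_FAILED_ATTEMPTS):
        print(attempt + 1, guard.login("alice", "wrong", "198.51.100.7"))
```

The sixth wrong password returns "locked", and the correct password is refused until the lockout expires; the per-IP window is checked before anything else so a script hammering the login form is turned away without touching account state.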
That’s it. Note that I am not suggesting that every start-up do these things before they have even demonstrated that people are going to come to their site. I am just pointing out that you are going to have to take these ten steps sometime in your rise to Twitterdom or Facebook success. Secure your apps earlier rather than later. It is less expensive.

12 Responses to “Ten Security Measures for Social Networking sites”

  1. Lee Says:

    Very comprehensive tips on how to minimise the ever-increasing risks associated with social networking. Well worth a Digg.

  2. E.J. Says:

    Chinese hackers? Where are you getting that info? The bad guys attacking social media sites are US based, using Chinese IPs to hide their tracks.

    The top security measure is educate your users. If they don't share their info and don't click on links that they cannot verify, then the issues drop dramatically.

  3. cheng Says:

    The tips are useful. The guarding of the social networking looks like a sound security requirement on the site administrator. Thanks.

  4. stiennon Says:

    EJ. Of course the only data I have is the Chinese hosting provider for access-logins.com and traceroutes that go into China. If you know more about the situation do tell.
    Educating users is not going to work. Never has, never will. Especially Twitter users who are very social, very trusting, and network like a hive of bees.

  5. Nate Says:

    And nowadays, people are using super-bots like webDOM that can perform tasks on any social network they choose. This situation I think definitely calls for more security on the side of social networks. For instance, I could send out 1,000 messages with a link to whatever I want on any network of my choosing, and control some of the flow of their users. Things like this can be used for both good and bad, but we have to be prepared to up the security game on these sites.

  6. stiennon Says:

    Thanks Nate. We should collaborate on writing about some ways that bots can harm social networks.

  7. andy Says:

    Very well written. How are companies preventing access to sites like youtube but at the same time allowing users to visit their own company content on these websites?

  8. Loras Says:

    I liked your article. Some of the items seem like no-brainers but too often I find that none of them are in place. “Social networking and other systems”.
    Good job!

  11. Justin Says:

    Check out TeleSign.com, TeleSign’s solutions allow internet-based companies to verify and authenticate their users using the telephone. Social Networking sites should be taking advantage of this technology in order to prevent fake profiles on their sites.

  12. sikis Says:

    People are using super-bots like webDOM that can perform tasks on any social network they choose. This situation I think definitely calls for more security on the side of social networks. For instance, I could send out 1,000 messages with a link to whatever I want on any network of my choosing, and control some of the flow of their users
