December 04, 2007
Privacy Problems with Social Networks
Social networks like Facebook and MySpace continue to face security and privacy issues as their functional capabilities expand and social interactions within their communities grow more complex. Here are a couple of examples.
First up, Facebook. It recently acknowledged that a new capability called Beacon continues to track user activity long after users have logged off the site, and even when users have elected not to display their activities to their Facebook friends. Beacon is part of the Facebook Ads platform; it tracks user activity on Facebook partner sites such as Blockbuster and reports that activity to the friends of the Facebook account holder. Account holders may choose not to have those activities reported, but it appears that even in that case the activities are still tracked and stored in a Facebook database. The distinction matters: opting out of the display of an activity is not the same as opting out of its collection. As you can imagine, privacy advocates are up in arms. You can read more about this case if you're interested.
You can assume that these privacy issues will not go away and will continue to plague Facebook and other social networks. Sometimes the problem is less about guarding privacy than about the abuse of trust within the social network. Here's a chilling story about how a MySpace teen took her own life because of a cruel prank perpetrated by adult neighbors.
Perhaps the issue is that guarding privacy and protecting social network subscribers are, to some extent, at odds with each other. That's how it works in real life: we yield some privacy to trusted authorities (banks, hospitals, law enforcement, the state) to gain protective services of one kind or another.
Striking that balance in the cyberworld, however, may not be so easy.
Posted by andreyee in Odds and Ends • Privacy/Information Theft • web 2.0
November 20, 2007
Implications of Salesforce Phishing Incident
The news about Salesforce.com's phishing incident broke almost two weeks ago on Slashdot, although rumors had been swirling for a number of days before the report. A Salesforce employee fell victim to a phishing attack that captured his company credentials. The attackers used those credentials to harvest customer contact data and then sent phishing emails to those customers in the form of fake Salesforce invoices. As you might expect, some customers fell for the scam and gave up their Salesforce account information.
There are a few interesting implications of this phishing attack, none of which pertain specifically to what Salesforce should or could have done.
Implication #1 - this kind of targeted phishing, or "spear phishing", is difficult to monitor and eliminate. When a specific target is singled out, the attack tends to proceed undetected for a while before it becomes evident, and no specific remedies or signatures exist in advance to address it.
Implication #2 - until now, most high-profile phishing attacks have targeted financial institutions and consumers. Relatively recent examples include the Bank of America "change of email" scam and ADP.
Not surprisingly, SaaS providers may be next on the list. Although the value of the information to scammers may not be immediately apparent, a single SaaS credential can yield an entire customer list to pivot from, as this incident shows, so phishing attacks against SaaS applications that hold identity and proprietary information are likely to rise.
Implication #3 - phishing is only the starting point of the attack. In the Salesforce incident, it was uncovered that some of the customers who were successfully phished also had keyloggers and other malware downloaded onto their machines. From the Salesforce letter sent to customers:
"...As a result of this, a small number of our customers began receiving bogus emails that looked like salesforce.com invoices, but were not--they were also phishes. Unfortunately, a very small number of our customers who were contacted had end users that revealed their passwords to the phisher... However, a few days ago a new wave of phishing attempts that included attached malware--software that secretly installs viruses or key loggers--appeared and seemed to be targeted at a broader group of customers."
Not a lot of good news there. The point is that in this new Web 2.0, SaaS-enabled world there is a long tail to the phishing problem: targeted, sophisticated attacks cannot be tackled simply by preaching "security awareness", nor is it enough to rely on signature-based phishing detection. We need a different approach.
Posted by andreyee in Industry Trends • Privacy/Information Theft • web 2.0
October 11, 2007
Social Networking Versus Corporate Security
On the hype scale, social networking is red hot! Facebook, MySpace and LinkedIn are all examples of the force-multiplying network effect of Web 2.0. Yet as Peter Schoof reported last week, there is healthy debate over whether these sites should be permitted in the corporate environment.
Social networking sites pose yet another security issue for security managers today, courtesy of the Web 2.0 model. While some of these sites, like LinkedIn, have distinct business applicability and value, others clearly emphasize the purely "social" part of the equation.
Should security or IT managers even be concerned about whether employees are accessing these sites? Here are a couple of things to consider:
1. Social networking sites are increasingly targets for new exploits, especially cross-site scripting (XSS) attacks. Like many Web 2.0 sites, social networking apps are ripe for client-side attacks because their whole purpose is to render content supplied by one user to many others. For instance, in November 2006 a MySpace-targeted XSS exploit replaced the navigation menu, enabling an attacker to redirect users to a spoofed web page.
2. Social networking sites can be a platform from which to launch attacks. Because they drive so much traffic, they are an effective launch point for attacks targeting other platforms or components. Over a year ago, a banner advertisement running on MySpace exploited a Windows Metafile (WMF) vulnerability to infect more than a million users with spyware.
3. Social networking sites can lead to the compromise of privacy or proprietary information. What you do on a site is information the social networking app controls and could expose. Case in point: last year Facebook added a feature called News Feed that exposed privacy and behavioral information about account holders without their explicit consent. The outrage from users was predictable and the problem was addressed, but it's a clear lesson for all users.
4. Social networking sites may be costing businesses millions of dollars in employee productivity. According to recent studies, social networking's overwhelming popularity has made many of these sites a source of lost productivity as employees visit them during work hours. As reported in this article, a study commissioned by a UK law firm estimated that Facebook is costing British firms 130 million pounds ($264M) in lost productivity every single day.
Should companies be blocking social networking sites as a matter of practice? Perhaps not. But there's certainly ample reason to be concerned from a security perspective.
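As an added illustration of item 1 above (example code, not from the original post and not the actual MySpace exploit), the following contrasts a profile renderer that concatenates user-supplied fields straight into HTML with one that escapes them at the point of output. The payload mimics the nav-menu replacement described in the post; the `login.example` host, the profile fields and the page template are all constructed.

```javascript
// Added example, not code from the original post: stored XSS in a profile
// renderer, shown unsafe and then hardened. Payload, profile and hosts are
// constructed for illustration (login.example uses a reserved TLD).

// Unsafe: user-controlled fields are concatenated straight into the page.
function renderProfileUnsafe(profile) {
  return `<div id="nav"><a href="/home">Home</a> <a href="/mail">Mail</a></div>
<h1>${profile.name}</h1>
<div class="about">${profile.about}</div>`;
}

// Escape for HTML text context: the characters that can open or close a tag,
// attribute or entity. Attribute, URL and script contexts need their own rules.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same template, every user-supplied field escaped on output.
function renderProfileSafe(profile) {
  return `<div id="nav"><a href="/home">Home</a> <a href="/mail">Mail</a></div>
<h1>${escapeHtml(profile.name)}</h1>
<div class="about">${escapeHtml(profile.about)}</div>`;
}

// Constructed payload modelled on the nav-menu replacement: a block positioned
// over the real menu whose links lead to an attacker-controlled host.
const PAYLOAD =
  '<div style="position:absolute;top:0;left:0;width:100%;background:#fff">' +
  '<a href="http://login.example/">Home</a> <a href="http://login.example/">Mail</a></div>';

// Constructed profile as an attacker would submit it through the "about" field.
const PROFILE = { name: "Tom", about: "Music & movies " + PAYLOAD };

// Number of live anchor tags in the rendered page. The template itself has two.
function countAnchors(html) {
  return (html.match(/<a\s/g) || []).length;
}

// True if the attacker's link survived as live markup rather than escaped text.
function hasLiveAttackerLink(html) {
  return /<a\s+href="http:\/\/login\.example\//.test(html);
}

console.log("unsafe anchors:", countAnchors(renderProfileUnsafe(PROFILE))); // 4
console.log("safe anchors:  ", countAnchors(renderProfileSafe(PROFILE)));   // 2
```

In the unsafe rendering the injected block is live HTML, so the two extra anchors overlay the real menu and send anyone who clicks to the attacker's host; in the hardened rendering the same bytes appear as inert text. Escaping is context dependent, so a field dropped into an attribute, a URL or a script block needs the rule for that context rather than the text-context table used here.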
Posted by andreyee in web 2.0
October 03, 2007
How Web 2.0 is Challenging Corporate Security
The emergence of Web 2.0 is one of the greatest challenges for corporate security managers today. One primary reason it poses such difficulty for the traditional security model is the unregulated way Web 2.0 applications are deployed and used in the corporate environment. It's what some have termed the "consumerization of IT": the trend of end users adopting Web 2.0 tools and applications at home and then bringing those same tools into the corporate environment.
Examples? Instant messaging and Skype are just two peer-to-peer (P2P) technologies that found traction in the consumer world and are increasingly used in the corporate environment. More apps and tools are being used every day without the awareness, much less the consent, of security managers. The reality is that most security organizations have little to no ability to limit or monitor their use, and the implications for security can sometimes be staggering. For instance, P2P file-sharing tools like LimeWire and BearShare have been implicated in a number of highly publicized breaches in which proprietary and personal data was exposed, often because a user shared far more of the file system than intended.
Needless to say, ignoring the Web 2.0 problem won't make it go away. If anything, unregulated, unmonitored deployment of Web 2.0 apps will only increase, and so will the security issues surrounding their use.
Next post, how corporations deal with social networking sites...
Posted by andreyee in web 2.0