Archive for category Web Security
Is your password the weakest link in the social chain?
Posted by Jae Kim in Facebook, LinkedIn, security, Social Networking, Twitter, Web Security on February 22, 2013
Today’s post comes from Jae Kim, Director of Social Media Products at Actiance.
In the past week, Burger King and Jeep had their Twitter accounts hacked. It looked pretty silly to lose control over their official Twitter handles. Seeing some prankster’s tweets on their timeline gave us something to talk about. But in the end, it’s something that could have happened to anyone.
We all know the right thing to do to avoid getting our accounts hacked. Randomize your passwords, change your passwords a few times a year, and don’t use the same password for multiple sites. These are all well-known best practices.
But who proactively changes a password without being prompted by a site? Even when we are forced to change our passwords, we often have trouble coming up with something difficult to guess because we have too many passwords to remember already.
It’s like talking about benefits of healthy eating and regular exercise. We all know that these are good for you. But with easy access to junk food and busy lifestyles, most of us don’t think about what we eat every day or about squeezing in 30 minutes of aerobic exercise.
The same is true with security for our social network accounts. Until it becomes too late, we tend to ignore what we are not doing right. Extending the physical exercise metaphor, we think it’s something that each of us can fix if we decide to follow the best practice.
In reality, however, social network account security is quite a bit more difficult to implement. That’s because everyone is linked with each other in trusted relationships.
Unlike your online banking account password, your social network account password doesn’t only protect access to your data. It also authenticates that you are, in fact, who you claim to be (your social identity) for all the friends and connections that you have.
If my Facebook account is hacked, an attacker can get to my data, but more importantly he can impersonate me and send messages to my friends as me asking them to click things that they shouldn’t. Because all our social network friends and followers are based on this implicit trust, they are much more likely to click on my message than a spammer’s message.
This means our social network security is only as secure as the least secure account among our friends. If one trusted social network account is hacked, then we are much more likely to fall victim to targeted phishing attacks, for example. (This is exactly what happened to me earlier when my friend’s Twitter account got hacked.)
So it may have been fun to talk about Burger King and Jeep’s hacked Twitter accounts, but we have to realize that this threat is lot closer to us than we think. We are too connected to each other to ignore social media security.
Do your friends a favor. Update your social network account passwords.
Captain Kirk’s Got the Lync Federation Blues
Posted by nleong in Enterprise IM, Public IM, Unified Communications, Web Security on August 9, 2012
Today’s post comes from Norv Leong, Director of Product Marketing at Actiance.
Star Trek’s popularity has spanned several generations. The captains’ names have changed (Kirk, Picard, Archer) through the years, but the fans’ devotion and passion have continued to chug along. The show was premised on federations and how many beings of different colors, shapes, and beliefs could still get along (save for the Klingons).
The same concept holds for federation when it comes to real-time communications. Gone are the days of closed networks where you can only talk or IM with folks in your own network (remember AOL back in the day?). Now, Yahoo! Messenger users can IM with Windows Live Messenger (WLM) users, and unified communications platforms like Microsoft Lync can federate with public IM networks, such as the aforementioned Yahoo.
The result when federation goes awry
This is great news for inter-planetary “keeping in touch,” but it also raises issues about security. Safely connecting to these public IM networks is of paramount concern for folks in charge of IT security. The old adage, “you never know who’s lurking out there,” couldn’t be more true. Tasked with ensuring that the security of their enterprise communications and collaboration platforms are airtight, great pains have to be taken to make sure that opening up to public IM networks doesn’t flood the corporate network with malware, worms, viruses, and the like.
This is where granular federation controls come into play. Being able to control which external parties can communicate with a given organization’s employees, groups, or networks is huge. Furthermore, it could very well be that a large enterprise has a regulatory duty to separate its business functions or divisions. Actiance Vantage enables organizations to control communications such that employees are blocked from contacting anyone (including external users) who might be on a blacklist.
This reduces the chances of malware infection, data leakage, and the potential to interact with another person outside of an ethical or regulatory boundary. It also means that you won’t be at the mercy of another organization’s security policy. Freedom to federate is great, but as Captain Kirk and his crew could attest to, you gotta be careful who you interact with because not everyone comes in peace.
“Get us out of here, Sulu! Warp factor 8!”
Social Media Scammers – New Frontiers of Aggravation
Posted by cmannon in Application Filtering, Malware, Privacy, Social Networking, Web Security on March 28, 2012
Any veteran of social media has at one time or another put face-to-palm when they see another one of their contacts trying to distribute yet another scam through their profile. There is no escaping it. Whether it’s a third-party application that promises free coupons or a tweet promising a free iPad, illegitimate offers wanting your PII (Personally Identifiable Information) are everywhere. If this were 10 years ago, you would hear me complaining about e-mail or IM spam. Sure these spam attempts still happen, but that is broad attacks at best. E-mail or IM spam doesn’t even know your gender most of the time, let alone what demographic you may fall under. That’s what makes Social Media spam such a lucrative trade. Never before have people been so compelled to give away so much information about themselves. The content that we end up posting on social network sites is so descriptive of our personal lives that even corporations are asking for your content during the interview process.
It’s not difficult to tell if someone close to you has been hit by a spam attack. If their profile has been hijacked, then you can expect to see the same messages to several friends – always with a shortened URL link. Your best defense is to be weary of links that you receive, even if they are from trusted sources. You should also take a moment to explore what privacy settings you already have in place. The goal should be to make sure that your information is not accessible without your explicit knowledge.
You should look at all social network privacy settings, not just Facebook.
Spammers are able to find you and send targeted attacks, if you share all of your information with the open web. Any kind of application that you use to access a social network is acting as the middleman for your data. This usually means that you are allowing them access to your data in exchange for their ‘free’ service. What they do with that information after they provide their service is up to them.
The application above collects basic information. This means any information that you have made public.
Before you click that link, be more skeptical. Does this person really want to give me free money? Unfortunately, we don’t live in that kind of world. The more likely answer is that they are looking to sell your information to advertisers for other scam attempts. I could be wrong of course. A smartly-dressed woman could always show up in a diamond -crusted Bentley with $500 and a promise of a new monetary system that will work out in my favor.
If it's a new cash system, why is she holding the old cash?
Let’s use a recent scam example seen on Facebook. A common attack method on Facebook is to create a third-party application that immediately redirects the user away from Facebook. This could be as harmless as trying to build SEO tracking to a site or propagating something malicious to your PC. In this case, it’s just a scam to get more traffic to a site selling shoes. It starts as most of these scam attacks start: a buddy clicked something they should not have and now a third-party application on Facebook is posting messages as them. To make sure that their friends view the content, they tag them in a picture.
41 lucky people got a free picture of gold shoes!
Now they’ve got you on the hook. If you happen to click that link, you are navigated first to a Facebook Application page that only redirects to a site not belonging to Facebook.
The Facebook page immediately redirects the user to another site not controlled by Facebook.
Applications like this one are a dime a dozen. Facebook has been under heat in the past for allowing this kind of activity. This is an unavoidable side effect whenever you provide an open web platform for users to create their own applications. Facebook deletes the malicious ones, but they haven’t done an outstanding job of policing these in the past. In this case, the user is immediately taken to a blogger page that looks like this:
SCAM DUNK
There are a few tools that you can use in your browser to make sure your exchanges on social media are kept as private as possible. I recommend Ghostery for detecting any invisible trackers that exist on most web pages. These are usually advertisers trying to capitalize on your digital presence. Unless you intend to read a 30-page EULA describing what they are allowed to do with your data afterwards, just block it. Another useful tool is called LongURL. This allows you to see the link you are about to click. It will also help you avoid getting hit by that one friend that is always rickrolling people.
Log into my bank through Facebook?!?!?
Posted by SarahActiance in Privacy, Social Networking, Web Security on December 27, 2011
Such is the proposition of Movenbank, a startup which launched at Sibos with a tagline of “No Paper, No Plastic, No Hidden Fees.” It aims to be the first cardless and branchless bank in the world. Everything will be centered on mobile and social media. The tagline is catchy enough, but what’s really raising eyebrows is Movenbank’s requirement for individuals to register and log in with their Facebook accounts. Now, I happened to speak at Sibos this year (Innotribe session on compliance), and the general consensus among my peers was that the problem with social media really wasn’t compliance, but rather, the enablement of it.
Here, with Movenbank, you get a perfect example of how the enablement of social media opens up new opportunities that perhaps might not have been possible five years ago. Privacy and security issues aside, if Movenbank succeeds with its grand plan, we’ll have witnessed a game-changing blend of old-school (banks) and new school (mobile and social). The fact that it involves real money makes it that much more compelling.
It’s possible with today’s technology to enable social media safely. Since we’re on the topic of banking, already we’ve begun to see firms deploy technology to enable their advisors and representatives to use social for marketing to customers and prospects. As the financial services industry is one of the most regulated when it comes to social media, technology plays a crucial role in assisting firms to remain compliant with current supervision and recordkeeping rules.
Back to Movenbank. Privacy advocates are quick to pounce on the seeming contradiction in using Facebook to log into a bank account that could potentially have someone’s entire life savings. But, as we’ve seen with Raymond James, with the right tools in place, what may have seemed impossible five years ago is now doable.
So, let’s not be too hasty in writing off Movenbank. With the right controls and technology in place, they may yet see their dream come to fruition.
”A Nightmare on Belbey Street”
Posted by belbey in Electronically Stored Information (ESI), Privacy, Web Security on December 23, 2011
I suddenly woke up in the middle of the night, convinced that my checking accounts had been hacked. Retirement accounts gone. Identity stolen. Turned on the light, stumbled around my hotel room to find my ATM card, turned it over, and called my bank’s Customer Service number. “Oh no, Ms. Belbey, everything is fine, you just had a nightmare.”
Why was I dreaming of data security breaches?
Actiance recently sponsored (I presented and staffed) an exhibit at the 2011 FS-ISAC Fall Summit, conducted by Financial Services – Information Sharing and Analysis Center. Over the course of three days, I was able to attend a number of sessions that did a deep dive on the risks that firms face protecting their data. The crowd was mostly male and many leveraged their long-time experience in the military to defend their organizations against cyber attacks. In fact, there were so few women at this event that Ernst and Young sponsored a special Women’s Reception — for all 12 of us!
So what do you need to know? First of all, none of this is new. For years, cybercriminals have attempted to gain access to systems or data by personally tricking someone into giving up, say, a password. It’s called social engineering.
There are many techniques. Phone calls, office visits, and “phishing,” where thousands of emails are blasted away in the hope that a few unlucky souls will give up their personal data, have all worked.
In response, data security departments have used technology to thwart these attacks and have done a good job of teaching us not to give out our passcodes or to open suspicious emails or attachments. But, as a result, the cybercriminals have gotten even craftier. They’ve improved their grammar, the look-and-feel of their emails, and even developed landing pages that look very authentic. But still, education and technology prevented many attacks.
In response, the cybercriminals developed new techniques such as “spear-phishing” to lend authenticity to requests for personal data. Not typically initiated by “random hackers,” these sophisticated, highly targeted attacks are perpetrated by criminals who seek financial gain, trade secrets, and military information. These well-researched requests appear to come from trusted sources, such as a colleague, service provider, or even a law firm, and include enough real information to look authentic. And, they often are directed at middle management or anyone gullible enough to let them into the enterprise.
And where can these thieves obtain personal data that they can use to trick us into giving up more data? You guessed it – social media. We post all types of information about ourselves online: our firm name, our titles and connections on LinkedIn, our high school and year of graduation, birthday, special projects and photos of our co-workers on Facebook, and our comings and goings on Twitter, Foursquare, and Sonar. The list goes on.
Our transparency makes us targets. We also tend to view requests for information on social media as coming from a trusted source, our tribe. So we oblige. And let in the bad guys.
When I told a new friend that I met at FS-ISAC , who heads up security at a major telecommunications firm, about my night terrors, he smiled and said, “Well, hanging around with a bunch of cyber security guys for three days is bound to make you paranoid. But, that’s our job. To protect you, so we all don’t have nightmares.”
As you deploy social media, are you engaging your IT Cyber Security teams in the conversations? What are you doing to protect your enterprise?
Cyber security strategy in the spotlight at DHS
Posted by actiancefederal in Malware, Social Networking, Web Security on December 20, 2011
Recently, the Department of Homeland Security (DHS) released its blueprint on cybersecurity. The document essentially provides a framework for managing the myriad cyber threats that are lurking out there, while still fostering an environment of innovation, prosperity, and economic growth. It’s an ambitious plan, but it’s certainly necessary.
The range of security threats runs the gamut these days. You’ve got so many different options for hackers to ply their trade that it can be quite a challenge to police all physical and virtual borders. The explosion in social media and collaboration tools has opened up a bevy of new channels for hackers to distribute viruses and other types of malware. Thus, the sophistication of criminals nowadays makes cybersecurity one of the most important issues for DHS in the 21st century.
The DHS framework has two key pillars: (1) the infrastructure protecting critical information, and (2) strengthening the cyber ecosystem in general. To achieve these twin objectives, DHS must execute on several fronts: hardening critical networks, prosecuting cybercriminals, raising public awareness, and hiring/training cybersecurity-savvy workers. As you can see, it’s a multi-faceted strategy that requires cooperation and input from several sources and individuals (including we the people).
Thankfully, the pace of technological innovation in the security space is just as brisk. Anti-malware and URL filtering technologies continue to push the envelope in terms of detection capabilities. Monitoring software now offers granular controls over social media sites. And archiving capabilities now include a slew of communications modalities, including email, instant messaging, social media, collaboration platforms, etc., making it easier to build a case should prosecution become an option.
Security dangers may lurk everywhere, but with the right systems, policies, and training in place, the DHS blueprint may well become a reality sooner rather than later.
Six degrees of Zuckerberg? (aka Norv gets punked)
Posted by nleong in Social Networking, Web Security on December 3, 2011
For those of you as old as me (and I’m pretty damn crusty), Six Degrees of Kevin Bacon meant something. It was the informal game you’d play while chitchatting in a bar or tailgating at a football game. Now, in an age where terms like “liking,” “friending,” “trending,” and “checking in” are all part of the urban lexicon, that game might have to be updated a bit. In a recent study by Facebook and the University of Milan, the average number of degrees separating any two people on the planet was exactly 4.74, not the six degrees popularized by the Bacon game.
What does this all mean? Well, in addition to being an exercise by data-loving researchers, it begs the philosophical question of “Is the world really that much closer?” The ease at which we become “friends” on Facebook might have something to do with it. The Internet (and social media in particular) shatters the concept of borders (notwithstanding the censors in countries like China), making the flow of information and “friendships” smoother than at any time in the past.
Of course, this has a dark side as well. Hackers bent on unleashing viruses and other types of malware now have a bigger playground in which to play. Exploiting “friendships” now can mean loss of sensitive data, compromised bank accounts, and severe embarrassment for those defrauded.
Yours truly, as a side note, was such a victim just this morning. My Skype account got hacked and some nefarious soul was able to use up $75 worth of Skype credits for phone calls to Slovenia. Really, Slovenia??? Just goes to show the Internet is a global phenomenon and sites like Skype are an inviting target because of its global reach.
Hackers are well aware of social’s popularity and the inherent trust these sites breed. Networks like Facebook, LinkedIn, and Twitter all require a pre-approved connection, friendship, or following before one can receive content from a particular person. However, that same level of trust is a double-edged sword. Even when I was dealing with Skype Customer Support this morning, it kept crossing my mind, “Was I REALLY dealing with Skype Customer Support or some punk in the Ukraine fleecing people from his dorm bed.”
At the end of the day, we all need to be careful and cognizant that security risks will always be present when you’re dealing with the Web and all its new communication platforms. It needn’t be just social media. You’ve got instant messaging, peer-to-peer (think Skype again), blogs, Wikis – just to name a few – where security threats lurk.
So, the world may indeed be closer (1.26 degrees to be exact) but that doesn’t necessarily mean it’s a more trustworthy place.
Lessons Learned from the Arab Spring
Posted by nleong in Social Networking, Web Security on November 16, 2011
While the Arab Spring was unfolding, the US Department of Homeland Security (DHS) was taking note. For those in need of a refresher on Middle Eastern politics, it’s been nearly a year since mass protests starting sweeping through the Middle East and North Africa. Dictators fell, civil unrest ruled the day, and social media played a hand.
Huh, come again? What does Facebook and Twitter have to do with Middle Eastern despots? Well, given the reach of social and its ability to spread the word quickly and cheaply, it shouldn’t come as a surprise that the protesters turned to social to galvanize the masses and “bring the ruckus.” And ya know what. . . it worked. Dictators fell in Egypt and Tunisia, Gaddafi’s dead, and Syria and Bahrain are moving towards more openness.
So, why the concern from DHS? Simple. What happened in the Middle East could happen in the States as well. Anyone remember Timothy McVeigh from the Oklahoma City bombings? Or the Unabomber? That’s precisely the type of activity DHS is worried about. The Arab Spring showcased the power of social media and it opened some eyes at DHS. Social networks can be a treasure trove of intelligence information, and now DHS is keen to leverage social to keep tabs on potentially dangerous elements and threats in society.
Welcome to the social age. Spy movies will never be the same. The next time you see Bond and Bourne, they might be checking their Twitter feeds to see where the bad guys are. Problem with this is “how do I know this information is accurate or reliable?” This conundrum pre-dates social media and has always been a concern for all the government agencies and departments dealing with intelligence.
As DHS is still trying to figure how best to monitor social networking activities without running afoul of privacy laws, now might be a good time for them to start looking towards technology as an ally in the fight against threats, be it cyber or old school. With a deeper understanding of today’s technological capabilities, DHS will be better able to formulate appropriate social media monitoring guidelines and perhaps avoid Oklahoma City and Unabomber-type tragedies in the future.
Failing that, give Jason Bourne a call.
SEC: 10Ks are about to get a lil heftier
Posted by nleong in Compliance, Public IM, Social Networking, Web 2.0, Web Security on November 8, 2011
Recently, the SEC issued some guidance that potentially places an additional disclosure burden on public companies. Given technology’s influence in the world of finance and business operations in general, the SEC deemed it an opportune time to issue its thoughts on the role of cybersecurity. It hasn’t been codified yet as a rule, regulation, or statement, but it is indicative of SEC sentiment towards the topic.
With the proliferation of communications channels in use today (think email, instant messaging, Skype, social media, to name a few), this also increases the number of potential avenues for cybersecurity breaches to occur. The ability to easily post content, such as links, videos, podcasts, audio clips, etc., makes these new communications vehicles inviting targets for hackers and other folks with malicious objectives.
So, it makes sense indeed for the SEC to worry about the impact of security breaches on a company’s operations and ultimately its bottom line, which in turn, means it should be disclosed in a 10K. It could very well be that a significant part of a company’s business depends on protection against cyber attacks. For instance, a data center provider must ensure it has the highest levels of security in its buildings and IT infrastructure to ensure that its customers’ data and/or equipment is secure. A breach in the provider’s network will directly affect the performance and fortunes of its customers who rely on near 100% availability, if not 100%, to conduct their own businesses.
And the SEC took it one step further by saying that companies must be specific in their disclosures and not use such generalized language that it can apply to any company. 10Ks are already notorious for reading like soporific legal documents, filled with boilerplate language, but the challenges faced by e-commerce sites might differ from those encountered by social media sites. That’s just one example.
The complexity of cyberattacks and the sophistication of their perpetrators necessitate detailed information in disclosure reports. That’s not to say that a company should compromise its own cybersecurity, but it should at least provide enough information in the 10K to inform a prospective investor the unique security risks that company faces.
In light of the financial scandals and instabilities over the last ten years, investor protection should not be taken lightly. Thus, it’s commendable that the SEC is taking another step in ensuring investors are afforded all relevant data points to make informed decisions. Bravo.
School’s not quite out, but the results are in.
Posted by actiancefederal in Employee Behavior, Enterprise 2.0, Malware, New Internet, Social Networking, Trends, Unified Communications, Web 2.0, Web Security on September 21, 2011
You know that there’s been a seismic shift in the US Government’s communications strategy when guidelines are published by the government for agencies about how they can adopt social networks to deliver a better customer experience.
We can all applaud the good – when the magnitude 5.8 earthquake shook the East Coast in August, the Department of Homeland security was quick to tweet advice on getting in touch with loved ones via social networks, eschewing phone lines which were getting clogged.
But before we get carried away, we need to put this success in perspective.
Just last week, news was released that Air Force One’s flight plans were inadvertently leaked when a Japanese air traffic controller decided to post them on his blog to show off to his friends.
Who needs Wikileaks when you have to contend with the foibles of your own staff?
The threat of malware infection continues to loom large, as our own Jae found out to his chagrin.
There is no time to be complacent. This is why we’ve knuckled down and begun the process of testing our platform for federal government usage. We’ve kicked of with subjecting Vantage and Unified Security Gateway (USG) to the rigorous tests conducted by Science Applications International Corporation (SAIC) Labs.
It is with a mixture of post-exam relief, pleasure and pride that we can reveal that (drumroll please…) we have met the initial requirements for Common Criteria IA SL2 and The Federal Information Processing Standard (FIPS) 140-2.
The process is by no means over, but we’re certainly well on the way, but it’s another confirmation that Federal Agencies can rest assured that our solutions are robust, enterprise-ready and will do what they say on the ‘can’.
Regardless of media – it could be Jabber, Microsoft Lync or Facebook – we can monitor, track and archive content to protect against unsanctioned disclosures and security threats.
What is YOUR federal agency doing with regard to new communications modalities?
