Tag Archives: security

Is your password the weakest link in the social chain?

By Jae Kim,   February 22, 2013

Today’s post comes from Jae Kim, Director of Social Media Products at Actiance.

In the past week, Burger King and Jeep had their Twitter accounts hacked.  It looked pretty silly to lose control over their official Twitter handles.  Seeing some prankster’s tweets on their timeline gave us something to talk about.  But in the end, it’s something that could have happened to anyone.

We all know the right thing to do to avoid getting our accounts hacked. Randomize your passwords, change your passwords a few times a year, and don’t use the same password for multiple sites.  These are all well-known best practices.

But who proactively changes a password without being prompted by a site?  Even when we are forced to change our passwords, we often have trouble coming up with something difficult to guess because we have too many passwords to remember already.

It’s like talking about the benefits of healthy eating and regular exercise.  We all know that these are good for you.  But with easy access to junk food and busy lifestyles, most of us don’t think about what we eat every day or about squeezing in 30 minutes of aerobic exercise.

The same is true of security for our social network accounts.  Until it becomes too late, we tend to ignore what we are not doing right.  Extending the exercise metaphor, we think it’s something that each of us can fix individually if we decide to follow best practice.

In reality, however, social network account security is quite a bit more difficult to implement.  That’s because everyone is linked with each other in trusted relationships.

Unlike your online banking account password, your social network account password doesn’t only protect access to your data.  It also authenticates that you are, in fact, who you claim to be (your social identity) for all the friends and connections that you have.

If my Facebook account is hacked, an attacker can get to my data, but more importantly he can impersonate me and send messages to my friends as me asking them to click things that they shouldn’t.  Because all our social network friends and followers are based on this implicit trust, they are much more likely to click on my message than a spammer’s message.

This means our social network security is only as secure as the least secure account among our friends.  If one trusted social network account is hacked, then we are much more likely to fall victim to targeted phishing attacks, for example.  (This is exactly what happened to me earlier when my friend’s Twitter account got hacked.)

So it may have been fun to talk about Burger King and Jeep’s hacked Twitter accounts, but we have to realize that this threat is a lot closer to us than we think.  We are too connected to each other to ignore social media security.

Do your friends a favor.  Update your social network account passwords.

Somebody’s Watching Me

By actiance,   April 29, 2012

The last couple of weeks have seen UK newspapers filled with stories about UK Government plans to expand its monitoring activities to include email and social media. The two extremes of opinion are that it is either the only way to stop criminal activity or one step away from a draconian privacy invasion akin to 1984.

Neither extreme is accurate. Obviously the more seriously criminally minded will start to use other, more secure methods of communication, if they are not doing so already. In a humorous take on the proposed legislation, comedian and presenter of the BBC’s Friday Night Comedy Sandi Toksvig recently conjured up the image of two terrorists in balaclavas talking to each other on Skype saying “Yes, I promise you it really is me under here.” However, with the right controls, monitoring can play a significant role in the fight against crime.

At the same time, most people don’t have time to read their own email, let alone anyone else’s. If the Government were planning on checking content, which incidentally it says it is not, it would have to use keyword or lexicon search.

Type “bomb site:twitter.com” into Google and it is easy to see that the profile names of tweeters alone would keep someone busy for a long time, let alone the messages, so it’s clear that some intelligence would need to be applied to make searching content worthwhile. It also highlights the challenge of scale, something that defeated the Labour government in its attempt to introduce similar legislation in 2009.
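The scaling problem just described, as an added illustration that is not code from the original post: a naive lexicon flags every message containing a watch-word, while a weighted lexicon with whole-word matching, suppression of known benign phrases and a score threshold cuts the noise down to the messages worth a human's time. The sample messages, the terms and their weights are all constructed for this example and are not drawn from any real feed or any real government lexicon.

```python
import re

# Constructed sample messages (not real tweets) to exercise the matcher.
SAMPLE_MESSAGES = [
    "that concert last night was the bomb!!",
    "photobomb of the year, look at grandpa",
    "bomb threat called in at the station, police evacuating platform 4",
    "my exam today was a bomb, I mean I bombed it",
    "moving the package to the drop point tonight, detonator ready",
    "new bath bomb from lush smells amazing",
]

# Naive lexicon: any message containing any term, anywhere, is a hit.
NAIVE_TERMS = ["bomb", "detonator", "package"]


def naive_hits(messages, terms=NAIVE_TERMS):
    """Substring match on the bare term list; this is the 'bomb site:twitter.com' search."""
    pat = re.compile("|".join(re.escape(t) for t in terms), re.IGNORECASE)
    return [m for m in messages if pat.search(m)]


# Weighted lexicon (illustrative weights): stems are matched at a word boundary, so
# "evacuat" covers "evacuating" but "bomb" no longer matches inside "photobomb".
WEIGHTED_TERMS = {
    "bomb": 2, "detonator": 3, "package": 1,
    "threat": 2, "evacuat": 1, "drop point": 2,
}
# Idioms that contain a watch-word but carry no signal; blanked out before scoring.
BENIGN_PHRASES = ["the bomb", "photobomb", "bath bomb", "bombed it", "was a bomb"]


def score(message, terms=WEIGHTED_TERMS, benign=BENIGN_PHRASES):
    """Return (total_weight, matched_terms) for one message."""
    text = message.lower()
    for phrase in benign:
        text = text.replace(phrase, " ")
    total, matched = 0, []
    for term, weight in terms.items():
        if re.search(r"\b" + re.escape(term), text):
            total += weight
            matched.append(term)
    return total, matched


def scored_hits(messages, threshold=3):
    """Only messages whose combined term weight reaches the threshold are surfaced."""
    hits = []
    for m in messages:
        total, matched = score(m)
        if total >= threshold:
            hits.append((m, total, matched))
    return hits


if __name__ == "__main__":
    print(f"naive lexicon: {len(naive_hits(SAMPLE_MESSAGES))} of {len(SAMPLE_MESSAGES)} flagged")
    for m, total, matched in scored_hits(SAMPLE_MESSAGES):
        print(f"score {total} {matched}: {m}")
```

On the six constructed messages the naive lexicon flags all six; the weighted version keeps only the two that combine several terms. The benign-phrase list is the part that needs constant curation, which is exactly the "intelligence" the paragraph says has to be applied before content search is worthwhile at scale.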

Perhaps one of the key issues is that of trust. With stories of local councils using RIPA (the Regulation of Investigatory Powers Act) to accuse citizens of flouting school catchment rules, it’s no wonder many people are wary of giving any government the power to see who they call or chat to over the internet. If the TV programme Spooks is to be believed, the security services already have the technology and are using it to listen in to every mundane conversation, text stream and email, so what’s the difference? This of course is a long way from reality. However, the monitoring of suspicious traffic is a logical and, more importantly, justifiable part of the crime-fighter’s armoury and, with the strides being made in keyword and lexicon search and identification technology, also relatively easy to implement.

It is not the ability to listen-in to me telling the world what I am having for dinner on Facebook that is the issue, but how much control is in place to ensure we know who can listen to what.

The bottom line is that the growth of social and electronic media use by the criminal fraternity is a serious threat to our national security and well-being. Last summer’s riots grew at the pace they did because of the use of technology such as BlackBerry Messenger, SMS and Twitter, and monitoring will allow the police and security organisations to react quickly and effectively to protect our safety. Terrorist communications have often been found to take the form of cleverly coded electronic messages.

“Ah”, I hear you say, “but what about human rights?”. Well, I think we have a decision to make – either we take the view that logically, there will be far too much traffic to allow for any investigator to focus on anything other than posts, tweets and blogs that trigger alarm bells OR we do nothing and run the risk of the criminal element enjoying unparalleled freedom of communication. The real issue is one of checks and balances to ensure responsible application of regulations around monitoring.

For this reason the UK Government, and indeed the others that are bound to follow suit, must ensure that the legislation protects society, whilst also protecting the rights of the individual.

When we look at most industry regulation today, that means implementing the technology to enforce a policy, archive the communications and provide a full audit trail, so that actions are accountable and only authorised personnel have access. This technology is available today and its use needs to be factored into any policy discussion by government.

Although we will have to wait until the full plan is revealed to truly analyse the consequences, I think it is inevitable that this type of legislation will eventually come into force.  We live in a world where real-time communications are the norm; it is unrealistic to expect those we look to for protection to provide it without the tools to combat others who use those same communications for nefarious activities.

Social Media Scammers – New Frontiers of Aggravation

By actiance,   March 28, 2012

Any veteran of social media has at one time or another put palm to face on seeing another of their contacts trying to distribute yet another scam through their profile.  There is no escaping it.  Whether it’s a third-party application that promises free coupons or a tweet promising a free iPad, illegitimate offers wanting your PII (Personally Identifiable Information) are everywhere.  If this were 10 years ago, you would hear me complaining about e-mail or IM spam.  Sure, these spam attempts still happen, but they are broad, untargeted attacks at best.  E-mail or IM spam doesn’t even know your gender most of the time, let alone what demographic you fall under.  That’s what makes social media spam such a lucrative trade.  Never before have people been so compelled to give away so much information about themselves.  The content that we end up posting on social network sites is so descriptive of our personal lives that even corporations are asking for it during the interview process.

It’s not difficult to tell if someone close to you has been hit by a spam attack.  If their profile has been hijacked, you can expect to see the same message sent to several friends, always with a shortened URL.  Your best defense is to be wary of links that you receive, even if they come from trusted sources.  You should also take a moment to explore what privacy settings you already have in place.  The goal should be to make sure that your information is not accessible without your explicit knowledge.

You should look at all social network privacy settings, not just Facebook.

Spammers are able to find you and send targeted attacks, if you share all of your information with the open web.  Any kind of application that you use to access a social network is acting as the middleman for your data.  This usually means that you are allowing them access to your data in exchange for their ‘free’ service.  What they do with that information after they provide their service is up to them.

The application above collects basic information. This means any information that you have made public.

Before you click that link, be more skeptical.  Does this person really want to give me free money?  Unfortunately, we don’t live in that kind of world.  The more likely answer is that they are looking to sell your information to advertisers for other scam attempts.  I could be wrong of course.  A smartly-dressed woman could always show up in a diamond-crusted Bentley with $500 and a promise of a new monetary system that will work out in my favor.

If it's a new cash system, why is she holding the old cash?

Let’s use a recent scam example seen on Facebook.  A common attack method on Facebook is to create a third-party application that immediately redirects the user away from Facebook.  This could be as harmless as driving SEO traffic to a site or as bad as delivering something malicious to your PC.  In this case, it’s just a scam to get more traffic to a site selling shoes.  It starts as most of these scam attacks start: a buddy clicked something they should not have and now a third-party application on Facebook is posting messages as them.  To make sure that their friends view the content, it tags them in a picture.

41 lucky people got a free picture of gold shoes!

Now they’ve got you on the hook.  If you happen to click that link, you are taken first to a Facebook application page whose only function is to redirect you to a site not belonging to Facebook.

The Facebook page immediately redirects the user to another site not controlled by Facebook.

Applications like this one are a dime a dozen.  Facebook has been under fire in the past for allowing this kind of activity.  It is an unavoidable side effect of providing an open web platform on which users create their own applications.  Facebook deletes the malicious ones, but it hasn’t done an outstanding job of policing them in the past.  In this case, the user is immediately taken to a Blogger page that looks like this:


There are a few tools that you can use in your browser to keep your exchanges on social media as private as possible.  I recommend Ghostery for detecting the invisible trackers that exist on most web pages.  These are usually advertisers trying to capitalize on your digital presence.  Unless you intend to read a 30-page EULA describing what they are allowed to do with your data, just block them.  Another useful tool is LongURL, which shows you where a shortened link leads before you click it.  It will also help you avoid getting hit by that one friend who is always rickrolling people.
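The redirect trick described above (a platform page whose only job is to send you off-platform) and the look-before-you-click habit that LongURL encourages can both be reproduced in a few lines of Python. This is an added example, not code from the original post or from LongURL: it follows a shortened link one hop at a time without letting the HTTP library auto-follow, records the whole chain, and reports when the final host is outside the platform's own domain. The http_hop function makes live HEAD requests; FAKE_HOPS and fake_hop are a constructed stand-in so the chain logic runs offline, and none of the hostnames in that table are real.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_hop(url, timeout=5):
    """One HEAD request; return (status, Location header or None) without following it."""
    opener = urllib.request.build_opener(_NoFollow)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # with following disabled, a 3xx lands here
        return err.code, err.headers.get("Location")


def expand(url, hop=http_hop, max_hops=10):
    """Walk the redirect chain by hand; returns every URL from the input to the final one."""
    chain = [url]
    while len(chain) <= max_hops:
        status, location = hop(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative or scheme-relative
        if nxt in chain:
            raise RuntimeError(f"redirect loop at {nxt}")
        chain.append(nxt)
    raise RuntimeError(f"more than {max_hops} redirects starting at {url}")


def leaves_platform(chain, platform_suffixes):
    """True if the chain ends on a host outside every listed platform domain suffix."""
    final_host = (urlparse(chain[-1]).hostname or "").lower()
    return not any(final_host == s or final_host.endswith("." + s) for s in platform_suffixes)


# Constructed offline hop table standing in for live responses (hostnames are not real).
# Shape of the scam above: shortener -> platform "app" page -> off-platform shoe blog.
FAKE_HOPS = {
    "http://short.example/abc": (301, "http://apps.social.example/app?id=1"),
    "http://apps.social.example/app?id=1": (302, "//blog.example/shoes"),
    "http://blog.example/shoes": (200, None),
}


def fake_hop(url):
    return FAKE_HOPS.get(url, (404, None))


if __name__ == "__main__":
    chain = expand("http://short.example/abc", hop=fake_hop)
    print(" -> ".join(chain))
    if leaves_platform(chain, ["social.example"]):
        print("final destination is off-platform; treat with suspicion")
```

Some shorteners refuse HEAD, and some application pages redirect with an HTML meta refresh or JavaScript rather than a 3xx, so a chain that ends in a 200 on the platform's own host is not proof that the link stays there; treat it as unresolved and inspect the body before trusting it.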

Belbey Blogs: Let‘s Change the Conversation

By Joanna Belbey,   February 8, 2012

At a meeting last week with a prospective client, while we were diving into freshly baked cookies (yes, that’s right, warm cookies, I love meetings in the Midwest), a compliance professional turned to me and asked me a question about “PAC files”.  Really?

At that moment, I realized that it’s time to change the conversation.

For more than 2 years, we have been discussing how to use social media while complying with the financial services rules and regulations. After all, the Financial Industry Regulatory Authority (FINRA) issued its first Regulatory Notice 10-06 in January of 2010, followed by the Financial Services Authority (FSA) with Financial Promotions Using Social Media, then Cir/ISD/1/2011 from the Securities and Exchange Board of India (SEBI), then more guidance from FINRA with Regulatory Notice 11-39, followed by the Investment Industry Regulatory Organization of Canada (IIROC) issuing Notice 11-0349, and the Securities and Exchange Commission (SEC) alerts early this year, which included Investment Adviser Use of Social Media.  In addition, the National Association of Insurance Commissioners is drafting The Use of Social Media in Insurance. We have even seen the Massachusetts Securities Division issue a letter to Registered Investment Advisers on the use of social media.

Fundamentally, we are reminded by all these regulators that social media is just another form of written communication, and needs to be treated as such. Existing rules around recordkeeping, suitability, advertising, and supervision are media-neutral and all apply. Content, not the device, is determinative. And the regulators are only interested in business communications. With the release of each new set of guidance, there are lively conversations about how to interpret and apply some of the rules to specific features across the social networking sites; however, at this point the message is clear: the spirit of the guidance is to protect the investor.

As none of the native social networking sites has the ability to support these compliance requirements, project managers, IT and Security have been having their own discussions. Third-party vendors have been identified, requirements outlined, demo after demo watched, pilots launched, RFPs written and evaluated, matrices comparing vendors developed and analyzed, budgets submitted, resources assigned and contracts negotiated. In some cases, upward of 30 people from within the enterprise have been involved in all these conversations. No wonder the compliance professional had heard about “PAC files”.

In the meantime, the lines of business, marketing departments, investor relations, human resources, research, customer service, and savvy financial advisors are champing at the bit to start using social media to nurture existing relationships, attract new clients, build brand awareness, share information, recruit and conduct research. Maybe they have heard the statistics: more than 47% of Boomers use social media in some form (Forrester Research, June 2011), and the heaviest users of social media, Gen Y (ages 18-30), hold more than $2.4 trillion in personal income and by 2025 will control more than 46% of the personal wealth in the United States (Javelin Research). They want to speak the language of their clients and prospects. Or maybe they have heard the stories about how financial advisors are beginning to generate business, like the advisor at a large broker-dealer who captured a new $2 million account after noticing that a LinkedIn connection had retired, or the advisor who attracted a $1 million prospect after only 96 tweets and with only 51 followers.

So now that you have ensured that your firm will be in compliance with the rules and regulations and have decided which technology solution to use, let’s change the conversation. Let’s talk about training, integrated marketing, content strategy and measurement, and about how you will begin to support your financial advisors’ use of social media to build their business.

Cyber security strategy in the spotlight at DHS

By actiance,   December 20, 2011

Recently, the Department of Homeland Security (DHS) released its blueprint on cybersecurity.  The document essentially provides a framework for managing the myriad cyber threats that are lurking out there, while still fostering an environment of innovation, prosperity, and economic growth.  It’s an ambitious plan, but it’s certainly necessary.

The range of security threats runs the gamut these days.  Hackers have so many options for plying their trade that policing all physical and virtual borders is a real challenge.  The explosion in social media and collaboration tools has opened up a bevy of new channels through which to distribute viruses and other types of malware.  The sophistication of today’s criminals makes cybersecurity one of the most important issues for DHS in the 21st century.

The DHS framework has two key pillars:  (1) protecting the infrastructure that carries critical information, and (2) strengthening the cyber ecosystem in general.  To achieve these twin objectives, DHS must execute on several fronts:  hardening critical networks, prosecuting cybercriminals, raising public awareness, and hiring/training cybersecurity-savvy workers.  As you can see, it’s a multi-faceted strategy that requires cooperation and input from several sources and individuals (including us, the people).

Thankfully, the pace of technological innovation in the security space is just as brisk.  Anti-malware and URL filtering technologies continue to push the envelope in terms of detection capabilities.  Monitoring software now offers granular controls over social media sites.  And archiving capabilities now include a slew of communications modalities, including email, instant messaging, social media, collaboration platforms, etc., making it easier to build a case should prosecution become an option.

Security dangers may lurk everywhere, but with the right systems, policies, and training in place, the DHS blueprint may well become a reality sooner rather than later.

Chief Data Protection Officer (CDPO): The new C-level exec?

By actiance,   December 14, 2011

The European Union (EU) may be on the verge of creating a new C-level job title, according to a draft proposal from the European Commission.  Reflecting the growing concern over security and data protection, the EU has proposed making it mandatory to have a data protection officer for the public sector, for large enterprises, and for organizations where the “core activities of the controller or processor consist of processing operations which require regular and systematic monitoring.”

This has definitely caught the attention of those in the financial services sector because the proposal also includes provisions for fining businesses up to five percent of their revenue for data breaches.  That’s not a percentage to sneeze at when multiplied against billions of euros/pounds/Swiss francs.  The potential for security breaches grows as more people turn to online resources to conduct business.  Increasingly, financial services firms are utilizing social media and instant messaging to communicate with clients and prospective clients.

However, the downside is that all these new communications channels and transaction platforms are inviting targets for hackers.  The Skypes and Twitters of the world all represent new channels for malware to enter the corporate network.  Just a couple of weeks ago, this author himself was a victim of identity theft.  So, the threat is real and billions of dollars are at stake.  Just look what happened to Citigroup earlier this year.

Already, we’ve begun to see titles like “VP of Digital Marketing” and “Social Media Manager” pop up.  So, it logically follows that we will see a “Chief Data Protection Officer” title emerge too.  Hackers are becoming ever more sophisticated and the tools at their disposal are the most powerful they’ve ever been.  The EU is therefore clearly keen to keep pace with the constant innovation flowing from the technology world.  That innovation is responsible for much of the threat, but equally, advances in security and compliance technologies are also a key part of the solution and will be a critical part of the CDPO’s armoury.

The game of cat and mouse will no doubt continue, but at least, there’ll be a CDPO focused on minimizing, if not totally eradicating, the consequences of security and data breaches.  Certainly, a framework around how security breaches will be handled and communicated to the public is a good starting point.

So maybe Brussels is finally doing the right thing!

Six degrees of Zuckerberg? (aka Norv gets punked)

By nleong,   December 3, 2011

For those of you as old as me (and I’m pretty damn crusty), Six Degrees of Kevin Bacon meant something.  It was the informal game you’d play while chitchatting in a bar or tailgating at a football game.  Now, in an age where terms like “liking,” “friending,” “trending,” and “checking in” are all part of the urban lexicon, that game might have to be updated a bit.  In a recent study by Facebook and the University of Milan, the average distance between any two Facebook users came out at 4.74 degrees, not the six popularized by the Bacon game.

What does this all mean?  Well, in addition to being an exercise by data-loving researchers, it raises the philosophical question of “Is the world really that much closer?”  The ease with which we become “friends” on Facebook might have something to do with it.  The Internet (and social media in particular) shatters the concept of borders (notwithstanding the censors in countries like China), making the flow of information and “friendships” smoother than at any time in the past.

Of course, this has a dark side as well.  Hackers bent on unleashing viruses and other types of malware now have a bigger playground in which to play.  Exploiting “friendships” now can mean loss of sensitive data, compromised bank accounts, and severe embarrassment for those defrauded.

Yours truly, as a side note, was such a victim just this morning.  My Skype account got hacked and some nefarious soul was able to use up $75 worth of Skype credits on phone calls to Slovenia.  Really, Slovenia???  Just goes to show the Internet is a global phenomenon and sites like Skype are an inviting target because of their global reach.

Hackers are well aware of social’s popularity and the inherent trust these sites breed.  Networks like Facebook, LinkedIn, and Twitter all require a pre-approved connection, friendship, or following before one can receive content from a particular person.  However, that same level of trust is a double-edged sword.  Even when I was dealing with Skype Customer Support this morning, it kept crossing my mind, “Was I REALLY dealing with Skype Customer Support or some punk in the Ukraine fleecing people from his dorm bed.”   

At the end of the day, we all need to be careful and cognizant that security risks will always be present when you’re dealing with the Web and all its new communication platforms.  It needn’t be just social media.  You’ve got instant messaging, peer-to-peer (think Skype again), blogs, Wikis – just to name a few – where security threats lurk.

So, the world may indeed be closer (by 1.26 degrees, to be exact) but that doesn’t necessarily mean it’s a more trustworthy place.

Lessons Learned from the Arab Spring

By nleong,   November 16, 2011

While the Arab Spring was unfolding, the US Department of Homeland Security (DHS) was taking note.  For those in need of a refresher on Middle Eastern politics, it’s been nearly a year since mass protests started sweeping through the Middle East and North Africa.  Dictators fell, civil unrest ruled the day, and social media played a hand.

Huh, come again?  What do Facebook and Twitter have to do with Middle Eastern despots?  Well, given the reach of social and its ability to spread the word quickly and cheaply, it shouldn’t come as a surprise that the protesters turned to social to galvanize the masses and “bring the ruckus.”  And ya know what. . . it worked.  Dictators fell in Egypt and Tunisia, Gaddafi’s dead, and Syria and Bahrain are moving towards more openness.

So, why the concern from DHS?  Simple.  What happened in the Middle East could happen in the States as well.  Anyone remember Timothy McVeigh from the Oklahoma City bombing?  Or the Unabomber?  That’s precisely the type of activity DHS is worried about.  The Arab Spring showcased the power of social media and it opened some eyes at DHS.  Social networks can be a treasure trove of intelligence information, and now DHS is keen to leverage social to keep tabs on potentially dangerous elements and threats in society.

Welcome to the social age.  Spy movies will never be the same.  The next time you see Bond and Bourne, they might be checking their Twitter feeds to see where the bad guys are.  The problem with this is “how do I know this information is accurate or reliable?”  This conundrum pre-dates social media and has always been a concern for all the government agencies and departments dealing with intelligence.

As DHS is still trying to figure how best to monitor social networking activities without running afoul of privacy laws, now might be a good time for them to start looking towards technology as an ally in the fight against threats, be it cyber or old school.  With a deeper understanding of today’s technological capabilities, DHS will be better able to formulate appropriate social media monitoring guidelines and perhaps avoid Oklahoma City and Unabomber-type tragedies in the future.

Failing that, give Jason Bourne a call.

SEC: 10Ks are about to get a lil heftier

By nleong,   November 8, 2011

Recently, the SEC issued some guidance that potentially places an additional disclosure burden on public companies.  Given technology’s influence in the world of finance and business operations in general, the SEC deemed it an opportune time to issue its thoughts on the role of cybersecurity.  It hasn’t been codified yet as a rule, regulation, or statement, but it is indicative of SEC sentiment towards the topic.

With the proliferation of communications channels in use today (think email, instant messaging, Skype, social media, to name a few), the number of potential avenues for cybersecurity breaches also increases.  The ability to easily post content, such as links, videos, podcasts, audio clips, etc., makes these new communications vehicles inviting targets for hackers and other folks with malicious objectives.

So, it makes sense indeed for the SEC to worry about the impact of security breaches on a company’s operations and ultimately its bottom line, which in turn, means it should be disclosed in a 10K.  It could very well be that a significant part of a company’s business depends on protection against cyber attacks.  For instance, a data center provider must ensure it has the highest levels of security in its buildings and IT infrastructure to ensure that its customers’ data and/or equipment is secure.  A breach in the provider’s network will directly affect the performance and fortunes of its customers who rely on near 100% availability, if not 100%, to conduct their own businesses.

And the SEC took it one step further by saying that companies must be specific in their disclosures and not use such generalized language that it can apply to any company.  10Ks are already notorious for reading like soporific legal documents, filled with boilerplate language, but the challenges faced by e-commerce sites might differ from those encountered by social media sites.  That’s just one example.

The complexity of cyberattacks and the sophistication of their perpetrators necessitate detailed information in disclosure reports.  That’s not to say that a company should compromise its own cybersecurity, but it should at least provide enough information in the 10K to inform a prospective investor the unique security risks that company faces.

In light of the financial scandals and instabilities over the last ten years, investor protection should not be taken lightly.  Thus, it’s commendable that the SEC is taking another step in ensuring investors are afforded all relevant data points to make informed decisions.  Bravo.

School’s not quite out, but the results are in.

By actiance,   September 21, 2011

You know that there’s been a seismic shift in the US Government’s communications strategy when guidelines are published by the government for agencies about how they can adopt social networks to deliver a better customer experience.

We can all applaud the good – when the magnitude 5.8 earthquake shook the East Coast in August, the Department of Homeland Security was quick to tweet advice on getting in touch with loved ones via social networks, eschewing phone lines which were getting clogged.

But before we get carried away, we need to put this success in perspective.

Just last week, news was released that Air Force One’s flight plans were inadvertently leaked when a Japanese air traffic controller decided to post them on his blog to show off to his friends.

Who needs Wikileaks when you have to contend with the foibles of your own staff?

The threat of malware infection continues to loom large, as our own Jae found out to his chagrin.

There is no time to be complacent.  This is why we’ve knuckled down and begun the process of testing our platform for federal government usage.  We’ve kicked off by subjecting Vantage and Unified Security Gateway (USG) to the rigorous tests conducted by Science Applications International Corporation (SAIC) Labs.

It is with a mixture of post-exam relief, pleasure and pride that we can reveal that (drumroll please…) we have met the initial requirements for Common Criteria IA SL2 and Federal Information Processing Standard (FIPS) 140-2.

The process is by no means over, but we’re certainly well on the way, and it’s another confirmation that Federal Agencies can rest assured that our solutions are robust, enterprise-ready and will do what they say on the ‘can’.

Regardless of media – it could be Jabber, Microsoft Lync or Facebook – we can monitor, track and archive content to protect against unsanctioned disclosures and security threats.

What is YOUR federal agency doing with regard to new communications modalities?