Tag Archives: Web security

Somebody’s Watching Me

By actiance, April 29, 2012

The last couple of weeks have seen UK newspapers filled with stories over UK Government plans to expand its monitoring activities to include email and social media. The two extreme points of view are that it is either the only way to stop criminal activity or one step away from a draconian invasion of privacy, something akin to 1984.

Neither extreme is accurate. Obviously the more seriously criminally minded will start to use other methods of communication that are more secure, if indeed they are not doing so already. In a humorous look at the proposed legislation, comedian and presenter of the BBC’s Friday Night comedy, Sandi Toksvig, recently conjured up the image of two terrorists in balaclavas talking to each other on Skype saying “Yes, I promise you it really is me under here.” However, with the right controls, monitoring can play a significant role in the fight against crime.

At the same time, most people don’t have time to read their own email, let alone anyone else’s. If Government was planning on checking content, which incidentally it says it is not, then it would have to be using keyword or lexicon search.

Type “bomb site:twitter.com” into Google and it is easy to see that just the profile names of tweeters alone would keep someone busy for a long time let alone the messages, so it’s clear that some intelligence would need to be applied to make searching content worthwhile. It also highlights the challenges of scale, something that defeated the Labour government in its attempt to introduce similar legislation in 2009.

Perhaps one of the key issues is that of trust. With stories of local councils using RIPA (the Regulation of Investigatory Powers Act) to accuse citizens of flouting the school catchment rules, it’s no wonder many people are wary of giving any government the power to see who they call or chat to over the internet. If the TV programme Spooks is to be believed, the security services already have the technology and are using it to listen in to every mundane conversation, text stream and email conversation anyway, so what’s the difference? This of course is a long way from reality. However, the monitoring of suspicious traffic is a logical and, more importantly, justifiable part of the crime-fighters’ armoury, and with the massive strides being made in keyword and lexicon search and identification technology, it is also relatively easy to implement.

It is not the ability to listen-in to me telling the world what I am having for dinner on Facebook that is the issue, but how much control is in place to ensure we know who can listen to what.

The bottom line is that the growth of social and electronic media use by the criminal fraternity is a serious threat to our national security and well-being. Last summer’s riots grew at the pace they did because of the use of technology such as Blackberry Messaging, SMS and Twitter and monitoring will allow for the police and security organisations to react quickly and effectively to protect our safety. Terrorist communications have been proven to often be in the form of cleverly coded electronic communications.

“Ah”, I hear you say, “but what about human rights?”. Well, I think we have a decision to make – either we take the view that logically, there will be far too much traffic to allow for any investigator to focus on anything other than posts, tweets and blogs that trigger alarm bells OR we do nothing and run the risk of the criminal element enjoying unparalleled freedom of communication. The real issue is one of checks and balances to ensure responsible application of regulations around monitoring.

For this reason the UK Government, and indeed the others that are bound to follow suit, must ensure that the legislation protects society, whilst also protecting the rights of the individual.

When we look at most industry regulation today, that means implementing the technology to enforce a policy, archive the communications and provide a full audit trail, to ensure that actions are accountable and that only authorised personnel have access. This technology is available today and its use needs to be factored into any policy discussion by government.

Although we will have to wait until the full plan is revealed to truly analyse the consequences, I think it is inevitable that this type of legislation will eventually come into force. We live in a world where real-time communications are the norm; it is unrealistic to expect those we look to protect us to do so without the tools to combat others that use those communications for nefarious activities.

Chief Data Protection Officer (CDPO): The new C-level exec?

By actiance, December 14, 2011

The European Union (EU) may possibly be on the verge of creating a new C-level job title, according to a draft proposal from the European Commission.  Reflecting the growing concern over security and data protection, the EU has proposed making it mandatory to have a data protection officer for the public sector, for large enterprises, and for organizations where the “core activities of the controller or processor consist of processing operations which require regular and systematic monitoring.”

This has definitely caught the attention of those in the financial services sector because the proposal also includes provisions for fining businesses up to five percent of their revenue for data breaches.  That’s not a percentage to sneeze at when multiplied against billions of euros/pounds/Swiss francs.  The potential for security breaches increases exponentially as more people turn to online resources to conduct business.  Increasingly, financial services firms are utilizing social media and instant messaging to communicate with clients and prospective clients.

However, the downside is that all these new communications channels and transaction platforms are inviting targets for hackers.  The Skypes and Twitters of the world all represent new channels for malware to enter the corporate network.  Just a couple of weeks ago, this author himself was a victim of identity theft.  So, the threat is real and billions of dollars are at stake.  Just look what happened to Citigroup earlier this year.

Already, we’ve begun to see titles like “VP of Digital Marketing” and “Social Media Manager” pop up. So, it logically follows that we will see a “Chief Data Protection Officer” title emerge too. Hackers are becoming ever more sophisticated and the tools at their disposal are the most powerful they’ve ever been. The EU is therefore clearly keen to keep pace with the constant innovation flowing from the technology world. That innovation is responsible for much of the threat, but equally, advances in security and compliance technologies are also a key part of the solution and will be a critical part of the CDPO’s armoury.

The game of cat and mouse will no doubt continue, but at least, there’ll be a CDPO focused on minimizing, if not totally eradicating, the consequences of security and data breaches.  Certainly, a framework around how security breaches will be handled and communicated to the public is a good starting point.

So maybe Brussels is finally doing the right thing!

Six degrees of Zuckerberg? (aka Norv gets punked)

By nleong, December 3, 2011

For those of you as old as me (and I’m pretty damn crusty), Six Degrees of Kevin Bacon meant something.  It was the informal game you’d play while chitchatting in a bar or tailgating at a football game.  Now, in an age where terms like “liking,” “friending,” “trending,” and “checking in” are all part of the urban lexicon, that game might have to be updated a bit.  In a recent study by Facebook and the University of Milan, the average number of degrees separating any two people on the planet was exactly 4.74, not the six degrees popularized by the Bacon game.

What does this all mean? Well, in addition to being an exercise by data-loving researchers, it begs the philosophical question of “Is the world really that much closer?” The ease with which we become “friends” on Facebook might have something to do with it. The Internet (and social media in particular) shatters the concept of borders (notwithstanding the censors in countries like China), making the flow of information and “friendships” smoother than at any time in the past.

Of course, this has a dark side as well.  Hackers bent on unleashing viruses and other types of malware now have a bigger playground in which to play.  Exploiting “friendships” now can mean loss of sensitive data, compromised bank accounts, and severe embarrassment for those defrauded.

Yours truly, as a side note, was such a victim just this morning. My Skype account got hacked and some nefarious soul was able to use up $75 worth of Skype credits for phone calls to Slovenia. Really, Slovenia??? Just goes to show the Internet is a global phenomenon and sites like Skype are an inviting target because of their global reach.

Hackers are well aware of social’s popularity and the inherent trust these sites breed. Networks like Facebook, LinkedIn, and Twitter all require a pre-approved connection, friendship, or following before one can receive content from a particular person. However, that same level of trust is a double-edged sword. Even when I was dealing with Skype Customer Support this morning, it kept crossing my mind, “Was I REALLY dealing with Skype Customer Support or some punk in the Ukraine fleecing people from his dorm bed.”

At the end of the day, we all need to be careful and cognizant that security risks will always be present when you’re dealing with the Web and all its new communication platforms.  It needn’t be just social media.  You’ve got instant messaging, peer-to-peer (think Skype again), blogs, Wikis – just to name a few – where security threats lurk.

So, the world may indeed be closer (1.26 degrees to be exact) but that doesn’t necessarily mean it’s a more trustworthy place.

Lessons Learned from the Arab Spring

By nleong, November 16, 2011

While the Arab Spring was unfolding, the US Department of Homeland Security (DHS) was taking note. For those in need of a refresher on Middle Eastern politics, it’s been nearly a year since mass protests started sweeping through the Middle East and North Africa. Dictators fell, civil unrest ruled the day, and social media played a hand.

Huh, come again? What do Facebook and Twitter have to do with Middle Eastern despots? Well, given the reach of social and its ability to spread the word quickly and cheaply, it shouldn’t come as a surprise that the protesters turned to social to galvanize the masses and “bring the ruckus.” And ya know what. . . it worked. Dictators fell in Egypt and Tunisia, Gaddafi’s dead, and Syria and Bahrain are moving towards more openness.

So, why the concern from DHS?  Simple.  What happened in the Middle East could happen in the States as well.  Anyone remember Timothy McVeigh from the Oklahoma City bombings?  Or the Unabomber?  That’s precisely the type of activity DHS is worried about.  The Arab Spring showcased the power of social media and it opened some eyes at DHS.  Social networks can be a treasure trove of intelligence information, and now DHS is keen to leverage social to keep tabs on potentially dangerous elements and threats in society.

Welcome to the social age.  Spy movies will never be the same.  The next time you see Bond and Bourne, they might be checking their Twitter feeds to see where the bad guys are.  Problem with this is “how do I know this information is accurate or reliable?”  This conundrum pre-dates social media and has always been a concern for all the government agencies and departments dealing with intelligence.

As DHS is still trying to figure out how best to monitor social networking activities without running afoul of privacy laws, now might be a good time for them to start looking towards technology as an ally in the fight against threats, be they cyber or old school. With a deeper understanding of today’s technological capabilities, DHS will be better able to formulate appropriate social media monitoring guidelines and perhaps avoid Oklahoma City and Unabomber-type tragedies in the future.

Failing that, give Jason Bourne a call.

SEC: 10Ks are about to get a lil heftier

By nleong, November 8, 2011

Recently, the SEC issued some guidance that potentially places an additional disclosure burden on public companies.  Given technology’s influence in the world of finance and business operations in general, the SEC deemed it an opportune time to issue its thoughts on the role of cybersecurity.  It hasn’t been codified yet as a rule, regulation, or statement, but it is indicative of SEC sentiment towards the topic.

The proliferation of communications channels in use today (think email, instant messaging, Skype, social media, to name a few) also increases the number of potential avenues for cybersecurity breaches to occur. The ability to easily post content, such as links, videos, podcasts, audio clips, etc., makes these new communications vehicles inviting targets for hackers and other folks with malicious objectives.

So, it makes sense indeed for the SEC to worry about the impact of security breaches on a company’s operations and ultimately its bottom line, which in turn, means it should be disclosed in a 10K.  It could very well be that a significant part of a company’s business depends on protection against cyber attacks.  For instance, a data center provider must ensure it has the highest levels of security in its buildings and IT infrastructure to ensure that its customers’ data and/or equipment is secure.  A breach in the provider’s network will directly affect the performance and fortunes of its customers who rely on near 100% availability, if not 100%, to conduct their own businesses.

And the SEC took it one step further by saying that companies must be specific in their disclosures and not use such generalized language that it can apply to any company.  10Ks are already notorious for reading like soporific legal documents, filled with boilerplate language, but the challenges faced by e-commerce sites might differ from those encountered by social media sites.  That’s just one example.

The complexity of cyberattacks and the sophistication of their perpetrators necessitate detailed information in disclosure reports.  That’s not to say that a company should compromise its own cybersecurity, but it should at least provide enough information in the 10K to inform a prospective investor the unique security risks that company faces.

In light of the financial scandals and instabilities over the last ten years, investor protection should not be taken lightly.  Thus, it’s commendable that the SEC is taking another step in ensuring investors are afforded all relevant data points to make informed decisions.  Bravo.

School’s not quite out, but the results are in.

By actiance, September 21, 2011

You know that there’s been a seismic shift in the US Government’s communications strategy when guidelines are published by the government for agencies about how they can adopt social networks to deliver a better customer experience.

We can all applaud the good – when the magnitude 5.8 earthquake shook the East Coast in August, the Department of Homeland security was quick to tweet advice on getting in touch with loved ones via social networks, eschewing phone lines which were getting clogged.

But before we get carried away, we need to put this success in perspective.

Just last week, news was released that Air Force One’s flight plans were inadvertently leaked when a Japanese air traffic controller decided to post them on his blog to show off to his friends.

Who needs Wikileaks when you have to contend with the foibles of your own staff?

The threat of malware infection continues to loom large, as our own Jae found out to his chagrin.

There is no time to be complacent. This is why we’ve knuckled down and begun the process of testing our platform for federal government usage. We’ve kicked off by subjecting Vantage and Unified Security Gateway (USG) to the rigorous tests conducted by Science Applications International Corporation (SAIC) Labs.

It is with a mixture of post-exam relief, pleasure and pride that we can reveal that (drumroll please…) we have met the initial requirements for Common Criteria IA SL2 and The Federal Information Processing Standard (FIPS) 140-2.

The process is by no means over, but we’re certainly well on the way, and it’s another confirmation that Federal Agencies can rest assured that our solutions are robust, enterprise-ready and will do what they say on the ‘can’.

Regardless of media – it could be Jabber, Microsoft Lync or Facebook – we can monitor, track and archive content to protect against unsanctioned disclosures and security threats.

What is YOUR federal agency doing with regard to new communications modalities?

The House is on fire. We don’t need no water, just some Skype.

By actiance, September 15, 2011

Wow, for you naysayers out there that think the government is slow, archaic, and behind-the-times, you may have to reconsider your position.  The House of Representatives has OK’d the use of Skype and ooVoo within its hallowed halls.  Up to now, security concerns had impeded adoption of these popular Internet phone and video conferencing tools, respectively, but now that those concerns have been addressed, the House is ready to move forward on its plan to improve communications and transparency with its constituents.

In these tough economic times where government budgets are strapped, leveraging technology solutions that tout cost efficiencies is gaining traction. Moreover, technological enhancements and plentiful bandwidth are driving the government to look at other real-time alternatives. Applications like Skype and ooVoo allow for virtual town hall meetings, facilitate responding to constituent inquiries, and obviate the need for travel in many instances. The net effect is a fluid, cost-effective communications channel between representatives and their constituents.

Now, the House had every right to take its time in blessing the use of Skype and ooVoo.  Security concerns are justified, given the abundance of horror stories involving security breaches in government and other industries as well.  The problem with social media and other Web 2.0 applications is that their ubiquity opens whole new vectors for malware and other types of evil to infiltrate the corporate or government network.  The proliferation of content on these types of sites is mind-boggling – photos, videos, wikis, blogs, tweets, and the list goes on and on.  But, each one of these types of content can be a springboard for malware.

Given the viral nature of social media and the breadth of the social graph, it doesn’t take much for a virus to spread.  A simple, innocent click on a link to your friend’s supposed Morocco vacation pictures may not yield camel pictures, but rather, expletives flowing out of your mouth when you see the Blue Screen of Death.

That’s why you see so many security software and hardware vendors in the marketplace.  They’re there for a reason.  Not the sexiest technology, but definitely critical to your sanity and to the long-run viability of your company, or in the case of this blog entry, the House of Representatives.  Having security systems and policies in place to control the glut of Web 2.0-type applications out there (Skype and ooVoo are just two of the thousands) is downright essential.

Without granular controls of social media, instant messaging, video conferencing, and the like, safely managing that fluid communications channel between government and the constituents becomes that much more difficult.  Throw into the mix potential national security implications and one can see why security breaches aren’t taken lightly in government circles.

So, bravo to the House for giving the green light to Skype and ooVoo.  Now, I can Skype my congresswoman to fix that pothole in front of my driveway.

Enough with the rose-tinted glasses…

By Sarah Carter, September 14, 2011

I was lucky enough to be invited to speak on a panel hosted by @JulianaKenny of @tmcnet at the ITEXPO West conference and exhibition being hosted in Austin this week.  Actually, the exhibition is just kicking off now.  Juliana hosted a great panel, and I was seated alongside @gunnr (Greg Gunn), VP of Business Development for Hootsuite and @ronankeane, Ronan Keane of XO Communications.

Our Topic?  Securing Social Media for Compliance Collaboration.  The mission?  Talk to the specific security and compliance requirements of social media that organizations must consider.

Well, we certainly wandered all over education, regulation, legislation, education, personal vs. professional, education, ethics, controls, education – wait, you see where I’m going with this? I have to say thank you to the audience, who pretty much led us all the way on this one – with insightful comments, killer questions, and input (ah, it certainly makes it easier when that happens). There’ll be more on this later, but where, you wonder, does the blog title come from?

Well, the title speaks to a retort that I made to fellow panelist Greg Gunn of Hootsuite when we were discussing the tribal nature of social networks and a user’s natural instinct to trust content sent by someone he or she has connected with (and therefore trusts). Greg will no doubt correct me if I have this slightly wrong, but I recall a comment along the lines of “trusting users to use social appropriately and comment in the same fashion.” It was in good humor that I offered him a cloth to wipe his rose-tinted glasses, and it was in good humor that he took it.

Don’t get me wrong.  I’m a social networking user.  I trust me, but I’m fallible.  I’m also sarcastic, which is what kicked off my comment and this blog title… and I’m naturally untrusting (it comes from a background in the UK IT security industry).  Back to my fallibility.  It’s the fact that I’m human that makes me fallible.

We trust every other part of our electronic life to technology. There’s rarely spam on email, and rarely a virus; since the “Melissa” and “I love you” viruses we’ve been protected against them. We’re protected from the websites that we visit by our Web filtering technology.

So why is social any different?

Embracing Social Business

By Sarah Carter, September 12, 2011

Not long ago we blogged about the proliferation of mobile devices being used by the next generation of consumers to access the new Internet and its impact on financial services. This was the topic of a recent webinar and accompanying white paper from Forrester Research, and it’s a growing concern for all businesses: how to create safe, effective marketing programs using the latest social media platforms that drive business in a measurable way.

I recently chatted with Erin Traudt, Research Director at IDC and their resident guru on all things social (Michael Fauscette, you’ll have to forgive me, I’m not lessening your guruness with that comment ;-) ), about the marketing capabilities we recently introduced in Socialite Engage. Erin pointed us to two public Insight reports on the IDC web site that define a new kind of Social Business Framework:

“The democratization and socialization of media through the social web has turned anyone into a publisher, reporter and/or critic – subsequently redefining influence. The social customer, employee, supplier and partner each have a voice and the means to use that voice at scale. And people are listening.”

Source: IDC

IDC’s definition of social business is companies using emerging technologies (like Web 2.0 and social media) to make cultural and organizational changes to drive business. According to the IDC report, “Social Business Framework: Using People as a Platform to Enable Transformation,” there are four steps to implementing a social business:

  1. Identify the market factors driving the need for change to social business. Market factors can include such things as competition, brand awareness, customer behavior, and the economy.
  2. Recognize social objectives you want to accomplish and why they matter. Social objectives are linked to business goals and include such elements as customer engagement, employee empowerment, partner enablement, and supplier engagement.
  3. Establish social outputs to support those social objectives. These are the mechanisms you use to share, such as tweets and Facebook posts. Content creation democratizes the process so customers and partners can join the conversation, and you have to consider your community as part of social output, i.e. those individuals who are connected in some way, ideally around your brand.
  4. Determine the platforms and applications you need to achieve your desired social outputs. These are the software tools that you need to build, deploy, and manage social applications, such as Jive, Lotus Connections, and Facebook, and, of course, tools like Socialite Engage.

As part of your social business strategy, you need to adopt business tools that measure the impact of social output and social media platforms. According to the IDC Insight report “Determining the Value of Social Business ROI: Myths, Facts and Potentially High Returns,” most organizations don’t even know how to calculate ROI for traditional projects, let alone for social business. Identifying metrics to monitor social media engagement allows companies to optimize customer acquisition, decrease customer churn, and create upsell and cross-sell opportunities. But to do that, you need to be able to gain control of your social media program and measure the effectiveness and ROI of social media programs.

According to the latest Social Business Survey from IDC, there are five primary reasons that end users use social media as part of social business:

  1. Acquire knowledge and ask questions;
  2. Share knowledge and contribute ideas;
  3. Communicate with customers;
  4. Create awareness about company product or service; and
  5. Communicate with internal colleagues.

As part of your social business strategy, you need to think of the impact your social business program has on your social media audience in terms of:

  • Reach: How extensive is your online footprint and are you being effective at building an online following?
  • Impact: What part of your online community is active, paying attention to your products and messages, and influencing others?
  • Yield: How much revenue or new business can you link to active members of your social media community?

These are all factors we took into consideration when we designed Socialite Engage. We understand that for certain industries it’s essential not only to promote conversation with preapproved content, but to understand how that content performs in achieving social business goals, and which channels are yielding the desired results.

As a firm, as a business, to gauge the effectiveness of a social business initiative, you have to be able to track aggregated engagement across different social media platforms, determine who your key influencers are, and how those influencers are affecting your bottom line. And that’s what we’ve done with Socialite Engage.  We’ve designed the means to identify and track key connections into Socialite Engage, and ways to track their influence. We’ve also built in analytics to determine how those connections are affecting business, which channels and messages are having the greatest impact on sales, lead generation, or whatever initiative you have determined will drive your social business.

Embracing social business isn’t just about improving customer relations and increasing sales, it’s about changing the very DNA of your people and the organization. Developing a social business strategy means empowering your people, your customers, your partners, and your suppliers with new tools that can impact your brand and reputation, as well as your bottom line. As a result, you need new tools to monitor the conversations and measure their impact. That’s what our next generation of social business engagement tools is all about.

Follow my experiences in beta testing Socialite Engage, as I endeavor to change the social behavior and the results of social collaboration of Actiance team members, partners and customers. You can watch it all here, at blog.actiance.com (or follow us on Twitter @SarahActiance and @Actiance).

Twitter Malware: It’s Coming After You

By Jae Kim, August 23, 2011

I may need to wear a shirt like this in the office.

Most readers of this blog are savvy social media users. I would include myself in that category. Well, I would have until last Sunday.

Yes, I will come out and admit it for once. I got suckered into clicking on a Twitter malware link that was forwarded to me by one of my ‘trusted’ venture friends. Now that I’ve got that off my chest (and demonstrated that I could be just as naive as thousands of users out on the Internet), I think I can talk about this incident somewhat objectively.

It turns out that this particular malware spreads by getting a Twitter user to click on the shortened t.co URL that’s sent via private message. When an unsuspecting recipient clicks on the link, it automatically sends the same tweet to all of the recipient’s followers as a private message. Very sneaky.
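The propagation pattern described above (one account pushing the same shortened link to many followers by direct message within minutes) is exactly what a defender can look for in DM logs. The following is an added example, not code from the original post or from Actiance: a small fan-out detector run over a constructed sample of DM events. The event format, the account names and the threshold values are assumptions for illustration.

```python
"""Flag worm-like fan-out of a shortened link over direct messages."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlparse

# The post only mentions t.co; add other shortener hosts as needed.
SHORTENER_HOSTS = {"t.co"}

# Constructed sample DM log (not real data): (timestamp, sender, recipient, url).
# alice spams four followers in 14 seconds; bob (one of them) then repeats the
# pattern ten minutes later; ivan sends the same link to three people but over
# forty minutes, which is ordinary sharing rather than worm behaviour.
SAMPLE_DMS = [
    ("2011-08-21T09:00:00", "alice", "bob",   "http://t.co/abc123"),
    ("2011-08-21T09:00:05", "alice", "carol", "http://t.co/abc123"),
    ("2011-08-21T09:00:09", "alice", "dave",  "http://t.co/abc123"),
    ("2011-08-21T09:00:14", "alice", "erin",  "http://t.co/abc123"),
    ("2011-08-21T09:03:30", "carol", "alice", "http://example.org/lunch"),
    ("2011-08-21T09:10:02", "bob",   "frank", "http://t.co/abc123"),
    ("2011-08-21T09:10:06", "bob",   "grace", "http://t.co/abc123"),
    ("2011-08-21T09:10:11", "bob",   "heidi", "http://t.co/abc123"),
    ("2011-08-21T09:15:00", "dave",  "erin",  "http://t.co/xyz789"),
    ("2011-08-21T10:00:00", "ivan",  "judy",  "http://t.co/slow42"),
    ("2011-08-21T10:20:00", "ivan",  "kate",  "http://t.co/slow42"),
    ("2011-08-21T10:40:00", "ivan",  "leo",   "http://t.co/slow42"),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def is_shortened(url):
    """True when the link hides its destination behind a known shortener."""
    return urlparse(url).netloc.lower() in SHORTENER_HOSTS


def find_fanout(events, min_recipients=3, window=timedelta(minutes=5)):
    """Return [(sender, url, distinct_recipients)] for every (sender, url)
    pair that reached at least `min_recipients` distinct recipients inside a
    sliding `window`. Only shortened links are considered."""
    flagged = {}
    recent = defaultdict(deque)  # (sender, url) -> deque of (ts, recipient)
    for ts_str, sender, recipient, url in sorted(events):
        if not is_shortened(url):
            continue
        ts = parse_ts(ts_str)
        key = (sender, url)
        q = recent[key]
        q.append((ts, recipient))
        # Drop messages that fell out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) >= min_recipients:
            flagged[key] = max(len(distinct), flagged.get(key, 0))
    return [(s, u, n) for (s, u), n in sorted(flagged.items())]


def affected_recipients(events, sender, url):
    """Everyone a flagged sender pushed the link to: the list of people to warn
    (and the DMs to retract) once the account is known to be compromised."""
    return sorted({r for _, s, r, u in events if s == sender and u == url})


if __name__ == "__main__":
    for sender, url, n in find_fanout(SAMPLE_DMS):
        print(f"{sender} sent {url} to {n} followers within 5 minutes")
        print("  notify:", ", ".join(affected_recipients(SAMPLE_DMS, sender, url)))
```

The window and recipient threshold are tuning knobs; the sample shows why both matter, since ivan shares the same link with three people but never trips the detector.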

It was quite an embarrassing moment when I realized what just happened (I even had to update the new Twitter app to follow the link on my iPhone). Thanks to a couple of my co-workers and good Twitter citizen @DevonAlderton, I came to my senses only after a few hours had passed. Once a few seconds of disillusionment of my malware ‘detect-o-meter’ had passed, I regained my composure to delete all of my private tweets to all my followers (thank goodness I don’t have Kim Kardashian’s follower base) and took remedial action to shore up my defenses.
