Dear Facebook,
I appreciate your service. I really do. I’m sure that many of your 400 million active users appreciate it as well. But now that you have a market value estimated at billions of dollars, it is time for you to start acting like a grown-up company.
That means you have to provide basic security for your customers. And it means responding when your customers try to contact you, as I did recently to talk about an important security issue. Do you think you will be able to hold on to 400 million users if you treat them that way, and if you put their computers at risk? I don’t.
“You are leaving your users open to a major security risk… I know malware when I see it, and I don’t allow scripts to run on my computer.”
Read the rest of this open letter on IT Business.ca from Ira Winkler – the president of the Internet Security Advisors Group.
Websense just launched the industry’s first real-time security app for Facebook!
It provides Facebook page owners real-time content and security analysis of comments, wall posts, third party applications, links and other content posted to their Facebook page. According to Dan Hubbard, CTO, Websense…
“Other Web security technologies that try to address uncategorized Web 2.0 content using only virus signatures, URL reputation or categorization are fundamentally flawed and limited,”
Whereas other security offerings are designed to clean a user’s computer after it has been infected, Websense worked with Facebook to create the first and only security application that helps protect Facebook users from encountering malicious links, inappropriate content, viruses or spam, and is the first application to do so for both corporate and individual Facebook page owners.
The Websense security application for Facebook is immediately available in limited beta. To download it for free, or to learn more about the Defensio 2.0 platform for Web 2.0 sites, visit Defensio. To view a video introduction to Defensio 2.0 and its new features, see the video on YouTube.
It used to be coal if you weren’t nice… but malware??
Websense Security Labs™ ThreatSeeker™ Network has discovered that the Koobface Web site offers a video posted by ‘SantA’. The usual ruse of requiring a codec to watch the video is used to encourage the user to install and run a file that is, you guessed it, malware.
This malicious file is currently detected by less than 40% of the available antivirus products, according to VirusTotal.
On the compromised Facebook page the user is presented with a link to a compromised site in Switzerland. The user is redirected to one of several Koobface Web sites through a malicious Flash movie file hosted on the compromised site. If the user runs the infected file, the worm will automatically log in to their Facebook, MySpace, and several other social networking accounts and send messages to all their friends.
See screenshot of the malicious wall posts here.
My advice… make sure you have the right technology that prevents you from connecting to this and other infected sites using various ‘lures’… and in this case… Santa!!
Web 2.0 — the emerging social media world populated by entities like Facebook, Twitter and MySpace — represents the greatest danger in a sea of threats for 2010 … Read the rest of the security trends for 2010 on eChannelline.
Ontario’s privacy commissioner Ann Cavoukian says that banning employees from visiting social media sites, such as Facebook and Twitter at work isn’t a good idea.
“I think it’s a mistake,” Cavoukian said. She completely understands why in today’s environment some businesses may favour an outright ban, but says such prohibitions are almost always counterproductive.
What the commissioner has neglected to mention is that although a ‘blanket ban’ is not the solution, neither is an unsecured open policy.
To leverage the advantages that Twitter, Facebook and other social networking/user generated content sites bring to your business, you have to allow access and mitigate the security risks associated with them.
I am a wholehearted advocate of saying ‘yes’ to these Web 2.0 sites - as long as you have both a usage policy to educate your ‘users’ AND a security solution in place that can categorize pages on these sites in real time - thus giving you the ability to maximize the advantages without compromising your security posture.
Read the story as reported on itbusiness.ca
Here is an excerpt from a post on Gartner’s Blog Network by Andrea DiMaio. Although he claims not to be a security expert, Andrea provides some good insight on Web 2.0 risks in light of the effect of the Twitter outage.
He touches on three key risks:
- Malicious software that may be downloaded through sites
- Unavailability of those sites when they are needed
- Data posted on sites that may unwillingly reveal information that may negatively affect government operations
Click here to read his suggestions on how to address these risks.
I recently attended a customer event where I presented a short overview of the Web 2.0 at Work study released by Websense.
Just to ensure everyone was on the same page with respect to what Web 2.0 was… I started by asking the audience for their definition of Web 2.0.
Although only a few were brave enough to respond, just as when I ask about DLP, each one had a different definition… ranging from the generic ‘social networks’ to technical references such as ‘Ajax’. We finally agreed upon the common denominator of ‘user generated content’.
Even though I felt like that kid in Jerry Maguire having the ‘did you know?’ conversation, it was interesting to see the reactions of each attendee once presented with some of the facts and stats on the prevalence of Web 2.0 and the security misconceptions.
Needless to say, the dialogue following my breakfast presentation was dominated by… ‘I didn’t realize that!’ or ‘if I could do that, that would solve…’
Most if not all of the attendees knew that they needed an update in their security posture, but were unaware of how to address this shift from a technology perspective.
If you are trying to figure out how to provide safe and secure access to sites like Facebook, LinkedIn and other social media / Web 2.0 sites, I recommend the following Best Practices document.
Web 2.0 is here to stay – we just need to adapt our security infrastructure and policies to better address it.
Facebook just released a statement with respect to the findings of the Office of the Privacy Commissioner. Glad to see that the message of a coordinated effort being the key to true security in the Web 2.0 space is being reiterated.
“The Commissioner also recognised, as we (Facebook) do, that privacy and user control on the social web is a new area, which requires websites, users and data protection authorities to work together.”
Here is the article in the Ottawa Citizen about the original findings of the Privacy Commissioner with respect to ‘serious privacy gaps in Facebook’ and her ‘ultimatum’.
Regardless of the social network(s) you are using… the 7 Deadly Sins of Social Networking, written by Bill Brenner on CIO.com, echoes my sentiments on posting information and/or pictures on Web 2.0 sites such as Facebook, MySpace and others.
As Paul V. de Souza, chief security engineer at AT&T puts it:
“…one of the major rules when engaging in social networking is to be aware that your words belong in the public domain.”
This highlights the ‘other’ side of Web 2.0 and the sometimes negative aspect of user generated content…
Websense Security Labs has seen an increase of over 300 per cent in the number of sites it categorizes as containing “racism and hate” and “militancy and extremist” in the first five months of 2009 compared with the same period in 2008. The content was particularly prevalent on Web 2.0 sites such as Facebook.
The rise in this category of sites potentially forces businesses to reevaluate their policies on allowing Web 2.0 sites to be used at work.
A Websense survey of 1,300 IT managers in 10 countries showed that although 95 per cent of IT managers allow access to Web 2.0 in some way, only nine per cent have security in place to protect against all threats. The statistic becomes troublesome considering the survey also found that 62 per cent of IT managers believe Web 2.0 is necessary for their business.
Part of the trouble with Web 2.0 is correctly identifying the kinds of sites that it encompasses. The same Websense survey showed that only 17 per cent of IT managers correctly identified all types of Web 2.0 sites from a list. Half of these IT managers identified wikis, video uploading and cloud computing as Web 2.0.