Group items tagged

This tip is part of Mitigating Web 2.0 threats, a lesson in SearchSecurity.com's Data Protection Security School. Visit the lesson page or our Security School Course Catalog for additional learning resources. Social networking, a term relatively new to the computing vernacular, has already become part of the cultural norm for a great proportion of Internet users. Even more recently, the use of online communities to establish and build connections among those with shared interests has become part of the corporate world as well. As professional social networks such as LinkedIn and Blue Chip Expert continue to grow, and professional groups gain in popularity on once-personal sites like Facebook and MySpace, enterprise security and risk management professionals must face the reality that these sites are emerging conduits for the unauthorized disclosure of confidential corperate information. Add the use of public social networking tools to the list of concerns, and the effectiveness of the traditional corporate security perimeter is further diminished. However, a robust set of policy, process and architecture aids in mitigating the risks of being social. Broadly, social networking is described as software that lets people interact, rendezvous, connect, play or collaborate by use of a computer network. This definition covers the popular social networking sites, including those mentioned above, as well as blogs, wikis, RSS, podcasts, tags, and more recently, search engines. While there are numerous benefits to social network solutions, including reducing costs and increasing collaboration, we'll focus on addressing the risks.

Social networking users are more vulnerable than ever and taking more risks with their online privacy. According to the 'Bringing Social Security to the Online Community' poll by AVG, while the social networking community has serious concerns about the overall security of public spaces, few are taking the most basic of steps to protect themselves against online crimes. Participants indicated concern over growing phishing, spam and malware attacks, and nearly half of those surveyed are very concerned about their personal identity being stolen in an online community. Despite widespread use of social networks at home and/or at work, 64 per cent of users infrequently or never change their passwords on a regular basis, while 57 per cent infrequently or never adjust their privacy settings. Further, 21 per cent accept contact offerings from members they do not recognise, more than half let acquaintances or roommates access social networks on their machines, 64 per cent click on links offered by community members or contacts and 26 per cent share files within social networks. As a result of this widespread proliferation of links, files and unsolicited contacts, nearly 20 per cent have experienced identity theft, 47 per cent have been victims of malware infections and 55 per cent have seen phishing attacks.

Ah, social networking. It's become the fabric of today's Internet generation. Don't have a Twitter account? Heavens, even Sen. John McCain has a Twitter account. Signed up with Facebook? Only losers don't have a Facebook account. MySpace? Not bad, but it's so five minutes ago. But as lovely as social networking may be, there are a few problems. One of the biggest appears to be that you can kiss your privacy good-bye. Now, I'm not talking about the predilection of some people to share intimate details about themselves on social networking sites. I'm actually referring to the other things that might help contribute to your financial ruin. Those most enthusiastic about social networking are cybercriminals. They drool at the prospect of seeing the personal information of the 175 million people on Facebook. And they know how to use that information. For example, cybercrooks take great interest in the names of pets or grandparents on Facebook pages. That's the kind of information that banks and credit-card companies use to verify who you are when you bank online. "There are so many people on social-networking sites that it is becoming profitable for bad guys to go there," David Perry, global director of education at software security firm Trend Micro, recently told Agence France-Presse (AFP). "Bad guys can see all the things you post. You may be revealing personal information that is extremely valuable." Now Facebook has made revealing personal information even easier. This past week, it announced that users can change their privacy settings so everyone can see their profile. The company was actually responding to a request from many users who wanted the ability to share their information with even more people. As I said, cybercrooks are drooling.

Social networking sites are often used by government ministers as an example of the profound way attitudes to privacy have changed. They argue that the young generation invade their own privacy to a far greater extent than the government ever would. The implication is that the older people who object to government intrusion are living in the past. The response to this is that people who use social networking sites voluntarily reveal things about themselves and have a degree of control of over how long information and photographs stay in the public domain, while the government collects and stores information without permission and allows the subject no access to the data held. There is no obvious comparison between the two activities. But this doesn't let the social networking sites off the hook. Most internet companies claim a kind of morality free status when it comes to such issues as privacy and copyright, and Web 2.0 sites are no different. A study published this week by Cambridge PhD students shows that nearly half of all social networking sites retain copies of photographs after being "deleted" by users. The study examined 16 popular websites that host user-uploaded photos, including social networking sites, blogging sites and dedicated-photo-sharing sites. Seven of the 16 sites surveyed were still maintaining copies of users' photos after they had been deleted by the user. The researchers - Jonathan Anderson, Andrew Lewis, Joseph Bonneau and lecturer Frank Stajano - found that by keeping a note of the URL where the photo is actually stored in a content delivery network, it was possible for them to access the photo even after it had been deleted.

Social media is on the rise, and so are the privacy and security risks. Is it time to dial back on the whole Web 2.0 'friend' thing? The social media honeymoon is officially over. While it may not yet be time to fly to Reno for a quickie divorce, you might want to start thinking about sleeping in separate bedrooms for a while. Example du jour: Over the weekend, a rogue application spread across Facebook, warning users about bogus errors in their profiles. Clicking on the "Error Check System" app causes it to send false warnings to your entire FB posse, per the unofficial AllFacebook blog. There doesn't seem to be any payload associated with that app besides driving traffic, but the potential for abuse is obvious. But a bigger problem on social nets is an old familiar one: spam. So far, spam only accounts for about 5 to 25 percent of all e-mail passed on social networks, versus 90 percent of regular e-mail, says Adam O'Donnell, director of emerging tech for Cloudmark, which filters spam for some large social nets (but won't identify which ones). As more people start tweeting about what their cats ate for lunch and share their Facebook profiles with near-total strangers, though, that number will only grow. The type of spam on social networks is different too, says O'Donnell. Think fewer fake Viagra come-ons, more social engineering scams. In other words, the junk you get on social networks is more likely to be aimed at stealing your credentials or your identity -- and thus much more dangerous than garden-variety spam.

Taking a step toward creating more formal standards, the Interactive Advertising Bureau Monday released a set of best practices for social media advertising covering key terms, creative elements, and user privacy, among other topics. The guidelines unveiled at the IAB's Social Media Marketplace conference in New York are intended to encourage the growth of social advertising by giving marketers, agencies and social networks preliminary rules to navigate a category that now spans hundreds of millions of users. "Industry standards are essential to making social media easy, safe and scalable for advertisers," said Seth Goldstein, CEO of Socialmedia.com and co-chair of the IAB's UGC Social Media Committee, in a statement. "The new IAB framework is a critical first step in this direction and we are excited to help enable the next generation of social advertising." While marketers have been eager to experiment with social media, a lack of standard ad formats and metrics and privacy concerns remain obstacles to more rapid advertising growth on social sites. Even so, Forrester Research projects that social media marketing will increase nearly 60% this year to $716 million.

To find out more about the survey, I asked Deloitte LLP chairman of the board Sharon Allen to provide some additional context. Given that my only risk-management concern early this week relates to thunderstorms off the coast of South Padre Island, I asked Sharon to step in as a guest blogger today. Here's what she sent me: When I was a high school student growing up in the small farming community of Kimberly, Idaho, little did I know that a song from that time could serve as an anthem for something happening in the workplace today. The Beatles' 1967 classic "Hello Goodbye" is a study in contrasts, as are the current attitudes about social media. Social media has arrived - and with it, employers and employees are singing very different songs about what constitutes appropriate social networking both on and off the job. Recently, I commissioned the third annual Deloitte LLP "Ethics & Workplace" survey. We polled 500 executives and 2,000 employees outside Deloitte. Our survey found that 60 percent of business executives believe they have a right to know how employees portray themselves and their organizations in online social networks. Perhaps because nearly three-fourths of the employees in our poll agreed that the use of social networks makes it easier to damage a company's reputation. However, more than half of employees polled say their social networking pages are not an employer's concern. That belief is especially true among younger workers, with nearly two-thirds of 18- to 34-year-old respondents stating that employers have no business monitoring their online activity.

New Jersey lawmakers are considering new legislation that would require Facebook, MySpace and others to police social networking sites for offensive posts or else face potential consumer fraud lawsuits. But some lawyers say that even if the measure is enacted, it's not likely to have much impact on social networking sites because the federal Communications Decency Act immunizes such sites from lawsuits based on material posted by users. The bill is part of state Attorney General Anne Milgram's Internet safety initiative. "The social networking site safety act is intended to deter cyber-bullying and the misuse of social networking Web sites," the Office of Attorney General said in a statement about the measure. "The bill empowers users of social networking sites to take steps to stop harassment or exploitation." Last year, Milgram garnered headlines by launching a fraud investigation of gossip site JuicyCampus.com -- where users frequently posted insults about college students -- but no legal action resulted. (That site folded last month for financial reasons.) Attempts to rein in cyberbullying might be politically popular, but this type of state effort to regulate global Web sites is also likely to prove useless, say cyber lawyers. "We need to recognize that legislating on the Internet can't be done on a state-by-state basis," said Parry Aftab, an expert on Web safety and cyber-abuse. "We can't have a different law in each state."

Free Social Media Screening Ever wondered if you actually have customers on social networks? Try Rapleaf's free social media screening. We'll take a look at your customer base and tell you some basic information about whether or not you have customers on social networks. The Rapleaf Social Media Screening will tell you the following: * Percentages of your consumers that are active on sites * Gender breakdown of your consumers * Friend counts of your consumers Rapleaf's social media screening is a great way to get your feet wet in social media. It's also an easy tool to help you understand whether or not to conduct deeper research on your consumers across the social web by acquiring a full Rapleaf Report To get started, fill out the form to the right and submit a few test consumer emails to our system.

You can't ignore the presence and usage of all the myriad forms of instant messaging, social networking and blogging. The millennial generation won't thrive in companies where Facebook is banned or texting is frowned upon. They think and work so differently from their baby boomer managers that generational clashes are inevitable. The Security Executive Council and CXO Media, producer of CSO Perspectives and CSO magazine, are partnering to probe attitudes toward collaborative technologies like IM and social networking. By participating you will receive a research report based on this survey. Definition of web 2.0 apps: The term "Web 2.0" describes the changing trends in the use of World Wide Web technology and web design that aim to enhance creativity, communications, secure information sharing, collaboration and functionality of the web. Web 2.0 concepts have led to the development and evolution of web culture communities and hosted services, such as social-networking sites, video sharing sites, wikis, blogs, and folksonomies. (Wikipedia)

Facebook has gone a long way to protect the privacy of users on its own site. But what happens when users share their Facebook profiles and friend lists with other sites? Are social networks responsible for defending data its members decide to take elsewhere? Those questions have taken on added urgency following the introduction of tools by leading social networks, including Facebook and News Corp.'s (NWS) MySpace, that let users interact with their friends on partner sites. Facebook Connect, for example, lets a user instantly share a movie rating on Netflix (NFLX) with all or some of his or her pals on Facebook. Privacy advocates warn that these services pose a whole new set of concerns about how user data are collected and shared among sites on the Web. Using these open-networking tools, thousands of companies can unearth a trove of new data about a visitor-age, gender, location, interests, and even what a person looks like. "I'm wondering if people really understand when they're using Facebook Connect that other sites get access to their whole user profile and social graph," says Pam Dixon, executive director of the World Privacy Forum. Announced last July, Facebook Connect has already signed up more than 8,000 partner sites, many of which plan to use data collected on Facebook members for their own purposes. Joost, a video-viewing site that integrated with Facebook Connect in December, checks the ages of viewers entered on their Facebook profiles to give its own content partners-CBS (CBS), for example-a better idea of which Joost users are watching CBS programming. Digg.com will let users display their Facebook profile photos alongside comments they make on the social news-sharing site.

Web sites that strip personally identifiable information about their users and then share that data may be compromising their users' privacy, according to researchers at the University of Texas at Austin. They took a close look at the way anonymous data can be analyzed and have come to some troubling conclusions. In a paper set to be delivered at an upcoming security conference, they showed how they were able to map out the connections on public social networks such as Twitter and Flickr. They were then able to identify people who were on both networks by looking at the many connections surrounding their network of friends. The technique isn't 100 percent effective, but it may make some users uncomfortable about whether they should allow their data to be shared in an anonymous format. Web site operators often share data about users with partners and advertisers after stripping it of any personally identifiable information such as names, addresses or birth dates. Arvind Narayanan and fellow researcher Vitaly Shmatikov found that by analyzing these "anonymized" data sets, they could identify Flickr users who were also on Twitter about two-thirds of the time, depending on how much information they have to work with. "A lot of the time people will share information online and they'll expect that they are anonymous," Narayanan said in an interview. But if their identity can be ascertained on one social network, its possible to find out who they are on some other network, or at least make a "strong guess," he said.

One of my predictions for last year was that privacy would be a growing concern among mainstream users. I didn't repeat that prediction this year, but perhaps I should have. The reason? Apparently, younger web users seem to care more about privacy controls. Or at least, they use them more. According to Facebook chief privacy officer Chris Kelly, more teenagers than adults use privacy controls on the social network, at a rate of 60% to about 25-30%. That's surprising given the conventional wisdom that younger Internet users tend not to care about the privacy of their data. A recent study from Computer Associates confirms that many teens are at least somewhat concerned with online privacy. That study showed that 79% of teens aged 13-17 who are members of a social networking site like MySpace or Facebook protect their profiles from the general Internet in some way (i.e., only allow friends or friends of friends to view their information). Profiles on Facebook, of course, are automatically protected from viewing by the Internet at large, but protecting them from the rest of your network requires additional steps. That teens are more likely to utilize Facebook's granular privacy controls points to one of two things that lead to the same conclusion: 1. Teens care more about online privacy than adults, or, 2. Teens are simply more aware of social networking privacy controls than adults.

A majority of business executives believe that they have a right to know what their employees are doing on social-networking sites, but most workers say it's none of their bosses' business, according to a new survey by Deloitte. The survey was conducted in April with about 2,000 U.S. adults. Of the 500 respondents with managerial job titles (vice president, CIO, partner, board member, etc.), 299, or 60%, agreed that businesses have a right to know how employees portray themselves or their companies on sites like Facebook and MySpace. But 53% of employee respondents said their profiles are none of their employers' business, and 61% said that they wouldn't change what they were doing online even if their boss was monitoring their activities. That disagreement, says Sharon Allen, chairman of Deloitte's board and the sponsor of the survey, is one that companies need to address, particularly as these sites have become part of younger workers' lives. "It does, in fact, tee up the challenging debate or discussion that needs to take place to try to resolve both of their concerns," she said. Few businesses are having that conversation, according to the survey, though many executives indicated that it was on their minds. When asked what their company's policy was regarding social-networking use, roughly a quarter (26%) of employees said they knew of specific guidelines as to what they could and couldn't post. Similar numbers said their office didn't have a policy or they didn't know if their company had a policy - 23% and 24%, respectively.

When the director of IT at a Boston-based, midsize pharmaceutical firm was first approached to participate in a data leakage audit, he was thrilled. He figured the audit would uncover a few weak spots in the company's data leak defenses and he would then be able to leverage the audit results into funding for additional security resources. "Data leakage is an area that doesn't get a lot of focus until something bad happens. Your biggest hope is that when you raise concerns about data vulnerability, someone will see the value in allowing you to move forward to protect it," the IT director says. But he got way more than he bargained for. The 15-day audit identified 11,000 potential leaks, and revealed gaping holes in the IT team's security practices. (Read a related story on the most common violations encountered.) The audit, conducted by Networks Unlimited in Hudson, Mass., examined outbound e-mail, FTP and Web communications. The targets were leaks of general financial information, corporate plans and strategies, employee and other personal identifiable information, intellectual property and proprietary processes. Networks Unlimited placed one tap between the corporate LAN and the firewall and a second tap between the external e-mail gateway and the firewall. Networks Unlimited used WebSense software on two servers to monitor unencrypted traffic. Then it analyzed the traffic with respect to company policy. Specifically, Networks Unlimited looked for violations of the pharmaceutical firm's internal confidentiality policy, corporate information security policy, Massachusetts Privacy Laws (which go into effect in 2010), Health Insurance Portability and Accountability Act (HIPAA), and Security and Exchange Commission and Sarbanes-Oxley regulations. Auditor Jason Spinosa, senior engineer at Networks Unlimited, says that while he selected the criteria for this audit, he usually recommends that companies take time to determine their policy settings based on their risk

"The Electronic Frontier Foundation said it sued the Justice Department and other U.S. agencies to get information about their policies for using social networks including Facebook and Twitter in investigations, data collection and surveillance. The civil rights group said in a complaint filed yesterday in federal court in San Francisco that the government has used social-networking sites in conducting investigations and hasn't clarified the scope of that use or whether there are any restrictions or oversight to prevent abuses. The EFF said in its complaint that it is seeking the information to "help inform Congress and the public about the effect of such uses and purposes on citizens' privacy rights and associated legal protections." It cited news articles that reported police searching Facebook photos for evidence of underage drinking and an FBI search of an individual's home after the person sent messages on Twitter during the G-20 Summit notifying protesters of police movements. Facebook, based in Palo Alto, California, is the world's largest social networking site with more than 300 million users who post photos, messages and other information on their own free Facebook pages. Twitter, based in San Francisco, is a free Web service with 58 million users that lets people send 140- character messages, called "tweets," to multiple followers. EFF, also based in San Francisco, filed Freedom of Information Act requests with federal agencies in October. None of the agencies had completed processing the requests by the applicable 20-day deadline, according to the complaint. The lawsuit seeks a court order for the government to process the requests and produce documents."

NEW YORK With increasing amounts of personal information liable to float around in cyberspace, consumers are deciding whether their data is safe in the hands of some public- and private-sector entities. A BBC World News America/Harris Poll finds a mixed verdict, with social-networking sites faring especially badly. In polling conducted last month, adults were asked to say how much trust they have in various sectors "to handle your personally identified information (such as credit-card information, contact information and so forth) in a properly confidential and secure manner." The poll's best scores went to "health providers, such as doctors and hospitals," with 20 percent of respondents expressing "a great deal of trust" and 55 percent "some trust" in these. Nineteen percent voiced "not much trust" and 7 percent "no trust at all" in this sector. At the bottom of the rankings were "social-networking sites (like Facebook or MySpace)," with 5 percent expressing a great deal of trust and 18 percent some trust in these. Thirty-one percent said they had not much trust and 46 percent no trust at all in these sites to safeguard personal information. (Whether people should direct their distrust to themselves for posting such information there in the first place is a question the survey didn't address.) Respondents were also wary of "search and portal sites (like Google or Yahoo!)" when it comes to keeping personal information secure: Ten percent voiced a great deal of trust, 39 percent some, 29 percent not much and 22 percent no trust at all. Even the federal government fared (slightly) better, with 13 percent expressing a great deal of trust, 41 percent some, 28 percent not much and 18 percent none. The scores were more positive for "banks and brokerage companies": 15 percent a great deal of trust, 43 percent some, 28 percent not much and 13 percent none. That was roughly on a par with the ratings for "my e-mail provider": 14 percent a great deal, 48 percent some, 27 p

Burger King's wildly popular Facebook application "Whopper Sacrifice," which rewards you with a free Whopper when you drop 10 friends, has been shut down. Social networking just got healthier. Last week, Burger King announced it was teaming up with social networking powerhouse Facebook for a special promotion: If you removed 10 people from your network of friends, the fast-food company would reward you with a coupon for a free Whopper. The story became an Internet sensation, but it's only now getting meatier. As it turns out, a notification feature on the "Whopper Sacrifice" application that lets your friends know they have been replaced by a shot at a free hamburger violates Facebook's privacy policy. "We encourage creativity from developers and companies using Facebook platform, but we also must ensure that applications follow users' expectations and privacy," the company said in a statement. "After extensive discussions with the developer, we've made some changes to the application's behavior to assure that users' expectations of privacy are maintained. The application remains active on Facebook."

Mary Kay Hoal tried everything she could to keep her daughter off of MySpace. She put password locks on the computer and blocked the site. Still, her daughter found ways to log on. Hoal's concerns stemmed from statistics that showed 29,000 registered sex offenders were on MySpace, one out of every five kids are sexually solicited online, and nine out of ten children are exposed to pornography online. When she looked for alternative safe sites for kids, she found none, so she decided to do something about it. Story continues below ↓advertisement | your ad here Click Here! The result is www.yoursphere.com, the only social networking site for kids and teens that's backed by the Federal Trade Commission through the site's Privacy Vaults approval. The site's Chief Technology officer worked at the California Department of Justice tracking anonymous online sex offenders, as well as the Megan's Law database. Moreover, it requires verified parental consent for a minor to join. Other features include: -- Requires verifiable parental consent to join -- Confirms the identity of the parent providing consent -- Confirms that the parent or guardian providing consent is not a registered sex offender -- Is exclusively for kids and teens through age 18. -- Exceeds COPPA (Children's Online Privacy Protection Act) and Federal Trade Commission (FTC) guidelines for protecting kids online through our approval by Privacy Vaults Inc. -- Whose policy is "no creepers allowed" -- lurkers are removed and banned. -- No fake profiles. (No one is anonymous on Yoursphere.com) "The bottom line is that we're the only place in the online world that that has taken extraordinary measures to help ensure the safety of its members and meets or exceeds standards set by the government," Hoal said. "Our opinion is that if it's a behavior that is illegal, immoral or unacceptable offline, then it's unacceptable online." About Mary Kay Hoal After researching the disturbing la

Though Facebook has sometimes been criticized for sacrificing the privacy of its users in order to monetize the service, Chris Kelly, Facebook's chief privacy officer, has presided over the social network's efforts to build out the most sophisticated privacy options in the industry. On a granular level, Facebook users can now control what bits of information they share with each individual friend, group or network. Facebook users have taken notice. According to an annual study by the Ponemon Institute, a privacy research firm, Facebook ranks within the top 20 (15th) most trusted companies for privacy as rated by U.S. consumers. Kelly's job sometimes appears tricky, however. He must ensure that users feel they have control over their information, while weighing that need against Facebook's business model, which relies heavily on a culture of openness and sharing. Here is the full interview CIO conducted with Kelly during our reporting for a special feature on social networks and privacy. Kelly talked about what constitutes Facebook's overall view towards privacy, and how that affects its ability to serve up ads.