
July 2010

Security concerns over Facebook

by Bill Cullifer on July 30, 2010

PC World is reporting on The Facebook Data Torrent Debacle: Q&A

According to published reports, web security concerns over Facebook have been raised yet again after a security consultant collected the names and profile URLs for 171 million Facebook accounts from publicly available information. The consultant, Ron Bowes, then uploaded the data as a torrent file, allowing anyone with an Internet connection to download it.

Simon Davies, a representative of the U.K.-based privacy watchdog Privacy International, accused Facebook of negligence over the data mining technique, according to the BBC. Facebook, however, told the British news service that Bowes’ actions haven’t exposed anything new, since all the information Bowes collected was already public.

So what are the security risks? Should you be concerned? Let’s take a look.

What data was collected?

Ron Bowes, a security consultant and blogger at Skull Security, used a script to scan Facebook profiles listed in Facebook’s public profile directory. Using the script, Bowes collected the names and profile URLs for every publicly searchable Facebook profile. All together, Bowes said he was able to collect names and Web addresses for 171 million Facebook users. That’s a little more than a third of Facebook’s 500 million users.

What did he do with the data?

Bowes compiled this list of text into a file and made it available online as a downloadable torrent.

How many people have downloaded the torrent?

The Pirate Bay lists 2923 seeds and 9473 leechers for the torrent file at the time of this writing. Seeds are people who have downloaded the entire file and are uploading to others. Leechers are actively downloading the file.

Is this a big deal?

That depends on who you ask. Facebook points out that some of the data Bowes collected was already available through search engines like Google and Bing. The entire data set is also available to any user signed into Facebook. So the data was already publicly available, and nobody’s private Facebook data has been compromised. Nevertheless, this is the first time that 171 million Facebook profile names have been collected into one set of files that can be easily analyzed and searched by anyone.

What could a malicious hacker use the data for?

As Bowes pointed out in a blog post, someone could use this data as a starting point to find other publicly available user data on Facebook. After all, how many of these 171 million Facebook users have publicly exposed e-mail addresses, phone numbers and other information on their profiles?

It has been proven time and again that the more a bad guy knows about you, the greater your security risk is. Collecting personal data allowed a French hacker to steal confidential corporate documents at Twitter. Researchers were alarmed when Netflix wanted to release anonymous user data including age, gender and ZIP code for the Netflix Prize 2. Security researchers said the data dump by Netflix was irresponsible, since it is possible to narrow down a person’s identity just by knowing their age and ZIP code. The contest was eventually canceled. One Carnegie Mellon study also found a flaw in the Social Security numbering system that could allow a sophisticated hacker using data mining techniques to uncover up to 47 Social Security numbers a minute.
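The Netflix point above is the re-identification problem: fields that look harmless on their own (age, ZIP code) become identifying once combined, because very few people share the same combination. Privacy engineers measure that with k-anonymity: group records by their quasi-identifiers and look at the smallest group. The following script is an added example written for this post, not code from the article or from Netflix; the records are constructed sample data with made-up ages and ZIP codes, and the decade-bucketing in generalize_age is one common mitigation, not the only one.

```python
from collections import Counter

# Constructed sample of "anonymized" records containing only the two
# quasi-identifiers the article mentions (age and ZIP code). No real people.
SAMPLE_RECORDS = [
    {"age": 34, "zip": "95814"},
    {"age": 34, "zip": "95814"},
    {"age": 34, "zip": "95814"},
    {"age": 38, "zip": "95814"},
    {"age": 29, "zip": "94105"},
    {"age": 29, "zip": "94105"},
    {"age": 21, "zip": "94105"},
]

QUASI_IDENTIFIERS = ("age", "zip")


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """The dataset's k: the size of its smallest equivalence class (0 if empty).

    k == 1 means at least one combination of age and ZIP code belongs to
    exactly one person, so an outside list (such as a directory scrape) that
    carries the same fields can single that person out.
    """
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0


def unique_records(records, keys=QUASI_IDENTIFIERS):
    """Quasi-identifier combinations that pinpoint exactly one record."""
    classes = equivalence_classes(records, keys)
    return sorted(combo for combo, n in classes.items() if n == 1)


def generalize_age(records, bucket=10):
    """Coarsen exact ages into ranges (e.g. 34 -> '30-39') to raise k.

    This is one standard generalization step; real releases usually also
    coarsen ZIP codes and suppress any class that stays too small.
    """
    out = []
    for r in records:
        low = (r["age"] // bucket) * bucket
        out.append({**r, "age": f"{low}-{low + bucket - 1}"})
    return out


if __name__ == "__main__":
    print("raw k =", k_anonymity(SAMPLE_RECORDS))
    print("unique (age, zip) pairs:", unique_records(SAMPLE_RECORDS))
    coarse = generalize_age(SAMPLE_RECORDS)
    print("k after bucketing ages =", k_anonymity(coarse))
    print("unique pairs after bucketing:", unique_records(coarse))
```

On the constructed sample the raw release has k = 1 (two people are the only ones with their exact age in their ZIP code), and bucketing ages into decades lifts it to k = 3. The useful habit is to run this kind of check on a dataset before publishing it, treating anything with k = 1 as effectively named.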

How do I know if my name was caught in the data dump?

From your Facebook profile dashboard, click on ‘Account’ in the upper right-hand corner. Select ‘Privacy Settings,’ and then on the next page, under ‘Basic Directory Information,’ click on ‘View Settings.’ If the first listing, “Search for me on Facebook,” is set to “Everyone,” then chances are your name and profile URL are in the torrent file.

You should also check to see if external search engines like Google and Bing are indexing your profile. To do this, go back to your main privacy settings page, and at the bottom click on the “Edit Settings” button next to “Public Search.” On the next page, if the “Enable public search” check box is ticked, then search engines are indexing your profile. To stop this, just uncheck the box and then click on “Back to Applications.”

My name is not in the public directory. Should I be concerned?

If you were not in the public directory, Bowes says your name is not in the torrent file. However, you could be exposed to similar data mining techniques in the future. Bowes says that if any of your Facebook connections have made their friends lists public, then your profile could easily be found by mining your friends’ profiles.

What can I do to keep my information private?

The biggest concern isn’t so much about your name and profile URL being exposed. The greater concern, for you anyway, is the publicly available information contained on your profile page.

To protect yourself, you may want to reconsider your current privacy settings. To do that, visit your Facebook profile’s Basic Directory Information page by following the steps listed above.

On the top right of the page you should see a button that says “Preview My Profile.” Clicking that button will show you all the information you make public on Facebook. Data you may want to consider hiding includes your hometown, birth date, age, phone number, current city and e-mail address.

So what do you say? Is Bowes’ data dump making you rethink your Facebook profile settings, or are you not concerned?


Social Media for the Enterprise: A Cautionary Tale

by Bill Cullifer on July 12, 2010


Social Media: A Cautionary Tale: Focus on Enterprise

Today’s podcast is a continuation of the media coverage of the Web 2.0 event that took place in San Francisco, CA, late last month.

Title of session: Social Media: A Cautionary Tale: Focus on Enterprise, with Mike Gotta, Principal Analyst (Burton Group), and Alice Wang, Director (Burton Group).

As social media solutions become more complex, IT organizations are becoming more involved to work with business strategists on ways to mitigate risks. Security, compliance, confidentiality, data loss prevention, brand reputation, and human resource concerns (i.e., ethics/conduct) are issues that organizations cannot ignore.

Related article recently published in the Sacramento Bee

Social media can help business, but it can bite back too
By Darrell Smith
Sunday, Jul. 11, 2010 – 12:00 am | Page 1D

Companies are swarming to social networking sites like Facebook and Twitter, hoping to boost their brands, connect with customers and even find new employees.

But they’re also struggling to rein in potential problems. Employers cringe at the thought of employees revealing proprietary information, hackers making mischief or a roomful of workers busy reconnecting with old high school friends on Facebook instead of doing their jobs.

The ubiquity of social networking – 77 percent of workers have a Facebook account, for example, and 61 percent of those access Facebook on the job, according to Boston-based Nucleus Research – complicates matters.

“Everyone’s on Facebook, even grandmothers,” said Amelya Stevenson, president of Granite Bay human resources consultancy e-VentExe. “Companies don’t want to limit their activity, but they have to arm themselves. It depends on the culture and if they trust their employees.”

Nucleus last July estimated that on-the-job use of Facebook alone costs companies 1.5 percent of total employee productivity.

Policies on employee use of social networks are all over the map, from total bans on internal access to no policy at all.

A 2009 survey by the Minneapolis-based Society of Corporate Compliance and Ethics found that just one in three businesses have a general policy for employee online activity including use of social networks.

The survey – titled “Facebook, Twitter, LinkedIn and Compliance: What are Companies Doing?” – also found that half have no policy for employee online activity outside work, and just 10 percent have a specific policy addressing social networking sites.

“So much of the Internet seems to come out of nowhere,” said society vice president Adam Turteltaub. “The pace of change is such that technology continues emerging and taking on a life of its own that we can’t control.”

Roy Snell, the society’s CEO, said employers should have a clear policy in place and supervisors to enforce it while encouraging their employees to use social media to network with their industry peers.

There’s no doubt that many companies and government agencies are finding ways to use social media as a highly effective information gateway.

Nearly 70 percent of small business marketers are employing social media, according to e-mail marketing firm AWeber Communications.

And social networks have become the go-to recruiting tool for employers who are hiring, said Burlingame-based Jobvite Inc. in its 2010 Social Recruiting Survey, with 83 percent using or planning to use the sites for recruiting.

Sacramento Mayor Kevin Johnson posts Twitter feeds on everything from his Greenwise Sacramento initiative to the NBA finals and has built a following in the thousands.

The Sacramento Police Department has its own Facebook page and posts updates on incidents across the city on its Twitter page.

Sacramento-based medical group Sutter Health posts Facebook updates, blogs on its MySutter sites and uploads video to YouTube, in an effort to better communicate with patients and utilize the expertise of its staff members.

Such activities have become a valuable tool linking physicians to patients and to other medical experts, said Sutter communications director Karen Garner, who helped develop the medical group’s social media policy.

Sutter does not block Internet access at many of its facilities, but much of its social media policy dovetails with its standard communication guidelines: Do not identify a patient’s identity or condition; do not share confidential employer information or trade secrets; keep personal Internet and e-mail use to a minimum.

Social media sites are “an integral tool” for city of Sacramento employees, said assistant city manager Cassandra Jennings, but internal use is monitored and tracked by IT staff to guard against abuse.

Some Internet sites are blocked; on others, a prompt asks employees if they have permission to view the site, Jennings said.

At Verizon Wireless, which has call centers in Folsom and Rancho Cordova, employees routinely use Facebook and Twitter in an official capacity to connect with customers, but access to those same sites and nearly everything else online is blocked to employees internally.

“The majority of networks are locked down to the essentials you need to do your job,” said Heidi Flato, a Verizon spokeswoman.

Verizon uses an intranet site to communicate with employees. The main focus, Flato said, is productivity.

“Most (employers) are playing catch-up on this,” said Alden Parker, an employment attorney at Sacramento law firm Balsam Parker. “You have to make sure that you’re not losing employee hours to these time-sucking activities.”

But potential problems go beyond simple time wasting. Disgruntled employees, dissatisfied customers and malicious hackers can seriously damage a company’s image.

A 2009 survey by Sunnyvale-based Internet security firm Proofpoint found that 45 percent of U.S. businesses were “highly concerned” about employees leaking information via posts on social network sites; 41 percent were similarly concerned about leaks posted on Twitter and other short-message sites.

One in three companies said they had investigated leaks related to social media postings, Proofpoint reported.

“There’s proprietary information, but there’s also the suggestion of disloyalty, something that doesn’t portray the company in a positive light,” said Parker. “Good will is the last surviving value at a company.”

Like many organizations, the Sacramento River Cats baseball team uses Facebook and Twitter to connect with its customers. But the club’s Facebook account recently was deactivated by a hacker.

The site is now back up, but the team faces the task of reconnecting with the more than 5,500 fans who followed it as “friends.”

“We use these tools to reach our fan base, but at the same time, they’re vulnerable devices,” said Nicholas Lozito, media relations coordinator for the team.

When High-Tech Institute Inc., which has a school in Sacramento, put out a news release last week announcing it had changed its name to Anthem Education Group, the company was surprised to learn from a reporter that its Wikipedia entry had been rewritten by an unknown party.

The revised entry, ridiculing the company’s schools as overpriced and ineffective, had been online for more than a week.

With so many ways for customers to interact and comment online, protecting and managing the company’s brand and reputation can be a full-time job, said Dave Marcus, director of security and research at Internet security firm McAfee Labs.

“Bad guys are clever and tools are automated,” Marcus said. “This is a Web 2.0 world. You don’t want to give up control of your brand.”

So how do companies negotiate the world of social media, taking advantage of its benefits and avoiding its pitfalls?

“There are no easy answers,” said Turteltaub, the Society of Corporate Compliance and Ethics vice president. “It may be that companies will never figure it out. There’s not an off-shelf answer to this.”

Read more: http://www.sacbee.com/2010/07/11/2880623/social-media-can-help-business.html#ixzz0tUwUYLZH
