Tag Archive for Facebook

Disposal Dummies Cause Privacy Problems

The article Disposal Dummies Cause Privacy Problems, posted at SecureWorld Post by Rebecca Herold, lays out the privacy problems caused by dumb disposal policies. The article claims that trash-based breaches are worse than ever.

The oldest security and privacy problem, unsecure disposal of personal information, is as prevalent today as it was centuries ago, the author reports. She says that because of the rapidly growing amount of data (EMC (EMC) and IDC claim that data is doubling every two years), along with print information, there are even more ways in which disposal-related breaches occur. Here are just a few instances I found:

The blog outlines some of the most common and egregious "disposal dummy" security and privacy mistakes:

  • Donating print documents with personal information on them to outside groups, like pre-schools and community groups, to use as scrap paper.
  • Selling computers, smartphones, copiers, fax machines, and other computing devices, to recoup some of the investment, but not irreversibly removing the data before the sale.
  • Putting digital storage devices in the trash without first irreversibly removing the data.
  • Putting print documents containing personal information into unsecured dumpsters, and not shredding them.
  • Never throwing away no-longer-needed hard copy and digital devices; letting them accumulate in storage areas, with inadequate or no security, allowing them to be taken by anyone who happens along.

Data disposal is important because breaches caused by poor disposal practices are getting so bad that, the article states, there are growing numbers of laws explicitly covering disposal, and bills are being proposed at the state and federal level. The Disposal Rule (part of the Fair and Accurate Credit Transactions Act of 2003, FACTA) has been in effect since 2005. The blog says FACTA has many very specific requirements that businesses of basically all types and sizes that perform most kinds of credit checks must follow when disposing of information in all forms.

In Michigan, data destruction requirements are covered in the IDENTITY THEFT PROTECTION ACT, MCL Section 445.72a, which requires destruction of data containing personal information, makes a violation a misdemeanor subject to a fine, addresses compliance, and defines "destroy".

Besides the fact that secure information disposal is now a legal requirement for most businesses, it makes sense to dispose of information securely to prevent privacy breaches. By having effective disposal policies, procedures and supporting technologies in place, businesses demonstrate reasonable due diligence.

Ms. Herold argues that all organizations, from the smallest to the largest, need to follow appropriate information disposal practices or they will experience significant privacy breaches and non-compliance penalties. She presents an action plan to get started:

  • Assign overall responsibility for information security and privacy compliance to a position or department within your organization, which will include responsibility for disposal of information in all forms.
  • Perform a disposal risk assessment to determine exactly how your organization really disposes of all types of information.
  • Create information disposal policies and procedures, or update existing ones, based upon the results of the disposal risk assessment.

The policies and procedures need to include actions such as:

  • Locate, inventory and gather at the end of their business usefulness all types of digital storage devices, including CDs, DVDs, USB drives, external drives, tapes (yes, many organizations still use them), microfiche (yes, these too) and any other type of storage media.
  • Inventory all types of computing equipment, including not just the “traditional” computers, but also devices such as printers, fax machines, copiers, smartphones, MP3 devices, and any other types of devices that do computing activities.
  • Define acceptable shredding methods and locations for paper documents. Finely cross-shredding hard copy information is recommended, in addition to ensuring any contracted shredding company does such shredding on site.
  • Define acceptable methods of irreversibly removing data from computing and digital storage devices. Degaussers are still often used, in addition to contracted services to wipe storage devices clean.
  • Make sure you include information backups, and all types of information archives, in your disposal procedures. These items are typically overlooked, and many breaches have resulted from such items.

The bottom line for all organizations, the author argues, is that you need to make sure there are proper safeguards for information, computing and storage devices during the disposal process.

The author concludes with some recommended resources and articles to help you improve your own personal, and organizational, disposal practices:

  • Disposal guidance from the Federal Trade Commission (FTC)
  • Disposal tips from the Electronic Frontier Foundation (EFF)
  • Developing a Defensible Disposal Strategy (PDF), from IBM (IBM)
  • Drowning in Data? Disposing of Unneeded Content with Confidence (IBM)

txting bday

20 years ago this week, one of the largest phenomena of web 2.0 emerged. On December 3rd 1992, a 22-year-old Canadian test engineer sat down and typed out a very simple message, "Merry Christmas." Gizmodo says the text flew over the Vodafone (VOD) network to the phone of Richard Jarvis, and since then, we just haven't been able to stop texting.

Texting is a major staple of communication now, and by far the main use of a phone for many, but it didn't start out that way. In the very beginning, texts were just a way to send network notifications, namely to let you know you had a voice-mail. In 1993, Nokia (NOK) became the first company to make GSM handsets capable of person-to-person texting, but it still didn't skyrocket to popularity for several years.

ComputerWorld reports that in late 1995, three years after Papworth’s first text message, users were only sending an average of one text every two and a half months. In 2000 the industry counted 17 billion text messages, according to data from Ericsson. In 2010, the world sent over 6.1 trillion SMS messages, or roughly 193,000 per second.

Today, upwards of 7 trillion text messages are sent every year; that's more than 200,000 per second. So while you're launching your daily flurry of textuals, take a second to consider the fact that your inane contributions are part of a zetta-flood of data.

Digital Trends claims that texting is becoming obsolete. They cite data from Chetan Sharma, an independent mobile analyst and wireless carrier consultant, reporting that the number of text message exchanges in the U.S. dropped by about 2 percent in the third quarter. This is a sharp difference from the steady growth that text messaging had previously seen. Sharma says it's the first time that text messaging has begun to dwindle in the United States.

rb-

Texting is still a huge part of the way people communicate via mobile devices, but the emergence of new messaging options has led to the first decline in SMS volume.

Apple's (AAPL) iMessage operates almost exactly like a text message but only communicates between Apple devices. iMessage completely bypasses the carrier when sending text messages between iPhones.

Facebook's (FB) Messenger app essentially exists as the mobile presence for the social network's instant messaging feature. Facebook's Messenger app can be used across multiple platforms, which could give it an advantage among text messaging alternatives.

Hopefully the competition will force AT&T (T) to stop overcharging its customers (Gizmodo claims AT&T's New Text Plan Overcharges You by 10,000,000 Percent. Literally.) and lead the way toward cheaper texting plans.

[Image: Texting history]

Privacy on IPv6 Networks

Internet service providers, web sites, and equipment vendors around the globe took part in the World IPv6 Launch in June, when Internet companies including AT&T (T), Cisco (CSCO), Comcast (CMCSA), Facebook (FB), Google (GOOG), Microsoft (MSFT), Verizon Wireless (VZ), and Yahoo (YHOO) decided to permanently turn on IPv6. A small fraction of Internet users and devices have started communicating via IPv6 networks, with more and more transitioning to the new protocol over the coming months and years. There are security and privacy implications in the switch to IPv6.

All kinds of devices will get new IPv6 numbers as the addressing format grows. The IPv6 addresses for these networked devices can be generated in a number of different ways, and the choice of how they are created has potentially wide-reaching effects for security and privacy, the Center for Democracy & Technology explains. One of the original methods for assigning new addresses involved using a unique device identifier (known as a MAC address) as the suffix of the IPv6 address. This method creates a permanent, unique address for a device, potentially allowing any server that the device communicates with to track the user indefinitely.

IPv6 designers soon realized the potential security and privacy problems of MAC-based addresses; as a result, they created an alternate method known as "privacy extensions" or "privacy addresses", the article reports. The privacy extensions use a randomly generated number instead of a MAC address. In order to protect privacy on an IPv6 network, the random number is unrelated to any device identifier and in practice lasts no more than a week (and often much less time), ensuring that the user's IP address cannot be used for long-term user tracking.
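The two address-generation methods described above, as an added example (not code from the CDT article or this post): it builds the MAC-derived identifier the way IPv6 stacks do (modified EUI-64, RFC 4291), shows that the MAC can be read straight back out of such an address, and contrasts it with a random RFC 4941-style privacy identifier. The prefix and MAC are constructed sample values.

```python
import ipaddress
import secrets
from typing import Optional

def eui64_iid_from_mac(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a
    48-bit MAC: split the MAC in half, insert ff:fe between the halves,
    then flip the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)

def mac_from_eui64_iid(iid: bytes) -> Optional[str]:
    """If the identifier has the EUI-64 shape (ff:fe in the middle), undo the
    construction and return the MAC; this is exactly what lets any server the
    device talks to recognise it again. None if it does not look MAC-derived."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)

def privacy_iid() -> bytes:
    """Random 64-bit identifier in the style of RFC 4941 privacy extensions.
    The u/l bit is cleared so it cannot be mistaken for a globally unique
    EUI-64; a real stack also regenerates it on a timer (hours to a week)."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD  # clear bit 0x02
    return bytes(iid)

def address_with_iid(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (e.g. the router-advertised one) with an identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface identifiers are 64 bits; expected a /64")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))

def audit(addr: str) -> dict:
    """Defender-side check: does this address expose a hardware identifier?"""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    mac = mac_from_eui64_iid(iid)
    return {"address": addr, "mac_derived": mac is not None, "mac": mac}

if __name__ == "__main__":
    PREFIX = "2001:db8:1::/64"    # constructed documentation prefix
    MAC = "00:1a:2b:3c:4d:5e"     # constructed sample MAC
    eui = address_with_iid(PREFIX, eui64_iid_from_mac(MAC))
    rnd = address_with_iid(PREFIX, privacy_iid())
    print("EUI-64 address :", eui, audit(str(eui)))
    print("privacy address:", rnd, audit(str(rnd)))
```

Running `audit` over addresses seen in server logs is a quick way to find hosts on your own network that still use MAC-derived identifiers.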

It is up to operating system vendors to choose which IP address assignment method will be the default on their devices. The author says that some vendors have made good choices, particularly within the last year. Microsoft has long led the charge on IPv6 privacy, with privacy extensions on by default in all versions of Microsoft Windows since the release of Windows XP nearly a decade ago. Apple followed suit last year, with privacy extensions activated by default in all versions of Mac OS X since 10.7 (Lion) and with the release of iOS 4.3 for iPhone and iPad. Google did likewise in its Android 4.0 release last year.

The CDT says that as long as Internet users choose to upgrade their operating systems to the latest versions, they should be protected against perpetual security and privacy threats from IPv6 network address tracking.

rb-

However, I wrote about reports from The H Security that mobile operating systems do not protect security or privacy on IPv6 networks. The report says mobile OSes send private information about their users to the network. The H Security article says this is not a flaw in IPv6; rather, it is lazy programming in some cases. The article points out that neither Apple's iOS nor Android devices have the option to enable Privacy Extensions or the option to disable IPv6. Apparently the only thing the smartphones need is a control option in the user interface to protect mobile OS users' privacy and security on an IPv6 network.

How to Reinvent Your Personal Brand

Dorie Clark of Clark Strategic Communications recently posted an excellent article, How to Reinvent Your Personal Brand, on the Harvard Business Review blog. The post offers a plan to follow if you want to reinvent yourself. I am on my third career iteration, from teacher to techie to manager (I didn't say it was for the better).

It happens all the time. Your path may make perfect sense to you, but how can you convince others to embrace your new brand, and take you seriously? Ms. Clark explains five steps to reinventing yourself for the business marketplace.

1. What’s Your Destination? The author says you need to develop a detailed understanding of where you want to go, and the knowledge and skills necessary to get there. If you’ve been a techie for the past decade, you may understand every new marketing toy out there, from Facebook (FB) to Foursquare. But can you effectively convey that knowledge to a non-technical audience? Learning the skills you need will help you gain the confidence necessary to start identifying (and publicizing) yourself in your new identity.

2. Leverage Your Points of Difference. In marketing, it's called a USP, a "Unique Selling Proposition." What makes you different from anyone else? That's what people will remember, and you can use it to your advantage, according to the article.

3. Develop a Narrative. Ms. Clark says it's human nature to have many interests, to seek new experiences, and to want to develop new skills over the course of your life. Unfortunately, that makes you a dilettante. It's unfair, but to protect your brand you need to develop a coherent narrative. This narrative should explain to people, in a nice, simple way so they can't miss it, exactly how your past fits into the present. It's like a job interview: you're turning what could be perceived as a weakness into a compelling strength that people can remember (he's got a different take on the industry because he has knowledge most other people don't).

4. Reintroduce Yourself. The majority of people, regrettably, aren't paying much attention to you, the author says. That means their perceptions are probably a few years out of date, and it's not their fault. With hundreds (or thousands) of Facebook friends and vague social connections, we can't expect everyone to remember all the details of our lives. So we have to strategically re-educate our friends and acquaintances, because, especially if we're launching a new business venture, they're going to be our buyers and recommenders. That means a concerted effort to phone or email everyone on your list, individually, to let them know about your new direction and, where appropriate, ask for their help, advice, or business. (Blast emails are a start, but too often go unread.)

5. Prove Your Worth. Ms. Clark says there's a difference between knowing that you've launched a new business and trusting that you'll do a good job. She explains that she may like you a lot, but unless she sees proof of your skills, she may hesitate to put her reputation on the line by sending you referrals. That's where blogs, podcasts, videocasts, and other forms of social media come in. It's critical to let potential customers see what you're about and test drive your approach before they make a large commitment.

Social Networks Are Malware Launch Pads

Social networks' role in the growth of the global virtual society has been well documented. What is not so well documented, according to Help Net Security, is the role social networks have in spreading malware. The security and privacy mechanisms of social networking firms such as LinkedIn (LNKD), Twitter and Facebook (FB) have proven insufficient to prevent exploitation.

The article notes that "To Err is Human," and human errors lead to exploitation and manipulation whether the social network is online or offline. Social networks hold a plethora of personal information on the users that form the network. Individual connections between users collectively form a web of connections. To build each link between users, an implicit trust is required between the two users and, implicitly, across the entire network. Any information provided by an individual user through chained connections becomes a part of the full network. When an attacker is able to exploit one user in the social network, they have the potential to push malicious content into the network. The network's connectivity enables the spread of the exploitation. The blog explains that attackers exploit the weakest link in the chain.

The inability of users to determine the legitimacy of content flowing through the social network aids this exploitation process. Help Net Security says the biggest problem with online social networks is that they do not have built-in protection against malware. For example, current social networks do not scan the URLs and embedded content coming from third-party servers such as Content Delivery Networks. Therefore, there is no way to authenticate the URLs passed among the user objects in the social networks.

The infection process begins with the exploitation of human ignorance and is followed by the spread of the malware through the trust upon which the network is based.

The article further explains that to start the exploitation process, an attacker will pick an issue that affects human emotions to evoke a response so the social network user will do something the attacker wishes. Phishing and spam messages about weather calamities, politics and financial transactions are used for starting infections. The author states that since social network exploitation begins by exploiting an individual's ignorance, common attack strategies have emerged.

One of the simplest infection techniques is to put malicious URLs on a user's Facebook message wall. When a user clicks on an illegitimate hyperlink it can result in automatic download of malware through the browser. Some of the exploits used are:

  • Browser Exploit Packs (BEP), which fingerprint the browser version and other software on the user's machine. Based on this information, suitable malware is served to the user, using exploits for that particular browser.
  • Drive-by-Download attacks begin by visiting a malicious page. They exploit vulnerabilities in browsers and plugins. Successful exploitation of the vulnerability causes shellcode to run that in turn downloads the malware onto the system.
  • Malicious advertisements (malvertisements) happen when an attacker injects a malicious link on a user's Facebook wall to spread malware. The fake post is linked to a third-party website which has malicious advertisements embedded in it. These advertisements are linked to malicious JavaScript which executes the malicious content in the browser.

Help Net Security states that online social networks are not harnessing the power of Safe Browsing APIs from Google (GOOG) or similar services to instantiate a verification procedure before posting a URL back to a user profile. Lack of such basic protections is a key factor in making the social networks vulnerable to exploitation.
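A small detection routine for the gap the article describes (no check on URLs before they land on a user's wall), as an added example that is not code from Help Net Security or this post. It flags the patterns named above: links straight to an executable, hosts imitating a video site, and a hypothetical local denylist standing in for a Safe Browsing lookup; the sample wall posts are constructed.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Direct downloads of these are the "setup.exe" pattern from the article.
EXEC_SUFFIXES = (".exe", ".scr", ".msi", ".bat", ".cmd", ".vbs", ".jar")
# Brands attackers imitate; only the listed registered domains are legitimate.
BRAND_DOMAINS = {
    "youtube": {"youtube.com", "youtu.be"},
    "facebook": {"facebook.com", "fb.com"},
}
# Hypothetical local denylist; in production this would be a Safe Browsing query.
DENYLIST = {"bad-video-share.example"}

def registered_domain(host: str) -> str:
    """Last two labels of the host. A crude approximation (no public-suffix
    list), but enough to separate youtube.com from youtube.evil.example."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def classify_url(url: str) -> list:
    """Return the reasons a link deserves a closer look (empty list if none)."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    domain = registered_domain(host)
    if domain in DENYLIST:
        reasons.append("denylisted domain")
    if parsed.path.lower().endswith(EXEC_SUFFIXES):
        reasons.append("links directly to an executable")
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and domain not in legit:
            reasons.append(f"lookalike host imitating {brand}")
    return reasons

def triage_posts(posts) -> list:
    """posts: iterable of (author, text). Returns one finding per flagged URL."""
    findings = []
    for author, text in posts:
        for url in URL_RE.findall(text):
            reasons = classify_url(url)
            if reasons:
                findings.append({"author": author, "url": url, "reasons": reasons})
    return findings

# Constructed sample wall posts, not real data.
SAMPLE_POSTS = [
    ("alice", "omg watch this http://youtube-videos.bad-video-share.example/watch?v=1"),
    ("bob", "haha https://www.youtube.com/watch?v=abc123"),
    ("carol", "you need this plugin to play it http://cdn.example.net/VideoEmbed/setup.exe"),
]

if __name__ == "__main__":
    for finding in triage_posts(SAMPLE_POSTS):
        print(finding)
```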

Microsoft (MSFT) recently spotted a Facebook attack in the wild that exploited Facebook users' trust in a social engineering campaign. The attack tries to trick Facebook users into installing a backdoor Trojan with keylogging capabilities, according to the Help Net Security report.

MSFT says the Facebook Wall messages varied but they all lead to fake YouTube pages. Once there, the user is urged to download a new version of "Video Embed ActiveX Object" to play the video file. Unfortunately, the offered setup.exe file is the Caphaw Trojan.

The trojan bypasses firewalls and installs an FTP server, a proxy server and a keylogger on the affected machine. Microsoft's Mihai Calota says it "… has built-in remote desktop functionality based on the open source VNC project." MSFT says the Facebook attack can be used to steal money: "We received a report … that money had been transferred from his bank account … The keylogging component, coupled with the remote desktop functionality, makes it entirely possible for this to have happened."

rb-

The articles correctly state that security and privacy mechanisms are indispensable for safe online social networking. Built-in security is necessary because attackers exploit the trust, curiosity and ignorance of the social network customers for their own profit. Users should demand safe and secure transmission of information and protection of their privacy. These should also be a focus of the social networking companies.

To protect themselves, users should:

  • Have up-to-date AV software running on their computers
  • Keep their browsers and operating systems fully patched
  • Change the passwords on all their sensitive accounts regularly
  • Warn friends and Facebook if an account seems to be hacked by using the Facebook “report/mark message as spam” option.
