Tag Archive for FB

Banks & Bosses Use Social Media to Assess Risk

Updated 10-22-10 – GigaOm has a post about Rapleaf here.

If you’re among the 67% of the global online population that Nielsen Online says uses social media networks to stay in touch with friends, grow their business, or just have fun, then your information is for sale to banks, insurance companies, employers, and the government. Some banks are turning to social media analytics firms to enhance their credit-check procedures.

Banks are now looking at an applicant’s social media profile, behavior, and associations on sites like Facebook (FB), Twitter, and MySpace, according to a recent article on the banking industry site CreditCards.com. The bankers’ theory is that people run with folks who share their values and behavior: if your Facebook friends are deadbeats, the banks theorize you are a deadbeat too. These assumptions may make it harder to get a credit card or mortgage, according to CreditCards.com.

Many banks are now outsourcing their social network data mining operations to firms such as Rapleaf, a San Francisco, CA-based company that specializes in social media monitoring. According to CreditCards.com, Rapleaf compiles everything you and your network do – including status updates, “tweets,” joining online clubs, linking a Web site, or posting a comment on a blog or news Web site. These firms turn the conversations into consumer profiles called social graphs. Social graphs give companies insight into behavior patterns: what you like and dislike, want and don’t want, do well and do poorly.

In the article, Rapleaf characterizes its social network data mining operations as “a unique way to improve customer experience by whitelisting customers based on their social circles and friend relationships.” Since the firm uses data to “whitelist” people, it may just as easily be used to “blacklist” people and deny them a credit card or a job. “Who you hang around with has empirical implications with how you behave,” Joel Jewitt, Rapleaf’s vice president of business development, told FastCompany.

“It’s a marketing trend as opposed to a credit score trend,” says Jewitt. Despite his assurances, Rapleaf’s Web site suggests that clients “use friend networks to enhance … credit scoring,” according to FastCompany. Jesse Torres, president and CEO of Pan American Bank in Los Angeles, told CreditCards.com that online information aggregators fill a need within the banking community. “They’re able to scour the social media universe. They are constantly listening and reporting back.”

The bankers are protecting their bottom line. “Credit card companies have been stung very hard during this downturn, and they’re going to work that much harder to avoid extending credit…,” Ken Clark, author of The Complete Idiot’s Guide to Boosting Your Financial IQ, told CreditCards.com. Rob Garcia, senior director of product strategy at The Lending Club, a peer-to-peer lender, says his firm uses multiple sources of “social information collateral” in its decision-making processes. “It’s a wealth of information about a person,” says Garcia.

Not everyone in the industry is data mining social networks. “It’s difficult to make a judgment about an individual’s credit based on the people around them,” says Gregory Meyer, community relations manager for Meriwest Credit Union in San José, CA. Meriwest only assesses credit reports and application data to make lending decisions. “[Social media] is a great way to keep up with what my 10-year-old nephew is up to, but it doesn’t have a place in the credit process.”

What you divulge can have an unintended impact. “We’ve seen this with applicants not getting jobs and employees getting fired for their Facebook and Twitter-based escapades,” financial personality Clark told CreditCards.com, “so we shouldn’t imagine this to be any different.” There are steps to take to guard your privacy. “I think it is crucial that everyone visit the privacy notices for the sites they use, read them, and change their settings to limit who can see their information,” says Clark. “For example, on Facebook, you can change your privacy settings so that only your acknowledged friends can see the majority of your information.” You can also enable “private filtering” on your browser. Do so and your activity will be entirely out of the Web profiling system.

Scott Stevenson, president and CEO of EliminateIDTheft.com, told CreditCards.com that people should:

  1. Don’t accept invitations until you check the profile out first.
  2. Be acutely aware of what you write. Don’t make public anything you don’t want public.
  3. Take an annual inventory of all your social networking sites and delete people and information that can potentially damage you in the eyes of a creditor or employer.

Rapleaf offers a service to discover your online footprint and see what others might see on your social graph. Google (GOOG) offers a similar tool, the Google Privacy Dashboard, which presents an overview of the accounts and information you are connected with through Google. Take advantage of tools like these to check your own online reputation. What you don’t know can hurt you. Rapleaf’s Jewitt reminds users that, “The custodian of the information is you.”

rb-

There is nothing illegal about the social network data mining that banks and firms like Rapleaf do. Facebook and the other social networks are legal commercial enterprises that openly broker user data for exactly these kinds of purposes. People freely put information on Facebook with the full knowledge that it will become a permanent part of the public Internet record. Users need to know about this kind of data mining for two reasons. First, the stakes are high. It’s about getting access to credit that might be necessary for your family or business, or even getting your next job.

Second, data mining gives lenders insights into relationships that are unknown to, and often completely out of the control of, the applicant. Maybe being a Facebook fan of NASCAR says something, in aggregate, about your socioeconomic status and your creditworthiness or employability, according to some second-order derivative analysis of millions of data records.

The asymmetry in the relationship between data-driven marketers and consumers is structural and permanent. Institutions like banks (and, potentially, insurance companies, employers, and the government) will use it to gain an advantage, because that’s what they do.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Microsoft Founder Sues GOOG, FB and AAPL

Updated 12-13-10 – Physorg is reporting that a U.S. district judge tossed out the patent infringement lawsuit filed by Interval Licensing, owned by Microsoft co-founder Paul Allen. The judge ruled that the suit failed to specify the devices or products violating the patents at issue in the case. A spokesman for Allen dismissed the ruling as a procedural matter and said that an amended complaint will be filed addressing the judge’s concern.

– Updated – Google responded to the suit by stating in court documents, “Interval’s complaint is so devoid of any facts to support its infringement contentions that it is impossible for Google to reasonably prepare a defense.” According to VON | xchange, Apple agreed and called on judges to “insist upon some specificity” before proceeding.

The UK’s Guardian is reporting that eleven major Internet companies, including AOL, Apple, eBay, Facebook, Google, Netflix, Office Depot, OfficeMax, Staples, Yahoo, and YouTube, are being sued by Interval Licensing. The firm, led by Microsoft co-founder Paul Allen, is suing for alleged infringement of patents that relate to e-commerce and search. A copy of the complaint is available here (PDF). Notably absent from the list are Microsoft and Amazon.com. Amazon, the Seattle e-commerce giant, just moved into a new headquarters campus developed by Allen’s Vulcan Inc. Interval is seeking damages and an end to the infringement. Among the patents being contested are:

  • 6,263,507: “Browser for use in navigating a body of information, with particular application to browsing information represented by audio data.”
  • 6,034,652 & 6,788,314 (really the same patent, involving continuations): “Attention manager for occupying the peripheral attention of a person in the vicinity of a display device.”
  • 6,757,682: “Alerting users to items of current interest”

TechFlash has a deeper analysis of these patents.

Google and Facebook told the Guardian they will fight the accusations by Interval. “This lawsuit against some of America’s most innovative companies reflects an unfortunate trend of people trying to compete in the courtroom instead of the marketplace,” a Google spokesperson said in an emailed statement to the Guardian. “Innovation – not litigation – is the way to bring to market the kinds of products and services that benefit millions of people around the world.” Facebook spokesperson Andrew Noyes said: “We believe this suit is completely without merit and we will fight it vigorously.”

The Guardian reports that these claims have led some observers to accuse Allen, who is worth a reported $13.5bn, of acting as a “patent troll” – suing active companies via patents obtained by now-defunct or inactive companies that are not actively developing technology. However, David Postman, an Interval official, defended the lawsuit as necessary to protect its investment in innovation. “We are not asserting patents that other companies have filed, nor are we buying patents originally assigned to someone else,” he told the Guardian. “These are patents developed by and for Interval.” Allen is not a named inventor on any of the patents, according to Bloomberg.

Allen co-founded Interval Research in 1992 to develop communications and computer technology. The firm was reportedly designed to be a pure research institute “done right”: one that would replicate Xerox PARC but would actually commercialize the amazing ideas. At its largest, it employed more than 110 scientists and engineers and filed patents covering internet search and display innovations, according to the lawsuit. Interval Research officially closed in April 2000, when its 300+ patents were taken over by Interval Licensing.

Apparently, Allen has support from another tech founder. TechDirt reports that Apple co-founder Steve Wozniak comes out in favor of “patent trolls” and patent holders suing companies who actually innovate. Woz told Bloomberg TV that patents somehow help out the small guy (Paul Allen, the 37th-richest person in the world?):

I think this lawsuit represents the idea that hey, patents, individual inventors, they don’t have the funds to go up against big companies. So he’s sorta representing some original investors. And I’m not at all against the idea of patent trolls.

The Bloomberg interviewer points out that Paul Allen is not the inventor and there’s no sign that the inventors on these patents would actually get any of the money should Allen succeed. Woz says that Allen “represents inventors.” According to TechDirt Woz seems uninformed about the patent world today. For example, the interviewer notes that dealing with patents has become a “cost of doing business” and Woz seems to think that’s a good thing:

Every tech company is very aware that patents are really the heart of our innovation and invention system and (a) that you have to have your own patent position and you gotta be aware that there might be others. And, yes, you might be infringing. It’s very awkward, because some patents are so general. It’s hard to say how they’ll be interpreted. There’s a lot of ambiguity in the system.

TechDirt notes the irony that, in his autobiography iWoz, Woz talked about how much of a success Apple was at the beginning without relying on patents.

Patents on software and business processes have become a lightning rod issue for web companies. They claim that patents act as a financial drag on innovation, that the US Patent Office (USPTO) is especially poor at examining patent claims for “prior art” that would disqualify them, and that it awards patents on needlessly broad claims, which makes it almost impossible for companies to use accepted web technologies without accidentally infringing on them.

One of the most notable was Amazon’s 1997 patent for its “1-Click” shopping system, which was accepted, then rejected, and finally passed by the USPTO in March 2010. Amazon has licensed the technology to Apple, among others. Other infamous software patent abuses include:

  • British Telecom attempted to claim a patent on the hyperlink; its claim collapsed in 2002 on the basis that the patent referred to a “central computer” – which the internet does not have.
  • SCO sued IBM, Red Hat, Novell, AutoZone, and DaimlerChrysler for claimed patent rights that would cover significant parts of the free Linux operating system.


New School Year Same Security Threats

Another school year is starting up, and security firm WatchGuard has a list of the top threats to school IT systems as classes start up again. Eric Aarrestad, Vice President at privately held WatchGuard Technologies, says, “With so much at risk and so much to gain by cybercriminals, today’s campus is one of the most dangerous IT environments around.” He continues, “Unlike enterprise organizations that can throw substantial resources towards network and data protection, schools and universities are more constrained, yet they face some of the most demanding security challenges due to the dynamic interaction between students and their school’s IT resources.”

Top threats at school

WatchGuard’s top at-school threats include:

Social Networks The security firm calls social networks, such as Facebook and MySpace, the number one threat to school and university networks. Unfortunately, social networks act as an ideal platform from which to launch a myriad of attacks against students and departments, including spam, viruses, malware, phishing, and more. Adding to this, socially engineered attacks are often extremely successful due to the “trusted” environment that social networks create.

Malware As students and teachers use the web for educational purposes, the Seattle-based firm says many unwittingly expose themselves to drive-by downloads or corrupted websites, which inject malicious software onto their computers. Once infected, they risk becoming victims of identity theft or loss of personal information via spyware and keyloggers.

Viruses Today, email remains one of the primary ways of delivering viruses. According to the release, recent surveys suggest that 27 percent of users fail to keep their antivirus signatures up to date, and those signatures may, in any case, be unable to stop the new generation of viruses with polymorphic properties.

Botnets The privately held security firm estimates that 15 to 20 percent of all school and university computers connected to the Internet are part of a botnet. As part of a botnet, school and university systems can be used, without their owners’ knowledge, in a variety of exploits, including spam delivery, denial of service attacks, click-fraud, identity theft, and more.

Phishing scams continue to get more advanced and selective, with students being specifically targeted. WatchGuard claims that phishing attacks via social networks achieve a success rate of over 70 percent.

Hacking In a recent survey of education IT professionals, 23 percent ranked student hackers as one of their greatest threats to network security.

Access Control Usage of mobile devices and wireless access to education IT resources continues to plague network administrators. As the use of mobile devices escalates, schools will face increasing challenges in managing authorized network access according to the security vendor.

WatchGuard Technologies provides a variety of Internet security software and hardware products, including firewalls, virtual private network (VPN) appliances, and anti-virus applications under the XTM, XCS, and e-Series brands.

Related articles
  • The Science of Cyber Security (usnews.com)


Facebook Adds IPv6

NetworkWorld is reporting that Facebook began offering “experimental, non-production” support for IPv6 on June 10, 2010. With more than 350 million active users, 65 million of them accessing the site through mobile devices, Facebook is planning its deployment of native IPv6 to its network backbone. The social network says it wants to support both IPv4 and IPv6-aware clients. In a presentation at the Google IPv6 Implementors Conference, Facebook’s network engineers said it was “easy to make [the] site available on v6.”

Facebook said it deployed dual-stack IPv4 and IPv6 support on its routers, and that it made no changes to its hosts to support IPv6. FB also said it was supporting an emerging encapsulation mechanism known as Locator/ID Separation Protocol (LISP), which separates Internet addresses from endpoint identifiers to improve the scalability of IPv6 deployments. “Facebook was the first major Web site on LISP (v4 and v6),” Facebook engineers said during their presentation. They also said that using LISP allowed them to deploy IPv6 services quickly with no extra cost. Facebook’s IPv6 services are available at www.v6.facebook.com, m.v6.facebook.com, www.lisp6.facebook.com, and m.lisp6.facebook.com.

John Curran, president and CEO of the American Registry for Internet Numbers (ARIN), has been urging Web site operators to deploy IPv6. Curran set a deadline of Jan. 1, 2012, by which all public-facing Web sites must support IPv6 or risk providing visitors with lower-grade connectivity. The remaining pool of unallocated IPv4 addresses could be depleted as early as December due to unprecedented levels of broadband and wireless adoption in the Asia-Pacific region, experts say.

Richard Jimmerson, CIO at ARIN, told NetworkWorld, “It’s moving so fast now that it’s hard for us to be current on it any longer.” ARIN provides IPv4 addresses to carriers in North America. “We’ve gone through 10 /8s since the beginning of this year,” Jimmerson says. “To put that in perspective, in all of 2009, we only went through eight /8s. It’s very possible that the IANA free pool will deplete in December or January at the earliest.”

The article reports that while demand for IPv4 addresses remains flat in North America, there has been a huge surge in the Asia-Pacific region this year that is likely to stay strong. “The Asia-Pacific region has very large economies that are underserved by IP addresses, such as India, China, and other places,” Jimmerson told NetworkWorld. “They are really seeing a big surge in broadband deployment and wireless data handset deployment, and that translates into having to have unique IP address space. That trend is likely to continue.”

rb-

Just last week, I was speaking with a potential client about getting ready for IPv6 on their network. They had not even talked yet with their ISP about getting IPv6 traffic to them, let alone how they were going to deal with IPv6 in and out of the network.


Password Insecurity

The massive Rockyou.com breach reveals the weakness of the password. The Rockyou.com breach provided an opportunity to evaluate the true strength of passwords as a security mechanism. California-based security firm Imperva analyzed the stolen cache of 32 million passwords, and the results are not pretty. According to the researchers, most passwords are eight or fewer characters, and nearly 30% of passwords were six characters or less. They also found that nearly 50% of users used names, slang words, dictionary words, or trivial passwords (consecutive digits, adjacent keyboard keys, and so on), and that 20 percent of passwords came from a pool of just 5,000. The ten most common passwords used were:

  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123

“The problem has changed very little over the past 20 years,” explained Imperva’s CTO Amichai Shulman, referring to a 1990 Unix password study that showed a password selection pattern similar to what consumers select today. “It’s time for everyone to take password security seriously; it’s an important first step in data security.” It’s important to point out that the same password, “123456,” also topped a similar chart based on a statistical analysis of 10,000 Hotmail passwords published in October 2009 by Acunetix (links removed at the request of Acunetix).

“Everyone needs to understand what the combination of poor passwords means in today’s world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second—or 1000 accounts every 17 minutes,” explained Shulman in a press release.

For enterprises, password insecurity can have serious consequences. “Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy to crack passwords like ‘123456’,” said Shulman.

The rest of the passwords, ranked by popularity, are shown in Imperva’s chart (image: “Imperva passwords”).

Some of the lessons that firms can learn from the Imperva research are:

1) Most users choose short passwords that lack a mix of lower-case, upper-case, and numeric characters, or trivial dictionary words, which every decent brute-forcing/password recovery application can find in a matter of minutes. A hacker will typically take 17 minutes to gain access to 1000 accounts.

2) Strong password algorithms must be coupled with longer passwords that contain a mix of letters, numbers, and, where possible, punctuation.

3) Firms should emulate Twitter’s “banned passwords” list, consisting of 370 passwords that are not allowed to be used.

The analysis proves that most people don’t care enough about their own online security to give more than a fleeting thought when choosing the password which secures access to their accounts. This research shows why firms must take proactive actions to manage their users’ choices in passwords.

PASSWORD RELATED SECURITY BEST PRACTICES:

• All passwords are to be treated as sensitive, confidential corporate information.
• Don’t use the same password for corporate accounts and non-corporate accounts (e.g., Facebook, Twitter, personal ISP account, etc.).
• If someone demands a password, call someone in the Information Security Department.
• Change passwords at least once every four months.
• Do not use the “Remember Password” feature of applications (e.g., Eudora, Outlook, Netscape Messenger).
• If an account or password is suspected to have been compromised, report the incident and change all passwords.

Strong password characteristics:
• At least eight (8) alpha-numeric characters
• At least one numeric character (0-9)
• At least one lower case character (a-z)
• At least one upper case character (A-Z)
• At least one non-alphanumeric character* (~, !, @, #, $, %, ^, &, *, (, ), -, =, +, ?, [, ], {, })
• Are not a word in any language, slang, dialect, jargon, etc.
• Are not based on personal information, names of family, etc.
• Are never written down or stored online.

Password “don’ts”:
• Don’t reveal a password over the phone to ANYONE
• Don’t reveal a password in an email message
• Don’t reveal a password to the boss
• Don’t talk about a password in front of others
• Don’t hint at the format of a password (e.g., “my family name”)
• Don’t reveal a password on questionnaires or security forms
• Don’t share a password with family members
• Don’t reveal a password to co-workers while on vacation

OTHER PASSWORD-RELATED SECURITY BEST PRACTICES:
• Account Lockout: all systems should be set to lock out a user after a maximum of 5 incorrect passwords or failed login attempts
• Lockout Threshold: all systems should have a minimum “lockout” time of five (5) minutes
• Password History: systems should be configured to require a password that is different from the last ten (10) passwords
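As an added example (my own code, not the post’s or Imperva’s), here is a Python sketch of the policy pieces above: the strong-password characteristics plus a Twitter-style banned list seeded with the ten RockYou passwords quoted earlier, the ten-password history, and the five-failure, five-minute lockout. The trivial-sequence check generalizes Imperva’s “consecutive digits, adjacent keyboard keys” finding; the sequences, the banned-list contents, and the sample passwords are constructed.

```python
import hashlib
import os

SPECIAL = set("~!@#$%^&*()-=+?[]{}")  # the non-alphanumerics the policy above lists
# Constructed stand-in for a Twitter-style banned list: the ten RockYou passwords above.
BANNED = {"123456", "12345", "123456789", "password", "iloveyou",
          "princess", "rockyou", "1234567", "12345678", "abc123"}
# "Trivial" runs (Imperva): consecutive digits, alphabet, adjacent keyboard keys.
SEQUENCES = ["0123456789", "abcdefghijklmnopqrstuvwxyz",
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def has_trivial_run(pw, run_len=4):
    """True if pw contains run_len or more adjacent characters of a known sequence."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):  # forwards and backwards
            if any(s[i:i + run_len] in low for i in range(len(s) - run_len + 1)):
                return True
    return False


# (predicate that a compliant password satisfies, message when it does not).
# The "not a word in any language" rule needs a wordlist and is not modelled.
RULES = [
    (lambda p: len(p) >= 8, "fewer than 8 characters"),
    (lambda p: any(c.isdigit() for c in p), "no digit"),
    (lambda p: any(c.islower() for c in p), "no lower-case letter"),
    (lambda p: any(c.isupper() for c in p), "no upper-case letter"),
    (lambda p: any(c in SPECIAL for c in p), "no non-alphanumeric character"),
    (lambda p: p.lower() not in BANNED, "on the banned-password list"),
    (lambda p: not has_trivial_run(p), "contains a digit, alphabet or keyboard run"),
]


def check_password(pw):
    """Return the messages for every rule pw violates; an empty list means it passes."""
    return [msg for ok, msg in RULES if not ok(pw)]


def _digest(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class PasswordHistory:
    """Salted PBKDF2 hashes of the last `depth` passwords, so reuse can be
    refused without storing the passwords themselves."""
    def __init__(self, depth=10):
        self.depth = depth
        self.entries = []  # (salt, digest) pairs, oldest first

    def was_used(self, pw):
        return any(_digest(pw, salt) == d for salt, d in self.entries)

    def add(self, pw):
        salt = os.urandom(16)
        self.entries.append((salt, _digest(pw, salt)))
        self.entries = self.entries[-self.depth:]


class LoginGuard:
    """Locks an account for `lockout_seconds` after `max_failures` consecutive
    failed logins; `now` is a unix timestamp supplied by the caller."""
    def __init__(self, max_failures=5, lockout_seconds=300):
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.failures = {}      # user -> consecutive failure count
        self.locked_until = {}  # user -> time at which the lock expires

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures[user] = 0

    def record_success(self, user):
        self.failures.pop(user, None)
```

Running `check_password("Qwerty12!@")` returns only the keyboard-run message, which the characteristics list alone would have let through.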
