Sunday, May 25, 2008

Spliced feed for Security Bloggers Network

Leave Twitter Alone! [Mediaphyter - A Communications Cocktail]

Posted: 23 May 2008 07:08 PM CDT


No no, I haven’t gone batty with all of the Twitter Love Day fangirl business. We all fondly remember Chris “Leave Britney Alone!” Crocker from YouTube (and currently in the rockin’ new Weezer video). Today during one of the Twitter outages, Kevin Bondelli made what I believe is the funniest replacement Twitter 404 message, featuring our favorite obsessively crazed pop princess fan:

Hey Kevin, consider making this into a t-shirt? :)

Untangle Launches MSP Benchmark Survey [untangling the future...]

Posted: 23 May 2008 03:48 PM CDT

One of the “mega” trends happening in small business IT today is the transition of traditional hardware focused VARs into managed service providers (MSPs). Yet, for all the prognostication and predictions, no clear industry best practices have emerged about what exactly delivering managed services means. What are the core services that every MSP should aspire to deliver to their customers? What should they cost? What does a typical MSP customer look like… Are they big, small or clustered in particular geographies or verticals?

In order to add clarity to these questions, Untangle is launching an MSP Benchmark Study in partnership with the Pacifica Group. The study will provide an objective set of business metrics with insight into the range of MSP business models and performance. We hope that the study will serve as a resource for existing MSPs to see how they compare with their peers and offer guidance to traditional VARs, consultants and systems integrators considering making the transition.

If you’re an MSP or VAR considering making the transition we’d love to include your experiences into the study! The survey takes about 15 minutes and can be found here:

http://www.surveymonkey.com/s.aspx?sm=fz9rscXI52F3PNQoFuyCRA_3d_3d

tissynbe.py — Insert Nessus results into MySQL, output as a CSV [tssci security]

Posted: 23 May 2008 02:33 PM CDT

I mentioned in previous posts that I had been working with Nessus — I used it a lot. At the end of the engagement, we had almost a gigabyte of Nessus data saved in nbe format. So to quickly go through and analyze all the results, inserting it into a database was essential. I was using Nessquick at the time, which was a couple of Perl scripts used for inserting the data into a database and exporting the data. I also had a bunch of sed and awk scripts that would then clean up the results and fix various punctuation and presentation issues I didn’t like. The process became a bit tedious, so I decided to write up a Python script to do all this for me.

Here are some example uses from the usage:

./tissynbe.py -d database -f results.nbe
./tissynbe.py -d database -o output.csv
./tissynbe.py -d database -o output.csv --order scriptid --sort desc
./tissynbe.py -d database -o output.csv --count
./tissynbe.py -f results.nbe -o output.csv
./tissynbe.py -f results.nbe -d database -o output.csv

You can download tissynbe.py from the tissynbe.py project page.

Now here’s where I ask for some help. I’m by no means a programming guru, so to all you Python developers and hackers, if you can take a look at my code and offer any suggestions, I would greatly appreciate it. I think I have a handle on most of the code as it’s fairly straightforward, but I think it could use some tweaking and optimization in the clean_nbe() method.

Comments and suggestions are encouraged!
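For readers who have not seen the nbe format the script consumes, here is an added example (written for this page, not code from tissynbe.py or Nessquick) of the core of such a tool: parsing nbe records, unescaping the description the way a clean_nbe() step has to, and producing CSV rows ordered the way the --order/--sort flags suggest. The sample records are constructed to mirror the nbe layout (results|subnet|host|port|scriptid|severity|description, with line breaks stored as a literal backslash-n); the script ids, host and banners in it are placeholders, and the "Security Hole/Warning/Note" severity labels are assumed to be the ones your scanner emitted.

```python
import csv
import io
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in NBE layout; it is not data from the original post.
# A results record is results|subnet|host|port|scriptid|severity|description,
# and the description stores line breaks as the two characters backslash-n.
# Script ids, banners and the host are placeholders.
SAMPLE_NBE = "\n".join([
    "timestamps|||scan_start|Fri May 23 10:00:00 2008|",
    "timestamps||192.168.1.10|host_start|Fri May 23 10:00:01 2008|",
    "results|192.168.1|192.168.1.10|ssh (22/tcp)",
    "results|192.168.1|192.168.1.10|ssh (22/tcp)|10001|Security Note|"
    "SSH version : SSH-2.0-OpenSSH_4.3\\n\\nRisk factor : None\\n",
    "results|192.168.1|192.168.1.10|http (80/tcp)|10002|Security Hole|"
    "Synopsis :\\n\\nThe remote web server has a known flaw.\\n\\n\\nRisk factor : High  \\n",
    "results|192.168.1|192.168.1.10|smtp (25/tcp)|10003|Security Warning|"
    "Banner : 220 mail.example.test ESMTP | ready\\nRisk factor : Medium",
    "timestamps||192.168.1.10|host_end|Fri May 23 10:05:00 2008|",
    "timestamps|||scan_end|Fri May 23 10:05:01 2008|",
])

# Assumed severity labels, ranked so a CSV can be ordered worst-first.
SEVERITY_RANK = {"Security Hole": 3, "Security Warning": 2, "Security Note": 1}


@dataclass
class Finding:
    subnet: str
    host: str
    port: str
    scriptid: str
    severity: str
    description: str


def clean_description(raw):
    """Turn NBE's escaped newlines into real ones and tidy the whitespace."""
    text = raw.replace("\\n", "\n")
    text = re.sub(r"[ \t]+\n", "\n", text)   # trailing spaces before a break
    text = re.sub(r"\n{3,}", "\n\n", text)   # collapse runs of blank lines
    return text.strip()


def parse_nbe(text):
    """Return one Finding per results record that carries a plugin result."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("results|"):
            continue                        # timestamps records hold no findings
        fields = line.split("|", 6)         # maxsplit keeps '|' inside the description
        fields += [""] * (7 - len(fields))  # pad short (open-port only) records
        _, subnet, host, port, scriptid, severity, desc = fields
        if not scriptid:
            continue                        # bare open-port record, nothing to report
        findings.append(Finding(subnet, host, port, scriptid, severity,
                                clean_description(desc)))
    return findings


def csv_rows(findings, order="severity", descending=True):
    """Rows for the CSV, sorted like the --order/--sort options."""
    if order == "severity":
        def key(f):
            return SEVERITY_RANK.get(f.severity, 0)
    else:
        def key(f):
            return getattr(f, order)
    ordered = sorted(findings, key=key, reverse=descending)
    header = ["host", "port", "scriptid", "severity", "description"]
    return [header] + [[f.host, f.port, f.scriptid, f.severity, f.description]
                       for f in ordered]


def to_csv(findings, **sort_opts):
    """CSV text; csv.writer quotes the multi-line descriptions correctly."""
    buf = io.StringIO()
    csv.writer(buf).writerows(csv_rows(findings, **sort_opts))
    return buf.getvalue()


def count_by_script(findings):
    """What a --count style report needs: findings per (scriptid, severity)."""
    return Counter((f.scriptid, f.severity) for f in findings)


if __name__ == "__main__":
    print(to_csv(parse_nbe(SAMPLE_NBE)))
```

Two details matter more than they look: splitting on at most six pipes keeps any `|` that a banner happens to contain inside the description, and letting the csv module quote the multi-line descriptions avoids the hand-rolled sed/awk clean-up that the post describes.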

Stopbadware Scolds Apple Over Safari ‘Carpet Bomb’ [Liquidmatrix Security Digest]

Posted: 23 May 2008 01:11 PM CDT

From Network World:

An antimalware organization has called on Apple to beef up its Safari Web browser to protect users from exploits that could let attackers download malicious code to a Mac or Windows user’s desktop.

Stopbadware.org, a group founded by Google, Chinese computer maker Lenovo Group and Sun, on Monday asked Apple to reconsider its refusal to address the flaw as a security problem.

“StopBadware.org believes that users should have control over software being downloaded to their computers, and we encourage Apple to reconsider its stance and treat this as the security issue that it is,” Stopbadware.org said in an appeal posted to its Web site.

Read on.

Article Link

When Malware Attacks (Anything but Windows) Caution: Uses Game theory [Amrit Williams Blog]

Posted: 23 May 2008 12:43 PM CDT


Adam J. O'Donnell (here) has an interesting article providing a quantifiable basis for the spread of malware to non-windows platforms (here) using game theory…

Predicting the minimum necessary criteria that defines when attackers will move to a new platform becomes a matter of measuring market share and the effectiveness of security mechanisms for the majority platform.

I have a lot of respect for Adam and this body of work. I also appreciate his use of game theory in a non-sensationalist way, even though just a couple of days ago I made fun of the term - attaboy, Adam!

Companies Admit To Reading Email [Liquidmatrix Security Digest]

Posted: 23 May 2008 09:40 AM CDT

No great shock here. I used to be one of “those guys” years ago who read employee email. And let me tell you, most non-spam email (try 90%) is trivial crap.

From Tech Herald:

So who reads your email at the office? Apparently more people than you think. Forty-four percent of the companies responding to the study said that they investigated an email leak of confidential information in the past year. Forty-one percent reported that they employ staff to read or otherwise analyze the contents of outbound email. In addition, twenty-two percent said they employ staff primarily or exclusively for this purpose.

There are several cases where someone has been terminated over the contents of email. Most are fired under a clause in the company's Internet Usage Policy. The debate is a huge one, with people expecting privacy when they send email, often personal, from a work account or access personal accounts at the office. Simply put, you have no privacy at the office, and if you get any at all, you should expect very little. Some companies will offer some "personal time" and allow internet usage, but mostly everything you send is logged and monitored, and yes even read by someone else.

Mostly? Try damn near everything for most firms. Email was read only at the behest of legal or HR. Thankfully, those requests seldom arrived.

When people start a new job more often than not they are handed a copy of the acceptable use policy for their respective firm. It is staggering how often people glance over it while pondering dinner plans. Then sign off that they read and accept. It’s like people that click on EULAs mindlessly.

Later, they potentially pay the price for that lack of attention to detail.

Article Link

Trillian Hit With Security Bug [Liquidmatrix Security Digest]

Posted: 23 May 2008 08:23 AM CDT

From the Register:

The discovery of a trio of security bugs means that users of the popular Trillian instant messaging client need to update their software.

All three of the newly discovered bugs create a means for hackers to inject malware onto the PCs of surfers running vulnerable versions of the multi-protocol chat application from Cerulean Studios. The vulnerabilities involve flaws in how Trillian parses MSN protocol traffic, an error within XML parsing, and a third flaw in the processing of messages with long (malformed) attribute values within the FONT tag.

Read on.

Article Link

A Return to ROSI: The Economics of Security [BlogInfoSec.com]

Posted: 23 May 2008 06:00 AM CDT

It has been interesting to observe that two posts on ROSI (return on security investment) have been on this web site’s most popular list for more than a month. And it is further of interest in that the two posts take somewhat opposing views, which is actually quite representative of the dilemma that information security professionals are facing. Many agree with the general concept of risk assessment and risk-return analysis. The question is whether it is in fact possible to derive the inputs, consisting of probability estimates relating to losses incurred and losses avoided or to measure intangible costs and benefits. You can either dismiss the whole ROSI approach as being undoable or, as I described in my very first column, you can make a couple of assumptions, derive some estimates and come up with an answer that improves decisions and reduces risk.

I recall a Scottish mathematics professor (which is not surprising given that I attended Glasgow University), who was attempting, with only moderate success, to imbue his class of engineering students with a sense of the beauty and elegance of mathematics. In feigned annoyance, he explained that the difference between engineers and physicists (or mathematicians) is that the latter will look at a problem and deem it to be unsolvable, whereas an engineer will make a few simplifying assumptions and build it - and guess what? It works! You should know that this was at a time when the Physics Department at Glasgow University was still called the Department of “Natural Philosophy.”

I admit it, I’m an engineer at heart and by training. I don’t see the point in all these intellectual gyrations over the meaning of “return” in ROSI, the accuracy estimates of the probabilities and magnitudes of losses and the consequent validity of risk numbers. Spending my formative years in Scotland taught me the importance of common sense. The Scots are ever pragmatic (they had to be in order to survive the rugged life in the Highlands and the attacks of the Gaels, Celts, Picts, Scots, Vikings, Romans, English and other such ne’er-do-wells) and so have no time for puffery. They just want to get the job done. That is probably why the country is so well known for its engineers; counting among its numbers Lord Kelvin, who (unfortunately, in my view) originated the mantra “You can’t manage that which you can’t measure” - and John Logie Baird, the true inventor of television!

So what brought me, an engineer, to security economics? Well, I decided to take a masters degree in economics in Glasgow University’s “Political Economy” Department, which, as you might guess, was not in any way mathematically orientated - a difficult cultural change for an engineer. Lecturers would apologize for having to draw graphs on the blackboard, taking care to explain each time that “this is the x-axis, and this is the y-axis.” From Glasgow I went through a second culture shock by entering a doctoral program at the Johnson Graduate School of Management at Cornell University where I studied managerial economics under such luminaries as Hal Bierman and Sy Smidt, among the fathers of capital budgeting and decision-making under uncertainty. I chose as my thesis topic the economic evaluation of computer resources, an area that was being championed at the time by later-to-become Nobel laureate William F. Sharpe in his definitive book The Economics of Computers.

Scroll forward several decades … Having held a series of staff and line IT management jobs, mostly in financial services, I moved into information security full-time more than ten years ago. Only within the past few years did I become aware of work being done on security economics by Ross Anderson at Cambridge University and by Larry Gordon and Martin Loeb of the Robert H. Smith School of Business at the University of Maryland. Quite coincidentally, Ken Belva, the editor of this magazine, introduced me to Professor Gordon, who, I was delighted to learn, had majored in managerial economics and was very familiar with the work of Bierman and Smidt.

On May 1st I was privileged to meet Larry Gordon in person, as we were both participating on a panel at a Financial Fortress Leadership Group (FFLG) meeting in New York. FFLG is sponsored by Ernst & Young and organized by E&Y Director Bob Gleason. The excellent bimonthly meeting assembles senior information security professionals in financial services industry in the New York area. It was a stimulating meeting with enthusiastic dialog between presenters and attendees. We quickly discovered the high level of audience interest in learning how to use microeconomics to justify investments in security-related resources. Signed copies of Gordon and Loeb’s book, Managing Cyber-Security Resources: A Cost-Benefit Analysis, were distributed to attendees.

The third member of the panel was Bob Reinhold, from E&Y, who had co-authored, with Allen Ureta, an article on IT effectiveness in the Winter 2007-2008 issue of E&Y’s magazine CrossCurrents. This article was actually the catalyst behind the FFLG session. I had read his article and suggested that we have a meeting on the subject. Bob Gleason said that the meeting topic had to be about information security, not just about IT. That’s when I realized that if one substituted “information security” for “information technology” in Bob’s article, practically every recommendation was applicable to infosec. We were then very fortunate to have Larry Gordon agree to join the panel.

So what’s the point of this somewhat lengthy story? Well, the point is that there is an emerging aspect of information security that you should be aware of and learn more about. The Gordon and Loeb book is a good place to start. It is important for information security managers to understand the fundamentals of microeconomics and apply them to budgeting and investing decisions relating to security resources. This approach has already taken hold in the broader IT world, so not only will it serve to improve decision making for security but will facilitate more productive communications with the senior IT management and business unit executives in your organization in terms with which they are familiar.

As Professor Gordon so rightly pointed out at the meeting, decisions to invest in security are never made based solely on the results of microeconomic models, but cost-benefit analysis should always be a key input to such decisions.
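The column argues that a couple of assumptions and some estimates are enough to get a usable ROSI number. As an added illustration (not the author's method, nor anything from the Gordon and Loeb book), the following Python carries one such calculation through: it assumes the common annualised-loss formulation (ALE = single-loss expectancy x annual rate of occurrence), defines ROSI as loss avoided minus cost over cost, reports the incident rate at which the control stops paying for itself (so you can see how far the probability estimate could be wrong before the decision flips), and checks the spend against Gordon and Loeb's published bound that the optimal investment never exceeds 1/e of the expected loss. The dollar figures are assumed inputs, not data from the column.

```python
from math import e


def ale(sle, aro):
    """Annualised loss expectancy: single-loss expectancy times incidents per year."""
    return sle * aro


def rosi(ale_before, ale_after, annual_cost):
    """Return on security investment: (loss avoided - cost) / cost."""
    avoided = ale_before - ale_after
    return (avoided - annual_cost) / annual_cost


def breakeven_aro(sle, mitigation, annual_cost):
    """Lowest incident rate per year at which the control still pays for itself."""
    return annual_cost / (sle * mitigation)


def gordon_loeb_cap(expected_loss):
    """Gordon and Loeb's bound: never spend more than 1/e of the expected loss."""
    return expected_loss / e


def evaluate(sle, aro, mitigation, annual_cost):
    """Run the estimates through the formulas and return the decision inputs."""
    before = ale(sle, aro)
    after = before * (1.0 - mitigation)   # the control removes this share of incidents
    return {
        "ale_before": before,
        "ale_after": after,
        "rosi": rosi(before, after, annual_cost),
        "breakeven_aro": breakeven_aro(sle, mitigation, annual_cost),
        "gordon_loeb_cap": gordon_loeb_cap(before),
        "within_cap": annual_cost <= gordon_loeb_cap(before),
    }


if __name__ == "__main__":
    # Assumed inputs: a $250k loss per incident, one incident every five years,
    # a control that stops 80% of them and costs $15k a year to run.
    for name, value in evaluate(250_000, 0.2, 0.8, 15_000).items():
        print(f"{name:16} {value}")
```

The breakeven rate is the number worth arguing about in a budget meeting: if the estimate of one incident every five years is wrong by less than a factor of about 2.7, the control still pays for itself, and that is a far easier conversation than defending the point estimate.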


Copyright © 2008 BlogInfoSec.com. This feed is copyrighted by bloginfosec.com. The feed may be syndicated only with our permission. If you feel that this feed is being syndicated by a website other than through us or one of our partners, please contact bloginfosec.com immediately at copyright()bloginfosec.com. Thank you! Again, please contact copyright@bloginfosec.com so we can take legal action immediately.

Security Briefing: May 23rd [Liquidmatrix Security Digest]

Posted: 23 May 2008 05:43 AM CDT

Sorry for the lack of content yesterday. Due to a PBCAK I neglected to publish yesterday’s articles. So, they’ll trickle out over the next couple days. Thanks to all of our new subscribers that joined us yesterday. Welcome!

Click here to subscribe to Liquidmatrix Security Digest!

And now, the news…

  1. Power Company Slammed For Weak Cyber Security (more on TVA)
  2. Congress Alarmed At Cyber-Vulnerability Of Power Grid (TVA again)
  3. Customer Info From More Banks May Be On Lost Tape
  4. Police: Student Hacker Stole Personal Info Of 55,000
  5. Notes from AusCERT 2008
  6. Expert dissects Estonian cyber-war
  7. ISO 27001 Firewall Compliance Solution Debuts
  8. Guidance Software to Offer HBGary Responder™ for Live Memory Analysis in Digital Investigations
  9. Microsoft gives students a peek at the future

Cisco CSO, Antivirus is ‘Completely Wasted Money’ [Liquidmatrix Security Digest]

Posted: 22 May 2008 09:12 PM CDT

Part of me has a hard time disagreeing in principle. But, then again what is better to protect users from themselves as they savage Windows Vista?

Yes, I’m being sarcastic. Who’d a thunk it.

:)

From ZDNet Australia:

Companies are wasting money on security processes — such as applying patches and using antivirus software — which just don’t work, according to Cisco’s chief security officer John Stewart.

Speaking at the AusCERT 2008 conference in the Gold Coast yesterday, Stewart said the malware industry is moving faster than the security industry, making it impossible for users to remain secure.

“If patching and antivirus is where I spend my money, and I’m still getting infected and I still have to clean up computers and I still need to reload them and still have to recover the user’s data and I still have to reinstall it, the entire cost equation of that is a waste.

“It’s completely wasted money,” Stewart told delegates.

He said infections have become so common that most companies have learned to live with them.

So, he thinks that antivirus is a waste of time and that companies should concentrate on “whitelisting”. So when the rubber meets the road you wanna guess who’s going to be managing that kind of headache? Not Mr. Stewart.

OK, you throw out the bath water and….

Article Link

Lenovo Unbowed By U.S. Slowdown [Telecom,Security & P2P]

Posted: 22 May 2008 08:18 PM CDT

This morning the great news was announced: Lenovo had a great fiscal year. Some financial details can be found in the official financial report. The news report below by Melinda Peer is also well worth reading.

Slower consumer spending dampened sales of personal computers in the U.S., but Lenovo barely felt it thanks to higher shipments to emerging markets.

China’s largest personal computer maker said Thursday that fourth-quarter demand grew fastest in its Europe, Middle East and Africa region, where shipments jumped 30.0% in the fourth quarter. The segment offset weak demand in the U.S. where consumers have cut back on spending, which spells trouble for U.S. tech companies that haven’t fostered strong overseas growth.

Lenovo, which bought the personal computer division of IBM (nyse: IBM - news - people ) in 2005, reported sales of $1.3 billion in its core Chinese market, an increase of 18.0% from 2007’s fourth quarter. The country’s sales accounted for 34.0% of Lenovo’s fourth-quarter sales.

Despite slowed notebook sales in the U.S., the Americas accounted for 27.0% of Lenovo’s quarterly sales, at $1.0 billion.

Lenovo, the world’s fourth-largest computer maker by sales, said fourth-quarter profit more than doubled to $140.0 million, or $1.44 a share, from $60.0 million, or 68 cents a share, in the previous year. The quarter’s earnings included a $36.0 million gain, or $65.0 million for the full-year, related to the sale of its mobile handset business, which had been dragging on Lenovo’s balance sheet. Last quarter, the unit’s shipments fell 31.0%. (See: ” Lenovo Triples Profit”)

Earnings before interest, taxes, depreciation and amortization rose 39.1% to $152.0 million from $110.0 million a year ago. The mean estimate of analysts polled by Reuters was for fourth-quarter earnings of $129.2 million.

Sales rose 13.5% to $3.7 billion from $3.3 billion in 2007’s fourth-quarter. The company’s global personal computer shipments grew 21.0%, surpassing the industry’s average growth of 15.0%.

“Looking forward, Lenovo will continue to maintain our momentum in the relationship business and the Greater China region, while pursuing growth opportunities in the emerging markets, notebook markets and transaction business, specifically the consumer business, and actively fostering new business to maintain profitable growth that out-paces the industry,” said the company’s chairman, Yang Yuanquing.

For the full-year, net profits tripled to $484.0 million from $161.0 million a year ago. Sales rose 17.0% to $16.4 billion and the Raleigh, N.C.-based company’s total shipments of personal computers increased 22.0%. The estimated industry average for personal computer shipments is 16.0%.

Also on Thursday, Lenovo said its board proposed a final dividend of 1.6 cents a share.

Lenovo shares have gained $1.25, or 8.1% at $16.60 from a month-ago in over-the-counter trading.

At the beginning of the year, Yang sparked concerns that Lenovo’s sales would slump due to the downturn in the U.S. economy since China depends heavily on exports to the U.S. for growth. (See: ” Lenovo: Fear And Loathing In Las Vegas”) Yang said the company would target emerging markets to drive growth.

In 2007, more than 60.0% of Texas-based Dell (nasdaq: DELL - news - people ) sales came from the Americas, according to Revere Research. Last month, the company announced stringent cost-cutting measures. (See: ” Dell Tries To Reboot, Again”)

Death toll of Sichuan earthquake reached 51151 [Telecom,Security & P2P]

Posted: 22 May 2008 07:44 PM CDT

The death toll of China Sichuan(Wenchuan) earthquake has reached up to 51151, while 288431 wounded, and 29328 missed.

While the death toll is still increasing, yesterday a story quickly spread on some major BBSes and forums about the abuse of earthquake relief materials, namely the camps. It is said some earthquake camps were found in Chengdu city areas, which should not be covered by the relief. This news made people very angry.

The government authority promised to investigate this and back to the people with a fair and transparent result.

Security Twits - Represent on FriendFeed [Mediaphyter - A Communications Cocktail]

Posted: 22 May 2008 06:20 PM CDT


There’s been a lot of hubbub the last few days about Twitter and Twit-Outs and Twitter Love Day and FriendFeed vs. Twitter (in the social media heavy weight match-up of the year! - sorry, had to say it). In the end we’ve all come to a warm and fuzzy place of peace, love and networking. So much so that I’ve learned to let my Twitter and FriendFeed habits, er experience, happily co-exist in my world.

Today, FriendFeed introduced “rooms.” Basically chat groups based on area of interest. Me being the social media geek, er fan, that I am I immediately noticed it as I refreshed the page. My next step was to create the Security Twits Room.

This room is less inclusive than the Security Twits list (which will soon be massively overhauled and moved to its own dedicated place) and is intended to be an interactive environment for security professionals and the people who love… security.

Join us.

Free Candy. Free Book Deals? [Mediaphyter - A Communications Cocktail]

Posted: 22 May 2008 03:26 PM CDT


In the movie Swingers, Jon Favreau’s character “Mikey” made a comment about how when he first went to Los Angeles, it seemed they were handing out sitcoms at the airport.

From my perspective, it sort of seems that these days, they are handing out book deals to almost anyone who can wield a pen. I’d like to think that I just know or know of a ridiculously high number of talented authors. But I’m starting to wonder if perhaps the publishing companies came into some stash of hidden millions that they want to dole out. Sometimes the books in process or recently published seem like no more than slightly edited versions of books written by established authors.

What also gets me is how many of these books are produced by very, very small publishing houses. In an age when magazines and newspapers are facing financial crisis due to digitalized libraries, blogs and pirated material, how is it that the book publishing industry is continuing to thrive?

I’m not an avid book reader (everyone claims to be but I think only about 60 percent of the population is…). I do have stacks of great books piled throughout the house. When I do read I try to make sure it’s either something from which I am guaranteed to learn or at least be entertained. I am also not an author — at least of anything more than a few thousand words. I don’t have the attention span.

Given the surge of book deals out there, I’m wondering - what would YOU write about? More important, what would you read?

MSSP and NAC - true love or lust? [StillSecure, After All These Years]

Posted: 22 May 2008 10:51 AM CDT

A recent addition to the Security Bloggers Network (over 50,000 combined subscribers strong now!) is Grant Hartline, CTO of Mirage Networks, Mirage blog. Mirage is a competitor of StillSecure in the NAC marketplace, sometimes (actually we don't run into them very often) but I was happy to see them join the SBN. I have certainly taken shots at them in the past and am glad they are using the blogging medium to put their own point of view out there. Networks like the SBN are strongest when multiple and different points of view are represented. Anyway, Grant has been blogging up a bit over there with some good stuff, especially about post-connect, NAP, Interop and Joel Snyder. Grant's most recent article is called MSSP and NAC - True Love.

For the most part I agree with Grant that NAC is a natural for the managed services space. However, I think for the MSSP (managed security services provider) market specifically it may be beyond their current offering levels. Most MSSP offerings today are focused at the perimeter. They have grown from managed firewall to managed IDS/IPS, managed anti-spam and managed content filtering. Now managed UTM is all the rage. However, all of these technologies are perimeter based. If I am not mistaken Mirage's early experience offering a managed service was with AT&T offering it as a behavior based type of intrusion prevention and worm detection. I think moving into the internal network with a more traditional NAC offering might be beyond the current scope of most pure MSSPs. However, managed service providers who are already providing desktop management and full network management like an EDS, IBM or HP are indeed natural candidates to provide a managed NAC service. I think we will be seeing much more of managed NAC from these types of providers in the future, but it will be a while until the pureplay MSSPs have managed NAC.

Google Health [Network Security Blog]

Posted: 22 May 2008 08:21 AM CDT

Eric Irvin, Senior Consultant at IrvTech, suggested I blog about Google’s recent announcement of Google Health and I countered by challenging him to write up a post of his own, and here it is. Eric doesn’t have a blog, so if you want to get in touch with him, leave a comment or contact me and I’ll forward it on to him. Without further ado:

Google Health by Eric Irvin:

Google has recently offered a service to track and monitor your own personal health records. Google Health provides a centralized manner of health information management, utilizing Google’s signature API. Google has assured users that they will protect and secure the data. The problem is the Health Care Industry already has a standard of privacy and protection with HIPAA.

Health portability and privacy have always been a problem in the Health Care Industry. This has been largely due to the industry facing lawsuits due to a lack of privacy regulations, and/or questions relating to how data should be shared between insurance companies, hospitals, and other medical care providers. Out of these legal questions, and lack of clarity, the Health Insurance Portability and Accountability Act was passed in 1996.

Google believes that it should not be regulated by HIPAA because they are not a health care provider. Google addresses this in a post from a development blog.

“Some have asked how Google Health relates and compares to the privacy protections for patients under the Health Insurance Portability and Accountability Act (HIPAA), a federal law that establishes privacy standards for patient health information. Unlike a doctor or health plan, Google Health is not regulated by HIPAA because Google does not provide health care services.”

I disagree with Google’s not wishing to comply with HIPAA regulations, which would apply a baseline of security checks and safeguards to protect customer information. With other industry requirements (such as PCI, SOX), privacy and protections extend to anyone exchanging customer information. While the law, in itself, does not require Google to do so, I think it sets a standard of expectation for people who choose to use the service. Because Google is not subjecting itself to HIPAA, there is no legal requirement for them to keep your information private, other than the terms of service.

Google could begin providing information to pharmaceutical companies as to who has which medical problems, and allow them to target advertisements to them. This would be a horrible invasion of privacy, and breach of a basic trust. While Google has not announced any plans to do so, their own terms of service allow them to change their own policies at any time without notice. At least HIPAA requires a vote from Congress to extend, withdraw, or modify any protections or use of said information.

While HIPAA was established for the sake of protecting patients rights from Health Providers, Insurance Companies, et al., the question remains, should a third-party company who has access to Health Information be governed by those same rules?

Kunshan Red Cross website compromised [The Dark Visitor]

Posted: 22 May 2008 07:16 AM CDT

According to reports, a detachment from the Shenzhen Public Security Bureau Internet Police organization, assisted the Jiangsu Police Department in arresting a male suspect who had hacked into the Kunshan Red Cross website to defraud people donating to victims of the Sichuan earthquake.

A 24 year old suspect, named Yang (from Hubei), was arrested for altering the information on the homepage that listed the phone number and bank account number used to make donations.

In the above shot, I have shown the area the hacker altered.  It is unclear if this is somehow related to the previous incident.

Losing Friends on Facebook: A Privacy Story [BlogInfoSec.com]

Posted: 22 May 2008 06:00 AM CDT

Reconnecting with past friends and acquaintances, to me, is the primary value of Facebook. It is a simple way to establish ties to people you knew but lost touch with over the years. It’s a common experience on Facebook to befriend past best friends, people you’ve dated, and high school friends who were in your social circle. I’m not an exception in this case: I’ve experienced all of this including befriending business acquaintances, past co-workers and people on the other side of the globe (who I do not know) wanting to befriend me due to Information Security.

Normally I do not publish personal stories and experiences, even on Facebook. So, this article is an exception. For those readers who are not familiar with Facebook, an important component to this story is the Facebook News Feed. When one logs into Facebook, a Facebook member is displayed a page that lists all the events that one’s friends have published about themselves and other Facebook events that relate to them. For example, if one of my friends comments on a photograph of themselves or others, I see it. If one of my friends becomes friends with someone else, that will show up in my feed as well. Other things that may pop-up in one’s feed include profile changes: dating status (single, married), date of birth, employment, etc. These settings may be controlled via Facebook’s privacy settings, but people rarely do.

A few months ago I befriended a woman with whom I attended elementary school through high school. We were both in the same social circles and had mutual friends, even though we weren’t best of friends. When we befriended each other on Facebook, I checked out her profile and that was that: standard operating procedure. No real further interest there… until what she was posting on Facebook started arriving in my News Feed.

She began to write personal jokes, stories and various details to her sister and her friends about her personal life. This was entertainment: the stripper they hired for a party, the drama when her dog went to the vet hospital, jokingly negative comments about her sister’s child, etc. I didn’t search this stuff out: when it’s delivered to your homepage one has a tendency to read it!

Fast forward a few months. Two weeks ago I find myself on a random blind date. She’s a few years younger than me and, coincidentally, it turns out that she’s good friends with the younger sister of my Facebook friend above! Dang! In the course of dinner, a few drinks and the “who do you know” conversation, I happened to mention my date’s friend’s child’s name, whom I had read about so much on Facebook but never met in person. Then my date brings up a big party at which she and the two sisters were present. Lo and behold, I put two and two together and it’s the party with the stripper! I just can’t make this stuff up! Although I withheld the fact that I knew about the stripper, I think she realized there was something that I knew but wasn’t saying. Anyway, the date ended and we went our separate ways. My date must have told her friend about our conversations: a few days later, out of the blue, my Facebook friend above deletes the online link representing our friendship.

I completely understand and empathize with why she did it. When I first started blogging, I kept a personal blog in addition to the security one. Since I was well aware of the privacy issues surrounding online self-publishing, I decided to only write about things that I wouldn’t mind being public or already were public. I was still unaware of what it would be like to have this information come back to me.

At an information security networking dinner a few years ago, someone approached me and asked about a large book donation I made to my undergraduate College. It was a direct reference to my blog post. While the donation was not something of a private, personal nature, it was still unnerving. The donation was not a topic that naturally arose between myself and this individual. I was stunned: people were searching and reading about me! For the same reason I took my personal blog offline, I can understand why I was removed from being her friend. And, I don’t blame her.

Facebook’s privacy settings are open by default. The site encourages information sharing. One just really needs to be careful about with whom one is sharing those personal stories. If one uses a social networking tool, learn the site’s privacy settings (including Facebook/MySpace/etc. applications!). Do not post anything that one would not want everyone else in the world to read. After all, data leaks! It makes its way into unexpected areas. In addition, remember: if you publish it, someone will read it and not necessarily the people you intend.

While it’s unfortunate that someone with whom I grew up decided to remove me from her circle of online friends, I should not be her biggest concern. It’s been about 15 years since I last saw her. I have my own group of friends and do not keep in touch with any of hers. And, although I’m always interested to hear what my friends are doing, without any disrespect, I’m not abundantly interested in her life because I have my own to live. If I were her, though, my concerns would lie elsewhere: those entertaining stories were popping up on the Facebook Feeds of her coworkers too.

