Are you rethinking Facebook?

Facebook is currently the world’s most popular social media site, with
over 400 million users. Long plagued by accusations of security leaks
and lackluster privacy practices, the corporation is currently defending itself against
a barrage of new criticism. CEO Mark Zuckerberg gave an interview
earlier this year arguing that privacy is no longer a “social norm.”
Facebook privacy policies have been rapidly shifting to reflect this
position.

The latest firestorm centers around a new feature called “instant
personalization,” a targeted advertising service that supplies
personal user data to advertising partners like Pandora and Microsoft
Docs. All Facebook accounts were included in this service when it was
rolled out, and opting out is a convoluted, multi-step process. In a
move that some users are calling deliberately deceptive, simply
clicking an “opt out” check box does not protect your user data from
being shared.

So far, the beta service is limited to three corporate partners — all
of whom have promised not to behave inappropriately with the shared
user data — but the feature is slated to be expanded over time. This
puts millions of user accounts and their personal information at the
mercy not just of Facebook, but of the ethics of every company who
becomes an instant personalization partner in the future.

Other unintentional security breaches are also making headlines. A Russian
hacker who calls himself “kirllos” recently claimed to possess the
logins and passwords to 1.5 million Facebook user accounts — and he
is putting them up for sale, cheap. Though no one has officially verified whether these user credentials are real or fake, kirllos has already sold off around 700,000 of them.

If true, this incident puts another crack into Facebook’s already-besieged reputation. Account compromises not only leaks a user’s private information, including photos, status updates, and private messages sent between users, but can also lead to increased phishing risks – imagine a trusted Facebook friend sending you a message with a malicious embedded link, once clicked, can direct you to a malware laden site.

What does this mean for corporate users? Opening up your company to Facebook access could lead to increased phishing and malware threats, which could further cause data breaches and other more serious forms of security incidents within your corporate network. Given the soaring popularity of Facebook as a casual communication tool, the usual acceptable usage recommendations — urging employees to use discretion and avoid discussing sensitive information via Facebook – is far from sufficient.

Social media can be a corporate asset. Facebook provides a high-profile tool for company exposure and branding, and the wide reach of such a social platform can facilitate business networking. But if you had known that the media giant would be
riddled with security holes, while at the same time deliberately taking on a cavalier attitude toward user privacy — would you have allowed your users access to Facebook?

Advertisements
Posted in Uncategorized | Leave a comment

Ok. There is more (or may be less) to the VPN story, Google says

Google called me again after I posted the latest follow up to the Google hack story. Wow, two calls from Google AR in the span of an hour! They were uncomfortable about the way I characterized the involvement of the corporate VPN in the Google attack. The official on-the-record word from Google is that: “This is not accurate”.  So, I should rephrase how the attack happened:

a) A Google employee’s machine that was running IE v6 was compromised via the IE vulnerability.

b) The attacker used the compromised machine to somehow gain access to Google servers (some of which housed critical information). The method of access, at some point, may have involved VPN, but Google does not agree with the characterization that “the compromised client used their corporate VPN to gain access to the servers”.

At Google’s request, I retract that particular statement.

This is what we do know factually:

1) The attack on Google server happened

2) Google immediately decided to do an emergency update of their entire corporate VPN infrastructure.

Could these two things be entirely unrelated? I doubt it. But Google isn’t going on the record to say that the attack came in via the VPN, and that’s their official position.

Posted in Application Security, Cloud security | 7 Comments

Follow up: Google calls and confirms the VPN story.

Google called me, five minutes ago, confirmed that the attacker indeed came in via the corporate VPN access. On top of that, they told me that the victim machine was a corporate managed machine, not a home computer.

As to why Google employees were running IE v6, Google’s position is that someone might be running IE v6 for testing purposes. Whether this was indeed what happened, they wouldn’t say. Ok, I can buy that you might be running an older version of browser for testing purposes (for backwards compatibility), but why wasn’t the testing environment isolated from production and from access to critical assets? Isn’t that one of the first thing you do in setting up a test environment? Google assured me that they are taking steps to rectify the situation, and for the sake of everyone who trusts Google with their data and applications, I hope they do it soon.

A funny related note: I’ve been trying to get Google’s attention for over a week on a security interview, but they were too busy to respond (understandably, I guess), but five minutes after I put up this blog entry. Google calls me on my mobile. :-).

Posted in Application Security, Cloud security | 2 Comments

Why Google and Microsoft were at fault for the attack, not cloud computing

By now, much has been written about last week’s attack on Google, Yahoo, and more than 30 other companies. Google’s stark reaction to the attack has put the company at the forefront of this news story. At stake is one of the world’s largest Internet market as well as the already tenuous relationship between US and China, it is no wonder this attack is drawing the attention of headlines worldwide.

Why isn’t this an attack on cloud computing?

First of all, the mechanics of the attack, though not entirely clear, have nothing to do with cloud computing. What we do know is the following: A Microsoft browser vulnerability was exploited, some employees’ desktops were compromised, and the attacker used the compromised desktops via Google’s VPN to get to some of the servers. As a result, Google apparently issued an emergency refresh of the entire corporate VPN infrastructure last week, leading to more than a little bump in the road for employee productivity, which lasted more than 24 hours.

So, let’s look at the facts here. Exploiting browser vulnerabilities is a familiar attack method, one that has nothing to do with cloud computing. Compromising desktops and using VPN to further compromise servers is again nothing new. What is at the root of the problem here is a vulnerability from everybody’s “favorite” software company (more about this vulnerability to come later today), not the fact that the target of the attack is a prolific cloud computing company.

However, some of my clients (and many others) were asking why they would want Google to host their applications/data if Google is a bigger attack target than themselves. This is indeed an interesting question, one that is worth exploring. This question is particularly interesting when you consider that the attack in question involved exploiting vulnerabilities in IE 6. Why would Google employees still be running IE 6, an outdated browser? Clearly Google’s corporate IT isn’t doing a good job. But the fact that the attacker used VPN to further its attack suggested that the initial victim machine may not be a corporate managed machine. However, we do not know for sure. In any case, Google is at fault here for not managing its risks adequately. And being one of the biggest cloud computing companies, they should know better.

I will be uploading another entry on the specifics of the Microsoft vulnerability after 10am pacific today. Stay tuned. In the meantime, let me know what you think of the attack and the implications.

This entry will be cross-posted to Forrester’s SRM blog: http://blogs.forrester.com/srm.

Posted in Application Security, Cloud security | 1 Comment

An interesting cloud computing panel to start the new year

On Thursday January 7th 1pm pacific, I will be moderating what promises to be an exciting panel–“Cloud computing: A positive disruption to IT security”– with panelist Qualys CEO Philippe Courtot and Cisco’s Chief Security Officer  John Stewart.  See what Forrester, Cisco, and Qualys have to say about Cloud Computing and IT security, register at:  http://www.businesswire.com/portal/site/home/permalink/?ndmViewId=news_view&newsId=20100104005080&newsLang=en

Posted in Cloud security | Leave a comment

Facebook’s new privacy settings

Last week, Facebook just upgraded its privacy settings. I am sure by now many of you have gone through the new privacy setting wizard. But do you know all the ins and outs of the new settings and how to navigate them?

In general, the new Facebook privacy setting menu is easy to use and straightforward. Some of the new options Facebook provides are positive changes. For instance, you can now hide a wall post to specific individuals (or make them visible to specific individuals). This level of fine-grained control was not available before, which is a welcome change.

However, in the course of migrating to the new privacy settings, Facebook has made several categories of information visible by default to “Everyone”. If you didn’t actively manage your privacy settings through this new migration, some of your information, such as Family and Relationship, Education and work, and your posts will be left visible to everyone, regardless of what your previous privacy settings were.

Another puzzling thing is that Facebook apparently does not think the ability to control who can see your “Friends list” belongs in privacy settings. Moreover, they’ve made everybody’s Friends list visible to the world by default. To turn that off, you have to go to your profile page and click the little crayon icon next to your friends list to unselect the “Show Friend List to everyone” option. If you have previously hidden your Friend list from public view, they are now free for all to see unless you did the little trick with the crayon icon! Even worse, your Friend list will now show up in search engine results.

Speaking of indexing by search engines, Facebook’s privacy settings do provide an option via which you can prevent search engines from indexing your public Facebook information, which is information that you’ve elected to be viewable by everyone (or is it?). Despite the fact that I had strenuously set and checked all my privacy settings, including uncheck the “Show Friend List to everyone” option, Facebook is still showing a sample of my friends to search engines! And we know that once a search engine has indexed and cached your information, it’s virtually impossible to purge the info completely. 

The specific options and settings aside, this concept of PAI, short for publicly available information, is one that worth a bit of ink. Everyone has a different idea of what their PAI should be. However, Facebook has decided that certain categories of information, such as your profile picture, family and relationship info, education and work info, interest and activities, and group memberships, etc. should be PAI, and they’ve gone ahead and made these categories visible to everyone by default. You have to go through the entire privacy menu to change that.

In this age of search engines, content caching, and near-ubiquitous connectivity, have you really thought about what you should place (and not place) in your PAI? Do you really understand all the consequences of putting a specific piece of information in PAI? Do you know how long the information will be available long after Facebook has become yesterday’s news? Most of us don’t internalize the fact that every time you label something public, this “thing” will probably live in the public domain forever in some way, shape and form. Is this something you can live with? Will you still write that paragraph of “About me” and make it viewable by “Everyone”, if you know 50 years from now people can still find that? This is of course independent of Facebook or any social networking platforms in general, it is about fundamentally what information, as an individual, you want to expose to the world. Once we have a good grasp of PAI, we can then look at specific social networking or social media tools and demand them to give us the flexibility and controls to manage our PAI.

Posted in Uncategorized | 1 Comment

(Updated) Cloudy with a chance of “non-compliance”

Compliance, along with security and privacy, is a big topic when firms consider cloud services. I recently did a Forrester Webinar on the topic of compliance for cloud computing. You can access the recording here: http://www.forrester.com/cloudsecuritywebinar. This blog entry is a recap of the Webinar.

In terms of compliance for cloud services, there are four categories of issues of concern:

  • Where: Geographically related issues
  • How: This is about operational details that affect compliance
  • Audit: Show me evidence that you can help me achieve compliance
  • Others: Everything that doesn’t fit into the above categories

 For the “where” category, you need to be conscientious of the following aspects:

  • Datacenter locations
  • Implications of local laws and regulations (where the datacenters are operating)
  • Third-party access: Does the vendor use any “third-party” resources that may affect the locations of relevant data?

 We recently helped a client evaluate the business suitability of a SaaS provider. In the course of doing so, we discovered that the SaaS vendor used a third-party backup service to back up their logs. Although the SaaS provider is located entirely in the US, the backup service provider is not. Therefore there is a question whether my client’s logs will get stored in a datacenter outside the country. This made my client uneasy.

The “How” category is the biggest and most comprehensive, as it includes many operational aspects. For example, along with other aspects, you need to consider:

  • Do the datacenter’s operations meet the specific regulatory requirements that you have (e.g., is it PCI compliant – audited by a PCI QSA?)
  • Does the provider have a compliance management program?
  • Does the provider have a DR/BC plan that is consistent with my requirements?
  • Does the provider’s data breach/incident handling procedure meet your requirements?
  • Is the data center SAS 70 Type II certified?

 The “Audit” category deals with the procedure of audits, framework of audits, whether or not the provider can supply adequate audit evidence or agree to a third-party audit.

In addition, you need to consider eDiscovery and enterprise investigation support. Too often enterprises tell me that cloud providers do not let them be the administrator of their data living in the cloud. You need to ask your vendor what support they will provide for discovery and investigation purposes, such as any restrictions on access to data, means of access to data (self servicing vs. manual), responsiveness to discovery requests, flexibility to data access, etc.

Finally, third party is often the “fly in the ointment”. Even when you are satisfied with every aspect that you can conceivably think of with respect to your cloud provider’s operations. You need to understand whether they use any third party in a way that impacts your compliance status (see the example I listed above). Everything we talked about so far applies to third party accesses.

What does this boil down to? In the next 90 days, we recommend that you form a cloud game plan, which looks like the following (for compliance aspects):

  • First step, gather legal and regulatory requirements, involve legal/compliance/risk officers early
  • Second, conduct a high-level feasibility study based on these requirements
  • If the feasibility study indicates a preliminary green light, then perform detailed evaluation (based on the “where”, “how”, “audit” framework here)
  • Require audits when in doubt, embed recourse actions in your contracts, and engage trusted third-party assessment services.

For details, please refer to the Webinar recording located at: http://www.forrester.com/cloudsecuritywebinar

Let me know what you think. Any other compliance aspects that we missed here?

Posted in Cloud security | Leave a comment