Archive for the 'Security' Category

Oct 25 2007

Shall we all become the sole property of FaceBook?

Published by Kim Haverblad under Privacy, Security

Computer World, IDG and DN write today that Microsoft has bought 1.6% of the shares in Facebook for 240 million dollars! I can only congratulate Mark Zuckerberg and Facebook. But the question remains whether it's in the best interest of the users to get Microsoft involved in Facebook, given the enormous wealth of information that the users have provided Facebook with - for free - about themselves!

So how many of the estimated 50 million users have actually given a thought to the information they have submitted to Facebook, and how many of them have actually read the Terms of Use and the Privacy Policy? It can't be many of the existing users! Either people are very well aware of what they sign or they don't care. But they should, since when they signed up at Facebook they gave the company exclusive rights to the submitted material, to be used in whatever way it likes!

“You acknowledge and agree that any questions, comments, suggestions, ideas, feedback or other information about the Site or the Service (“Submissions”), provided by you to Company are non-confidential and shall become the sole property of Company. Company shall own exclusive rights, including all intellectual property rights, and shall be entitled to the unrestricted use and dissemination of these Submissions for any purpose, commercial or otherwise, without acknowledgment or compensation to you.”

Even if you as a user have the possibility to delete your account, Facebook has the following lines in its Privacy Policy to inform you that user data may persist in backup copies for a reasonable time:

“Removed information may persist in backup copies for a reasonable period of time but will not be generally available to members of Facebook.”

My question to the above is: how short or long is their definition of a reasonable period?

The Terms of Use has a few lines about what you as a user can or cannot do when it comes to harvesting or collecting information about other users; it doesn't really say anything about Facebook's rights to harvest or collect information about its users, so let's check the Privacy Policy.

Facebook's Privacy Policy clearly states that they harvest and collect information about you as a user, and that they also try to figure out user patterns.

“When you use Facebook, you may set up your personal profile, form relationships, send messages, perform searches and queries, form groups, set up events, add applications, and transmit information through various channels. We collect this information so that we can provide you the service and offer personalized features.”

They actually say that in most cases they inform the user about prior activities so that you can choose whether or not to participate; I would say that in most cases they don't inform you as a user about how they plan to use the collected information.

The following lines should raise a red flag for most people, since they concern aggregating the user information Facebook has gathered and that you as a user have already given Facebook exclusive rights to, but sadly they don't:

“Facebook may use information in your profile without identifying you as an individual to third parties. We do this for purposes such as aggregating how many people in a network like a band or movie and personalizing advertisements and promotions so that we can provide you Facebook. We believe this benefits you.”

I'm fully aware that Facebook is a corporation that wants to make money and that it provides a free service; but are people aware of what kind of spin-off industry and products might come out of the huge amount of information they've gathered? Working in business development at Facebook must be one of the greatest jobs around, given the huge potential in all that raw data. And I doubt that Facebook will aggregate more than just what kind of bands or movies you or a group of users like.

So think twice when you sign up with Facebook or a similar community; you might just end up signing over your entire life story to the company behind the community, and by that ruin your future.

So when in the future you get questions about activities you've done in the past and thought were harmless at the time, think twice before answering: what does he or she know about you that you have forgotten?

Kim Haverblad


Sep 30 2007

Malicious code insertion in WordPress

Published by Kim Haverblad under Security

I finally got around to upgrading to the latest WordPress (version 2.3), and I think it was highly needed, since I've received unwanted comments posted to the blog from unregistered users.

The vulnerabilities that have been reported in WordPress let malicious users conduct script insertion attacks and SQL injection attacks. Checking the vulnerability report, it states that the issues have been reported in WordPress prior to 2.2.3 and WordPress MU prior to 1.2.5a.

Either there is a new vulnerability in WordPress, or a similar vulnerability works with version 2.2.3 as well. So if you haven't upgraded yet, the recommendation is to download the latest version as soon as possible.
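The affected-version boundaries above (WordPress prior to 2.2.3, WordPress MU prior to 1.2.5a) are easy to misjudge by hand because of the letter suffix on 1.2.5a. The following Python script is an added example, not code from this post or from the WordPress project: it reads the `$wp_version` string that WordPress keeps in `wp-includes/version.php`, compares it against the fixed releases named in the post, and flags an installation as vulnerable, merely outdated relative to 2.3, or current. The product keys, the `status` labels and the sample `version.php` text are constructed for the example.

```python
import re
from typing import Tuple

# Fixed releases named in the advisory the post refers to: WordPress prior
# to 2.2.3 and WordPress MU prior to 1.2.5a are affected. Product keys are
# constructed for this example.
FIXED_VERSIONS = {
    "wordpress": "2.2.3",
    "wordpress-mu": "1.2.5a",
}

# Latest release at the time of the post (the author upgraded to 2.3);
# no MU release is named on the page, so only WordPress is listed here.
LATEST_VERSIONS = {
    "wordpress": "2.3",
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]*)$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """Split a version string such as '1.2.5a' into ((1, 2, 5), 'a').

    Numeric components are kept as integers so that 2.10 sorts after 2.9,
    and the optional letter suffix is kept separately so that a hotfix
    release such as 1.2.5a sorts after the bare 1.2.5 it patches.
    """
    match = _VERSION_RE.match(version.strip().lower())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, match.group(2)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    num_a, suffix_a = parse_version(a)
    num_b, suffix_b = parse_version(b)
    # Pad the shorter tuple with zeros so that 2.3 compares as 2.3.0 > 2.2.3.
    width = max(len(num_a), len(num_b))
    key_a = (num_a + (0,) * (width - len(num_a)), suffix_a)
    key_b = (num_b + (0,) * (width - len(num_b)), suffix_b)
    return (key_a > key_b) - (key_a < key_b)


def is_vulnerable(product: str, version: str) -> bool:
    """True when the installed version predates the fixed release."""
    return compare_versions(version, FIXED_VERSIONS[product]) < 0


def status(product: str, version: str) -> str:
    """Classify an installation as 'vulnerable', 'outdated' or 'current'."""
    if is_vulnerable(product, version):
        return "vulnerable"
    latest = LATEST_VERSIONS.get(product)
    if latest is not None and compare_versions(version, latest) < 0:
        return "outdated"
    return "current"


# WordPress records its version in wp-includes/version.php as
# $wp_version = '...'; this regex picks that assignment out of the file text.
_WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'\s*;")


def installed_version(version_php: str) -> str:
    """Extract the $wp_version string from the text of version.php."""
    match = _WP_VERSION_RE.search(version_php)
    if not match:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)


# Constructed sample of the relevant part of wp-includes/version.php.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '2.2.2';
"""


def main() -> None:
    version = installed_version(SAMPLE_VERSION_PHP)
    print(f"installed WordPress {version}: {status('wordpress', version)}")
    for candidate in ("1.2.5", "1.2.5a"):
        print(f"WordPress MU {candidate}: {status('wordpress-mu', candidate)}")


if __name__ == "__main__":
    main()
```

On a real installation you would pass the contents of `wp-includes/version.php` to `installed_version` instead of the constructed sample; the point of keeping the suffix separate from the numeric components is that a plain string comparison would wrongly rank 1.2.5a below 1.2.5 and 2.10 below 2.9.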

Kim Haverblad


Sep 08 2007

Could Russian hackers take down Denmark?

Published by Kim Haverblad under Security

The Danish security firm CSIS was taken down last week by a massive attack by Russian hackers, who used a zombie network to perform a denial of service attack against them. The best guess as to why they were attacked is that they accidentally scanned botnet servers and probably got attacked as a counter-measure.

Several other Danish security organisations are now afraid that similar attacks will be aimed at more sensitive targets such as large Danish ISPs or governmental institutions. Shehzad Ahmad from DK Cert even suggests that the entire Danish internet could be taken down by an attack similar to the one aimed at CSIS, but on a larger scale.

The reason Shehzad Ahmad claims that Denmark could easily be taken down is that the Russian zombie network has been estimated to consist of 1.7 million zombie computers, and that it only took around 20,000 zombie computers to take down the central part of the Estonian internet.

But on what grounds does DK Cert base the assumption that there would actually be any kind of interest in taking down the entire Danish internet? And would they actually waste all 1.7 million bots on one attack? No, I don't think so. It's all about making money. Quite a few of the bots are being used for sending spam, and every once in a while one can find ads at sites such as bulkerforum.biz where you can buy 1,000 bots for as little as 20-30 USD. So for 200-300 USD you can finance your own little cyber attack with 20,000 bots and take down a small country! Or?

Kim Haverblad

Note: For more reading, see Jyllands-Posten.dk. Update: IDG.se and PC World have some reading about trojans for sale as well.


Sep 07 2007

Disturbed & deranged security

Published by Kim Haverblad under Security

By now I guess that no one has missed the embassy password hack that was pulled off by a Swedish individual. I'm saying individual since I don't believe in the way the entire affair was handled, or should I say mishandled? Based on what the Swedish IT tabloid press has written about this case, there were several attempts to contact a few embassies, but they didn't have any interest in taking up a dialogue... D'oh! Come on! Why wasn't there a more formal attempt to contact the embassies via the Swedish Ministry for Foreign Affairs? Why was there no attempt to document and publish the vulnerability via any of the major vulnerability lists available? Also, reading other comments about this story, the majority, at least in Sweden, are quite negative about how the information gained was handled. They should be! Next time it could be information from any of the major Swedish (or any other country's, for that matter) companies that gets leaked out this way to prove one's point about a security flaw.

Deranged security? Yes, it sure is! But who has the most deranged mind when it comes to ethics and morals on how to handle sensitive information?

Kim Haverblad

Note: For more reading, check the following stories at Security Focus, Computer Sweden and Computer World.


Sep 05 2007

Risk Management isn’t prioritised enough

Published by Kim Haverblad under Security

One thing that I'm quite often astonished by is how low awareness is when it comes to risk management and where risk management can and should be applied. So I read an interview with Thomas Djurling of FRA (the National Defence Radio Establishment) in Computer Sweden, where he says that Swedish companies are naive when it comes to industrial espionage, and I couldn't agree more. But I clearly don't agree that Swedish governmental organisations such as FRA, SÄPO (Swedish Security Service) and SITIC (part of the National Post and Telecom Agency, PTS) should offer these services to the public, since there are quite a few other security vendors on the Swedish market that have the proper knowledge.

The problem is rather that knowledge and awareness regarding how to handle risk management is quite low, and if FRA, SÄPO or SITIC should offer their services, my suggestion would be to focus within their own domains, i.e. governmental institutions. For example, FRA's own home page clearly describes their mission:

FRA is also engaged in information assurance. On demand, we support government authorities and state owned companies regarding current IT threats as well as general advice to improve security.

The problem is that it says on demand; what about a mandatory security audit once a year or every second year? Today it's up to the local authorities whether they want to perform a security audit or not, and the audit material I've seen is often focused on technical aspects. It should be said that I've also seen great efforts at implementing security standards, but the difference between governmental organisations is way too big.

I've seen many government authorities and state-owned companies that lack a properly implemented awareness program. Risk can't be eliminated, but it can be minimized to a level the organisation can accept. It's all about how much resource you're willing to put in. When speaking about risks most people think security, and when speaking about IT security most people think firewalls, anti-virus and so on. Also, when speaking about changes within an organisation, for example changing a procedure or implementing a new process, it's quite common that no kind of risk analysis is done to see how a failure to implement the change will affect the organisation. The failure itself can be that the procedure is badly documented, so that the users or the employees don't know how to act in a certain situation. This in itself can then lead to the employees being unable to fulfil their duties, and by that we have a monetary loss. Of course it's not always about monetary losses, since risk also includes, for example, negative publicity in the media or employees losing faith in the company - try defining the monetary value of that!

It's all about identifying, minimizing and accepting the risk that can be found in all activities and assets in an organisation; if this can't be accepted, there is a serious problem.

Kim Haverblad

Note: For more reading about this topic, please check the article at Computer Sweden (in Swedish).

