Posts Tagged Internet security

Somebody’s Watching Me

The last couple of weeks have seen UK newspapers filled with stories about UK Government plans to expand its monitoring activities to include email and social media. The two extreme points of view are that it is either the only way to stop criminal activity, or one step away from a draconian invasion of privacy akin to 1984.

Neither extreme is accurate. Obviously the more seriously criminally minded will start to use other, more secure methods of communication, if they are not doing so already. In a humorous look at the proposed legislation, comedian Sandi Toksvig, presenter of the BBC’s Friday Night Comedy, recently conjured up the image of two terrorists in balaclavas talking to each other on Skype saying “Yes, I promise you it really is me under here.” However, with the right controls, monitoring can play a significant role in the fight against crime.

At the same time, most people don’t have time to read their own email, let alone anyone else’s. If Government was planning on checking content, which incidentally it says it is not, then it would have to be using keyword or lexicon search.

Type “bomb site:twitter.com” into Google and it is easy to see that just the profile names of tweeters alone would keep someone busy for a long time let alone the messages, so it’s clear that some intelligence would need to be applied to make searching content worthwhile. It also highlights the challenges of scale, something that defeated the Labour government in its attempt to introduce similar legislation in 2009.

Perhaps one of the key issues is that of trust. With stories of local councils using RIPA (the Regulation of Investigatory Powers Act) to accuse citizens of flouting school catchment rules, it’s no wonder many people are wary of giving any government the power to see who they call or chat to over the internet. If the TV programme Spooks is to be believed, the security services already have the technology anyway and are using it to listen in to every mundane conversation, text stream and email, so what’s the difference? This of course is a long way from reality. However, the monitoring of suspicious traffic is a logical and, more importantly, justifiable part of the crime-fighter’s armoury, and with the massive strides being made in keyword and lexicon search and identification technology, it is also relatively easy to implement.

It is not the ability to listen-in to me telling the world what I am having for dinner on Facebook that is the issue, but how much control is in place to ensure we know who can listen to what.

The bottom line is that the growth of social and electronic media use by the criminal fraternity is a serious threat to our national security and well-being. Last summer’s riots grew at the pace they did because of the use of technology such as BlackBerry Messenger, SMS and Twitter, and monitoring will allow the police and security organisations to react quickly and effectively to protect our safety. Terrorist communications have been proven to often be in the form of cleverly coded electronic communications.

“Ah”, I hear you say, “but what about human rights?”. Well, I think we have a decision to make – either we take the view that logically, there will be far too much traffic to allow for any investigator to focus on anything other than posts, tweets and blogs that trigger alarm bells OR we do nothing and run the risk of the criminal element enjoying unparalleled freedom of communication. The real issue is one of checks and balances to ensure responsible application of regulations around monitoring.

For this reason the UK Government, and indeed the others that are bound to follow suit, must ensure that the legislation protects society, whilst also protecting the rights of the individual.

When we look at most industry regulation today, that means implementing the technology to enforce a policy, archive it and provide a full audit trail to ensure that actions are accountable and that only authorised personnel have access. This technology is available today and its use needs to be factored into any policy discussion by government.

Although we will have to wait until the full plan is revealed to truly analyse the consequences, I think it is inevitable that this type of legislation will eventually come into force. We live in a world where real-time communication is the norm, and it is unrealistic to expect those we look to for protection to do so without the tools to combat others who use those same communications for nefarious activities.


Chief Data Protection Officer (CDPO): The new C-level exec?

The European Union (EU) may be on the verge of creating a new C-level job title, according to a draft proposal from the European Commission. Reflecting the growing concern over security and data protection, the EU has proposed making it mandatory to have a data protection officer for the public sector, for large enterprises, and for organizations where the “core activities of the controller or processor consist of processing operations which require regular and systematic monitoring.”

This has definitely caught the attention of those in the financial services sector because the proposal also includes provisions for fining businesses up to five percent of their revenue for data breaches.  That’s not a percentage to sneeze at when multiplied against billions of euros/pounds/Swiss francs.  The potential for security breaches increases exponentially as more people turn to online resources to conduct business.  Increasingly, financial services firms are utilizing social media and instant messaging to communicate with clients and prospective clients.

However, the downside is that all these new communications channels and transaction platforms are inviting targets for hackers.  The Skypes and Twitters of the world all represent new channels for malware to enter the corporate network.  Just a couple of weeks ago, this author himself was a victim of identity theft.  So, the threat is real and billions of dollars are at stake.  Just look what happened to Citigroup earlier this year.

Already, we’ve begun to see titles like “VP of Digital Marketing” and “Social Media Manager” pop up. So, it logically follows that we will see a “Chief Data Protection Officer” title emerge too. Hackers are becoming ever more sophisticated and the tools at their disposal are the most powerful they’ve ever been. The EU is therefore clearly keen to keep pace with the constant innovation flowing from the technology world. That innovation is responsible for much of the threat, but equally, advances in security and compliance technologies are also a key part of the solution and will be a critical part of the CDPO’s armoury.

The game of cat and mouse will no doubt continue, but at least, there’ll be a CDPO focused on minimizing, if not totally eradicating, the consequences of security and data breaches.  Certainly, a framework around how security breaches will be handled and communicated to the public is a good starting point.

So maybe Brussels is finally doing the right thing!


School’s not quite out, but the results are in.

You know that there’s been a seismic shift in the US Government’s communications strategy when guidelines are published by the government for agencies about how they can adopt social networks to deliver a better customer experience.

We can all applaud the good – when the magnitude 5.8 earthquake shook the East Coast in August, the Department of Homeland Security was quick to tweet advice on getting in touch with loved ones via social networks, eschewing phone lines which were getting clogged.

But before we get carried away, we need to put this success in perspective.

Just last week, news was released that Air Force One’s flight plans were inadvertently leaked when a Japanese air traffic controller decided to post them on his blog to show off to his friends.

Who needs Wikileaks when you have to contend with the foibles of your own staff?

The threat of malware infection continues to loom large, as our own Jae found out to his chagrin.

There is no time to be complacent. This is why we’ve knuckled down and begun the process of testing our platform for federal government usage. We’ve kicked off by subjecting Vantage and Unified Security Gateway (USG) to the rigorous tests conducted by Science Applications International Corporation (SAIC) Labs.

It is with a mixture of post-exam relief, pleasure and pride that we can reveal that (drumroll please…) we have met the initial requirements for Common Criteria IA SL2 and The Federal Information Processing Standard (FIPS) 140-2.

The process is by no means over, but we’re certainly well on the way, and it’s another confirmation that Federal Agencies can rest assured that our solutions are robust, enterprise-ready and will do what they say on the ‘can’.

Regardless of media – it could be Jabber, Microsoft Lync or Facebook – we can monitor, track and archive content to protect against unsanctioned disclosures and security threats.

What is YOUR federal agency doing with regard to new communications modalities?


The House is on fire. We don’t need no water, just some Skype.

Wow, for you naysayers out there that think the government is slow, archaic, and behind-the-times, you may have to reconsider your position.  The House of Representatives has OK’d the use of Skype and ooVoo within its hallowed halls.  Up to now, security concerns had impeded adoption of these popular Internet phone and video conferencing tools, respectively, but now that those concerns have been addressed, the House is ready to move forward on its plan to improve communications and transparency with its constituents.

In these tough economic times, where government budgets are strapped, leveraging technology solutions that tout cost efficiencies is gaining traction. Moreover, technological enhancements and plentiful bandwidth are driving the government to look at other real-time alternatives. Applications like Skype and ooVoo allow for virtual town hall meetings, facilitate responding to constituent inquiries, and obviate the need for travel in many instances. The net effect is a fluid, cost-effective communications channel between representatives and their constituents.

Now, the House had every right to take its time in blessing the use of Skype and ooVoo.  Security concerns are justified, given the abundance of horror stories involving security breaches in government and other industries as well.  The problem with social media and other Web 2.0 applications is that their ubiquity opens whole new vectors for malware and other types of evil to infiltrate the corporate or government network.  The proliferation of content on these types of sites is mind-boggling – photos, videos, wikis, blogs, tweets, and the list goes on and on.  But, each one of these types of content can be a springboard for malware.

Given the viral nature of social media and the breadth of the social graph, it doesn’t take much for a virus to spread.  A simple, innocent click on a link to your friend’s supposed Morocco vacation pictures may not yield camel pictures, but rather, expletives flowing out of your mouth when you see the Blue Screen of Death.

That’s why you see so many security software and hardware vendors in the marketplace.  They’re there for a reason.  Not the sexiest technology, but definitely critical to your sanity and to the long-run viability of your company, or in the case of this blog entry, the House of Representatives.  Having security systems and policies in place to control the glut of Web 2.0-type applications out there (Skype and ooVoo are just two of the thousands) is downright essential.

Without granular controls of social media, instant messaging, video conferencing, and the like, safely managing that fluid communications channel between government and the constituents becomes that much more difficult.  Throw into the mix potential national security implications and one can see why security breaches aren’t taken lightly in government circles.

So, bravo to the House for giving the green light to Skype and ooVoo.  Now, I can Skype my congresswoman to fix that pothole in front of my driveway.


Twitter Malware: It’s Coming After You

I may need to wear a shirt like this in the office.

Most readers of this blog are savvy social media users. I would include myself in that category. Well, I would have until last Sunday.

Yes, I will come out and admit it for once. I got suckered into clicking on a Twitter malware link that was forwarded to me by one of my ‘trusted’ venture friends. Now that I got that off my chest (and demonstrated that I could be just as naive as thousands of users out in the Internet), I think I can talk about this incident somewhat objectively.

It turns out that this particular malware spreads by getting a Twitter user to click on the shortened t.co URL that’s sent via private message. When an unsuspecting recipient clicks on the link, it automatically sends the same tweet to all of the recipient’s followers as a private message. Very sneaky.

It was quite an embarrassing moment when I realized what just happened (I even had to update the new Twitter app to follow the link on my iPhone). Thanks to a couple of my co-workers and good Twitter citizen @DevonAlderton, I came to my senses only after a few hours had passed. Once a few seconds of disillusionment of my malware ‘detect-o-meter’ had passed, I regained my composure to delete all of my private tweets to all my followers (thank goodness I don’t have Kim Kardashian’s follower base) and took remedial action to shore up my defenses.
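As an added example (not part of the original post or of any product mentioned on this page), the following Python script shows how a defender could spot the fan-out pattern described above in an outbound direct-message log: one account pushing the same shortened link to many distinct followers within a short window. The log records, account names, link and thresholds are all constructed for illustration.

```python
# Added example (not from the original post): flag the fan-out pattern of a
# DM-spreading link worm in an outbound direct-message log. All records,
# account names, the link and the thresholds below are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SHORT_LINK = re.compile(r"https?://t\.co/\S+")

WORM_TEXT = "lol is this you?? http://t.co/AbCdEf"   # constructed
SAMPLE_DMS = [
    # constructed: one account sends the same link to 25 followers in 3 seconds
    *[("2011-11-13T14:02:%02d" % (i % 3), "victim", "follower%02d" % i, WORM_TEXT)
      for i in range(25)],
    # constructed: ordinary use, one link shared with two friends hours apart
    ("2011-11-13T09:10:00", "alice", "bob", "talk at 3pm? http://t.co/XyZ123"),
    ("2011-11-13T15:30:00", "alice", "carol", "lunch?"),
    ("2011-11-13T15:31:00", "alice", "dave", "http://t.co/XyZ123 worth a read"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_fanout(dms, window_seconds=300, min_recipients=10):
    """Return {sender: (link, distinct_recipients)} for every sender that pushed
    the same shortened link to at least min_recipients distinct accounts
    inside any time window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    # group link-bearing DMs by (sender, link), keeping (time, recipient)
    events = defaultdict(list)
    for ts, sender, recipient, text in dms:
        links = SHORT_LINK.findall(text)
        if not links:
            continue          # chatter without a shortened link is ignored
        events[(sender, links[0])].append((parse_ts(ts), recipient))

    hits = {}
    for (sender, link), evs in events.items():
        evs.sort()
        best, start = 0, 0
        # sliding window over the time-ordered sends of this link
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({r for _, r in evs[start:end + 1]}))
        if best >= min_recipients and best > hits.get(sender, ("", 0))[1]:
            hits[sender] = (link, best)
    return hits


if __name__ == "__main__":
    for sender, (link, n) in find_fanout(SAMPLE_DMS).items():
        print(f"{sender}: sent {link} to {n} distinct followers within 5 minutes")
```

A hit is a trigger for the remediation the post describes (delete the outbound messages, change the password, revoke app access), not proof of compromise on its own.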


Social Media and Cloud Security, are they on the new Federal CIO’s radar?

Last week, it was announced that Steven VanRoekel would be replacing Vivek Kundra as the CIO at the Office of Management and Budget (OMB).  It’s a high-profile position that essentially puts VanRoekel in charge of the federal government’s IT budget – currently about $80 billion a year.  A tidy sum of money.

So, as VanRoekel assumes his new role, all eyes will be focused on how he handles the projects he’s inheriting from Kundra as well as new initiatives.  Of the former, issues such as data center consolidation and the “cloud” are top-of-mind.  Recently, much of the buzz, both in the government and in the private sector, has revolved around Web 2.0 and social media.  However, they’re just two components of an overall security strategy.

VanRoekel must also take into consideration other types of application that factor into a comprehensive cybersecurity strategy.  These days, hackers are pretty sophisticated and are quite adept at exploiting encrypted traffic to pass along viruses or other types of malware.  For instance, unified communications (UC) platforms, such as Jabber, Microsoft OCS and Lync, and IBM Sametime, all enable federation, which is the ability to communicate with others who are not members of your UC community.  The danger here is federating with outside networks that may present unknown risks, like viruses, hackers, enemies mining for confidential information, etc.

The same analogy holds for the “cloud” initiative.  Cloud computing is all the rage, but there’s no shortage of companies and government agencies that are incredibly leery of turning over key computing processes and applications to the cloud.  Security is almost always the first issue mentioned when talking to skeptics of the cloud.  Multi-tenancy (i.e., sharing physical appliances that have been logically partitioned), data storage off-premises, and the relatively short history of this computing paradigm send shivers down the spines of the most experienced IT practitioners.

With the Internet being a global resource, the potential scope of security breaches is immense. Sophisticated hackers might reside in the US, China, Russia, Iraq, North Korea; you just never know. It is against this backdrop that VanRoekel will have to draw upon his experience in the private and public sectors to devise a strategy addressing all of these security concerns. A daunting challenge for sure, but absolutely attainable, given today’s technology.

Wouldn’t you agree?


Defaulting to the closed door. Day Zero protection in a Facebook – Skype world.

Social media is often typecast as a dynamic technology segment where, in the blink of an eye, you can miss the latest viral video on YouTube or the latest casualty of an erstwhile social media darling (RIP, MySpace).  Thus, it’s no small feat to keep up with the continuous feature, product, and service enhancements emanating from the labs of Facebook, Twitter, and their brethren.

This week’s announcement of the Facebook-Skype integration sent shockwaves at typical lightning speed. For those organizations that have embraced not just Facebook but also Skype and other forms of real-time communications, and now seek to understand what this integration means for their security and communications infrastructure, we have some words of comfort.

Many times, compliance, legal, and IT security departments need some time to digest the implications of these new features on their business, so being able to block new features by default is a necessary requirement for enterprise organizations. Hark back to the early days of the firewall, when it was incredibly important to ensure that the default setting on a newly implemented system was to block first and only then open access.

That’s where we are with social media now. With more than 530 changes to the major social networks (Facebook, LinkedIn, Twitter) in 2011 alone, security issues rear their heads with every new feature, especially when we look at the world of P2P communications. Long heralded as the darling of intrusion detection, Skype’s encrypted nature and ability to tunnel through any open port on a firewall makes it a unique and beloved communications tool. But at the same time, it’s also a risk for some organizations that cannot, and will not, allow encrypted traffic on their network (unless they know the key). And when I look at the requirement from the new Facebook Video Calling application to install an .exe file in order to use the plugin, I head back to my roots in the UK IT Security space and think that’s not necessarily something we as security professionals want our end users doing.

Here at Actiance, we were able to provide DAY ZERO protection to our customers – blocking access to the new Facebook Video and Calling capabilities.  As a default, we block new features to ensure that our customers can then decide their policies.  And, with a decade of experience dealing with real-time changes to networks and communications platforms, it comes as second nature to our team to provide these capabilities.
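As an added illustration (not Actiance’s code, and not how USG is implemented), here is a minimal feature policy in Python that encodes the closed-door default described above: features with an explicit rule follow it, and any feature the policy has never seen is blocked and queued for review, with the open-by-default alternative evaluated on the same traffic for contrast. Application and feature names and the request records are constructed.

```python
# Added example (not Actiance's code): a default-deny feature policy where any
# application feature without an explicit rule is blocked and queued for
# review. Application and feature names and the requests are constructed.
from dataclasses import dataclass, field

BLOCK, ALLOW = "block", "allow"


@dataclass
class FeaturePolicy:
    """Explicit per-(application, feature) rules; anything else gets default_action."""
    default_action: str = BLOCK
    rules: dict = field(default_factory=dict)         # {(app, feature): action}
    pending_review: set = field(default_factory=set)  # features seen without a rule

    def set_rule(self, app, feature, action):
        """Record a reviewed decision; the feature is no longer pending."""
        self.rules[(app, feature)] = action
        self.pending_review.discard((app, feature))

    def decide(self, app, feature):
        """Return (action, reason). A feature without a rule is noted for
        review and falls through to the policy's default."""
        key = (app, feature)
        if key in self.rules:
            return self.rules[key], "explicit rule"
        self.pending_review.add(key)
        return self.default_action, "no rule, default applied"


def baseline_policy(default_action=BLOCK):
    """Rules a site might have had the day before a new feature shipped (constructed)."""
    p = FeaturePolicy(default_action=default_action)
    p.set_rule("facebook", "chat", ALLOW)
    p.set_rule("facebook", "wall_post", ALLOW)
    p.set_rule("skype", "chat", ALLOW)
    p.set_rule("skype", "file_transfer", BLOCK)
    return p


# Constructed requests on the day a new feature appears; the second has no rule yet.
REQUESTS = [
    ("facebook", "chat"),
    ("facebook", "video_calling"),
    ("skype", "file_transfer"),
]


def evaluate(policy, requests):
    """Apply the policy to each request and return [(app, feature, action)]."""
    return [(app, feat, policy.decide(app, feat)[0]) for app, feat in requests]


def compare_defaults(requests):
    """Closed-door default beside the open-door default for the same traffic."""
    return {"default_block": evaluate(baseline_policy(BLOCK), requests),
            "default_allow": evaluate(baseline_policy(ALLOW), requests)}


def review_cycle(requests):
    """Default-block first, collect what is pending, then apply the reviewed rule.
    Returns (decisions before review, pending features, decisions after review)."""
    p = baseline_policy()
    before = evaluate(p, requests)
    pending = sorted(p.pending_review)
    for app, feat in pending:
        p.set_rule(app, feat, ALLOW)   # constructed outcome: review approved it
    return before, pending, evaluate(p, requests)


if __name__ == "__main__":
    for mode, outcome in compare_defaults(REQUESTS).items():
        print(mode, outcome)
    before, pending, after = review_cycle(REQUESTS)
    print("awaiting review:", pending)
    print("after review:", after)
```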

That said, did I install Facebook Video Calling?  Of course.   Am I using it?  Of course.  Do I like it?  I have to say, “Wow, yes.”  Being that Skype and Facebook have been, since I moved to the USA just over a year ago, my primary forms of personal communications with the folks back home, having these two communications modalities in a single login is sweet.  Oh yes, I like it.  I like it lots.


#EPS? #EBITDA? #Cash on hand? #Twitter?

Just five years ago, stringing together the words in this blog title would have been complete nonsense. Fast forward to 2011, and they now make perfect sense. Hopping on the social media bandwagon, investors are now turning to new communications channels like Facebook, Twitter, and blogs to get the latest tips on hot stocks, rumored IPOs, and corporate scandals.

A March 2011 study by CMC Markets, Share Trader Insights Survey, hammers home the point:  social media is being increasingly used by investors to gather trading information, especially among those of us under the age of 45.  The study found that the under-45 demographic had the highest percentage of individuals using social sites like Facebook and Twitter to enhance their investment knowledge.  The 25-34 segment was particularly notable, too.  A whopping 59% of those under the age of 35 use Twitter to acquire trading information.  Interestingly, investors over the age of 45 were more likely to use their iPhone to gather trading information.

In terms of which social media sites were deemed to be most useful, trading websites took the top spot with 57% of investors using this form.  Beyond trading websites though, there was no clear social media site that investors preferred.  Blogs, webinars, Facebook, Twitter, iPhone apps, and even YouTube were all cited by investors as being sources of trading information.

I won’t bore you with any more gory statistics, but the inside scoop is that social media seriously is a viable source of information for investors.  However (deep breath), care must be taken to analyze all this mountain of data objectively (you don’t say…).  It’s easy to post information on any of these sites and even easier for it to spread virally.  Just think what could happen if someone started a false rumor on a company with the aim of sending the stock price soaring.  If written persuasively enough and if that rumor appears on several social media sites, the rumor begins to take on a life of its own.  The phrase “buyer beware” becomes that much more important, with due diligence, background checking, and due care assuming more prominent roles.

Along these lines, companies themselves have to be careful of what’s being posted about them in these social media fora.  That’s why we’re starting to see organizations turn to technology to help them address this flood of social media content.  Protection of the corporate brand and confidential information is top-of-mind for many firms.  Add to that the constant threat of malware and viruses piggybacking on tweets and Facebook posts, and it’s easy to see why solutions have begun to sprout up to manage this social media content and ensure that it’s safely used within the organization.

Actiance Unified Security Gateway (USG) is the only secure Web gateway focused on these Web 2.0 and social media applications, on top of the usual security protections (anti-virus, anti-malware, and URL filtering).  From allowing and blocking access to over 4,700 Web 2.0 applications to granular content and access controls for Facebook, LinkedIn, and Twitter, USG is the platform for making sure that social media doesn’t commandeer your corporate network and throttle your reputation.

It’s the enabler that lets you use social media productively and safely.  Just don’t count on it to tell you whether to buy or sell the 1,500 shares of MSFT you’re sitting on.


Keep It Simple, Stupid

We’ve all heard this saying before and it’s easy to get lost in the bewildering array of communications channels available to us. There’s the usual email, instant messaging networks (Yahoo!, Google Talk), peer-to-peer networks (Skype), enterprise IM applications (IBM Sametime, Microsoft Lync/OCS), and social networks (Facebook, Twitter). And these are just the big boys. There are literally thousands of IM, P2P, and social networks, in addition to those listed above.

To give you an idea of the bevy of tools out there, the US Department of Agriculture (USDA) uses over 21 different email systems, but they’ve recently decided to award Microsoft a contract to provide cloud-based email, Web conferencing, IM, and collaboration solutions. Similarly, the US General Services Administration (GSA) awarded an email contract to Google. What this goes to show is that messaging in large organizations (in this case, it’s the government) is starting to move to the cloud as companies look for ways to streamline their messaging systems, improve efficiency, and cut costs.

What with all these communications options available to end users, it’s all too common for folks to use Facebook, Yahoo!, or Skype while they’re at work on company-issued computers. Oftentimes, individuals use a combination of Web 2.0 (think Facebook or Skype) and enterprise (think Microsoft Communicator or Cisco Jabber) applications. The problem with doing so is that it opens up new vectors for malware to invade the corporate network. In other words, there are far more avenues for evil to infiltrate the corporate network these days than ever before.

Thankfully, platforms like Actiance Vantage make it easier to manage the proliferation of communications tools within the enterprise. From blocking virus attacks to managing file transfers to logging and archiving of all IM activities, Vantage provides end-to-end security and compliance coverage for an organization’s unified communications.

We can all learn a lesson from the government contracts cited above. Long ridiculed for being the poster child of bureaucracy and antiquated computer systems, it must be saying something to have two large agencies moving their communications applications to the cloud. Looks like the US government has taken heed of that old KISS principle after all.


Facebook at Work: The Top Ten Applications

I’m spending the quiet time during the holidays working with my colleagues on FaceTime’s end-of-year analysis of how real-time communications, social media, other Web 2.0 applications – and the malware using these channels – have affected organisations over the last 12 months. We’ll release the full results next week, but I wanted to share some early insights.


This year, for the first time, we collected real-world data taken from our Unified Security Gateway appliances deployed across more than 60 participating global organisations. These companies have opted into a program that sends data back to us, so we can analyze Internet application traffic.


So what did we learn?


Facebook represented the largest single Web 2.0 destination that we tracked, hands down. Maybe not a big surprise, but what I find compelling is that only about one percent of attempts to access Facebook were blocked. It shows that our customers are forward thinking companies that view the use of social networks as positive to their business environment – 99 percent of Facebook visits were allowed by IT policy.


These particular employees accessed 890 different Facebook applications over the past few months. Here are the Top Ten applications that were used during working hours on our customers’ networks.

1. Facebook Chat (messaging)
2. Private Photo Gallery (photo, dating)
3. Wordscraper (gaming)
4. Do Not Remember (drinking)
5. Word Twist (gaming)
6. Are YOU Interested? (dating)
7. Bumper Sticker (just for fun)
8. MindJolt Games (gaming)
9. Slide FunSpace (messaging)
10. (Lil) Green Patch (gaming)

(Sadly my favourite, WordBubble, didn’t make the Top Ten)


This is by no means a statistically relevant sample of the world as a whole, but the data gives us an indication of what’s really happening out there in the Web 2.0 world. And it supports the findings from our annual Collaborative Internet study: the lines between employees’ work and personal lives are increasingly blurred, and employees feel they have a right to download – or access – whatever they choose on their work computers. (I know I wouldn’t feel comfortable working for a company that didn’t let me do this!)


Scarily I have two FashionWars invitations outstanding, as I write this – one of them from a seriously unfashionable, tech geek friend.  Si, you’re scaring me. Please don’t do this online, you know neither of us understands Jimmy Choos and the like…
