Friday, August 19, 2011

Security Risks in the Age of Social Media

Everyone is joining in the social media craze, even the public figures of our times. I was recently watching a program on MTV base, where some youth interview some of the influential people of today, and I remember that in two of the interviews President Kagame of Rwanda and Virgin Group's Richard Branson mentioned using Twitter from time to time.

With hundreds of millions of users, from school going teenagers to presidents, to footballers and musicians, from small and medium companies to large corporations, many people use at least one of the various social media, like Facebook, Twitter, LinkedIn, MySpace, YouTube among others, to either connect with friends, network and make friends, for promotion and public relations and for marketing purposes, among other benefits.

Social media has changed the way we interact and communicate; we can now stay in touch through Facebook with friends, fans and clients. We can pass on information quickly in a way we have never done before through Twitter. Through social media we can reunite with lost family members and friends. Some might have heard of the famous story of the father-daughter reunion between Tony McNaughton and Frances Simpson of the United Kingdom, who had not seen each other for nearly 48 years. The father had separated from the mother of the daughter when she was about 1 year old; they reunited via Facebook. I am a user of social media, mostly Facebook, and I would not like to be a killjoy, but I am also aware of the inherent risks it has. So what are these risks that come with social media and how can we guard against them?

For individual users of social media, the biggest challenge is that people drop their guard and share personal information and secrets on Facebook, including details they would not easily shout out in the streets or share on national TV or radio. Within their social networks, they feel safe surrounded by people they know, like and trust, like friends and family. This opens possibilities for identity theft and could be used as an avenue for social engineering - a practice of gathering information on someone for future criminal use. There is also the threat of cyberstalking, where a user can be electronically harassed or abused, as well as issues of solicitation of minors for sex, or gathering information on an individual in order to harass them later with that information.

There is also a web of trust built between social network users so much that any information posted by "a friend" is taken as gospel truth. Recently a Facebook friend of mine was a victim when his Facebook account was compromised, most probably because he was using a weak password that was easy to guess by the attacker. The perpetrator was able to post some information on his "wall" - claiming how "he" was stranded in a foreign country and how he had lost his luggage and had no money on him. The masquerader even gave details of where and how to send help, needless to say, some people on his Facebook friends list, fell for it and sent some money. This and many other incidents warn us to be a little bit more alert when using social media.

For enterprises and corporations that have internet access and allow use of social media by employees on the corporate network, the risks could be even bigger. While social networking has become pervasive across organizations, there are very few security restrictions governing its usage. Not only could uncontrolled use of social media lead to misuse of internet resources, it could also lead to productivity loss, as employees spend more time on social networks instead of carrying out official work. Social networks could be used to introduce malware, like computer viruses, on corporate networks. For example, in September 2010, "onMouseOver", the Twitter-based worm, pummeled users with pop-ups, spam and pornographic tweets and then re-tweeted them to everyone on their contact list.

Social networks can also be a route for data leakage, where they can be used to leak company trade secrets, and lead to confidential/sensitive data loss or leakage. What's more, there's a disconnect between traditional information security practices and the demands of an increasingly youthful workforce that feels entitled to use personal technology and social networking in the office.

So what can be done to curb the risks of social media usage and enjoy its benefits with fewer worries? To begin with, social media users need to be vigilant and not share any information they would not readily share with the general public. On top of using stronger passwords that can't easily be guessed, we should take advantage of the options available within the social media themselves to help reduce the risks. Major social networking sites now support identity management functionality. For example, a security application called mysafeFriend gives Facebook users a way to validate the identity of potential friends.

Parents need to guide their children on safe usage of the internet and appropriate behavior when online. Just as you would not let your children chat with any stranger in the streets, why should you allow them to freely connect with cyber strangers, who could be closer than you think? Organizations need both an administrative and a technical approach to the problem. Companies should come up with internet usage policies for the workplace that have a component dedicated to social media usage, for example specifying what time employees can access social network sites, so that employee productivity is not affected. There should be awareness training for staff as well on the risks involved. Companies could make use of available technology to assist with web content filtering against malware like viruses and infected links shared through social networks.

As social networks become popular, individuals and corporations need to be aware of the risks, and of the fact that scammers and cyber-criminals today have their sights trained on users of social networks.

About the Author
Mr. Thomas Bbosa - CISSP, is an Information Systems Security Consultant and Managing Partner with BitWork Consult Ltd - ( http://www.bitworktech.com ), an IT security consulting firm based in Kampala, Uganda. He is a Certified Information Systems Security Professional (CISSP), with over 10 years' experience in the IT industry. He has been involved in various roles of IT infrastructure management and support, information systems security management and solutions deployment.

Saturday, June 4, 2011

Protecting Your Company From An Online Data Breach

Why do data thieves attack corporate computer networks? Well, to paraphrase Willie Sutton, it's because that's where the data is. As I said in a previous blog, a data breach is usually done in one of two ways.

A data thief will either employ physical means, such as dumpster diving, social engineering or a simple break-in; or via the internet. No business today can afford to be left behind technologically, meaning that in every corporate environment there are computers, networks and electronically stored information.

Electronic files are highly sought after by would-be data thieves for the wealth of personal information they contain. There are HR files, accounting information, customer and vendor lists; the list goes on and on. All of these kinds of records are full of sensitive information which can be exploited for personal gain by data thieves.

As a business owner, you are already aware of how to protect your company from a break in; however, these electronic attacks are not as well understood or protected against by the majority of companies. The alluring elements for a data thief regarding online data breaches are:

1. The thief need not be anywhere near their victim; they can even be on another continent.

2. Just about any information you would need to commit identity theft can be readily found on the web (We will not tell you what these sites are since we discourage the practice).

3. Most companies keep a large amount of sensitive information on file; much of this data is poorly secured.

4. Computers can be an easy entry point to your data, since thieves only need to find one weak point to get into your system.

Here are some of the more common computer data attack techniques used by data thieves:

1. Phishing emails - These are emails pretending to be from a legitimate company, usually asking the victim to verify personal information.

2. Spear phishing - These are emails which are sent to employees of a company purporting to be from management, asking for passwords or information about projects they may be working on.

3. Zombie computers or networks (zombies) - These are compromised computers and networks which contain software which permits data thieves access to the system. These computers may be linked together to form what is called a botnet.

4. Botnet - Once linked together, these botnets are used to perform attacks like denial of service, pay per clicks and spam email. In many cases, the owner of the compromised systems may not know that their system is being misused this way.

5. Bogus websites - Websites which pose as legitimate sites and attempt to trick visitors into handing over personal information; this data is then used on the real site by the data thief.

6. Crackers - Programmers and other highly skilled computer experts who use their abilities to break into networks to find weaknesses to exploit.

7. Wireless network snooping - When using unprotected wireless routers, such as are often found in coffee shops, airports and some homes, hackers may be able to pry into your computer.

8. Cookie sniffing - Hackers will use cookie sniffers to examine all of the cookies you have used and will send this information (useful since people generally use the same password for many different sites) to their own systems to use this information.

9. Malicious Software - These are various types of software: hijackers, adware, Trojan horses, etc. which act against specific operating system functions, send your personal information to someone outside your system, direct you to bogus websites or any number of other malicious actions.

10. Web Page Hijackers - A small program which redirects your browser to a site other than the one you wanted to visit. This may be to a bogus website attempting to capture your personal information or an annoyance such as being redirected to a pornographic website.

11. Piggybacking Access - This is the practice of breaking into a poorly secured computer on an external network and using this access to break into another network using a legitimate connection between the two networks.

12. People Research Sites - For a fee (usually $40-$80), you can obtain personal information on nearly anyone.

13. Dictionary attack - One of the easiest ways to guess a password. A dictionary file is loaded and since no language has an unlimited number of words, this can often generate the password with relative ease.

14. Hybrid attack - A more sophisticated variant of the dictionary attack, this takes dictionary words and combines them with numbers and/or symbols in an attempt to crack a password protected system.

15. Brute force attack - A brute force attack is one in which a program systematically works through every possible combination of numbers, letters and symbols. The amount of time needed to find the password depends on the number of characters used in the password.

16. Keyloggers - A type of spyware which records every keystroke made on a computer and sends this information to a remote user. These programs are very difficult to detect with most virus and spyware scanners.

17. Network Sniffers - Applications used to capture network traffic without the knowledge of users on the network. Sniffers are helpful to hackers in finding network weaknesses, which helps them to plan other attacks on a network.
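A defender-side view of entries 13 to 15, as an added example that is not part of the original article: a password screen that rejects anything a dictionary or hybrid attack would find and sizes the search a brute force attack would need. The wordlist, the substitution table, the 10**14 threshold, the guess rate and all function names are assumptions made for illustration.

```python
import string

# Constructed sample wordlist; a real screen would load a large dictionary file.
WORDLIST = {"password", "dragon", "sunshine", "welcome", "monkey", "football"}

# Assumed table of common character swaps (e.g. "p@ssw0rd" -> "password").
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})

# Characters a hybrid attack typically adds before or after a dictionary word.
AFFIX_CHARS = string.digits + string.punctuation


def classify(password, wordlist=WORDLIST):
    """Return the cheapest attack class that would recover this password."""
    lowered = password.lower()
    if lowered in wordlist:
        return "dictionary"
    # Hybrid: a dictionary word with digits/symbols attached or swapped in.
    core = lowered.strip(AFFIX_CHARS)
    candidates = {core, core.translate(SUBSTITUTIONS),
                  lowered.translate(SUBSTITUTIONS)}
    if any(c and c in wordlist for c in candidates):
        return "hybrid"
    return "brute-force-only"


def charset_size(password):
    """Size of the alphabet an exhaustive search must cover.

    Only the four ASCII classes are counted; other characters add nothing,
    which makes the estimate conservative.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def brute_force_guesses(password):
    """Worst-case guesses to try every string of this length and alphabet."""
    return charset_size(password) ** len(password)


def evaluate(password, min_guesses=10**14, guesses_per_second=10**9):
    """Return (accepted, reason). Threshold and guess rate are assumptions."""
    kind = classify(password)
    if kind != "brute-force-only":
        return False, f"rejected: falls to a {kind} attack"
    guesses = brute_force_guesses(password)
    if guesses < min_guesses:
        return False, f"rejected: only {guesses:,} combinations to search"
    days = guesses / guesses_per_second / 86400
    return True, f"accepted: about {days:.3g} days to exhaust at the assumed rate"


if __name__ == "__main__":
    # Constructed sample passwords covering each outcome.
    for pw in ["Sunshine", "dragon2011!", "p@ssw0rd1", "zxqvjk", "tq7#Lm2vXe9w"]:
        print(f"{pw!r:16} {classify(pw):17} {evaluate(pw)[1]}")
```

The length dependence noted in entry 15 shows in `brute_force_guesses`: each extra character multiplies the search by the alphabet size, while a dictionary or hybrid hit makes length irrelevant.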

You should be aware of the risk of data breaches, but you needn't be paranoid. There are plenty of steps you can take, such as bringing in outside IT security consultants to work with your IT department to assess your security and work to improve it. You should also make sure that all of your software is kept up to date.

Your sensitive data should be encrypted to better protect it from prying eyes. You can use security tokens in your system, such as smartcards for accessing your network and workstations. You should also make sure that each and every one of your employees is properly trained so they know what to keep an eye out for to prevent data breaches.

Headquartered in Ladera Ranch, California, Access Smart, LLC reduces the cost and burden of network and internet security on employees, IT administrators and business owners. Dedicated to empowering businesses and consumers to securely regain control over their digital information, Access Smart offers low cost, highly secure, integrated hardware and software packages that securely manage important data over wired and wireless networks, computers, Point-of-Sale devices, kiosks, and any other device that can accept and communicate via smartcard technology.

For more information about Access Smart, please visit http://www.Access-Smart.com.

Thursday, May 5, 2011

Data Danger: What Does Your Partner Know?

Just imagine for a moment that you died. Sorry to be so blunt, but this is important, really important. I'm talking here of a sudden unexpected demise, the hit-by-a-bus scenario. Can you see the devastated folk that you leave behind, the chaos, the problems? Do keep reading; I'm not selling life insurance or encouraging you to write a will, as I'm assuming that you're sensible enough to have done that. What I am flagging up is something that lots of folk completely forget.

This was starkly brought to my attention a few weeks back when filming the most amazing collection of punk memorabilia, our online music archive. The collection contained many extremely rare items including extraordinary demos, magazines, posters and albums, all of which would have gone straight to the dump, if the proud owner should unfortunately be called to that great punk store in the sky. Apparently his wife had no interest in the collection other than the fact that it took up vast amounts of the house that could be used for other more 'valuable' activities.

What my friend had failed to do was appreciate that what was of value to him and countless others was not necessarily of value to his partner, the consequence could be that the resource could be abandoned because he had never thought to specify how his pride and joy should be dealt with. Of course I offered to be the repository of the items should the worst happen, very fine of me I thought, but I then began to think about all of those things in our life that have a hidden value, that could be lost forever should we die suddenly with or without a will. I'm not really talking about physical goods now, (but if no one realises all those tatty paperbacks are rare first editions they will end up in the bin) no it's all that data tucked away on computers.

Consider for a moment the importance and indeed value of clients' contact details password protected on your laptop, or the codes to get into various online accounts, not just at the bank, but investments, clubs, PayPal and the like. Indeed, even some Facebook accounts can have a substantial value, or something as simple as the password to your computer. These items could be completely frozen or even lost to your heirs or remaining business partners should you die or lose your senses. Scary eh?

There is good news, however, as long as we act on it: there are loads of websites that provide just the service that is required, whereby you can register all your primary codes, passwords and documents that can be accessed by nominated beneficiaries should something unfortunate happen to you. The idea is that you list all the secret or relevant data and attach the access information to get to that data to your will so that it can be retrieved as necessary. The additional benefit is that you can give instructions for the disposal of precious items that may not be relevant to record in a will, or indeed have been acquired since the will was made. There are all sorts of clever ways that these websites check that you are actually deceased so that the 'wrong' person can't get to the goodies, so we shouldn't fret about potential loss in that respect.

Of course one could specify that any rock or pop memorabilia be passed straight to Rokpool who will give it a good home, we're kind like that, however if you don't do something (even if it's only telling your nearest and dearest) the recycling centre may be getting that collection you spent years acquiring, whilst your family tear their hair out trying to guess your iTunes password and how sad would that be?

If you love music you just must visit Rokpool, it is an online rock music archive where you can enjoy rare music, see unique photos, read exclusive articles, watch rare videos and footage for free, and find memorabilia from the last sixty years of music history. There are literally thousands of pages to explore, hundreds of artists to enjoy, and many thousands of free videos. http://www.rokpool.com

Monday, March 28, 2011

How to Choose a Cloud Computing Service Provider

With so many cloud computing companies on the market today it means that choosing the right one who understands your business infrastructure is becoming increasingly difficult. It is therefore important that you know what your exact requirements are so that you can do research and evaluate who the best cloud provider is for you. When carrying out your research there will be certain criteria that you should be looking for. Below is a list of the top four fundamental selection requirements for choosing a cloud computing service provider:

1) Reliability and Reputation
To understand a company's reliability and reputation it will be important to understand who the company is and how long they have been in the industry. It will also be important to look into the type of clients that a cloud provider has and what partnerships they have established. To fully understand a provider's reliability and reputation it would be worthwhile talking to some of their clients and partners to see what they have to say about the company. This is often the best way to gauge the reliability and reputation of a company first-hand.

2) Suitability
It will be important to fully understand whether your business has suitability to move into a cloud environment and what cloud computing solution is right for you. To understand suitability of the different types of cloud services you should look to providers who offer no-obligation free trials. This way you can see whether your business is acceptable in a cloud environment and see how the cloud service works before you make a long-term commitment.

3) Support and Service Level Agreements (SLAs)
Support and SLAs are vital to ensure against any downtime of the cloud. When looking at a cloud provider's support commitment you need to ensure that they will work quickly if any issues or downtime arises and that problems are dealt with in the agreed manner and to the agreed timescales. You should look for companies with dedicated support that have the capacity to deal with problems as and when they arise. When you speak to a cloud computing company or meet them at their offices you should ask to see the support department.

4) Security of the Cloud
Any company that moves into a cloud environment needs to ensure security of the environment and their business systems and processes. It is important to ensure that the selected cloud service provider offers a secure infrastructure at all levels and throughout the cloud services that they offer. The data centres that are provided will also need to be understood to ensure a consistent level of security as well.

The Cloud Computing Centre is a cloud computing service provider that has renowned cloud computing knowledge and expertise. The company delivers robust and cost effective cloud computing services to companies across a variety of different business spectrums and industries. The Cloud Computing Centre has experience in delivering solutions that fit your company and work with you every step of the way through the process to ensure business continuity and efficiencies for your company. Free trials are available to new clients to ensure the most appropriate cloud service for your business.

Thursday, March 3, 2011

Search Results Redirected - You Have The Redirect Virus

Search results get redirected all the time now due to the outbreak of the redirect virus, which carries many names, but is deeply rooted in the more severe Alureon rootkit trojan virus.

When you have this, the first warning sign is as follows. You type in a key phrase to look up in a search engine such as Google, Yahoo or Bing. Your results come back, and you click on one. Your search results are redirected to other pages that are not on topic and usually attempt to promote something that you are not interested in.
This is the very first warning sign of the redirect virus, and as soon as you notice this you should take action immediately.

This threat can come from many different places, so pointing fingers is not necessary, and it affects many people every day. What matters more is what you should know next.

If your search results are redirected 1 out of 3 times that you attempt to click through to a site, then you probably have the Google redirect virus. If this is the case then this means that you can potentially have the Alureon threat as well.

This particular rootkit is extremely difficult for anti virus software to stop or sometimes even detect. It can cause a sort of open wound in your computer, and allow a criminal to intercept key data through the internet and your machine.

Search results being redirected are the smaller problem, because this Alureon virus creates an almost undetectable doorway for a thief to steal passwords and financial banking information, and possibly your credit card data if it is stored on your hard drive.

To make matters worse, the redirect virus has been designed to make it as difficult as possible to remove. This is accomplished by causing your anti virus and malware protection programs to stop updating as needed, sabotaging the installing of new programs that might help, and eventually corrupting your keyboard or mouse so that you cannot use it.

Another warning sign is noticing the changing of your desktop wallpaper, which not everyone may experience. Search results can be redirected to other harmful sites that have been pre-established to download more potentially threatening malware onto your machine, and so internet criminals can have a feast.
Next, you can remove it manually, but I suggest that you follow this guide to get the steps right. You can learn more about this virus and the guide at this site on the Google redirect virus.

Tuesday, February 1, 2011

Cost-Effective Firewall Solutions For Small Business

Whenever firewalls and network security come into play, there is a surprising amount of oversight and lack of attention in the small business world. Many shops are running just the regular router they get from their ISP, with NAT being their sole defense against the outside world, and even that, arguably, is not a defense at all. When asked about this setup, they smile sheepishly and say: "We can't afford a good firewall solution! We'll have to make do with this until we can."

This is a cringe-worthy response: I'm a big believer in proactive IT, and security is one of those areas, along with backups, that get neglected because of cost. Because there is no immediate value-add to security (indeed, the effect of good security is invisible), many companies choose to invest that money elsewhere, reasoning that they can't afford an effective firewall appliance like a Sonicwall or an ASA.

Given today's recession, many small businesses have to cut operating costs, and sadly firewalls are an area that may not be as immediately necessary as others. The saddest part, however, is that there are open-source solutions out there that make perfectly serviceable firewalls for nothing but the cost of an outdated PC or virtual machine.

IPCop - Cost Effective Firewall

IPCop, the example we'll use in this article, is an open-source OS based on Linux that is designed to act as a firewall and router. Unlike a vanilla Linux distro running iptables, IPCop goes far beyond simple add and drop rules; it has features one might expect from a more advanced firewall appliance, including intrusion detection, VPN services, and traffic shaping capability. IPCop was designed for this very application (cost-effective firewall solution) and as such it is made with the small business network admin in mind: the entire OS is run through a stylish web interface, allowing easy administration of the IPCop firewall from any web-accessible machine, and the installation is straightforward and full of easy-to-understand directions.

IPCop is one of a number of distros, like Smoothwall, which aim to be full-featured firewalls for small business. Unlike Smoothwall and others, however, IPCop is completely free, thus making the insertion of an IPCop instance in your network both a painless and extremely cost-effective solution, especially where a dedicated hardware firewall appliance is an expense your business simply cannot afford.

IPCop Disadvantages
IPCop does have its disadvantages, of course, especially when compared to a more robust appliance like a Cisco ASA. It lacks the fine granularity of IOS, for example, and some of the more advanced ACLs and command-line magic that IOS performs are beyond the scope of the IPCop instances. That said, however, IPCop comes very close to the performance of an entry-level ASA, and many of the functions an ASA provides are duplicated effectively in IPCop's web interface.

Linux Distro
The title of this article, however, is not "Best firewall appliance". We're here to talk about cost-effective firewall solutions, and in that regard a Linux-based distro is unbeatable. While it does require some spare hardware, the system requirements are quite sparse, and so the implementation cost is minimal at best (and the software is, of course, open-source and free). In fact, even disregarding the price, I am willing to put forth the semi-controversial idea that IPCop may be as good as a dedicated firewall device in a small business setting; many of the functions it provides are more than suitable for a small business network.

That said, no network should be without security; the cost of a firewall appliance, though prohibitive, need not stop a small business from implementing security solutions. With open-source, free solutions like IPCop, a network admin can insert a firewall into his network infrastructure at little to no cost, immediately making his network more secure and giving him the power and functionality of a dedicated firewall appliance at a fraction of the price.

LearnComputer! (learncomputer.com) offers instructor-led local, online and onsite Networking courses for companies and individuals. Sign up for an upcoming Networking course with LearnComputer! today and learn the skills you need to succeed in your career!

Sunday, January 16, 2011

Shield Your Business from Data Damage with a Smart Backup Tactic

Numerous hosting companies give business packages that tout the use of cutting-edge hardware and software, but the simple fact is that any top-notch hosting supplier should utilize the latest and best technology. Business leaders should expect this as a minimum prerequisite but, a far more important question is: Does my hosting provider implement an intelligent backup process to make certain that my data and information are secure from damage?

Are You Protected?

Ask your hosting company whether a business continuity solution is offered with your hosting plan. Amazingly, a lot of companies do not incorporate standard data backup as a normal service. Offering high-quality, guaranteed data loss prevention is usually difficult and pricey for the hosting company, but this is protection you cannot afford to go without.

Already Guarded? To What Amount?

If your web hosting service provider offers backup services, do some research to prevent unforeseen hassles and future frustrations. Confirm that you can trust your provider to regularly and accurately backup crucial computer data. Evaluate the following:

How long will it take to restore from backup?

Your existing hosting company may offer backup services, nevertheless, you should understand the technology they utilize to safeguard you. If they use tape backup, it might be hours before you get your data back when you need it. Your business could find itself at the end of a long list of clients expecting restoration of servers, programs, and data if a problem develops. Take the steps to be aware of what you can expect of the hosting supplier if repairing from backup is needed to prevent a disruptive business emergency.

What does the backup plan include?

Look into the kind of data and information that is protected. Don't assume all providers enable you to restore individual files or your entire server. If you need to recover speedily, you want a provider that provides you the choice of restoring individual files or the entire server. Furthermore, find out how far back the backup goes. There is a huge difference between 4 days and 4 weeks.

Is there an additional backup off-site?

Check with your supplier if their business continuity solution comes with an off-site component. True business continuity solutions include replication of all data and virtual servers to a production data center in a form enabling them to be booted up there in the instance of a long term outage.

Application-consistent or Crash-consistent?

If you are hosting virtual servers, this can be the most important question. Make sure your hosting company takes application-consistent snapshots of your server. If they don't, you might get a perfectly unusable restore. Crash-consistent snapshots are a point-in-time backup of your server. All Exchange, SQL, and disk transactions are left incomplete, bringing about impaired databases and files. An application-consistent snapshot quiesces or closes all transactions to disk, enabling you to restore the server with zero corruption.

Quick Checklist for Acceptable Backup Provisions

If you're overwhelmed with questions to ask and not sure of the solutions to look for, you can start using this quick reference checklist of minimum provisions:
• The provider should perform a daily backup of your entire server.
• Data needs to be retained for at least 4 weeks.
• You should have the choice to restore anything from a single file to an entire server.
• Data should be duplicated off-site.
• The provider should take application-consistent snapshots.

Lisa Gecko is a staff writer for Infinitely Virtual.

To learn more about cloud services, call Infinitely Virtual at 866-257-8455 or visit: See our Cloud Services hub, Cloud Services with Infinitely Virtual