Monthly Archives: July 2014

Facebook apologizes over psychological experiments

Facebook has issued an apology over the controversial psychological experiments carried out on 689,000 users without their consent in 2012.

The experiments, conducted with two US universities, only came to light with the recent publication of the study report, prompting outrage from Facebook users, academics and regulators.

Earlier this week, the UK’s Information Commissioner’s Office said that it planned to investigate whether the experiments broke data protection laws.

Labour MP Jim Sheridan, a member of the Commons media select committee, has called for a parliamentary investigation into how Facebook and other social networks manipulate the emotional and psychological responses of users by editing the information supplied to them.

The 2012 experiments filtered the news feeds of users to study the effects of positive and negative emotional content from Facebook friends, prompting concerns about the effect such studies could have.

The study has also raised fears that the process could be used for political purposes or to boost social media advertising revenues.

In the face of growing criticism, Facebook chief operating officer Sheryl Sandberg said the experiments were part of ongoing product research by companies.

“That is what it was; it was poorly communicated,” she said while on a visit to New Delhi. “And for that communication we apologize. We never meant to upset you.

“We take privacy and security at Facebook really seriously because that is something that allows people to share opinions and emotions.”

Sandberg’s statement marks a climbdown by Facebook given the company’s earlier insistence that the experiment was covered by its terms of service, as the Guardian newspaper pointed out.

The social networking firm insisted there had been “no unnecessary collection of people’s data” and that “none of the data used was associated with a specific person’s Facebook account”.

However, the Guardian noted that Facebook changed its terms and conditions to allow data to be used for research only four months after conducting the mood-influencing experiments.

Those changes were made after Facebook settled a complaint from the Federal Trade Commission (FTC) about “unfair and deceptive” privacy practices.

Facebook responded with a statement that said: “When someone signs up for Facebook, we’ve always asked permission to use their information to provide and enhance the services we offer. To suggest we conducted any corporate research without permission is complete fiction.

“Companies that want to improve their services use the information their customers provide, whether or not their privacy policy uses the word ‘research’ or not.”

As Facebook now seeks to quell the criticism, a former employee has revealed that the social network’s data science department operated with few boundaries.

“There’s no review process, per se,” Andrew Ledvina told the Wall Street Journal. “Anyone on that team could run a test. They’re always trying to alter people’s behavior.”

Ledvina, a Facebook data scientist from February 2012 to July 2013, recalled a minor experiment in which he and a product manager ran a test without telling anyone else at the company.

Since its creation in 2007, Facebook’s data science group is believed to have run hundreds of tests, exploring topics such as how families communicate and the causes of loneliness.

But Facebook told the Wall Street Journal that since the controversial study on emotions, the company has implemented stricter guidelines for research and introduced a review panel.


Via: computerweekly

Windows Forensic Environment (WinFE) Online Training – FOR FREE!


Every once in a while I get an e-mail from a new reader that is very interested in getting into forensics, and wants recommendations on free training resources to help them get up to speed.  The one I’m about to share with you is great!!

From the course description:

WinFE is a forensically sound bootable Windows operating system, developed for forensic analysts in the acquisition of electronic media.

WinFE is much more than just a data collection platform. WinFE is also a full-featured operating system in which complete digital forensics examinations can be conducted when needed. WinFE also makes a great training platform in digital forensics training programs in colleges, universities, trade schools, and commercial training programs.

The WinFE course shows how to build (several different methods) and use (in every way possible) the Windows Forensic Environment. The course is free, will always be free, as is the WinFE tool.

WinFE is a forensically sound, bootable operating system based on the Windows Preinstallation Environment. WinFE is useful for booting an evidence computer/laptop to acquire an image of the hard drive, preview/triage data, or conduct a forensic examination on the evidence machine, all without modifying any electronic data.

The entire course is available for FREE at http://courses.dfironlinetraining.com/windows-forensic-environment

Check it out – let me know what you think.


Via: securitymonkey

Microsoft to resume email-based security notifications

The next security notifications will go out Thursday ahead of monthly security patches.

Microsoft has backtracked on a plan to stop sending email-based notifications about security bulletins starting this month.

The company informed its customers Friday that beginning Tuesday it would no longer send security-related notifications via email because of “changing governmental policies concerning the issuance of automated electronic messaging.”

The decision would have affected notifications about upcoming security bulletins, security bulletin summaries, new security advisories, and revisions to security bulletins and advisories.

“In lieu of email notifications, you can subscribe to one or more of the RSS feeds described on the Security TechCenter website,” Microsoft said at the time.

Even though the company didn’t reveal what specific governmental policies led to its decision, there was speculation that the reason might be a new Canadian antispam law that goes into effect today and carries penalties as high as $1 million for individuals and $10 million for businesses.

Regardless of the cause, Microsoft seems to have sorted out the problem and has decided to restore the notification service.

The company reviewed its processes after announcing the change and will keep sending the email notices, it said Monday.


Via: csoonline

Workers will find a way to use their own technology, warns Samsung

The growing trend of employees blending their work and home life is opening the door to “hired hackers” who use their own technology despite restrictions put in place by their employer, says Samsung.

Research by the technology firm found that 26% of employees have used a personal device to get round technology barriers put in place by organisations, with the millennial generation leading this trend.

Graham Long, vice-president of the Enterprise Business Team at Samsung UK & Ireland, said: “With the rise of mobile devices in the workplace, it is not surprising that work and life tasks are starting to blend. There is increasing demand for people to be able to do more on one device – whether that is to work remotely or spend time online shopping during their commute. There is a clear challenge for businesses to embrace new ways of working, but ensure all devices are highly secure and efficient.”

The research also found that 29% of employees will use their personal devices in the office for work-related tasks without knowing whether this is part of their employer’s workplace policy.

Some 32% of employees believe using mobility to perform personal tasks in the workplace, and vice versa, makes them less stressed, but this raises a number of security concerns for organisations, especially if IT departments are unaware that it is happening.

Earlier this month, Samsung revealed that UK businesses are not taking mobile security seriously enough, with less than 10% of IT managers and chief technology officers polled deeming mobile security a priority.

Dr Dimitrios Tsivrikos, consumer and business psychologist at University College London, said: “Samsung’s study suggests that just as people solve problems and improve their personal lives by ‘life hacking’, many workers are using technology for the same ends. Millennials, who have grown up with mobile technology, are natural drivers of this trend, using their digital native intelligence to make IT work for them.

“If they haven’t already, European organisations need to design their work and security policies, and technology strategy, with this employee behaviour in mind.”

Earlier this month, Samsung announced that the next version of Google’s Android operating system will have integration with the Samsung Knox platform, which means the security platform will now be available on other Android-powered devices.


Via: computerweekly

Warning signs corporate computers could be talking to cloud-based malware

Experts weigh in on detecting malware talking to corporate computers from a cloud service provider.

The recent discovery of command-and-control software sending instructions to malware-infected computers from Dropbox raises the question of how such threats can be discovered.

Interviews with security consultants indicate that the new development in cloud-based malware can be detected by monitoring for particular anomalies in the network, since malware at some point acts differently than legitimate software.

Vendor Trend Micro reported Thursday finding Dropbox-hosted C&C instructions for malware in botnets and compromised systems.

The malicious activity was not the result of vulnerabilities in the file-sharing service. The cybercrooks simply opened up an account to start their criminal activity. The same operation could easily run on another cloud service provider.

The easiest solution to threats from such services is to block employees from using them from the corporate network. As an alternative, companies could then build a similar service internally or provide employees with access to a single, more secure service provider.

“There should be no reason that you would want to have critical data, or the possibility of critical data, being accidentally or intentionally shared or put on a server that you do not have any security control over,” Dave Chronister, co-founder and managing partner of Parameter Security, said.

Fair enough. But companies can provide employees with more choices, if the organizations watch for activity that would indicate malicious code on a service provider talking to malware in the corporate network, Jonathan Thompson, chief executive of Rook Security, said.

Indicators include:

  • The opening of previously unused TCP/IP ports, such as 22, 23, 80 and 8080, for data sharing. The Internet Relay Chat (IRC) system should also be watched.
  • A computer starts reaching out consistently to other computers on the network, one after the other. “This behavior is more indicative of a compromised user computer, where the malware or attacker is using that compromised system to continue attacking other systems in the network,” Thompson said.
  • A system known only to be active from 8 a.m. to 4 p.m. suddenly has activity outside of that timeframe.
  • A system that sends out 500 MB of data on an average day suddenly starts sending 5 GB of data after normal working hours.
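The four indicators above are the kind of baseline comparison a network monitoring tool or SIEM rule would make. The following is an added example written for this post, not code from the article or from any vendor named in it: it checks a day's outbound flow records for one host against a constructed baseline (known ports, normal activity window, typical daily egress) and reports each indicator that trips. The flow records, host names, baseline values and thresholds are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

MB = 1024 * 1024

@dataclass
class Flow:
    src: str        # internal host name
    dst: str        # destination address
    port: int       # destination port
    hour: int       # hour of day (0-23) the flow started
    bytes_out: int  # bytes sent by src

# Per-host baseline (constructed): ports seen before, normal activity
# window [start, end) and average daily outbound volume.
BASELINE = {
    "ws-17": {"ports": {443}, "hours": (8, 16), "daily_bytes": 500 * MB},
    "ws-04": {"ports": {443, 53}, "hours": (8, 18), "daily_bytes": 200 * MB},
}

def detect(flows, baseline=BASELINE, peer_threshold=5, volume_factor=10):
    # Returns (host, indicator, detail) tuples for each baseline deviation.
    by_host = defaultdict(list)
    for f in flows:
        by_host[f.src].append(f)
    alerts = []
    for host, hf in by_host.items():
        b = baseline.get(host)
        if b is None:
            continue  # no baseline yet; nothing to compare against
        new_ports = {f.port for f in hf} - b["ports"]   # indicator 1
        if new_ports:
            alerts.append((host, "new-port", sorted(new_ports)))
        start, end = b["hours"]                          # indicator 3
        off_hours = sum(1 for f in hf if not start <= f.hour < end)
        if off_hours:
            alerts.append((host, "off-hours", off_hours))
        peers = {f.dst for f in hf if f.dst.startswith("10.")}  # indicator 2
        if len(peers) >= peer_threshold:
            alerts.append((host, "lateral", len(peers)))
        total = sum(f.bytes_out for f in hf)             # indicator 4
        if total >= volume_factor * b["daily_bytes"]:
            alerts.append((host, "volume", total // MB))
    return alerts

# Constructed sample day: ws-04 behaves normally; ws-17 reaches six internal
# hosts on port 22 after hours and pushes roughly 5 GB out in total.
SAMPLE = [Flow("ws-04", "203.0.113.10", 443, 10, 3 * MB)] + [
    Flow("ws-17", f"10.0.0.{i}", 22, 21, 850 * MB) for i in range(1, 7)]
```

Running `detect(SAMPLE)` yields four alerts for ws-17 and none for ws-04; in practice the baseline would be learned from weeks of flow data rather than typed in.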

NSS Labs, which tests security products and sells its research on a subscription basis to corporations, recommends the use of a breach detection system.

“We found that most of the products offered very good malware callback detection, often higher than the detection of the actual malware file itself,” Thomas Skybakmoen, an NSS Labs research director, said.

However, there was one weakness with several of the products tested. “If the malware used proprietary protocols or SSL, it would increase the potential for evasion of these products,” Skybakmoen said.

The products tested included AhnLab MDS, Fidelis XPS Direct 1000, FireEye Web MPS 4310 and Email MPS 5300, Fortinet FortiSandbox 3000D, Cisco’s Sourcefire Advanced Malware Protection and Trend Micro Deep Discovery Inspector Model 1000.


Via: csoonline