Converging on Microsoft
Mitchell Ashley

What Danger Lay Waiting In Shortened URLs?


URL shortening services & Twitter clients need to add security checks before users lose confidence http://www.networkworld.com/community/node/43319
By Mitchell Ashley on Tue, 07/07/09 - 9:55am.

When I first saw a shortened URL I was naturally suspicious. Working seven years for a security startup will do that to you. Though it hasn't become a major security threat yet, I think that suspicion is warranted. CNET News has a good article about this.

URL shorteners like TinyURL, Bit.ly, Tr.im and many others have come into their own, thanks to short message applications like Twitter and texting. Taking 22 characters for a URL leaves a lot more room for message content than long, unwieldy URLs that could easily be 2, 3, 4 or more times longer. It's certainly useful.

But shortened URLs can easily mask nefarious and malicious URLs from spammers or hackers. All that training we've given to users about not clicking links in emails from unknown senders, or at least first examining them carefully, seems to have gone by the wayside with shortened URLs. My experience is that Twitter users click shortened URLs from Twitter users they don't really know without a second thought. It hasn't happened yet (or maybe it's happening right now, who knows), but I fully expect we'll see some major incidents where hackers create Twitter accounts, use automatic following methods to gain lots of followers, spam them with nefarious links, then shut down and repeat the process all over again, staying one step ahead of any Twitter policy enforcers.

Link validation services are beginning to pop up. I'm testing a browser-based one now from Finjan. But I haven't seen a Twitter client or a plug-in that checks links in tweets. (If you know of one, I'd love to hear from you.) URL shortening services and Twitter clients would be very smart to put in this type of link checking before we experience a major incident that causes IT shops to block Twitter traffic and users to lose confidence in the security of clients and shortened URLs.
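The link check the post asks for, as an added example that is not from the original post or from any product it mentions: a client-side expander that follows a short URL's redirect chain without loading any page body, caps the hop count, detects redirect loops, and flags a final host that is on a blocklist, so the user sees the real destination before clicking. The redirect table stands in for HEAD requests and the blocklist is constructed; both are assumptions for the example.

```python
from urllib.parse import urlparse, urljoin

# Constructed redirect table: URL -> value of its Location header (None = no redirect).
# A real client would issue a HEAD request with redirects disabled and read Location.
REDIRECTS = {
    "http://bit.ly/abc": "http://tr.im/xyz",
    "http://tr.im/xyz": "http://www.example.net/newsletter",
    "http://tinyurl.com/loop1": "http://tinyurl.com/loop2",
    "http://tinyurl.com/loop2": "http://tinyurl.com/loop1",
    "http://bit.ly/bad": "http://malware.example.org/download.exe",
    "http://bit.ly/rel": "/landing",          # relative Location header
}
# Constructed blocklist of known-bad hosts (in practice: a reputation feed).
BLOCKLIST = {"malware.example.org"}
MAX_HOPS = 5


def expand(url, fetch_location=REDIRECTS.get, max_hops=MAX_HOPS):
    """Follow Location headers only; never fetch a body.
    Returns (final_url, chain, verdict) with verdict one of
    'ok', 'blocked', 'loop', 'too_many_hops'."""
    chain, seen, hops = [url], {url}, 0
    while True:
        nxt = fetch_location(url)
        if nxt is None:                     # no redirect: real destination reached
            break
        nxt = urljoin(url, nxt)             # resolve relative Location headers
        if nxt in seen:                     # shortener bounces back on itself
            return url, chain, "loop"
        hops += 1
        if hops > max_hops:                 # refuse to chase an endless chain
            return url, chain, "too_many_hops"
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    host = urlparse(url).hostname or ""
    verdict = "blocked" if host in BLOCKLIST else "ok"
    return url, chain, verdict


def preview(url):
    """One-line summary a client could show next to the tweet."""
    final, chain, verdict = expand(url)
    return f"{verdict}: {' -> '.join(chain)}"
```

Only the verdict and the expanded chain are shown to the user; the decision to visit stays with them, and 'loop' or 'too_many_hops' is treated as suspicious rather than silently followed.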

IT Security: Who Watches The Watchers?


By Mitchell Ashley on Mon, 03/16/09 - 4:05am. http://www.networkworld.com/community/node/39749

The situation with D.C.'s IT security is a huge mess. Yusuf Acar, acting chief security officer following Vivek Kundra's exit to take the Federal CIO position, is now in the hands of the FBI on bribery charges from an alleged under-the-table deal with security vendor AITC. Kundra has not been implicated but has taken a leave of absence, presumably until this shakes out and it's clear he wasn't involved. Let's hope Kundra wasn't involved, as that would be a terrible start for the nation's first top federal CIO.

Acar is not being accused of any type of security-related malfeasance (at least that I'm aware of), but given his level and breadth of access, everyone's a bit paranoid about the potential that he has some backdoor access or that there may have been others involved in this scam. And if he was in cahoots with one of his IT security vendors, AITC, who knows what other scams they may have collaborated on.

When someone in IT security shows very poor judgment, damages or violates their trust relationship, and in this case commits a crime (allegedly), everything comes into question. You have to look at everything, because you just don't know. What did they have access to? What level of access did they have? Who might have been participating in the scheme with them? And what did they leave behind, such as backdoors, time bombs, booby traps or already damaged systems? If they were willing to go this far, how much further might they have gone, or should we just assume the worst? Just how deep does it go? Oftentimes there's no way of really knowing for sure. As in the District of Columbia's case, you have to be overly cautious and err on the safe side, assuming that if it was possible, they may have done it. Probably the only way to be sure is to overhaul and re-implement your security implementation. Certainly a thorough, hands-on investigation is required.

IT security engineers, and oftentimes IT administrators, are given access to some of the most sensitive internal business and personal information. With that access, which is usually necessary to do some parts of their job, comes trust... trust that the individual will only access what's necessary to perform the job, and will maintain strict confidentiality of what they see and access. That trust is directly tied to the integrity of the individual. Violate that trust in any significant way and integrity is questioned as well.

The question arises: do we need more than just auditing of the security of our systems and networks? Who watches the watchers, to play on a theme from the graphic novel and recent movie hit, The Watchmen? Are we destined for the compartmentalized structures, like those used to protect sensitive, secret and top secret information in our military and national intelligence? Given the environment of greed and corruption we've all learned about on Wall Street and arrests like Acar's, you start to get paranoid, wondering what it really takes to protect our systems and data. Is the Acar situation the D.C. district's security equivalent of a Wall Street meltdown? Likely not, at least let's hope it isn't. But the process to investigate, re-plan and re-implement security for D.C. "just in case" will take time and could be very costly.

Facebook/Zuckerberg's Greed, Violating Trust, and the coming Privacy Crisis


By Mitchell Ashley on Wed, 02/18/09 - 11:23am. http://www.networkworld.com/community/node/38686

Greed. It seems to be the systemic problem of the times, whether it's bandits like Bernie Madoff and Allen Stanford (the latest massive financial fraud), or Internet companies like Mark Zuckerberg's Facebook, or any business for that matter. And it usually happens when things start going really well... executives get overconfident and forget about one of the most important relationships in business: trust. Trust isn't something you can make up by doing business in greater volumes. Just because business is going well doesn't mean customers, partners and employees don't have a choice and will just have to "deal with it". And just because a business has leverage over its constituents doesn't mean greedy decisions don't have consequences... they do. Whether we choose to recognize it or not, trust is a dimension present in every relationship, and when we choose to violate it at the expense of our relationships with our stakeholders, there are consequences.

Zuckerberg/Facebook failed on two counts. First, Facebook changed the user agreement, which previously stated Facebook didn't have rights to users' content, to grant itself broad, sweeping rights to users' content, even after they've left Facebook. Secondly, they "snuck" in the change to the agreement, resulting in Facebook being "outed", rather than being up front with users about the change. Of course Facebook can do whatever it wants with its user agreement. It's their service and their agreement. But that doesn't mean Facebook should, and this situation demonstrates exactly why.

The irony of this situation is that attention to the Facebook issue was greatly amplified through the social networking services themselves (Facebook, Twitter, blogging, etc.). I personally learned about the news from a very healthy discussion (and a lot of outrage) by the users I follow and talk with on Twitter. That amplified outrage resulted in Facebook announcing it would do an about-face (pun intended) and go back to its old policy.

I believe we risk a coming "privacy crisis" in social media and online services, just like the credit and financial problems we're dealing with today. We share massive amounts of personal information, which in many ways is the fuel, or value, for users of social networking sites. The community built by social networking services is certainly a big part of their value too, but underpinning all of this is a very strong element of trust. Violate that and it's extremely easy for users to turn away or stop sharing their personal information. Users share a lot more personal information than they should, largely because the damages from doing so haven't yet crossed the "it's not worth risking it" threshold. But you know it can and probably will happen. It may happen because of a very visible identity theft situation, or it could happen because a company violates users' trust, as Facebook did in this case.

When users lose their trust in a social networking site like Facebook, or any other for that matter, those businesses could face some serious consequences, given their business is built upon the private and personal information shared by users. The result will be diminished business, loss of users, or possibly a shutdown altogether. A real tragedy would be a company doing it to itself, as Facebook has the potential of doing in this situation. I'm not saying or predicting this is the demise of Facebook, far from it. This is only one incident in Facebook's relationship with users and could (should) serve as a warning sign for all social networking and media sites about the importance of trust with users. Let's hope we all learn some good lessons from Facebook's situation and work to make social media a phenomenon that's with us for a long time to come.
