Facebook security practices questioned in wake of Anonymous threat
August 11, 2011 by admin
Even as the shadowy hacker group Anonymous threatens to take on the mighty social-networking site Facebook, claiming the group
will ‘kill’ Facebook on Nov. 5, some researchers are criticizing Facebook security, saying it could be better.
“We started testing the site and reporting vulnerabilities to them,” says Mandeep Khera, chief marketing officer at security
firm Cenzic about Facebook, which in late July started a bug bounty program encouraging researchers to confidentially report
any security issues directly to Facebook. But Khera says Facebook brushed off the issues Cenzic raised in the last few days about some weaknesses the security firm
believes it has identified in Facebook log-in and passwords, among other things.
However, Khera says Facebook yesterday apparently corrected one issue regarding ineffective session termination in the Internet
Explorer browser: when a user logged out using IE and backspaced a few pages, a refresh of the Facebook page
automatically logged the user in again. “They said they can’t reproduce the vulnerability but it looks like they fixed it,” Khera
says.
Cenzic is criticizing the password system that Facebook uses, which Khera says is six characters and “takes 30 seconds to
crack.” He also faults Facebook for not having SSL on for the initial user registration. “This can be sniffed by anyone,”
he says. He also complained about Facebook’s auto-password-complete function, saying, “As a good practice, it shouldn’t complete
the password automatically.” He faulted Facebook’s “bad login message” because, he says, it tells too much in saying, for example,
that you didn’t enter the right email.
But after Cenzic reported these findings to Facebook, “they came back and said, the password and SSL stuff, these are ‘best
practices,’ not ‘vulnerabilities,’” Khera says. “So our response was, shouldn’t you be following best practices since everyone
is hacking you?”
The hacker group Anonymous today allegedly threatened to ‘destroy’ Facebook on Nov. 5, accusing the social-networking site
of spying on users, cooperating with authoritarian governments and abusing people’s privacy. However, because the alleged
Anonymous notification did not originate from better-known sources of Anonymous communiqués to the public, some are questioning
whether this is an authentic Anonymous threat at all. Anonymous, however, has proven diligent in carrying out threats it has made in the past.
Cenzic is offering developers for social-networking sites a free “healthcheck” vulnerability assessment using Cenzic’s cloud-based
offering, ClickToSecure Cloud.
Social networks weave uneasy web for workers
August 11, 2011 by admin
The age of rapid digital change. Photo: Michel O’Sullivan
The phenomenon of social networking through sites such as Facebook, Myspace and the more professional sites such as LinkedIn has become a major aspect of e-communication inside and outside the workplace.
The consequences of these new social media tools are being experienced in a wide range of workplace issues. From a productivity perspective, the excessive use of these social media tools can have a negative effect as employees become diverted from normal day-to-day activities due to the immediacy of communication on these sites.
In addition, organisational reputation can be damaged when employees make inappropriate comments about their employer. Issues of privacy and security have also been raised.
Training and development aspects of the new media are also being explored as the complexity and geographical diversity of many organisations increases. Social networking sites can be used as a catalyst to connect new employees to build a network to learn from each other and develop mentoring. From these approaches to social networking, organisations can develop highly integrated knowledge networks.
However, the risks are also becoming clearer as the boundaries blur between the workplace and employees’ private life. To deal with these emerging issues, organisations’ electronic communication policies and practices need to encompass these developments. However, studies identify a lack of urgency in organisations’ decisions to develop social media and e-communication policies.
A survey in Britain by the Society of Corporate Compliance and Ethics (SCCE) and the health care compliance associations of more than 800 compliance and ethics professionals in the private sector found more than 50 per cent did not actively monitor their employees’ use of social networking. More significant was that the survey found only 10 per cent had policies specifically addressing social networks.
A key issue arising from the rise of social media is how organisations deal with these issues when they occur on external sites. Employees’ off-duty and private social networking about their personal and professional life are increasingly areas for conflict.
This is also an issue from a recruitment perspective, where a survey of more than 260 recruitment managers in Britain found that 45 per cent of these managers used social networking sites to make background checks on potential employees, with a further 11 per cent planning to. This is more than a fourfold increase in three years.
This escalating use of online information highlights the increasing blur between professional and private lives and information that these online sites hold.
In Australia there have been cases where a prison officer has faced disciplinary action after making comments on Facebook about his employer, a corporate bank apparently sacked an employee for using the word recession in a Facebook profile and a teacher was disciplined over comments she made about being bullied.
These cases all illustrate the issues of managing the social networking relationship between private and professional life. What is clear is that organisational policies and guidelines need to state what is accepted use of these media and what safeguards need to be developed – for example, where social networking includes the organisation’s name it needs approval and employers should stipulate that employees include disclaimers with their online postings.
HR managers too must comprehend the challenges and opportunities that new media pose.
There is a wide range of potential benefits and drawbacks that can result from the use of these sites, and a strategic and competent consideration of these is paramount.
The central theme that stands out in relation to information and communication technologies is the importance of making employees aware of the implications of Web 2.0 technology and the development of “open web services” platforms that facilitate online communities.
This new information age is characterised by complexity and rapid change. Developments in technology and communications will continue to have an impact on organisations and employment relationships. HR managers will be at the forefront of managing and understanding the implications of these technologies in relation to human resource management and the employment relationship.
Peter Holland is from the department of management in the faculty of business and economics at Monash University.