Mark Monroe, from UMSL, started with a discussion of what social media is. He started with Tufts University using YouTube videos as a replacement for application essays – the dean of undergrad admissions didn’t realize how public and followed these applications would be. He talked about other social media missteps, then went into TOS’s of Facebook and Twitter. He then talked about FB’s ownership grab of user photos over 2009’s Valentines day.
He discussed the idea of cyber-bullying and policies – his school has no specific policies, but the activities are covered by code of conduct policies.
Much of the discussion was very educational institution oriented, so I’m skipping a lot…
The upshot of the discussion was that teachers are asking students to post homework assignments on Facebook and this is probably a bad idea. I’m in agreement, but not for the same reasons – Mark said that students uploading writing or photos to FB as part of an assignment are giving up their copyrights to that work. This is not exactly true – but they are putting that stuff up in a much more public place than their teacher’s desk, so there may be issues with privacy that are more pressing than IP issues, really. There were several questions from the crowd about impersonation accounts, but not a lot of advice – FB is notoriously bad about getting back to folks about issues, though they are getting better at getting rid of accounts that impersonate someone.
Tag: MORENet
The Connections conference started with a keynote from SANS about securing the human part of your network. Lance started by talking about his background in Info Security, honeypots and work with Sun Microsystems (starting originally with work in tanks in the military). “The simplest way to steal your password is to ask for it – the simplest way to infect your computer is to ask you to do it.” Technology has been very well secured – it’s MUCH easier to get the human users to do the work for the bad guys. The change began in August 2004 – when Service Pack 2 was released for XP with the firewall turned on by default. This started the drop in technology-based hacking and began the era of human hacking. The human OS – you have Windows, Linux and human OSes in your network. We’ve done nothing to secure that human OS (my note: this is why training is so very important – it’s updating and patching the human OS in your network).
90% of malware requires human interaction (Symantec)
100% of successful APT attacks compromised the human (Mandiant)
Humans have to click a link, install a program, insert a USB stick or interact in some way to make the malware work.
Humans are bad at judging risk – we overestimate visual risks (lions and tigers, as opposed to something we can’t see) and overestimate risks when we aren’t in control (flying as opposed to driving).
“If it’s on the news, it’s probably really safe, because it almost never happens – or else it wouldn’t be news”
Social engineering – we surf and feel like we are in control (and the hack is silent and not visual at all), we underestimate the risks of getting hacked because of those two factors. You check into your hotel room, get a call from front desk to clarify a problem with your card, you give them your card number, they’ve hacked you. (real problem at Disney World resorts)
Some worms now check keyboard settings before they send out their phishy emails so that they can send the virus email to your friends in the language you usually use (if your keyboard is set to Spanish, they send the Spanish version of the bad email to your contacts, to increase the likelihood that your friends will click the link in the email).
Many trojans disguise themselves as anti-virus programs so that you not only infect yourself, but you pay $100 or so for the privilege of doing so.
Twitter and Facebook make malicious social engineering attacks easy – Twitter bots search for keywords and respond to any tweet using that keyword with a “discount” link for that particular item.
Goals of Awareness training – compliance and changing behavior. Lance concentrates on changing behavior (more powerful than mindless compliance).
The Plan: who, what and how? Who do you target for training? (employees, admin staff especially, management, IT staff – who have privileged access to lots of resources – make sure they don’t post router configs (for example) on public listservs, or use the same password for servers that they use for their Facebook account). What do you train about? (You are the target, social engineering, email and IM, browsers, etc.) Teach people that it’s not all just about protecting the organization, it’s about protecting the employee. How to train? Use imagery, videos, newsletters – make it as fun as marketing is these days. He showed an example video that promotes security awareness (social engineering, specifically).
SANS has a video awareness library – info in handouts. Newsletters are like patches – they have to be done regularly or people forget.
Inoculation – used to measure end user awareness, used to get their attention and reinforce training. Launch a phishing email of your own (benign, of course) and see who clicked and how many were fooled. Keep doing it as your awareness campaign continues and see how the numbers go down. Start with basic email and work up to targeted emails to test users.
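The “see how the numbers go down” part of an inoculation campaign only works if you actually keep score. Here is an added example (my own, not from Lance’s talk or SANS) of the bookkeeping: it parses a constructed, hypothetical export of per-user outcomes from three simulated phishing rounds, computes click and report rates per campaign, lists the rates in date order so you can see the trend, and flags users who clicked in more than one round as candidates for the targeted follow-up training Lance described. The log format and the user names are made up for the example.

```python
"""Scoring an in-house phishing "inoculation" campaign.

Added example (not from the talk or the blog): the log format below is a
constructed, hypothetical export of the kind a phishing-simulation tool
might produce. Each line records one user's outcome in one campaign:
    <period YYYY-MM> <campaign name> <user> <outcome>
where outcome is "clicked", "reported" or "ignored".
"""
from collections import defaultdict

# Constructed sample data: three rounds, the last one a targeted email.
SAMPLE_LOG = """\
2010-03 basic-email alice reported
2010-03 basic-email bob clicked
2010-03 basic-email carol clicked
2010-03 basic-email dave ignored
2010-03 basic-email erin clicked
2010-06 basic-email alice reported
2010-06 basic-email bob clicked
2010-06 basic-email carol reported
2010-06 basic-email dave ignored
2010-06 basic-email erin ignored
2010-09 targeted-it alice reported
2010-09 targeted-it bob clicked
2010-09 targeted-it carol ignored
2010-09 targeted-it dave reported
2010-09 targeted-it erin ignored
"""

VALID_OUTCOMES = ("clicked", "reported", "ignored")


def parse_log(text):
    """Return a list of (period, campaign, user, outcome) tuples from the log text."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        period, campaign, user, outcome = line.split()
        if outcome not in VALID_OUTCOMES:
            raise ValueError(f"unknown outcome {outcome!r} on line: {line}")
        rows.append((period, campaign, user, outcome))
    return rows


def campaign_stats(rows):
    """Per (period, campaign): number of users targeted, click rate and report rate."""
    counts = defaultdict(lambda: {"targeted": 0, "clicked": 0, "reported": 0})
    for period, campaign, _user, outcome in rows:
        c = counts[(period, campaign)]
        c["targeted"] += 1
        if outcome in ("clicked", "reported"):
            c[outcome] += 1
    return {
        key: {
            "targeted": c["targeted"],
            "click_rate": c["clicked"] / c["targeted"],
            "report_rate": c["reported"] / c["targeted"],
        }
        for key, c in counts.items()
    }


def click_rate_trend(stats):
    """Click rates in chronological order (YYYY-MM periods sort correctly as strings)."""
    return [round(stats[key]["click_rate"], 2) for key in sorted(stats)]


def repeat_clickers(rows, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: candidates for targeted follow-up."""
    clicks = defaultdict(set)
    for period, campaign, user, outcome in rows:
        if outcome == "clicked":
            clicks[user].add((period, campaign))
    return sorted(user for user, c in clicks.items() if len(c) >= min_clicks)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    stats = campaign_stats(rows)
    for key in sorted(stats):
        print(key, stats[key])
    print("click-rate trend:", click_rate_trend(stats))   # [0.6, 0.2, 0.2]
    print("repeat clickers:", repeat_clickers(rows))      # ['bob']
```

The report rate is worth tracking alongside the click rate: a falling click rate with a rising report rate means people are not just ignoring the bait but telling you about it, which is the behavior change Lance is after rather than mere compliance.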
Presentation and newsletters that can be redistributed are available on Lance’s blog.
Webinar Day!
It’s not up yet, but the archived version of the webinar I did for MaintainIT today will be available via Webjunction soon. It was a lot of fun to do and I think it went pretty well. Brenda and Sarah (previously featured on this very blog as dinner companions for Vietnamese food in Anaheim, CA) made everything happen quite smoothly – I didn’t have to deal with any tech issues; they really kept on top of things!
My next webinar of the day (this one as an attendee) is on Social Networking and security. I really appreciated the fact that the presenter, Beth Young of MORENet, was not alarmist about the possibility of predators on the ‘net. She gave some hard statistical facts and showed that our teens are FAR more likely to be drinking this weekend than getting sexually solicited online (that doesn’t even mean that they respond, meet or have sex with anyone – just the solicitation). She then talked about lots of things that kids do that will get them into trouble on the ‘net (self-posted child porn – camera phone pics taken for a boy/girl friend who may not be as careful about who they share those pics with…). Then she discussed the Megan Meier case and the laws that have come to pass because of that case, including the law passed on June 30th of this year targeting stalking and harassment on the Internet.
Beth then switched gears and discussed creating a profile and protecting information online. She mentioned that one speaker at a recent Internet safety night asked that you consider taking anything that you want to post on a social site and imagine writing it on posterboard with your picture attached and putting it up at the mall. Great analogy! Then she discussed the idea of your public life (job) and social profiles. This covered the idea of jobs and hiring managers checking profiles. Something I haven’t heard much about was the idea of respecting the privacy of *others* – the folks in your pictures or videos as well as people you talk about. If your “facts” about someone prove to be incorrect, you can be liable for damages. Cops use these profiles, too…
She then talked about caching – google cache, wayback machine, etc. Even if you take stuff down, it isn’t necessarily gone! She finished with some good tips for students from BlogSafety.com. This was followed by some reporting tips and a dense slide FULL of great resources. This is why we archive these things, I imagine – I’ll have to come back to this one! Oh! She just made it available to download – and it’s now living on my computer! Sweet!
And with the end of those, I’m thinking it’s Margarita time – it’s been a long stressful day and I’m ready for some relaxing “me” time!