Melisa LaBancz-Bleasdale

Social Media Madness - Does Everyone Need It?

Melisa LaBancz-Bleasdale — Tue, 31 May 2011 03:43:36 +0000

In our constant quest for “faster, better, newer,” we have invented, embraced, and quickly discarded social media mechanisms at a blistering rate. In a few short years we went from simplistic Friendster, to the “all me all the time” model of MySpace, to the Twitter temple of the content averse. Our personal selves (Facebook), are now entwined with our professional selves (LinkedIn), and wherever we are (FourSquare), and whatever we do (Twitter), is out there instantly via instant SMS updates.

Business saw the “social” in “social media” as an untapped avenue for advertising, selling and recruiting, and used it accordingly. A number of companies rewarded people for recommending product or services to their circle of friends, by offering account credits or some form of discount. The viral nature of “recommendations” was a perfect opportunity to convert site visits to sales. The most successful vendors seem to actually embody the “social” nature of the medium – Groupon, Living Social, Plum District – by encouraging groups to get together and do things at reduced rates. Other successful vendors have utilized behavioral based tracking to tailor their offerings to a specific demographic – teens, career-oriented individuals, or singles. Yet for all the social media success stories there are an even larger amount of failures.

“It’s amazing the way the market has put an emphasis on just one communication vehicle as if it was the big solution to everything,” says Susan Maxwell Stevens, Conversation Strategist. “It’s still about the mix of messages and communication vehicles, regardless of who or what you are promoting,”

As with many things in this world, just because something exists doesn’t mean that we need to use, buy or own it. There are many cases in which businesses just don’t have a compelling reason to have a Facebook presence or a Twitter account. In fact, there are many businesses that probably shouldn’t use certain social media outlets in a bid to win new customers – gastroenterology practitioners and crematoriums come to mind. Yet because social media mechanisms exist, and seemingly everyone is using some form of it, no one wants to be left behind.

“If these things were not free, people would do a cost benefit analysis,” says Brian Kennedy, Capital Markets Communications Consultant in NYC. “I have wondered if an even shorter version of Twitter - say only 40 characters - became popular, would people rush to populate that site as well?”

Jon Stephenson, Senior Account Executive and External Communications Consultant in Washington D.C., feels that it begins by monitoring the existing conversations and going where the best benefit can be had, “Just telling someone that they shouldn’t have a presence at all on Facebook is going to be a hard sell; telling them what they should expect from their presence on Facebook is a whole different issue. Managing client expectations with social media is always a critical facet of the engagement.”

Just Because You Build It Doesn’t Mean They’ll Come

Every business looking to capitalize on social media madness should examine what they have to offer and what they stand to gain before funneling their marketing dollars into social media programs. They should then carefully consider which channel is best for what they are “selling” and whom they are trying to reach. Companies should also consider the amount of time and energy they have to maintain their social media outreach. A large part of the business-to-public exchange is in the volume, frequency and relevancy of the messages. Twitter is likely a bad place to set up shop if you aren’t prepared to engage daily.

“In reality, who is going to tweet frequently about document management? Such tweets would have to be “planted” tweets — advertising that mimics real informational content. I suppose a company could mandate each employee tweet once about how wonderful the company is. I suppose in the SEO world that works; although the company would have no real control over the quality of the tweets,” muses Christine Rook, an IT Recruiter in Dallas.

Mark Palony, Digital Strategist at Russell Herder, believes that social media is extremely relevant for B2B companies and has used it successfully for several years to achieve both marketing and PR goals for clients, but cautions against a one-size-fits-all mentality, “As it is for all communications channels, it is important to choose the correct vehicle for distributing your message. Vehicles like blogs, podcasts and Twitter have helped numerous B2B companies increase awareness and market share.”

Maxwell Stevens tells the story of a retailer she was working with struggling to start and maintain a Twitter account. Several of the retailer’s customers had been telling him that he should be tweeting some of his pithy thoughts relating to his market. Maxwell Stevens told him that he should only invest the time if it made sense with his larger marketing plan, and the retailer was relieved to hear someone knowledgeable say that he might not have to add something more to his to do list. When she explained to the retailer that he could link his existing Facebook page (something he was already using successfully), with the Twitter account so it would auto-update, he was thrilled. Sometimes it’s not about taking every available avenue individually, but finding their intersections and going the route that garners the best, and least time consuming, results.

Many communications experts believe that part of the problem organizations have in successfully utilizing social media is that they believe it is a separate entity instead of seeing it for the tool that it is – another means of expanding their existing communications and marketing efforts.

“I get the impression that part of the problem comes from looking at social media in isolation, as evidenced by references to ‘social media campaigns’,” explains Daniel McGrath, Communications Manager, CIS & South East Europe at DHL Express Russia, “A big part of PR, for me (a relative newbie in the field) is about creating a narrative around what your company does, which is appealing for a particular target audience and supports the positioning of your brand or products, then using a mosaic of different media to get the narrative/s out to that audience.”

Few argue that a business should avoid social media altogether, but it is entirely possible to build successful PR campaigns without it. McGrath feels that social media is just one possible channel – albeit one with great potential - and whether you’re a B2B organization or not, the degree to which you use it should depend on your audience and what you’re trying to achieve.

Finding the right practitioner to assist an organization in conceiving, executing on and managing their social media goals can be critical to the company’s ultimate success in that area. Many public relations and communications firms now offer “social media experts” and programs as part of their service menu. Ensuring that both the practitioner and the client have the same understanding of “social media outreach” and putting success metrics in place, will help to ensure that good money isn’t thrown after bad to maintain something that doesn’t meet business needs.

Adds Mustafa Stephan Dill, Principal of Ummah Relations, “I’m a firm believer in “just because you can, doesn’t mean you always should.” When prospective clients want a Facebook or Twitter account, I always ask them, “why?” If they can’t articulate it - and they usually can’t beyond ‘well everyone else is doing it’ - then we’ll drill down to identify a specific goal. Social media for me is about user behavior as they seek solutions; if you can offer a content-based solution, then great. If not, wait until you can and in the meantime, keep analyzing customers’ behavior until a solution presents itself.”

Lori Donovan, a contributing member of LinkedIn’s 36,000+ member group, “Communications and Public Relations Professionals,” sums it up by saying, “I think it’s all part of knowing your audience. If you audience isn’t on Facebook , you don’t need to be there.”

Symantec to Acquire Clearwell Systems

Melisa LaBancz-Bleasdale — Tue, 24 May 2011 06:05:18 +0000

Symantec Corp. announced it has signed a definitive agreement to acquire privately-held Clearwell Systems, Inc., a recognized leader in the eDiscovery market. The acquisition of Clearwell enhances Symantec’s position as a leader in security. The move, Symantec says, will provide customers one of the most comprehensive information management solutions available. Under the terms of the agreement, Symantec will acquire Clearwell for a purchase price of approximately $390 million, net of Clearwell’s existing cash balance of approximately $20 million.

“As information continues to grow at unprecedented rates, the biggest challenge for customers is to protect, manage and backup this information as well as have the ability to categorize and discover it efficiently,” said Deepak Mohan, senior vice president, Information Management Group, Symantec. “The acquisition of Clearwell’s market leading electronic discovery solution will further increase Symantec’s ability to get the right information, to the right people, at the right time, while reducing overall legal review costs and limiting risk.”

Clearwell’s eDiscovery solution will complement and enhance Symantec’s Enterprise Vault eDiscovery capabilities and the companies hope the move creates a more complete end-to-end eDiscovery solution. The existing integration of Enterprise Vault with the Clearwell eDiscovery Platform is thought to enable Symantec to quickly help IT and legal users streamline and reduce the cost, time and risk of eDiscovery across the most relevant information sources including email, desktops, file servers, backups and the cloud.

This acquisition will expand Symantec’s addressable market opportunity and the company believes it will position them as a leader in the fast-growing eDiscovery software market, which, according to Gartner, is growing at a compounded annual growth rate of 14 percent and is estimated to reach $1.7 billion by 2014. In addition, this acquisition is expected to provide future cross-sell and product integration synergies across Symantec backup and security, by leveraging Symantec NetBackup, Data Loss Prevention and Data Insight.

“Archiving and eDiscovery are two critical elements of information governance,” said Aaref Hilaly, president and chief executive officer, Clearwell Systems. “By joining forces and combining the industry’s leading archiving solution with the industry’s leading eDiscovery solution, we will be uniquely positioned to deliver a seamless, integrated information governance workflow, benefitting both Symantec and Clearwell customers.”

Organizations are being required to adopt more formal information governance processes to help reduce the costs and risks associated with legal discovery. According to Gartner, through 2012, companies without an information governance strategy and technology for content archiving solutions, will spend a third more on eDiscovery than those with content archiving solutions. Together Symantec and Clearwell are positioned to offer customers the ability to both proactively and reactively manage and discover their information with increased speed, efficiency and scale, both on-premise and in the cloud, while at the same time helping customers reduce costs and risks.

The Bad Behavior of Behavioral Based Advertising

Melisa LaBancz-Bleasdale — Tue, 26 Apr 2011 05:23:48 +0000

Behavioral based advertising—BBA—has been around since at least 2008 (in tech years that essentially makes it a legacy technology). In early 2009 Google announced that they would be employing BBA and Facebook quickly followed. Interestingly, both companies touted its benefits saying that they were aiming to make the overall user experience more personal, useful and meaningful. Privacy advocates were of course alarmed, people lobbied for opt-out features, but no investigations were launched and any real furor seemed to die out quickly.

BBA may be considered a marketer’s dream, but for many it is tracking tomfoolery that borders on digital stalking. I am confused as to why people are so alarmed about the iPhone tracking your location when every time you are on the web, your usage patterns are being tracked using cookies that are automatically downloaded onto your machine. The data is logged, sent to any company that pays for that information (and there are hundreds), they store your data, and then that data is sold to advertisers and you are specifically targeted. To me, that’s a lot more unnerving than the small possibility that someone is going to take James Bond maneuvers to pinpoint where I am at night.

In his 2009 article, “Does Society Benefit from Behavior-Based Advertising?” Ben Parr proclaimed that efficiency cannot come at the cost of privacy. He called for safeguards for protecting privacy and stopping abuse, citing that the absence of safeguards would lead to distrust that may have a lasting effect.

Opt-Out Feature Wherefor Art Thou?

In their Q1 report, Trends in Behavioral and Contextual-Based Advertising 1Q 2011, Research and Markets analyst Heather Way said that paramount to the success of the advanced advertising strategies is self-regulation, which she said includes providing full transparency and opt-in/opt-out solutions and continuing to test consumer threshold for audience-based advertising techniques. To that end, in 2009 the Direct Marketing Association (DMA), the Internet Advertising Bureau (IAB), American Association of Advertising Agencies (4A’s), the Association of National Advertisers (ANA) and the Council of Better Business Bureaus (BBB), got together to enact what they considered to be best practices for BBA. At the time, they predicted that the practices would be in full execution across the industry by 2010. The collaboration was a move by the industry to attempt self regulation in the face of pending legislation.

The associations were joined by representatives from the entire advertising ecosystem, including advertisers, ad agencies, ISPs, Web publishers, search engines, ad networks and software providers. AOL, Disney, Facebook, Google and Verizon were among the participants.

Pamela Jones Harbour, the FTC commissioner at the time responded positively saying, “Consumers deserve transparency regarding the collection and use of their data for behavioral advertising purposes. I am gratified that a group of influential associations—representing a significant component of the Internet community—have responded to so many of the privacy concerns raised by my colleagues and myself.”

The principles comprised seven best practices. The first three, the Education Principle, the Transparency Principle and the Consumer Control Principle, called for more transparency about when behavioral advertising is at work and an educational fact page that explained how behavioral targeting works. It also focused on giving consumers the control to opt-out of targeting.

Linda Woolley EVP, government affairs at the DMA said, “The issue of transparency and consumer control and choice is very important. When a third party ad appears on a Web site, there should be an icon or word somewhere near that ad, that a consumer can click on and then in one click, they can exercise choice.” At that 2009 meeting, the exact icon or word was still being determined. The idea was that once it was chosen, the industry would educate the public about it. Fast forward to 2011.

I have personally never seen an easily identifiable opt-out button and/or phrase attached to an ad in my life. I hold all marketers and BBA aficionados responsible for my ensuing stress every time I try to find out how to “protect my rights.” For instance, last week I visited an online technology publication and they required me to register to see their news aggregation. I know that this really means that as I am registering they are simultaneously adding me to an annoying email list that will spam me even after I die. I knew I needed to opt-out of whatever it was they are trying to collect from me. I began to look at all the fine print to find the opt-out button/language. It was not visible. I actually typed into their search bar, “Opt-out” and was then led to a list of articles about opt-out features, and unhelpful data. I found the company legal disclaimers and that is where I found a link on how to opt-out. I clicked the link and my friends let me assure you that I am not exaggerating when I say that it threw up a page listing more than 71 different data collection organizations. I had to manually click on all 71 to individually opt out. I was horrified. I now clear my cache and browsing history every single evening before going to bed. Whatever ideals and dreams the FTC had back in 2009 of an advertiser-user utopian union, it clearly didn’t happen like that.

In addition to the sheer terror that this nonsensical exercise caused me, I am also severely traumatized by an act of BBA a week later. I went online and searched for a living room lamp. I ended up searching many sites including Lamps Plus. I bought my lamp elsewhere. The next day I logged onto a security site to read about hacking and lo and behold a Lamps Plus advertisement popped up. Coincidence? Maybe. Hours later I was merrily reading a business intelligence blog and Shazaam! Lamps Plus has chandeliers on sale! I logged off for the night. Needless to say I am fearful of lamps collecting under my bed. BBA gone wrong? I think so.

Make It Stop

Irrespective of opt-out features, any company that subscribes to third-party data gathering is going to advertise to you based on what the magic cookies have collected and what they deem your interests are. So if you opt-out of 1, there will be 10 more and then 10 more after that. It’s giving me anxiety as I type this. How do we make it stop? Where is my blanket opt-out and do-no-track list? What is the “Yes We Can!” war cry for over-stalked consumers? I for one am not a consumer that buys anything habitually. I do not need a weekly supply of lamps. I don’t want anonymous organizations knowing what color underpants I prefer. In fact, I believe I am part of a growing number of people that are so irritated by BBA and its frequency that we are purposely avoiding stores and or businesses that employ this feature. I understand that there are many people that disagree. There are many that simply tune it out and many that welcome the convenience. All I want is the assurance that I can continue on my web-tastic ways with the only worry being whether or not I have a good wireless signal.

The Intrigue! The Drama! The Cloud!

Melisa LaBancz-Bleasdale — Sat, 16 Apr 2011 20:20:24 +0000

The headline intrigued and annoyed me, “Court upholds ban on former Microsoft worker taking job with competitor.” I didn’t see coverage of this down here in California or in any other tech pub/blog, but of course, in Washington, anything Microsoft does is news and yet, Joanna Nolasco’s piece for the Seattle Times seemed sort of omnious to me.

Former Microsoft general manager, Matthew Miszewski has been blocked by a King County Superior Court judge from taking a job with Salesforce.com comparable to what he did for Microsoft.

Nolasco reports that the issue arose in January when Salesforce announced that Miszewski would be taking an SVP position in which he would lead the company’s cloud-computing initiatives in the global public sector.

Reading through it, I had an epiphany. Employee non-compete agreements notwithstanding, isn’t Microsoft saying that they disallow anyone that leaves the opportunity to seek gainful employment doing what they do best? Think about it, when you’re hired to do a job, you are usually hired because of the expertise and background you bring to the table. Of course I don’t know any of the back story surrounding Miszewski’s move, so possibly there are other factors at play that would lead a behemoth such as Microsoft to actually sue his new employer to prevent him from getting a paycheck.

Possibly he is so intelligent and powerful that Microsoft fears that Salesforce would be able to dominate the Cloud with him on their team? That’s fascinating! It’s also a strangely amazing compliment to know that you possess so much secretive knowledge that you are prevented from working. On the flip side, it’s just gross. I could understand if he was prevented from sharing internal documents, sensitive slide decks and emails with Salesforce, but using a skillset he honed at Microsoft to move onward doesn’t seem that dangerous (to me).

Why would an organization as diverse and global as Microsoft allow one individual to have so much (apparent) power that his departure and subsequent hire with a competitor would freak them out so much? Food for thought. It also makes me question the hiring docs Miszewski signed when he joined Microsoft’s team. I have signed some very hefty non-compete and intellectual property documents for employers in my day and I throughly understand them when I do. However, I have also challenged some of these same agreements when they appear to limit my ability to use my experience and knowledge to find work in my same field. By definition, isn’t any organization doing something similar to what your current employer does a competitor? Doesn’t that mean that you are actually signing a paper that says you cannot find work in your own field/industry in line with what you are known to do? Why would you sign something that kind of amounts to an indentured servant contract?

I don’t work for Salesforce or Microsoft and therefore these are only my opinions and musings but I find the whole thing really disturbing in a down market where so many people are hurting for work.

At Microsoft, Miszewski was an industry market-development manager in the company’s Worldwide Public Sector group, which is responsible for the marketing and sales of Microsoft customer-relationship management (CRM) software and cloud computing in that sector. He left Microsoft on Dec. 31 and joined Salesforce around Jan. 18, according to court documents.

Okay, so the timing is clearly suspect. I get that. Microsoft subsequently filed a lawsuit against Miszewski for taking the Salesforce job, contending he had breached his employment agreement. That agreement states personnel cannot take jobs in competition with Microsoft within a year after employment, according to court documents.

But here again the definiton of “competitor” needs to be reviewed. It seems to me that Salesforce is only a competitor to Microsoft in a very niche segment that they (MS) have failed to dominate. I have a suspicion though that Microsoft considers anyone doing business in the Cloud a competitor, so again, it’s a Catch-22.

Microsoft went so far as to seek an injunction to keep Miszewski from working at Salesforce, which King County Superior Court Judge Kimberley Prochnau ordered Friday. The preliminary injunction prohibits Miszewski from taking a marketing position with Salesforce that deals with either the private or public sector in the U.S. or globally until Dec. 31.

So how much market share and dominance does Microsoft actually think it is going to be able to capture between now and the end of the year? How did they document their apparent vulnerable position? I am dying to know!

“We are pleased,” David Howard, Microsoft corporate vice president and deputy general counsel, said in a statement Friday. “… This is about safeguarding sensitive and confidential business information and upholding employment agreements designed to protect that information. Today the court entered an order that again affirms the importance of both.”

I can read the above statement many times over and it will make me chuckle every time. It’s not really about safeguarding confidential information. Miszewski will still have that information several months from now, not to mention next year. When you know something, you can never unknow it.

Nolasco pointed out that San Francisco-based Salesforce competes with Microsoft in cloud-based computing and CRM offerings. The two companies are active in the domestic U.S. market, and Salesforce “obviously intends to compete aggressively with Microsoft in the global sector as well,” the court found.

Duh. As they should. It just gets more stupid and sordid by the sentence.

Before the hearing Friday, Salesforce proposed a new position for Miszewski that was intended to avoid conflicts with what had been his purview at Microsoft. The job would have been limited to the private-sector customers in Washington, Oregon and Canada. The court’s preliminary injunction blocked it, too, until Dec. 31.

So here is what did my head in, not only was Miszewski not allowed to work for Salesforce in a perceived competitive role, he was disallowed from working there at all for the current time being and that is a decision I think should be challenged. To me, this doesn’t paint Salesforce as an employee-stealing bad guy but it paints Microsoft as an oppressive and paranoid entity that is basically saying that this one person has the capacity to greatly affect their CRM and Cloud efforts. Wow.

There are many readers out there who would disagree with my opinions, and that’s okay. I am not a lawyer or a Human Resources expert. As I stated, I don’t know the back story but in every story there is a lesson, or a warning. What I took from this was that if people are not already carefully reading and considering restrictive employment agreements, they should. Everything in tech is about first-to-market and competition. How can any one company prevent someone from joining another company doing something they are trained to do? I know the legal jargon exists, and laws were passed and people are signing these documents but I am confused as to why. There needs to be a giant overhaul in which we all admit that everyone is a competitor in some sense.

Behold the Cloud Foundry!

Melisa LaBancz-Bleasdale — Wed, 13 Apr 2011 23:57:35 +0000

As I always say, I am absolutely fascinated with the Cloud—or more precisely, the faith that has been put into something that doesn’t actually exist. I love that! The whole thing makes me feel like I did when a Gartner analyst tried to explain Quantum Cryptography to me. I was starry-eyed!

We could have a year’s worth of conversations about whether or not the Cloud is a separate magical entity that enables businesses to vanquish their enemies OR whether it’s a vast collection of off-site services, people, platforms, and apps. But that wouldn’t be fun and who knows what it will bring you for Christmas?!

Anyway I digress.

To shake things up a bit, VMware has introduced the industry’s first open platform-as-a-service (PaaS) to foster the development of software applications for Cloud-computing environments. Called Cloud Foundry, the platform’s goal is to shorten the time it takes for software developers to take their applications from concept to code and to the Cloud. I want to pause here and reflect on that sentence for a second because I cannot be the only one that worries about how a quicker time-to-Cloud introduces possible messy and unproven code. What’s in place for Cloud quality control? Who is beta-testing the Cloud? I’m sure VMware has already thought of this but I do need to follow up. I can scarcely stand thinking about my Cloud being vulnerable to human error.

On the Cloud Foundry web site, it is described as an open platform as a service project that can support multiple frameworks, multiple Cloud providers, and multiple application services all on a Cloud scale platform. (If something is “Cloud-scale” isn’t it really infinite?). Its primary objectives, as stated on the site, are to foster:

Developer Productivity—Build applications with your choice of high productivity frameworks and application services.
Open System—Choose your framework, choose your Cloud, choose your application services.
Faster Delivery—Shorten the time it takes to take your application from concept, to code, to the cloud using an open platform as a service.

Based on technology originally developed by SpringSource, acquired by VMware in 2009, Cloud Foundry was launched gives software developers a broad choice of frameworks, app infrastructure services, and deployment options. Moreover, the platform isn’t tied to any Cloud environment, nor does it require a VMware infrastructure.

Instead, VMware says that Cloud Foundry is being delivered as a service from enterprise data centers and public Cloud providers.

“VMware is finally ready to put the platform out in the hands of developers to play with and will release the entire stack in open source for anyone to leverage,” said Al Hilwa, director of applications development software at IDC.

Support for Multiple Application Services

“In the initial release, Spring for Java, Rails and Sinatra for Ruby, and Node.js are supported,” wrote VMware Chief Technology Officer Steve Herrod in a recent blog entry. “The system also supports other Java-virtual-machine-based frameworks such as Grails.”

Herrod explains that Cloud Foundry was designed to support a wide variety of application services because there simply is no single solution that meets all application requirements.

Cloud Foundry currently supports MySQL, MongoDB and Redis but Herrod says that they are working on adding support for other application services.

Herrod also says that Cloud Foundry is capable of running on top of VMware’s current vSphere and vCloud infrastructure, as well as other infrastructure clouds. He points to VMware partner RightScale, who recently demonstrated that Cloud Foundry can be deployed on top of Amazon Web Services.

The "State of Application Security Survey" - 88 Percent Spend More on Coffee Than Security

Melisa LaBancz-Bleasdale — Sun, 10 Apr 2011 21:46:17 +0000

Back in February, Barracuda Networks Inc., Cenzic Inc. and the Ponemon Institute released the“State of Application Security Survey,” which found that 73 percent of organizations had been hacked at least once in the last 24 months through insecure web applications. The news that web apps are insecure isn’t really shocking, but the percentage of organizations that fell prey to attacks is certainly eyebrow raising. I chose to address this report now, because it appears that companies just haven’t gotten around to determining the best way to handle the influx of insecure web apps exposing their organizations to increasingly sophisticated and damaging attacks.

In one of those, “It’s so awful it’s funny” findings, the survey notes that even though website attacks are the biggest concern for companies, 88 percent of them spend more on coffee than securing their web apps. Don’t get me wrong, I love me some coffee, but I also love me some secure banking and private medical files. I think it would be illuminating for an IT manager to use this data point in a meeting, “Last June we spent 50K on our Colombian roast and 2K our web security products. We’ve been hacked 187 times but our coffee is really, really good.”

The results of the survey reveal respondents’ perceptions and experiences protecting web applications. It underscores the lack of adequate protection currently in use and overall insufficient resources and knowledge around Web application security in general.

Strangely, (or not?), the report found that 69 percent of organizations rely on network layer firewalls to protect their websites, leaving web applications wide open for attack. Haven’t we all learned that firewalls are like long underwear? They offer some protection but won’t cut it on Mt. Everest. I was mystified to find that organizations still feel this is an adequate defense mechanism.

What wasn’t surprising to me was the finding that 72 percent of organizations test less than 10 percent of their web applications for security holes, some knowing they have been hacked in the past. I don’t actually know of any organization that runs the recommended regular security checks. This frustrates the analysts and security experts but time, resources, and competing priorities usually get in the way of such things as routine maintenance and ensuring the safety of the corporate network. I do think it should be required for all financial institutions, government agencies, medical organizations and any other company that deals with sensitive amounts of customer data—which is pretty much everyone right?

According to 74 percent of respondents, web application security is either more critical or equally critical to other security issues faced by their organizations. Despite this, the study shows there are many misconceptions around the methods used to secure Web applications, primarily web application firewalls and vulnerability assessment.

“While it is encouraging to see that web application security is on the minds of most organizations, there still seems to be a real disconnect between the desire and implementation of security countermeasures required for Web application security,” said Dr. Paul Judge, chief research officer and VP for Barracuda Networks. “The fact that 69 percent of respondents are relying upon network firewalls to secure web applications is like relying upon a cardboard shield for protection in a sword fight—eventually your shield will prove that it’s insufficient and an attack will reach you that can fly past a network firewall.” I agree. It’s probably never a good idea to use a cardboard shield whilst wearing your long underwear to a sword fight.

Mandeep Khera, CMO for Cenzic says it’s a huge red flag that a quarter of respondents could not provide a range for how many web applications they have. He expressed shock that 20 percent of organizations do not test at all and 40 percent test only 5 percent of their web applications, but as I mentioned above, it’s just never really been part of the day-to-day risk mitigation plan (and it should be). It is shocking though that most of these companies have been hacked multiple times through insecure web applications. “If you know that burglars come through a broken door repeatedly wouldn’t you want to fix that door?” asks Khera.

Other key findings in the study include:

Data protection (62 percent) and compliance (51 percent) were the top reasons for securing web apps. Job protection was also a significant reason cited by 15 percent of respondents.

Despite 51 percent listing compliance as a key driver for web application security, 43 percent are not familiar with or have no knowledge of OWASP, a key component to compliance standards like PCI.

With 41 percent reporting they have over 100 web applications or more, the majority (66 percent) test less than 25 percent of these applications for vulnerabilities.

More than half (53 percent) expect their web hosting provider to secure their web applications.

Of those respondents who own a web application firewall, nearly 2 times agreed that a reverse proxy is a better and more secure technology than a transparent bridge technology.

“While IT practitioners recognize the criticality of secure web applications, their organizations do not provide adequate resources and expertise to manage the risk,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Over half of the respondents we polled believe they do not have resources to detect and remediate insecure web applications, and 64 percent said they believe that their organization have inadequate governance and usage policies.”

The results of the survey from the Ponemon Institute are based on responses from 637 practitioners in a variety of industries with an average of 11 years of experience in their profession.

Veracode Vets Mobile App Security

Melisa LaBancz-Bleasdale — Thu, 07 Apr 2011 01:04:31 +0000

In February 2011, Veracode, provider of independent cloud-based application risk management expanded its platform support to include Android and Apple’s iOS. The company points out that security leaders are tasked with implementing enterprise-wide application security policies, despite having lower visibility, expertise, and control over mobile apps and devices compared to other layers of their IT infrastructure.

To mitigate emerging mobile threats, Veracode launched what they are calling “the industry’s most comprehensive mobile app security verification service.” They also announced the “Mobile App Top 10 List” to establish an industry-wide security standard to enable organizations to implement application security policies across their mobile app environment.

Among the suspect or malicious features Veracode points out on its Top 10 list: remote monitoring and surreptitious dialing or texting (usually to premium rate numbers.) Inadequate or insecure data storage and hard coded passwords are among the most common vulnerabilities in mobile devices, the company said.

What really caught my attention about the company and their services was their involvement in “outing” the mobile Pandora app as a stealth data thief. Pandora, the popular free mobile application from online music service Pandora.com is my most favorite app in the world. I was disturbed to learn that they are the subject of a Grand Jury investigation into “loose data privacy practices” in the mobile application market.

Veracode confirmed that the Pandora app silently sends reams of sensitive data to advertisers. The company found that Pandora’s free mobile application for Android phones tracked and submitted a range of data, including the user’s gender, geographic location and the unique ID of their phone. I hate that. I definitely don’t want advertisers to know when I’m close to the frozen yogurt shop because frankly, I have no will power and that kind of technology is high on the creepy chart for me.

Interestingly, Veracode’s analysis followed reports in the Wall Street Journal that a Federal Grand Jury in New Jersey had subpoenaed Pandora, and other mobile application vendors, in an inquiry over the illegal transmission of personal data.

Veracode accepts all mobile app submissions, regardless of platform, for security verification as part of its extensive beta program.

Security Shouldn’t Be An Afterthought

The company believes that secure coding, security testing and basic security precautions are often an afterthought in today’s rapid mobile app development process, as evidenced, they say, by the lack of encryption on bank account access codes in Citbank’s iPhone app last year.

The mobile app malware threat is also quickly progressing from simple “premium SMS and call” attacks that directly monetize by running up the victims bill, to full- blown mobile botnet functionality, such as the Geinimi Trojan for Android phones.

“More and more enterprises are realizing that 2011 is quickly becoming the tipping point for mobile security issues,” said Nigel Stanley, practice leader, IT security, Bloor Research. “For both active and passive attacks ranging from GSM air interface attacks through to the use of Trojan malware to target users, with Veracode I share my intense interest in best practices for mitigating these risks and what steps users, businesses, developers and organizations need to take to secure their smartphones and apps. With this launch, enterprises failing to investigate and act on mobile app security vulnerabilities due to lack of a pragmatic and cost-effective solution are no longer excusable.”

Veracode explains that enterprises are threatened by applications built in-house, off-the-shelf, outsourced and with third-party components that are deployed via the cloud, web and on mobile platforms. To manage the escalating risk, CIOs and CISOs must implement policy-driven application risk management programs and seek independent security verification of all their applications including mobile applications from all their stakeholders across their entire software supply chain.

“CIOs and CISOs are increasingly aware that next generation software infrastructure for their enterprise is increasingly ‘cloud-sourced’ and developed from unknown or untrusted third-party app stores and developers,” said Matt Moynahan, CEO, Veracode. “While the cost and functional benefits of embracing the cloud are many, it is critical to ensure the security risks associated with this model are controlled. Veracode’s broadened platform support will enable security professionals to implement mobile app security policies as easily as they do for internally developed applications.”

Setting New Mobile Security Standards

To increase industry awareness and dialogue about mobile app threats specifically, Veracode established its “Mobile App Top 10 List.” The goal of the list is to serve as an industry standard for categorizing malicious functionalities and to serve as a checklist of vulnerabilities that developers and security teams can collectively utilize to determine what mobile app risks exist and how they can be effectively and efficiently mitigated. While traditional security vulnerabilities can be compounded by mobile use case specifics and new, platform-particular challenges, the same best practices established in other environments should be adhered to.

“While much has been done in terms of setting standards for the security of web applications, we felt it was necessary to extend the same rigorous framework to mobile,” said Chris Wysopal, CTO, Veracode. “In the mobile app market, we see both inadvertent coding errors and intentional, malicious code as security culprits. We strongly recommend industry-wide adoption of the Mobile App Top 10 for the development of apps, as part of an app store vetting process, for acceptance testing of an app, or for use by providers of security software running on mobile devices.”

The Mobile App Top 10 List, Wysopal says, can be adopted by enterprises seeking to gain focus and control, and support well-informed discussions with development teams about the security of their applications. They also hope it will be an important foundation for understanding specific threats such as activity monitoring and data retrieval; unauthorized dialing, SMS and payments; system modification; and sensitive data leakage, which can be magnified in a mobile environment.

Possibly, The Mobile App Top 10 can also serve as the standard to which compliance must be demonstrated through independent testing, much like the OWASP Top 10 or CWE/SANS Top 25 are used for verifying traditional, third-party applications.

Social Media May be Dangerous to Your Reputation

Melisa LaBancz-Bleasdale — Sat, 02 Apr 2011 01:15:44 +0000

Every good thing is tempered by some amount of risk, not to mention a Psalm or two. Social media is no different. For all the good that it perpetrates—connectedness, real-time sharing, creative collaboration, etc.—it comes with its share of unique, annoying, and downright serious problems.

Several months ago I posed a question to my LinkedIn group, Public Relations and Communications Professionals, asking whether or not they felt that every company needs a Facebook page. Overwhelmingly, the 20,000 odd members said no. “There’s a delicate balance in delivering value to the customer and deriving value from the customer,” says Art Hall, manager of customer relations at Altanta-based firm Alvarez & Marsal, “The key in the social arena is whatever content you give has to be of value,” Hall said.

It used to be that a company’s reputation was more important than how many followers they had. You may have 4,000 followers but what are you doing with them? What value are you bringing to the table? In the case of Messaging News, it’s my hope that we foster conversation and debate among our readers as well as expose people to ideas they may not have considered.

Too many organizations have actually done damage to their reputations by annoying customers with their Facebook pages. For me, even thinking about certain companies having a Facebook page annoys me. Diluting your brand by jumping on a bus that isn’t even going in your direction is an awful decision. If you are dead set on launching a page or participating in social media, run a focus group, conduct an extensive survey on the street corner or poll your current and potential customer base to find out why you should or should not have a social media program and how/why they’d use it.

Referring to Stephanie Jordan’s recent piece on privacy, I also think twice before I hand out my info on social media sites—and make no mistake, “friending” an organization is indeed handing out all of your online info to anonymous sources. On top of that, I’m not sure I need anyone to know if I’ve “friended” a feminine hygiene vendor.

The dangers of using social media are well documented but I think we’ve all developed the “invisible sign” syndrome: if you read a sign every day it soon becomes invisible. Most people reading Messaging News are not unfamiliar to technology and thus, know that whatever you put out there is for others to take. However, we don’t often think about it, we just know it.

Michael Shaffer of the Bradenton Herald writes, “When you post your personal information on a social media website, or anywhere on the Internet that is not security encrypted, it is accessible by everyone. Your name, address, e-mail and other personal information can all be accessed and is there to be used against you. Spammers often use social media sites to gather e-mail addresses for their campaigns. More dangerous still are identity stealers who use information gathered on social media sites to identify targets.”

We saw this happen in tandem with the Indonesian Tsunami relief efforts. Bogus pages were popping up, legitimate sites were hacked and kidnapped and Facebook “friending” of fraudulent pages became an issue. With the Japanese earthquake efforts people are a little more cautious, but not everyone is savvy and the criminals know that well-meaning people are their best customers.

Shaffer explains that criminals use social media to steal your identity by asking you to provide information, which is then used to impersonate you online. It’s an up-leveled form of social engineering. You receive an “event invite” asking you to join a good cause and because it requires no effort, you accept the invite. You are then re-routed via URL re-direct to a fraudulent page and a drive-by download of malicious code occurs. “It is human nature to want to help and unfortunately, these thieves are masters at playing to human nature,” Shaffer says.

Legitimate businesses are often the unwitting targets of identity thieves and risk losing their visitors and revenue without even knowing they were targets. eHow has a brief no-nonsense tutorial on what to do about website hijacking. They recommend that all webmasters monitor their sites for the telltale signs of hijacking.

In addition to the risk of infecting yourself or your online visitors with malware and viruses, you may be exposing yourself to career-impacting and reputation-damaging situations as well. Twitter is a prime example of a social media platform that can be used against you. If you are an executive of a well-known organization and you happen to be tweeting on your personal account about an exhausting meeting with a “blow-hard client”, that information may make its way to your peers, or worse, that client. The beauty, and terror of the Internet is that once it’s there, it stays there (usually). You may post some contentious comments on a user group—like LinkedIn—only to find during a job interview that the interviewer is a member of that same group and had opposed your views.

When I consider the “dangers” of social media, it’s not usually in the context of viruses, worms, etc. For me, it’s as much about the risk of being inundated with pointless sites and pages as it is about being turned into a botnet. Computer issues, although difficult and time-consuming to remedy, are easier to fix than a bad customer experience or perception of your organization.

The Never-Ending Spam Story

Melisa LaBancz-Bleasdale — Fri, 01 Apr 2011 00:23:56 +0000

It’s fascinating to me that we are still dealing with spam and all of its inherent issues - overflowing inboxes, possible embedded malware, time wasting, etc. We are a world that can invent a smart phone that essentially replaces our laptops, music players, televisions and email, but we can’t make spam go away? I mean spam is “so 1990’s.” It should be yesterday’s problem but it is in fact, a growing one.

Dennis Fisher writes in his March 2011, article for Threatpost that “Since virtually the dawn of the commercial Web and the advent of widespread email use, spam has been a major problem and it has grown to a point that botnets are now spewing trillions of spam messages every month. But, email spam is just one piece of a much larger ecosystem that now is mainly dominated by Web-based spam pushing users to malicious, or at best, worthless, pages.”

The face of our new enemy is Web-based spam, which is different from the basic email spam you’d get in your inbox. All spam is sent to serve one purpose – money. If even the most miniscule percentage of people fall for a spam scam, it can result in making the spammers many thousands of dollars for absolutely no work.

In Fisher’s article, Sasi Parthasarathy of Microsoft’s Bing explains that the motivation is money, either syndication or ad-based,

What’s interesting to me about the newest batch of Web-based spam is the resourcefulness behind it. Instead of launching unique attacks, the spammers are increasingly hacking legitimate sites (see my post on the Japanese Tsunami) and embedding their illnesses within. The hijacked pages will then use redirect links to take the users to a fraudulent site.

Parthasarathy said that even though we’re aware of the techniques spammers use and have developed tools to combat the problems, dealing with the threats in real time is extremely challenging. With valid keywords embedded in fraudulent sites, it’s not hard to slip past search engines’ security features.

According to Fisher, one of the challenges that Bing, Google and other search engine operators face in this work is ensuring that they don’t mistakenly discount legitimate sites with valid content while still weeding out malicious or spammy links and pages.

Fisher explains that in addition to setting up networks of interrelated link farms and spam pages, the spammers also will add content spam to sites. This can take the form of text set in white type on a white background that’s invisible to the user but is seen by a search engine crawler or machine-generated content such as keywords taken from search engine query logs. This content will often make no sense and look like gibberish on a page, but serves as an attraction for the crawler.

Web-based spam is our new frontier and despite my inability to make peace with the huge amounts of it on my Droid each morning, it looks as if it will always be here in some form. As our technology and needs change, so will the spammers’ approach. Right now, it does appear that they are winning.

Follow Us on Twitter? Yes, Please Do!

Melisa LaBancz-Bleasdale — Fri, 25 Mar 2011 19:28:55 +0000

Seemingly every online magazine in the universe has the “Follow us on Twitter” note up on their sites. Sometimes it makes sense to subscribe to a stream or join the throng of “followers”. Sometimes it doesn’t, and can actually become annoying. I certainly don’t want to be annoying as a journalist - I seem to be very good at it in my personal life thank you.

Since I joined the MN Twitter team I have had more fun than normal finding and posting missives about what’s going on in our very broad and admittedly crazy industry. I might not always post about an actual news item (see: post on how cool VMWare’s building is) but it’s real stream of consciousness. If you’ve followed any of my writings, you’ll know that I’m obsessed with the Cloud, with security breaches, with ridiculous amounts of money being thrown toward hip but not very life-changing technologies. I don’t have a one track mind. A lot amazes me, and I do have the “shiny ball syndrome”, and I know I’m not the only one.

The Twitter stream for MN isn’t just a regurgitation of the news found here on our site or in the print mag, although I occasionally point back to a piece I think is “required reading” for everyone. I sift through press releases, data points, analyst reports, articles, missives on obscure dev and tech blogs - all day every day - to post info. I’d like to know what’s working for you and what isn’t. What you find interesting, funny or worthwhile.

When you “follow us on Twitter”, I want it to be a good choice.

The RSA-EMC Security Breach: What's Really Going On?

Melisa LaBancz-Bleasdale — Thu, 24 Mar 2011 04:49:53 +0000

One of the first things I do each day is check out what’s going on in the world. I have quite a few sites bookmarked and it’s a little ridiculous but I want my Kim Kardashian gossip served up hot right alongside the latest news on cybersecurity. What’s interesting to me is that many people get their news from a single source. It’s also a little frightening. Although most tech news wouldn’t interest or apply to a large segment of the population, sometimes it does. Such is the case with the RSA/EMC security breach. Ever since the company admitted they had been the target of an Advanced Persistent Threat (APT), in an open letter on their site, I’ve had some sleepless nights. It’s not what we know that’s cause for worry, it’s what we don’t know. What the company isn’t telling their customers. I understand that RSA may not even know the extent of the damage quite yet and thus, Executive Chairman Art Coviello’s open letter is both scary and vague:

“Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.”

I’ve been avidly reading everything I can on the story and the best comment I read was from an IT Director and RSA customer who, to paraphrase what he said, felt that the “immediate steps” offered to him were akin to lifting the hood of the car to make sure the engine was still there. In other words, even Captain Obvious could have given more helpful instructions than RSA did.

While I was ruminating on the possible implications of this breach with a few of my friends, no one knew what the heck I was talking about. I had to back the bus way up and explain who RSA was and how fraudulently using SecurID tokens to infiltrate systems could impact their lives. In a matter of minutes they went from happy-go-latte-drinking friends to ones that were now afraid of the APT monster living under their beds.

There are numerous experts and analysts quoted in all the stories related to the incident. They all reassure us that depending on what was stolen, there are certain other steps that would need to be taken, or certain amounts of social engineering that would need to be done for anything bad to really happen. Well, as no one knows what was stolen, it’s all just theorizing about what does and doesn’t need to be done. Here’s the thing, if anyone is going to launch an APT (successfully) against an organization like RSA, they’re probably pretty sure of what they wanted to do with the information.

While this is merely my opinion, and not that of Messaging News or its editor and fellow journalists, as a crisis management professional there are several telling clues as to how very serious this whole thing truly is:

The very small and almost innocuous box on RSA’s homepage that says, “Urgent Message to SecurID Customers about their Product Security” that you need to click on to launch the open letter. It should be a really big box that is a bit more noticeable and says something like, “Urgent news on the RSA Security Breach.”
The fact that federal authorities are involved. That’s serious. Always.
That RSA isn’t actually telling their customers anything about what was stolen or what to do next. Can you really layer more security on top of something that is supposed to be incredibly secure?

Coviello goes on to say, ”We regret any inconvenience or concern that this attack on RSA may cause for customers, and we strongly urge you to follow the steps we’ve outlined in our SecurCare Online Note. APT threats are becoming a significant challenge for all large corporations, and it’s a topic I have discussed publicly many times. As appropriate, we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cyber security threat.”

I can re-read this paragraph many times over and every time it astonishes me. They “regret any inconvenience or concern?” If I’m a major bank with millions in customer accounts I’m inconvenienced? I just have no words for that. I am also mystified as to why it matters that Coviello has addressed APTs before. Is he saying, “Remember that really bad stuff I mentioned, well, it happened to us?” Yes, yes it did.

While it’s probably in everyone’s best interest not to panic and trample our fellow passengers, it’s also mildly annoying that a power as large as RSA would seemingly attempt to downplay something this big. Maybe by doing so, their clients won’t give it another thought, however, I am falling behind on celebrity gossip and checking my news way more than I ever did before.

Demystifying Cloud Forensics

Melisa LaBancz-Bleasdale — Wed, 16 Mar 2011 03:02:44 +0000

I’ve made no secret of the fact that the “Cloud” is like Santa to me. I believe it exists, it does magical things, and somehow just the thought of it is weirdly comforting. I have a lot of questions that still keep me up at night though, such as, ‘How will we ever secure it?’ This despair is followed closely by, ‘Is it possible to forensically investigate it?’

I did a quick search on Google using “Cloud Forensics” as my search criteria and came up with nothing useful. There was an article posted on Brighthub but it seemed to be an excellent example of a whole page that didn’t say anything. Beyond that, I was on my own. Pondering the unsafe-seeming and non-investigate-able Cloud, I felt it best to turn to experts I trust to calm my fears. I contacted Mark Spencer, Principal and CEO of Arsenal Consulting in Boston, MA.

Spencer explains that as we are moving from an on-site-assets model to a cloud-based model, the way we protect, find, store and investigate data is rapidly changing. Arsenal, he says, is seeing an increased emphasis on privacy and adoption of secure protocols (e.g. HTTPS), “Our company and our clients are more reliant on “hidden” metadata, data carving, and network forensics. Most of our clients still think the electronic evidence they seek exists on a laptop, desktop, or server when in fact those locations are just part of the electronic evidence puzzle… particularly with increased use of the Cloud.”

Spencer said that it’s important to demystify the Cloud before getting deep into the concept of forensics though, “The Cloud represents services on the Web that store (and possibly process) your data. The Cloud has been around for a long time (think Webmail), but how we refer to it, and the extent to which we rely on it, has evolved. Computer forensics involves identifying, preserving, analyzing, and reporting on electronic evidence using methods acceptable in courts of law. “Cloud forensics” simply refers to a particular kind of computer forensics and is not a new phenomenon.”

Lodrina Cherne, Computer Forensics Analyst at Arsenal, refers to the National Institute of Standards and Technology’s (NIST) definition of the Cloud , which defines three different service models and four ways to deploy a Cloud.

“According to NIST, no matter what form of the Cloud is in, each has five essential characteristics: On-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. I can get my data when I want, over some kind of network, and even though the data might be coming from different places and my computing power shared with others, somehow the back end is going to scale up or down to fulfill my needs. At a simpler level, accessing your Webmail is using a cloud. On one hand, the Cloud isn’t such a big, scary, nebulous thing. We’ve been dealing with it for a long time. On the other hand, as businesses use Cloud infrastructure for more computing power, storage, or needs we haven’t even imagined, we’re going to have to account for where that data physically sits.”

I worry how investigative best practices are going to be affected by the Cloud and whether forensic methodologies will still apply. Cherne says that questions of jurisdiction are going to become more important to investigators but best practices should remain the same—making sure they perform preservation, analysis, and reporting in a legally defensible manner.

Spencer adds that computer forensics methodologies apply to electronic data whether it exists on a hard drive in your laptop, a backup tape at a warehouse down the street, or in the Cloud spread across multiple servers around the world.

“Once a computer forensics practitioner knows where electronic evidence exists, he must create a plan to preserve that data in the most complete, but least invasive way possible. Best practices regarding preservation of electronic evidence in the Cloud are specific to each [Cloud] service, so it’s important a practitioner perform thorough research and testing before implementing a preservation plan.”

I wondered about the early adopters—organizations that already do most or all of their business “in the Cloud” such as start-ups with few on-site assets and/or people? Could they be forensically investigated?

“Of course,” Spencer reassures me, “Remember, the core tenets of computer forensics still apply to the Cloud. The format, volume, and other variables related to the data may be different than what we’ve dealt with in traditional computer forensics, but it’s data nonetheless.”

Asked whether Spencer believes in the Cloud, he politely declines to elaborate on whether or not he thinks it’s a good thing, but he does point out that it’s not without benefits, “In some ways it lets corporate IT staff off the hook. Basically, companies are able to shift responsibility for storage, maintenance, monitoring, and more to a service rather than having to perform these functions themselves.”

What he finds troublesome though, is that many companies will not know exactly where all their data exists in the Cloud. Worse, he feels, is that many companies won’t even know what data they put “out there”.

“What about the policies of the service providers when it comes to things like auditing (logs!) and monitoring for security incidents, subpoena compliance, disaster recovery, background checks on their employees, etc.? My concern as a computer forensics practitioner is that some companies have been lulled to sleep by pretty Web interfaces.”

Among the challenges organizations will face in relation to computer forensics in the Cloud, says Spencer, will be the need for more subpoenas, more legal motions and more work for lawyers.

Cherne adds that jurisdiction is currently the biggest issue investigators are focused on so far, “I think some of the more interesting issues could come out when looking beyond who the custodian of data is and where they are. What about when someone forgets to pay the data hosting bill and their service provider holds hostage or deletes client data? How about subscribing to a Cloud service that claims to back up customer data but doesn’t, or does so incorrectly?”

With so much at stake, what should companies be doing to prepare? Spencer feels that when it comes to reacting to an incident, information security staff should know what their limitations are and what resources are available to them, “Learning on the job (in the traditional sense) is not acceptable in computer forensics, and it’s even less acceptable when dealing with the customization needed to properly address electronic evidence in the Cloud. Once information security staff confirms they have an incident, they should get computer forensics practitioners (whether in-house, consultants, or law enforcement) involved immediately.”

The Newest Kids on the Group Chat Playground

Melisa LaBancz-Bleasdale — Mon, 14 Mar 2011 03:37:44 +0000

Unable to join the hordes of lucky attendees at South by Southwest (SXSW), the Austin, Texas technology and music festival, I decided to placate myself by looking into news of what new must-have things I am missing out on. I now know that I need a group chat app. There is no shortage of upstarts developing ever-cooler apps to help us simplify our always-connected world. This is good. Too many communications choices end up overwhelming everyone and undervaluing the technology. Group chat is simple, it allows multiple people to participate in the same conversation on a mobile phone, like a group chat room or text only “conference call”. The most promising apps have already garnered national coverage. Among the free and nearly free standouts are: Beluga, Kik, TextPlus, FastSociety, PingChat, GroupMe, and Yobongo.

Each is different and which one you choose will depend on your preferences for usability, speed, and functionality. Beluga, Kik, GroupMe,TextPlus, and PingChat enable you to create a chat session and invite the people who will attend. Yobongo allows its users to join a group chat with nearby people, say, if you are actually at SXSW and don’t want to eat dinner alone. This would be great at a conference when you want to arrange an impromptu collaborative knowledge dump or debate over the hottest new whatsit.

San Francisco-based Yobongo, released their app the week prior to SXSW to ensure maximum exposure and leverage because everyone knows that if you are looking to be the next best thing, you have to see and be seen at SXSW. The company says it already has tens of thousands of users so it seems to be on its way to becoming part of our cultural lingo.

On the About page, Yobongo is described as a new way for people to communicate with people nearby. They believe connecting with people in the real world is much harder than it should be and I agree! Actually, I think it’s way too easy to connect with too many people. That’s my real issue. By giving people the opportunity to connect with other like-minded people Yobongo hopes to help foster authentic communications about everything and anything. Do you see the gleam in the eyes of the marketing department over at Big Brands? GroupMe is open to allowing advertisers to show user-specific ads that veer toward local activities or coupons. The company is angling to be the app of choice for Coachella and Bonnaroo. Who wants to be out of touch at a big music festival? There’s nothing worse than losing Bonnie in the nacho line!

Don’t think that big boys aren’t paying attention to these scene newbies, because you know they are. In fact, seems that Facebook was paying attention before we even knew there was something to pay attention to. They acquired Beluga (which is the brainchild of former Googlers), in March. The different group chat sessions are called “belugapods” and a cheery whale is the logo. Do you think it’s the same whale that Twitter birds are seen carrying away in a net when their system gets bogged down? Although that whale is not cheerful. The iconography of it all is very confusing to me!

Anyway, Salesforce.com’s Chatter is the same in theory, but totally different. By the very essence that it’s big company it’s not “cool”, despite the spend on Will.i.am at the Superbowl. However, they, too, could tweak their product and if Bieber uses it, you know I’m downloading!

Why would you need group chat when you can just mass post to Facebook or have a meaningful Twitter-stream of consciousness with all 800 of your followers? Exactly. That’s why. You have too many friends and followers. Groupme limits your fellow conversationalists to 25 at a time. You can be 1 of the 25 in 600 different convos if you like, but they try to keep it simple.

Oh I can’t wait until see what will happen next in the group chat arena!

Japanese Earthquake - How to Give Without Being Taken

Melisa LaBancz-Bleasdale — Mon, 14 Mar 2011 00:36:46 +0000

Paul Roberts of Kaspersky Lab’s site Threatpost reminds us that in our quest to do right by those that are suffering from a natural disaster, we too can become victims. Roberts writes that following the January 2005 tsunami in the Aceh Region of Indonesia, a wave of spam followed soliciting donations for “charities” that turned out to be fraudulent.

With the near ubiquitous nature of social media tools, perpetrating fraud has gone viral (no pun intended). In my opinion, one of the best uses of technology for aid is the ability to text in your donations. It’s simple, quick and pain free. Checking my MySpace account after the Indonesian tsunami, I got a friend’s post about the Red Cross Text2Help campaign. It took about two seconds and I had donated. This same ease of use is what is so appealing to the criminals that use this method to set up a similar service and post a link to Facebook or Twitter that appears legitimate—we want to help, but we want to help in the most convenient way possible. If you are going to be using your phone to provide aid, be sure you are making a donation to a known organization. Bear in mind that it’s entirely possible if you “favorite” or “friend” a relief page on Facebook, it may not actually be one.

The SANS Internet Storm Center (ISC) says that scams will also be coming in the form of e-mail and Web pages that will be hiding malware, viruses, bots and other forms of malfeasance. The ISC issued a formal warning on its web page this past Friday to be on the lookout for threats and noted that the site spamwarnings.com had already detected tsunami-related spam in spam filters.

Roberts writes that jumping on major and breaking news stories is a tried and true method to trick unsuspecting, curious or concerned Internet users into opening malicious attachments or clicking malicious links they might otherwise avoid. Scammers have become adept at using search engine optimization (SEO) strategies to place scam Web pages high in the search results of major search engines like Google, though the company has recently made changes to its search algorithm that weed out bogus pages and other kinds of low-value Web sites generated by so-called “content farms.”

Speaking of the search engine giant, Google reacted quickly to the Japanese crisis by setting up an Online Crisis Center that provides emergency numbers and disaster information. You can also look for loved ones who may be affected using the search features.

The ISC recommends donating only to established organizations that exist regardless of the circumstance instead of those that pop up around a specific situation. The IRS maintains a list of tax exempt charitable organizations that can be used to verify the status of charities that are soliciting donations.

It’s also important to use caution when viewing videos of the disaster as over the past year many security organizations have reported a significant rise in the implantation of malware and viruses in downloadable video. Viewing footage from local news stations, national news sites and reputable sources helps to greatly minimize your risk.

My thoughts and prayers go out to all who were affected by the recent disaster.

Barracuda Labs Releases 2010 Security Report Alongside New Profile Protector

Melisa LaBancz-Bleasdale — Mon, 07 Mar 2011 18:36:03 +0000

Tis’ the season for security reports! Leading up to the February RSA Conference, many organizations prep and release their 2010 findings. Interestingly, fewer than half find the same trends and/or security flaws. This can be confusing and overwhelming unless you look at the context. The types of attack vectors and trending a vendor finds are almost always directly related to the type of vendor - and that makes sense. An email spam defender is going to write a report focused on email attacks (mostly) and a storage vendor will write about data leaks, loss, and breaches. That said, all of the reports taken together can provide an organization with a good sense of where the priority trouble spots are for them in relation to the way they do business.

Barracuda Networks, provider of content security, data protection and application delivery solutions, recently released the findings from their 2010 Annual Security Report, and it wasn’t surprising to see the dramatic shift from email attacks to targeting the Internet. Barracuda saw email spam drop by half during 2010. That’s huge, but spam itself is not a P1 threat but it’s definitely a P1 annoyance. They also found that search engine malware doubled and the Twitter Crime Rate increased 20 percent, signifying a concentrated focus on the more lucrative social networks and search engines as attack vectors. With the use of social networking tools such as Twitter as part of the modern sales and marketing programs, this is definitely news to pay attention to.

In light of their findings, and a perceived market need, Barracuda designed what they hope is a strong solution to the problem. To help combat social network-driven attacks, Barracuda released Profile Protector, a free service that protects social networking users against malicious threats on Facebook and Twitter.The application analyzes user-generated content posted to profiles and is able to block or remove malicious or suspicious content. This includes malicious URLs, embedded photos and/or videos on Facebook and Twitter pages and news feeds.

“Attackers focus on where they can get the most eyeballs and profit, and today that means social networks and search engines,” said Dr. Paul Judge, chief research officer at Barracuda Networks. “As a community we often point to the need for user education as the missing component; however, the levels of social engineering involved in today’s attacks suggest that we must continue to elevate our technological approaches. The research community must continue to build innovative defenses and the industry must make efforts to increase the deployment rates of those defenses.”

Dr. Judge has a good point. Social engineering is increasingly savvy. Nearly every day I get a chat request from an unknown (and fictional) “friend” that wants to add me to their directory so we can get back in touch. With names like Kelly, Todd and Mike, I do find myself pausing to think about whether I’ve connected to friends with the same names. Unequivocally, I delete the requests. If it truly is my friend, they’ll drop me an email asking why I didn’t accept their invitation.

Searching for Malware

Barracuda conducts periodic studies across Bing, Google, Twitter and Yahoo!, analyzing trending topics on popular search engines in order to understand the scope of the problem and to identify the types of topics used by malware distributors. The most recent study was conducted over 153 days. The analysis reviews more than 157,000 trending topics and nearly 37 million search results. Overall, the research found that attackers have increased the amount of search engine malware as well as expanded targeted efforts beyond Google.

Key highlights from the search result analysis include:

In June 2010, Google was crowned as “King” of malware, turning up more than twice the amount of malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. As malware spread across the other search engines, the ratios were distributed more evenly by December 2010, with Google producing 38 percent of overall malware; Yahoo! at 30 percent; Bing at 24 percent and Twitter at eight percent.
The amount of malware found daily across the search engines increased 55 percent from 145.7 in June 2010 to 226.3 in December 2010.
One in five search topics lead to malware, while one in 1,000 search results lead to malware.
The top 10 terms used by malware distributors include the name of a Jersey Shore actress, the president, the NFL and credit score.

The Dark Side of Twitter

Barracuda Labs analyzed more than 26 million Twitter accounts in order to measure and analyze account behavior. The analysis enabled researchers to model normal user behavior and identify features that are strong indicators of illegitimate account use.

Key highlights from the Twitter research include:

In general, activity continues to increase on Twitter: more users are coming online; True Twitter Users are tweeting more often, and even casual users are becoming more active. As users become more active, the malicious activity also increases.
The number of True Twitter Users increased to 43 percent, up from only 29 percent in June 2010.
For every 100 Twitter users, 39 have between one and nine followers, while 50 percent of Twitter users have more than 10 followers.
Approximately 79 percent of Twitter users tweet less than once per day.
After decreasing at the end of 2009, the Twitter Crime Rate increased 20 percent from the first half of 2010 to the second half of 2010, going from 1.6 percent to 2 percent.
Attackers are distributing malware and exploiting vulnerabilities to achieve their malicious goals.

You can view the complete report at Barracuda Labs 2010 Annual Security Report .

Profile Protector is available for download at http://profileprotector.com/