FB Business Records

Facebook Records

Update:   I have published fresh ideas on how to record Facebook messages when employees use them for official company or government business.  Social networks are becoming a more commonly-accepted tool of commerce.

They are also the source of many records needed for lawsuits, investigations and conflict resolution.  http://www.google.com/sidewiki/entry/benwright214/id/lr8I0ChURBgd6x6HWKssukeRgWo



Forbid Twitter at Work?

Selective Internet Blocking as Employment Policy and Warning

Twitter can be a distraction in the workplace.  Oprah, who boasts almost a million followers on Twitter, caused mob scenes at KFC stores by tweeting about a free chicken coupon downloadable from her web site.  News spread as other Twitter authors repeated the message.

To be sure:  much of the Twitter traffic and downloading attending this stampede happened in the workplace, on office computers.  What a waste of employee time.  What a tax on business computers.  What a threat to security.

As Twitter, Facebook, Myspace and other social media swarm the workplace, they’re almost impossible to block entirely.  The channels of communication (web pages, widgets, instant message and more) are too numerous.

Update:  A large percentage (24%!) of all Twitter Tweets are generated by robots (“bots”), not individual people, which suggests Twitter contains a lot of junk and spam.

So should management surrender control of company networks? No.

Selective blocking is a strategy.  Selective blocking can remind employees that they are expected to be responsible adults.  For example, here is a screen that Cyberpatrol could produce when employees visit web sites like Twitter or Facebook: [screenshot]

(Note: I created the custom message to employees by editing the HTML in one of the blocking screens available in Cyberpatrol.)

A screen like this cautions employees that social networking at work is a bad idea.  Will it stamp out wasteful e-chat in all of its forms?  No.  But it does respectfully display management’s concern and authority.  It reinforces an employee acceptable use policy.  And it hints that management may be able to monitor what an employee is doing on company computers.

–Ben Wright

At the SANS Institute Mr. Wright teaches IT administrators how to avoid going to jail.

Youtube and Facebook: Workplace Morale and Internet Addiction

Should Management Monitor Employee World Wide Web Surfing?

Should an employer tolerate computer social networking on the job, or prohibit it? An Australian study suggests office workers are generally more productive if they relax every so often online, by reading news, shopping or chatting with friends on Bebo, Hi5, AIM, FriendFeed or Yahoo Messenger.  The study’s author, Dr. Brent Coker, argues that often employer blocking of web sites like Youtube or Amazon is counterproductive.  Employees need a break, he says.

But beware Internet addiction.  Dr. Coker sees signs of addiction in 14 percent of Internet users.  Addiction means the users overdo it.  They browse to excess; they can’t act responsibly.  From the perspective of an employer, 14 percent is a huge number.  How can an employer afford to idle 14 percent of its work force?  Dr. Coker warns that for these 14 percent, casual surfing can become a waste of time and worse.

So what is an employer to do?  Internet access in the workplace is not a black and white issue.  Different work environments – and different employees – need different rules and different degrees of guidance.  For example, while on duty, maybe an air traffic controller should not be watching comical videos.  But such videos are probably okay — and maybe even wise and recommended — when she’s on break.

Responsible Internet monitoring by supervisors and even blocking have a place in the modern job site.   If an employer does monitor access to the Internet, it is wise to inform employees in advance.

–Ben Wright

At the SANS Institute, Mr. Wright teaches IT administrators how to stay out of jail.

Facebook In-security

Warning for Business, Corporate and School Computer Networks

Is Facebook safe enough for access by office computers?  For many organizations, the answer is no.  The bad news about the popular social network grows with each passing week.  Facebook has been plagued with the Koobface worm (some call it a virus), which has infected (or attempted to infect) work PCs through Facebook.

Now Facebook faces the scourge of the Dancing Girl.  The Dancing Girl exploit arrives as an e-mail appearing to be a typical notification from Facebook, saying someone has left you a Facebook message.  The rogue e-mail directs you, the victim, to click to see a video of a sexy dancing girl.  If the victim clicks, he is taken to a fake, Facebook lookalike page, which instructs the victim to download a software upgrade so that the video can be viewed.  But in truth the software to be downloaded is a group of damaging, malicious programs.
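As an added example (not part of the original post), here is one way a mail filter could flag the kind of notification described above: a message that presents itself as Facebook but whose links lead to a host outside Facebook's own domain. The trusted-domain list, the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("facebook.com",)  # assumption: domains real notifications link to

# Constructed sample message (not a captured e-mail); the lookalike host uses
# the reserved .example TLD.
SAMPLE = """\
From: Facebook <notification@mail.example>
Subject: You have a new message
Content-Type: text/html; charset="utf-8"

<a href="http://www.facebook.com.video-view.example/watch">View on Facebook</a>
<a href="http://www.facebook.com/home.php">Facebook home</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_trusted(host):
    # Exact match or true subdomain only; "facebook.com.x.example" must fail.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def lookalike_links(raw):
    """Return (anchor text, host) for links that claim the brand but leave it."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    brand_sender = "facebook" in str(msg.get("From", "")).lower()
    parser = LinkCollector()
    parser.feed(body.get_content())
    return [(text, urlsplit(href).hostname) for href, text in parser.links
            if (brand_sender or "facebook" in text.lower())
            and not is_trusted(urlsplit(href).hostname)]
```

Calling `lookalike_links(SAMPLE)` flags only the first link, whose host merely begins with the trusted name; the genuine `www.facebook.com` link passes.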

If an employer were to prevent (forbid) access to social network sites, then employees would not be tempted to fall for tricks like this.  To say it a different way:  failure to prohibit Facebook and Myspace can promote a lax computing environment in the office.

Local chapters of the Better Business Bureau (such as the Hawaii chapter and the Chicago & Northern Illinois chapter) have issued warnings about the transmission of malware and the propagation of other threats through social networks, especially Facebook.  Among other scams, bogus posts to a victim’s “wall” can link to dangerous external web pages, which might try to install malicious software through the victim’s web browser.

The Maryland General Assembly blocked its network users from access to social networks, especially Facebook.

Update:  Recent research compares the success rates for propagation of malware via e-mail and via social networks.  Hackers are ten times more successful on social network sites.

–Ben Wright

At the SANS Institute, Mr. Wright teaches IT administrators how to stay out of jail.

FaceBook & Myspace Identity Theft

Fake Buddy Requests Endanger Office Computers

Protect Education & Corporate PCs

A disturbing trend threatens the security of computers in small organizations like schools, libraries and businesses. Users of social networking sites (such as Myspace, FaceBook and Friendster) are receiving buddy or friend requests from the profiles of fictitious people, or people whose identity has been stolen.

According to “MessageLabs Intelligence: 2008 Annual Security Report,” the rogue profiles are concocted by hackers seeking to propagate spam, spread viruses or steal private information. “The buddy requests appear genuine as they originate from the real social networking site and consequently their headers [are] intact and correct.” Further, says the Report, the e-mail addresses associated with the fake profiles are real, though they were created automatically by software that enables the hacker to create many outlaw e-mail accounts with little effort.

A fake profile may purport to belong to a celebrity, a real friend or even a reputable business person.

The goal of these deceptive buddy requests is to trick the victim into clicking on something unwittingly. The click may deliver spam to the victim, steal personal information or slip malware (like a virus) onto the victim’s personal computer. If the victim is operating from a network at an office or a school, the malware might infect not only the victim’s laptop, but other PCs on the network as well.

Hackers seek personal information about victims so that (among other things) they can manipulate the victims (“phishing them”) into trusting the hackers and disclosing passwords or downloading malware like botnet software. (A botnet is a robotized army of infected computers that does the hacker’s evil bidding.)

Social networks are exploding in popularity.  But they are relatively new computing environments, constantly adding new functionality.  As “Web 2.0,” they emphasize interaction among users and the sharing of multimedia content like video.

All this makes the social nets fertile ground for hackers and scammers. According to the MessageLabs Report, Web 2.0 “toolkits” now empower hackers easily to create boobytraps that look like appealing media but actually deliver something unexpected and sinister to the victim’s machine.

These dangers can motivate businesses and libraries to block, restrict or at least closely monitor social sites visited from their computers.  The Maryland General Assembly, for instance, has blocked Facebook and Myspace from its computers.

–Ben Wright

At the SANS Institute, Mr. Wright teaches IT administrators how to stay out of jail.

Security Threat: Facebook and MySpace at Work

Koobface Virus Spreads among Office Workers

Employees (workers) visiting social networking sites are infecting workplace computers with viruses (or they are subjecting their computers to attempted infections).  Facebook and MySpace are known as breeding grounds for Koobface (technically classified as a “worm”).  Security is a reason for businesses, libraries and schools to block or limit access to social media web pages.

These are documented examples of Facebook being implicated in Koobface infections (or attempted infections) in the workplace or related to the workplace:

  • Richard Larmer, chief executive of RLM Public Relations in New York, had to replace his computer.
  • “[H]undreds of Boston journalists, ad execs and public relations professionals [such as Scott Farmelant of Mills and Co.] who use the popular social networking service have received a Facebook message that purports to link to compromising video of its recipient.”
  • A journalist at Washington City Paper haplessly clicked on a link purporting to be from a colleague at the paper, only to discover that the link caused an infection.

Koobface thrives in social networks because users think they can trust their friends.  The victim believes a trusted friend has left on her “Wall” a link to a video.  Her guard is down, so she clicks the link and then follows Koobface’s diabolical instructions to download a software update.  The worm infects the victim’s computer with malware that seeks to control the computer and steal personal information.

In addition to Facebook and Myspace, Koobface is reported to have infected other social networks, such as Bebo, Friendster, MyYearbook, Classmates.com and Blackplanet.  Experts predict more virus attacks through social web sites.

Although Koobface is not the first virus to spread through Facebook, it is the one that is reputed to have inflicted the most harm.

Update: Local chapters of the Better Business Bureau (BBB) are issuing warnings about the insecurity of Facebook and MySpace.

One strategy for employers is selective blocking, where only certain suspect sites are blocked, with a screen that reminds employees they are responsible for getting their work done.

–Ben Wright teaches computer security law at the SANS Institute.

Ban Facebook and Myspace from Work?

Social Network Security Risks

Human Resources (HR) Meets Generation Y

Update:  The US Marines are banning social network sites like Facebook, Myspace and Twitter.

Does banning employees from Facebook, Myspace, Bebo and Hi5 stifle the younger generation? Web 2.0 economist Don Tapscott argues that bosses should not block social network sites.  He says that by blocking them managers alienate young workers, denigrate the technology that defines them and prevent them from collaborating productively.  Tapscott (author of the book Grown Up Digital) almost makes the prohibition of social media sound like the violation of a civil right.

Although I agree that interactive media can promote an esprit de corps among employees and empower them to work more efficiently, I question whether pop sites like Facebook and Myspace are the best for doing that.  I suggest managers open a dialogue with employees about the topic.  If employees believe that access to pop sites is consistent with the purpose of their employment, then let them prove it.

For example, access could be enabled on a provisional basis, subject to daily time limitations and review after two or three months.  Managers could invite employees to report their experiences.  Employee advocates might be asked to explain why pop sites are better than other options, such as straight-laced blogs, special-interest social sites like The Internet Protectors (specializing in computer security) or private (password-only) social sites created on platforms like Ning.com.

When it comes to productivity, there’s nothing magical about pop sites that would render them more effective than their many alternatives.  Pop sites place emphasis on games, advertising and entertainment like music and video. Filtering that stuff is much like forbidding an older technology – television – from the office.  Few would suggest that forbidding TV is tantamount to encroaching on a civil right.

What’s more, open social network sites like Myspace are a security risk.  The virus Koobface has been infecting Myspace and Facebook visitors for months.  Malware like Koobface can infect company PCs and the company network.

One strategy for employers is selective blocking, where only certain suspect sites are blocked, with a screen that reminds employees they are responsible for getting their work done.

Update:  Now Koobface is spreading through Twitter.

–Ben Wright, IT security law instructor for the SANS Institute