Sunday, 21 October 2007

Facebook Safety - 1


I'm very interested in Web 2.0. I have read a lot of papers about its security challenges and about identity management, or what some call Identity 2.0.

But I haven't finished my research yet. What I'm going to do is share some of the information I have. I think this will be the first of several Facebook security issues which I will try to raise here.

I chose Facebook for the following reasons:

* Active users: 47 million (as of October 2007)
* Monthly new user average: 4 million
* Daily new user average: 150,000
* Page views: Over 15 billion per month
* Searches: Over 500 million per month
* Search index size: 200GB
* Largest networks: London, UK 1,268,000 and Toronto, Canada 859,000
* Traffic rank: 7th
* Photos: 1.7 billion (which averages to about 44 photos per user)

Also, on March 2, 2007, a poll conducted by eMarketer.com of American youths in the United States found that Facebook was the most viewed site among all respondents, with more females aged 17-25 (69%) visiting the site than males (56%). Try to check this and this also.

Given these numbers, it becomes important to look at this service from a security perspective. There are a lot of concerns, such as the Facebook Privacy Policy, Facebook opening profiles to the public, Facebook Safety and the Facebook Query Language.

My coming articles will just give examples of security issues in Facebook. We will start with Facebook Safety.

Chris Kelly is Facebook's Chief Privacy Officer. He wrote on the Facebook blog two days ago:

But right now, we want to make clear some of the things we are working on to prevent abuse from happening through Facebook. We are automatically moving complaints about nudity or pornography, and harassing or unwelcome contact to the top of our queue for Customer Support to address within 24 hours. We are limiting certain search functionality as it applies to minors. We are making sure that minors know explicitly when they are in contact with someone who is an adult.

Also, he added:

As we continue to build out our proactive and reactive systems, we still believe that this is a partnership with you, our users. Practice smart internet safety; get to know our privacy options. Whether you're a minor or an adult, you should learn how to be smart online. No one wants anything bad to happen as a result of something on Facebook; we can all do our parts to make sure it doesn't.

So, I decided to be smart online and did some Google searching on how to hack Facebook, and I found a lot of links explaining how to hack the Facebook video application, as an example. Facebook claims that the Facebook Video Application does not allow sharing videos outside of Facebook: users will not be able to export or download videos from Facebook. But the fact is that bypassing this is a piece of cake. Userscripts.org has a very good article on how you could do this; you could check it. I tried it myself and downloaded my friends' clips and some others. That means if a bad guy got hold of these clips, he could modify them, put some embarrassing things in them and resend them to your friends.

That explains why you can't trust what Facebook claims. Please watch this presentation.

Thursday, 18 October 2007

BC & DR Planning Tips


  • What’s the difference between disaster recovery and business continuity planning?

Disaster recovery is the process by which we resume business after a disruptive event. The event might be something huge, like an earthquake or the terrorist attacks on the World Trade Center, or something small, like malfunctioning software caused by a computer virus.

Given the human tendency to look on the bright side, many business executives are prone to ignoring "disaster recovery" because disaster seems an unlikely event.

Business continuity planning suggests a more comprehensive approach to making sure the business can keep making money. Often, the two terms are married under the acronym BC/DR.


  • What does a disaster recovery and business continuity plan include?

All BC/DR plans need to encompass how employees will communicate, where they will go and how they will keep doing their jobs. The details can vary greatly, depending on the size and scope of a company and the way it does business.

The critical point is that neither element can be ignored, and physical, IT and human resources plans cannot be developed in isolation from each other. At its heart, BC/DR is about constant communication. Business leaders and IT leaders should work together to determine what kind of plan is necessary and which systems and business units are most crucial to the company. Together, they should decide which people are responsible for declaring a disruptive event and mitigating its effects. Most importantly, the plan should establish a process for locating and communicating with employees after such an event. In a catastrophic event (Hurricane Katrina being a recent example), the plan will also need to take into account that many of those employees will have more pressing concerns than getting back to work.


  • How do I get started?

A good first step is a business impact analysis (BIA). This will identify the business's most crucial systems and processes and the effect an outage would have on the business. A BIA will help companies set a restoration sequence to determine which parts of the business should be restored first. Here are 10 absolute basics the plan should cover:

1. Develop and practice a contingency plan that includes a succession plan for your senior management.

2. Train backup employees to perform emergency tasks. The employees you count on to lead in an emergency may not be available.

3. Determine offsite crisis meeting places for top executives.

4. Make sure that all employees, as well as executives, are involved in the exercises.

5. Make exercises realistic enough to tap into employees' emotions so that you can see how they'll react when the situation gets stressful.

6. Practice crisis communication with employees, customers and the outside world, for example a spokesperson to the media.

7. Invest in an alternate means of communication in case the phone networks go down.

8. Form partnerships with local emergency response groups such as firefighters and police to establish a good working relationship. Let them become familiar with your company and site.

9. Evaluate your company's performance during each test, and work toward constant improvement. Continuity exercises should reveal weaknesses.

10. Test your continuity plan regularly to reveal and accommodate changes. Technology, personnel and facilities are in a constant state of flux at any company.


  • Is it really necessary to disrupt business by testing the plan?

Read this example of a company that thinks walk-throughs and paper simulations aren't enough. A preparedness test is usually the cost-effective way to test your BC/DR plan.


  • What kinds of things have companies discovered when testing a plan?

- Some companies have discovered that while they back up their servers or data centers, they've overlooked backup plans for laptops.

- One company reports that it is looking into buying MREs (meals ready-to-eat) from the company that sells them to the military. MREs have a long shelf life, and they don't take up much space.

- The issue of where employees go immediately after a disaster and where they will be housed during recovery should be addressed before something happens, not after.

- USAA discovered that while it had designated a nearby relocation area, the setup process for computers and phones took nearly two hours. During that time, employees were left standing outside in the hot Texas sun. Seeing the plan in action raised several questions that hadn't been fully addressed before: Was there a safer place to put those employees in the interim? How should USAA determine if or when employees could be allowed back in the building? How would thousands of people access their vehicle if their car keys were still sitting on their desk? And was there an alternate transportation plan if the company needed to send employees home?


  • What are the top mistakes that companies make in disaster recovery?

1. Inadequate planning

2. Failure to bring the business into the planning and testing of your recovery efforts.

3. Failure to gain support from senior-level managers. The largest problems here are:

a. Not demonstrating the level of effort required for full recovery.

b. Not conducting a business impact analysis and addressing all gaps in your recovery model.

c. Not building adequate recovery plans that outline your recovery time objective, critical systems and applications, vital documents needed by the business, and business functions by building plans for operational activities to be continued after a disaster.

d. Not having proper funding that will allow for a minimum of semi-annual testing.


  • Can we outsource our contingency measures?

Disaster recovery services (offsite data storage, hot site, warm site, cold site, mobile site) are often outsourced.

The type of offsite facility is determined by the recovery point objective (RPO) and the recovery time objective (RTO).


  • How can I sell this business continuity planning to other executives?

The advice is to address the need for disaster recovery through a Business Impact Analysis (BIA). Work with your legal and financial departments to document the total losses per day that your company would face if you were not capable of quick recovery. By thoroughly reviewing your business continuance and disaster recovery plans, you can identify the gaps that stand in the way of a successful recovery. Remember: disaster recovery and business continuance are nothing more than risk avoidance. Senior managers understand more clearly when you can demonstrate how much risk they are taking.


  • How do I make sure the plans aren’t overkill for my company?

By performing a Business Impact Analysis (BIA) you can build an effective and efficient BC/DR plan, because the driving factor here is how much the company would lose in case of a disaster or an interruption of normal business processes. Companies have to weigh the risk versus the cost of creating such a contingency plan.




Reference: CSO Online

Monday, 15 October 2007

Cyberwar race


I have wanted many times to write about cyberspace warfare, but I didn't have enough time to do this.

Let's review what happened two months ago. On the BBC I read that the United Nations site was hacked by a hacktivist group. The speeches of the Secretary-General Ban Ki-Moon had been replaced with the following lines:

Hacked By kerem125 M0sted and Gsy
That is CyberProtest Hey Ýsrail and Usa
dont kill children and other people
Peace for ever
No war

After that I also read on the BBC's site about the attack on Estonia. It is considered the first cyberwar.

A month ago I read on the FT's site that the Chinese military had hacked into the Pentagon.

Also, at the last Black Hat USA 2007 in Las Vegas, Jim Christy's talk was on cyber crime, and he asked for cooperation between the Black Hat community and governments.

And three days ago the Air Force Association (AFA) unveiled its report "Victory in Cyberspace".

Have you noticed something from all of these events?

Yes, it is moving fast and has become a hidden war, and that will have a lot of consequences:

such as selling security exploits on Wabi-sabi's auction site.

Once security researchers/experts find a security vulnerability, they prefer to sell it. I read a story before (I couldn't find its link again; once I get it I will post it) about a security researcher who found vulnerabilities in IE and tried to sell them, and he did, under the condition that the vulnerability was applicable to a certain version of MS Windows and IE. He didn't know the buyer, but he guessed it was a military agency.

He sold it for $80,000; according to him, an academic career would not let him earn this amount of money.