<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Last Watchdog &#187; Steps forward</title>
	<atom:link href="http://lastwatchdog.com/category/steps-forward/feed/" rel="self" type="application/rss+xml" />
	<link>http://lastwatchdog.com</link>
	<description>on Internet security by Byron Acohido</description>
	<lastBuildDate>Wed, 25 Apr 2012 20:37:25 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
		<item>
		<title>Workarounds arise as Apple readies cure for Mac infections</title>
		<link>http://lastwatchdog.com/workarounds-arise-apple-readies-cure-mac-infections/</link>
		<comments>http://lastwatchdog.com/workarounds-arise-apple-readies-cure-mac-infections/#comments</comments>
		<pubDate>Thu, 12 Apr 2012 20:39:12 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Steps forward]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=12278</guid>
		<description><![CDATA[If you suspect your Mac might be one of the 600,000 or so computers infected with the Flashback virus, Finnish antivirus company F-Secure has issued a free tool that detects and removes the nasty infection. Another detection tool you can use has been made available by Russian antivirus firm Kaspersky. Meanwhile, Apple has issued a [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-12279" href="http://lastwatchdog.com/workarounds-arise-apple-readies-cure-mac-infections/macs_duo150px/"><img class="alignleft size-full wp-image-12279" title="Macs_duo150px" src="http://lastwatchdog.com/wp/wp-content/uploads/Macs_duo150px.jpg" alt="" width="150" height="143" /></a>If you suspect your Mac might be one of the 600,000 or so computers <a href="http://lastwatchdog.com/milestone-botnet-comprised-600000-infected-macs/">infected with the Flashback virus</a>, Finnish antivirus company F-Secure has <a href="http://www.f-secure.com/weblog/archives/00002346.html">issued a free tool</a> that detects and removes the nasty infection.</p>
<p>Another detection tool you can use has been <a href="http://flashbackcheck.com/">made available</a> by Russian antivirus firm Kaspersky. Meanwhile, Apple has <a href="http://support.apple.com/kb/HT5244">issued a statement</a> indicating that it is continuing to work on an official detection and inoculation tool.</p>
<p>It&#8217;s not just individual Mac owners who ought to take heed. Network security firm Lancope says companies with employees who use Macs would be wise to check for infected Apple computing devices.</p>
<div id="attachment_12280" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-12280" href="http://lastwatchdog.com/workarounds-arise-apple-readies-cure-mac-infections/jody-ma-kissling90px/"><img class="size-full wp-image-12280" title="Jody Ma Kissling90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Jody-Ma-Kissling90px.jpg" alt="" width="90" height="130" /></a><p class="wp-caption-text">Kissling</p></div>
<p>&#8220;Enterprises should also bolster their defenses,&#8221; says Lancope vice president Jody Ma Kissling. &#8220;As the market share for Macs continues to increase, end users, corporations and Apple itself must all be prepared for a subsequent rise in attacks targeting Apple&#8217;s Mac OS X.&#8221;</p>
<p>Neil Roiter, research director at Corero Network Security says &#8220;cyber criminals now consider Macs profitable targets. Mac users should protect their computers with antivirus software, encrypt sensitive information and follow the common-sense advice not to click on links or open email attachments from unknown sources.&#8221;</p>
<p>Roger Thompson, chief emerging threats researcher at vendor-neutral testing and certification firm ICSA Labs, explains the significance of the emergence of a major botnet comprised entirely of Macs.</p>
<p>He observes that Mac infections were considered rare for much of the past two decades &#8220;as a natural consequence of relative market opportunity for the bad guys. Put another way, there were way more PCs than Macs, so there was simply more opportunity for a return on their development and marketing effort.&#8221;</p>
<p>What the existence of a massive Mac botnet highlights, Thompson says, is that &#8220;Mac malware is not just a reality, but is now a genuine problem. The issue is that for a decade, Apple has made a point of telling users that they had no malware problem, and the result of that is that Mac users have no antibodies, when it comes to malware. They don&#8217;t expect it, and too many people will click on, and install, anything.&#8221;</p>
<p>The bottom line for Mac users: they will have to install and keep current antivirus programs, and make sure all application updates, for things like Java, iTunes and Adobe Flash, are quickly installed, just like Windows users.</p>
<p>&#8220;There will soon be a name for Mac users who are not doing this: victims,&#8221; says Thompson.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/workarounds-arise-apple-readies-cure-mac-infections/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Mobile devices carry intrinsic security flaws</title>
		<link>http://lastwatchdog.com/mobile-devices-carry-intrinsic-security-flaws/</link>
		<comments>http://lastwatchdog.com/mobile-devices-carry-intrinsic-security-flaws/#comments</comments>
		<pubDate>Mon, 09 Apr 2012 17:57:37 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Steps forward]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=12252</guid>
		<description><![CDATA[By Byron Acohido, USA TODAY, 09Apr2012, P1B Those cool mobile devices beloved by consumers carry deep-rooted security flaws that are only now being discovered and addressed. That’s the upshot of two recent deep examinations of popular mobile devices. The findings highlight how designers of the current generation of smartphones and tablet PCs failed to fully [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-12253" href="http://lastwatchdog.com/mobile-devices-carry-intrinsic-security-flaws/smartphone-array150px/"><img class="alignleft size-full wp-image-12253" title="smartphone array150px" src="http://lastwatchdog.com/wp/wp-content/uploads/smartphone-array150px.jpg" alt="" width="150" height="140" /></a>By Byron Acohido, USA TODAY, 09Apr2012, <a href="http://www.usatoday.com/tech/news/story/2012-04-08/smartphone-security-flaw/54122468/1">P1B</a></p>
<p>Those cool mobile devices beloved by consumers carry deep-rooted security flaws that are only now being discovered and addressed.</p>
<p>That’s the upshot of two recent deep examinations of popular mobile devices. The findings highlight how designers of the current generation of smartphones and tablet PCs failed to fully account for the security and privacy implications.</p>
<p>“Today&#8217;s smartphones and tablet devices perform the same functions as a PC,” says Dan Hoffman, chief of mobile security at Juniper Networks. “However, the vast majority of devices lack security software and mistakenly rely upon the operating system to keep people safe.”</p>
<p>In one study, Cryptography Research showed how it is possible to eavesdrop on any smartphone or tablet PC as it uses cryptographic keys to protect sensitive operations, such as when a mobile device is being used to make a purchase, conduct online banking or access a company’s virtual private network.</p>
<p>The secret keys can be deciphered, enabling a criminal to use them to access a financial account or a company network, says Benjamin Jun, Cryptography Research’s chief technology officer.</p>
<div id="attachment_12254" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-12254" href="http://lastwatchdog.com/mobile-devices-carry-intrinsic-security-flaws/benjamin-jun90px/"><img class="size-full wp-image-12254" title="Benjamin Jun90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Benjamin-Jun90px.jpg" alt="" width="90" height="118" /></a><p class="wp-caption-text">Jun</p></div>
<p>“These types of attacks do not require the device to be modified and there is usually no observable sign that an attack is in progress,” Jun says.</p>
<p>Cryptography Research is “working with one of the major smartphone and tablet companies right now to put countermeasures in,” Jun says. No known actual attacks have occurred, he says.</p>
<p>In another theoretical study, researchers at security firm McAfee, a division of Intel, demonstrated several ways to remotely hack into Apple iOS, the operating system for iPads and iPhones.</p>
<p>McAfee’s research team remotely activated device microphones and recorded conversations taking place in the vicinity of the hacked device. They also stole secret keys and passwords, and were able to pilfer sensitive data, including call histories, e-mail and text messages.</p>
<p>“This attack method shows ways that advanced attackers can compromise and control devices indefinitely,” says Ryan Permeh, McAfee’s principal security architect. “This can be done with absolutely no indication to the device user.”</p>
<p>Apple spokeswoman Trudy Muller declined comment.</p>
<p>Security experts and law enforcement officials anticipate that cybergangs will accelerate actual attacks as consumers and companies begin to rely more heavily on mobile devices for shopping, banking and working.</p>
<p>“Responsibility for addressing these security concerns is far reaching,” says Hoffman. “The broader security community needs to assist in providing all users the highest-level of protection.”</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/mobile-devices-carry-intrinsic-security-flaws/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Companies embrace tools to restrict social networks at work</title>
		<link>http://lastwatchdog.com/companies-embrace-tools-restrict-social-networks-work/</link>
		<comments>http://lastwatchdog.com/companies-embrace-tools-restrict-social-networks-work/#comments</comments>
		<pubDate>Wed, 29 Feb 2012 15:29:32 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Steps forward]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=12164</guid>
		<description><![CDATA[By Byron Acohido, USA TODAY, 29Feb2012, P1B SAN FRANCISCO – When Randy Kortering decided to upgrade computer network defenses at Haworth, a $1 billion-a-year office fixtures manufacturer, his chief of security warned him about social-networking use. &#8220;He laid out what was coming through a Facebook connection and how it could very quickly spread a virus [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-12165" href="http://lastwatchdog.com/companies-embrace-tools-restrict-social-networks-work/usabrd_usaeast_1_02-29-2012_0_b1_b_b_001_4_203935-ps/"><img class="alignleft size-full wp-image-12165" title="USABrd_USAEast_1_02-29-2012_0_B1_B_B_001_4_203935.ps" src="http://lastwatchdog.com/wp/wp-content/uploads/120229_tearsheet.jpg" alt="" width="175" height="132" /></a>By Byron Acohido, USA TODAY, 29Feb2012, <a href="http://www.usatoday.com/tech/news/story/2012-02-27/social-network-workplace-security/53292514/1">P1B</a></p>
<p>SAN FRANCISCO – When Randy Kortering decided to upgrade computer network defenses at Haworth, a $1 billion-a-year office fixtures manufacturer, his chief of security warned him about social-networking use.</p>
<p>&#8220;He laid out what was coming through a Facebook connection and how it could very quickly spread a virus that we weren&#8217;t prepared to block,&#8221; recalls Kortering, vice president of global information services for the Holland, Mich., company.</p>
<p>Kortering began reviewing new security systems designed to closely monitor or restrict, as needed, employee use of Facebook, Twitter, Google, LinkedIn and other popular online services. Because of a surge of headline-grabbing database breaches, many companies attending the massive RSA security conference here this week are following suit.</p>
<p>&#8220;The problem is pervasive,&#8221; says Jeff Wilson, principal security analyst at Infonetics Research. &#8220;Companies of all sizes are definitely re-evaluating what they have installed for IT security.&#8221;</p>
<p>Verizon&#8217;s annual Data Breach Investigations Report supplies a benchmark. Its 2011 study examined patterns in 800 corporate intrusions, up from 761 in 2010. By contrast, Verizon&#8217;s forensic experts were called in to solve 900 database break-ins in the previous six years combined, 2004 through 2009.</p>
<p>This is new terrain. The tech industry&#8217;s marquee players are intensifying the collection and sharing of personal information in order to sell more advertising. Yet the implications of companies acquiring beefier security systems to restrict employee access to popular services are difficult to discern.</p>
<p>Security analysts and criminologists say this much is clear: &#8220;Spear-phishing&#8221; attacks, crafted to get unsuspecting employees to inadvertently seed computer viruses and infections at targeted organizations, are jumping. And the surge of attacks on corporations correlates to the rise in unfettered use of social networks, search engines and Web apps on company networks, analysts say.</p>
<p>These popular free online services have turned out to be a boon for spear phishers, who prowl social networks and use search engines to gather intelligence. &#8220;Just like online marketers and advertisers, criminals see a tremendous value in knowing more about their targets,&#8221; says Rob D&#8217;Ovidio, a criminology professor at Drexel University.</p>
<p>Spear phishers are adept at inhabiting social networks to troll for victims. And they have proved endlessly inventive at crafting e-mails and social-network postings that appear to arrive from a trusted source, while stealthily delivering a malicious payload to gain them access deep inside company networks. The desired booty: customer lists, design documents, patents, financial statements — anything that can be sold in the cyberunderground.</p>
<p>&#8220;In most of the high-profile breaches we&#8217;ve seen in the past 12 months, hackers used social engineering to get an initial foothold inside the company,&#8221; says Hugh Thompson, RSA conference program committee chair. &#8220;It isn&#8217;t a generic stranger trying to deceive your employees; it&#8217;s someone who knows them through online reconnaissance.&#8221;</p>
<p><strong>Dark side</strong></p>
<p>Recent studies illustrate this dark side of social networking. Firewall maker Barracuda Networks analyzed Web traffic of 5,500 PC users in 20 nations and found one in 60 Facebook postings, and one in 100 Twitter tweets, carried malicious code.</p>
<p>&#8220;The dangers associated with social networking have climbed exponentially,&#8221; says Barracuda chief research officer Paul Judge.</p>
<p>Meanwhile, an analysis of Web traffic at 1,636 companies by firewall supplier Palo Alto Networks found a marked increase in employees&#8217; use of Facebook to run Web apps and games, not just read wall postings. In December 2011, employees used Facebook apps three times as often as they did in October 2010, and they used Twitter seven times as often.</p>
<p>Those increases tracked with an uptick in corporate use of Facebook and Twitter for marketing and recruiting, says Palo Alto senior security analyst Wade Williamson.</p>
<p>However, new Web apps are being pumped out so swiftly that many organizations aren&#8217;t able to fully grasp the security risks introduced by their employees trying out every cool new app that comes along, Williamson says.</p>
<p>What&#8217;s more, companies now routinely permit employees to connect their personally owned smartphones and tablet PCs into company systems, creating myriad fresh pathways into corporate networks.</p>
<p>Apple recently had to quell a furor over disclosures that social network Path and several other makers of apps for iPads and iPhones routinely collected and stored the contents of users&#8217; address books — without asking permission.</p>
<p>The Path revelation underscored how intrinsically porous services delivered to PCs and mobile devices from the Internet cloud can be. Cybercriminals, of course, long ago realized this and continue to take full advantage.</p>
<p>A recent Juniper Networks survey of applications available for all mobile device operating systems, except Apple&#8217;s iOS, tallied 28,472 malicious mobile apps in 2011, a 155% increase from the 11,138 malicious apps that existed in 2010. (Apple does not make iOS apps available for independent inspection.)</p>
<p>&#8220;Companies are going to have to learn exactly which applications are on their networks, who is using them, why they&#8217;re being used and make sure they are being used securely,&#8221; Williamson says.</p>
<p>Some companies have already begun doing just that. Haworth&#8217;s Kortering was persuaded to upgrade to a next-generation firewall from that can distinguish traffic going to and from specific applications, and block very specific types of traffic deemed non-productive or too risky.</p>
<p>&#8220;The easiest thing would be to block everything,&#8221; says Kortering. But &#8220;we block what we feel is outside of our policies and values.&#8221;</p>
<p>Waqas Akkawi, director of information security at global moving company SIRVA, is keeping much closer watch on his company&#8217;s network, too. Last fall, SIRVA purchased cutting-edge network access control (NAC) technology from ForeScout Technologies to meticulously manage who gets to log into its networks and to block any malicious programs trying to load from specific devices.</p>
<p>Many of SIRVA&#8217;s 3,000 employees, and most of its customers, log in to the company&#8217;s network remotely. &#8220;I could not say no to anybody because they&#8217;d say, &#8216;Hey, you&#8217;re limiting revenue generation,&#8217; &#8221; Akkawi says. &#8220;So I said, &#8216;No problem, you can bring it in.&#8217; &#8221;</p>
<p>Sales of next-generation firewalls and NAC systems are expected to grow robustly over the next five years as more companies come to grips with rising security threats. Many will discover that limiting employee access to social networks and Web apps can also directly help the bottom line, says Chris Rodriguez, network security analyst at Frost &amp; Sullivan.</p>
<p>Haworth, for instance, has used its new firewall to restrict employees from watching streamed videos in the lunchroom because that activity was consuming bandwidth needed on the production side at the fixtures manufacturer. &#8220;There&#8217;s a lot to be said for the value security tools offer operational-wise, such as the ability to automate tasks and reduce lost productivity,&#8221; Rodriguez says.</p>
<p><strong>Unforeseen threats</strong></p>
<p>Even so, it is the capacity for new tools to help corporations protect against as yet unforeseen threats likely to arise from employees&#8217; escalating use of social networks, Web apps and mobile devices that&#8217;s generating buzz at the RSA conference.</p>
<p>Some security experts worry about the chronological nature of Facebook&#8217;s new Timeline interface, which went live for most users this month.</p>
<p>No evidence has surfaced that spear phishers have begun mining Timeline. And Facebook spokeswoman Meredith Chin says that Facebook essentially works the way it always has and that Timeline surfaces no new information, nor does it change any privacy settings.</p>
<p>However, a cottage industry appears to be taking shape to more systematically broker stolen Facebook account logons. Aviv Raff, chief technology officer at threat alert service Seculert, tracked down a criminal server set up to continually harvest data from tens of thousands of infected PCs. Raff found an unusual program running in the background.</p>
<p>&#8220;They created specific code to extract just the Facebook credentials,&#8221; Raff says. &#8220;We found logon credentials for over 45,000 different Facebook accounts.&#8221;</p>
<p>Criminals use stolen logons to pose as a trusted source in attempts to dupe employees into clicking a poisoned link or opening an infected document, says Anup Ghosh, chief scientist at browser security firm Invincea. &#8220;With Timeline,&#8221; he says, &#8220;literally years worth of status updates, photo uploads and links can be pored through to create convincing personalized messages.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/companies-embrace-tools-restrict-social-networks-work/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Will Congress make Obama&#8217;s Privacy Bill of Rights law?</title>
		<link>http://lastwatchdog.com/congress-obamas-privacy-bill-rights-law/</link>
		<comments>http://lastwatchdog.com/congress-obamas-privacy-bill-rights-law/#comments</comments>
		<pubDate>Thu, 23 Feb 2012 15:43:18 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Obama watch]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Steps forward]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=12139</guid>
		<description><![CDATA[Getting a divided Congress to pass any hard-edged privacy legislation is the next big hurdle President Obama faces in getting his Consumer Privacy Bill of Rights made the law of the land. &#8220;We urge the Administration to ensure that it carries out this process in a fair and transparent manner, and that consumer voices are [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-12140" href="http://lastwatchdog.com/congress-obamas-privacy-bill-rights-law/congress_interior175px/"><img class="alignleft size-full wp-image-12140" title="Congress_interior175px" src="http://lastwatchdog.com/wp/wp-content/uploads/Congress_interior175px.jpg" alt="" width="175" height="111" /></a>Getting a divided Congress to pass any hard-edged privacy legislation is the next big hurdle President Obama faces in getting his Consumer Privacy Bill of Rights made the <a href="http://content.usatoday.com/communities/technologylive/post/2012/02/will-obamas-privacy-bill-of-rights-become-law/1">law of the land</a>.</p>
<p>&#8220;We urge the Administration to ensure that it carries out this process in a fair and transparent manner, and that consumer voices are heard and acted on,&#8221; says Susan Grant, Director of Consumer Protection at Consumer Federation of America.</p>
<p>In an unusual move, the White House convened a press conference at 4:30 p.m. Eastern on Wednesday to <a href="http://lastwatchdog.com/obama-calls-consumer-privacy-bill-rights/">announce</a> the details, imposing an embargo – which all media outlets accepted without question – until midnight. Here are the seven rights:</p>
<ul>
<li><strong>Individual Control:</strong> Consumers have a right to exercise control over what personal data organizations collect from them and how they use it.</li>
<li><strong>Transparency:</strong> Consumers have a right to easily understandable information about privacy and security practices.</li>
<li><strong>Respect for Context: </strong>Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.</li>
<li><strong>Security:</strong> Consumers have a right to secure and responsible handling of personal data.</li>
<li><strong>Access and Accuracy:</strong> Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.</li>
<li><strong>Focused Collection:</strong> Consumers have a right to reasonable limits on the personal data that companies collect and retain.</li>
<li><strong>Accountability:</strong> Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.</li>
</ul>
<p><strong>Watering down</strong></p>
<div id="attachment_12141" class="wp-caption alignleft" style="width: 102px"><a rel="attachment wp-att-12141" href="http://lastwatchdog.com/congress-obamas-privacy-bill-rights-law/john-simpson92px/"><img class="size-full wp-image-12141" title="John SImpson92px" src="http://lastwatchdog.com/wp/wp-content/uploads/John-SImpson92px.jpg" alt="" width="92" height="134" /></a><p class="wp-caption-text">Simpson</p></div>
<p>&#8220;The real question is how much influence companies like Google, Microsoft, Yahoo and Facebook will have in their inevitable attempt to water down the rules that are implemented and render them essentially meaningless,&#8221; says John Simpson, spokesman for Consumer Watchdog. &#8220;I am skeptical about the &#8216;multi-stakeholder process&#8217;, but am willing to make a good faith effort to try it.&#8221;</p>
<p>Simpson and others remain concerned about the Commerce Department&#8217;s role in shaping consumer privacy protections. &#8220;Commerce&#8217;s job — quite correctly — is to promote the interests of business, not protect consumers,&#8221; he says. &#8220;If nothing else, the report demonstrates the growing concern about online privacy. Perhaps this is one of the few issues where true bipartisan action will be possible this year.&#8221;</p>
<p>As proposed by the White House, the bill of rights recognizes the need for heightened protections for children and teens on the Internet.</p>
<p>&#8220;If we want to ensure that the Internet economy continues to be strong and vital, consumers need to be able to trust that the information collected about them will not be misused. This announcement sets the stage for that to begin to happen,&#8221; says Ellen Bloom, Senior Director of Federal Policy for Consumers Union, the policy and advocacy arm of Consumer Reports.</p>
<p><strong>Power moves</strong></p>
<p>The next steps will entail Washington D.C.-style power brokering, says Jeffrey Chester, executive director of the Center for Digital Democracy.</p>
<div id="attachment_11936" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11936" href="http://lastwatchdog.com/google-execs-give-closed-door-briefing-ceo-stays/jeffrey_chester_90px-8/"><img class="size-full wp-image-11936" title="jeffrey_chester_90px" src="http://lastwatchdog.com/wp/wp-content/uploads/jeffrey_chester_90px7.jpg" alt="" width="90" height="122" /></a><p class="wp-caption-text">Chester</p></div>
<p>&#8220;The new framework largely depends on the development of voluntary codes of conduct, to be negotiated between consumer groups and companies like Google, Facebook, Microsoft, Yahoo and others,&#8221; Chester says. &#8220;Consumer groups will engage in these negotiations in good faith. But we cannot accept any &#8216;deal&#8217; that doesn’t really protect consumers, and merely allows the data-profiling status quo to remain.&#8221;</p>
<p>Another part of the White House privacy framework calls for the Digital Advertising Alliance to add to its efforts to self-police its members by improving an existing Do Not Track mechanism many of its members already make available to consumers.</p>
<p>&#8220;The plan by the DAA to add Do-Not-Track to its self-regulatory system could derail a promising privacy effort by the World Wide Web Consortium standards group (W3C) that is being designed to give consumers greater control over data collection,&#8221; contends Chester. &#8220;The new DAA scheme will enable companies to continue to collect profiling data on users, and merely prevent the delivery of targeted ads. DAA members are terrified about the development of a DNT system with teeth, which would stop so much data collection, profiling and tracking.&#8221;</p>
<p><strong>California cracks down</strong></p>
<p>On a parallel track, the Associated Press <a href="http://www.usatoday.com/tech/news/story/2012-02-22/california-mobile-apps-privacy/53214500/1">reports</a> that California is cracking down on invasive mobile apps.</p>
<p>California Attorney General Kamala Harris is calling for the tech giants vying in the mobile space &#8212; Apple, Google, Microsoft, Amazon, Research In Motion and Hewlett-Packard &#8212; as well as thousands of mobile app developers to give people advance warning before extracting and storing sensitive information from smartphones and tablet PCs.</p>
<p>Harris began discussing the need for better privacy protections with six powerful companies that have shaped the mobile computing market, spawning nearly 1 million applications over the past four years, the AP reports.</p>
<p>&#8220;We are assuming everyone is going to cooperate in good faith and not get cute,&#8221; Harris told AP reporter Mike Liedtke.</p>
<p>Harris, a Democrat, is taking her stand out west, at the same time fellow Californian Mary Kay Bono, a Republican Congresswoman, and several other Republican lawmakers are clamoring for more details about how Google and Facebook conduct online tracking. The tech giants put themselves in the spotlight by recently announcing new initiatives to extend how they index and cross-reference data about what consumers do on their PCs and mobile devices.</p>
<p>Google has begun rolling out a new user privacy policy that will make it easier for the search giant to correlate information about anyone who uses multiple Google services, such as Google search, plus Gmail, Google Apps, YouTube, Picasa or Google+. Facebook is rolling out a new user interface &#8212; Timeline &#8212; that makes it easier to search and digest chronologically assembled data about a person. Each is trying to outdo the other in a race to sell more online advertising. Each insists it provides consumers with ample choice and control over such tracking data.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/congress-obamas-privacy-bill-rights-law/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Obama calls for a Consumer Privacy Bill of Rights</title>
		<link>http://lastwatchdog.com/obama-calls-consumer-privacy-bill-rights/</link>
		<comments>http://lastwatchdog.com/obama-calls-consumer-privacy-bill-rights/#comments</comments>
		<pubDate>Thu, 23 Feb 2012 14:40:32 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Obama watch]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Steps forward]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=12126</guid>
		<description><![CDATA[By Byron Acohido, USA TODAY, 23FEB2012, P1B The White House on Wednesday unveiled a strongly worded “Consumer Privacy Bill of Rights” as the linchpin for a drive to get Congress to pass new laws protecting consumers’ privacy as they surf the Internet. The announcement came as Maryland Attorney General Douglas F. Gansler and attorneys general [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-12127" href="http://lastwatchdog.com/obama-calls-consumer-privacy-bill-rights/barack-obama150px/"><img class="alignleft size-full wp-image-12127" title="Barack Obama150px" src="http://lastwatchdog.com/wp/wp-content/uploads/Barack-Obama150px.jpg" alt="" width="150" height="151" /></a>By Byron Acohido, USA TODAY, 23FEB2012, <a href="http://www.usatoday.com/tech/news/story/2012-02-23/ftc-consumer-internet-privacy/53213162/1">P1B</a></p>
<p>The White House on Wednesday unveiled a strongly worded “Consumer Privacy Bill of Rights” as the linchpin for a drive to get Congress to pass new laws protecting consumers’ privacy as they surf the Internet.</p>
<p>The announcement came as Maryland Attorney General Douglas F. Gansler and attorneys general from 35 other states sent a letter to Google complaining about a new privacy policy which will give the search giant greater latitude to track people using computers and mobile devices, with no way to opt out of being tracked.</p>
<p>One of the seven privacy rights, unveiled at a press conference by Commerce Secretary John Bryson, guarantees consumers the “right to exercise control over what personal data organizations collect from them and how they use it.”</p>
<p>The Commerce Department will now commence a series of meetings inviting privacy advocates, consumer groups and key players in the tech and online advertising industries to hash out “enforceable privacy policies,” Bryson said.</p>
<p>In a statement, President Obama said, “American consumers can’t wait any longer for clear rules of the road that ensure their personal information is safe online. As the Internet evolves, consumer trust is essential for the continued growth of the digital economy.”</p>
<p>Meanwhile, the Digital Advertising Alliance, an industry trade group, announced it has begun work on a more visible and effective Do Not Track mechanism to add to a self-policing system in effect for all of the consortium’s members. The Federal Trade Commission separately has backed a call for a Do Not Track system buttressed by new federal laws.</p>
<p>Daniel Weitzner, the White House deputy chief technical officer, said the Obama Administration’s goal is to get Congress to draft and pass new privacy laws using the privacy bill of rights as a framework.</p>
<p>“We now have a much more focused blueprint,” Weitzner said. “We’ll use our bully pulpit to get legislation passed based on these principles.”</p>
<p>The push comes as Google, Facebook and Apple have come under fire from some members of Congress and the FTC for tracking consumers as they use their PCs and mobile devices on the Internet, often without asking permission.</p>
<p>The attorneys general are seeking a delay in implementation of Google&#8217;s new privacy policy &#8212; which is set to take full effect on March 1. The AGs now join several members of Congress and numerous privacy advocates and consumer groups in protesting the fact that anyone who uses multiple Google services cannot opt out of the new policy, which makes it easier for Google to cross-reference activities across its most popular services, including search, Gmail, Google Apps, YouTube, Picasa and Google+.</p>
<p>The Obama administration recognizes that “we need to make meaningful changes to preserve consumer trust and confidence,” says Craig Spiezle, executive director of the non-profit Online Trust Association. “At the same time, we need to preserve innovation. Balancing the two is a challenge.”</p>
<p>Getting a divided Congress to pass any hard-edged privacy legislation is another challenge.</p>
<p>&#8220;The real question is how much influence companies like Google, Microsoft, Yahoo and Facebook will have in their inevitable attempt to water down the rules that are implemented and render them essentially meaningless,&#8221; says John Simpson, spokesman for Consumer Watchdog. &#8220;I am skeptical about the &#8216;multi-stakeholder process&#8217;, but am willing to make a good faith effort to try it.&#8221;</p>
<p>Simpson and others remain concerned about the Commerce Department&#8217;s role in shaping consumer privacy protections. &#8220;Commerce&#8217;s job &#8212; quite correctly &#8212; is to promote the interests of business, not protect consumers,&#8221; he says. &#8220;If nothing else, the report demonstrates the growing concern about online privacy. Perhaps this is one of the few issues where true bipartisan action will be possible this year.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/obama-calls-consumer-privacy-bill-rights/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FTC bars Facebook from using deceptive privacy practices</title>
		<link>http://lastwatchdog.com/ftc-bars-facebook-deceptive-privacy-practices/</link>
		<comments>http://lastwatchdog.com/ftc-bars-facebook-deceptive-privacy-practices/#comments</comments>
		<pubDate>Wed, 30 Nov 2011 01:04:43 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Steps forward]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11594</guid>
		<description><![CDATA[Facebook on Tuesday agreed to a Federal Trade Commission consent order barring the company from deceiving consumers about its privacy practices. The order also requires Facebook to submit to monitoring for 20 years. The sanctions stem from privacy setting changes Facebook made in December 2009, without asking users&#8217; permission. The company told users they could [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11595" href="http://lastwatchdog.com/ftc-bars-facebook-deceptive-privacy-practices/ftc_logo/"><img class="alignleft size-full wp-image-11595" title="FTC_logo" src="http://lastwatchdog.com/wp/wp-content/uploads/FTC_logo.jpg" alt="" width="160" height="160" /></a>Facebook on Tuesday <a href="http://www.ftc.gov/opa/2011/11/privacysettlement.shtm">agreed</a> to a Federal Trade Commission <a href="http://www.ftc.gov/os/caselist/0923184/111129facebookagree.pdf">consent order</a> barring the company from deceiving consumers about its privacy practices. The order also requires Facebook to submit to monitoring for 20 years.</p>
<p>The sanctions stem from privacy setting changes Facebook made in December 2009, without asking users&#8217; permission.</p>
<p>The company told users they could keep full control of who could access their content on Facebook when, in fact, the company repeatedly allowed information to be shared and made public, as outlined in the <a href="http://www.ftc.gov/os/caselist/0923184/111129facebookcmpt.pdf">FTC&#8217;s 19-page complaint.</a></p>
<p>The order is expected to give technologists and privacy advocates a new, more effective tool to monitor Facebook&#8217;s privacy practices, says Jeff Chester, executive director of the non-profit Center for Digital Democracy.</p>
<p>&#8220;We will have to come in and show how <a href="http://lastwatchdog.com/aclu-joins-call-ftc-probe-facebook-tracking-apps/">Timeline</a> and the ever-expanding data targeting practices violate the order,&#8221; says Chester. &#8220;This order does put the burden on privacy groups to make any safeguards stick. We have a chance to force the company to change the way it does business.&#8221;</p>
<div id="attachment_11596" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-11596" href="http://lastwatchdog.com/ftc-bars-facebook-deceptive-privacy-practices/mary-bono-mack_175px-5/"><img class="size-full wp-image-11596" title="Mary Bono Mack_175px" src="http://lastwatchdog.com/wp/wp-content/uploads/Mary-Bono-Mack_175px4.jpg" alt="" width="175" height="133" /></a><p class="wp-caption-text">Bono Mack</p></div>
<p>And federal lawmakers focusing on privacy issues will also be closely monitoring the aftermath of the FTC’s order, says Rep. Mary Bono Mack, R-Calif.</p>
<p>“In many ways this settlement clearly demonstrates that the privacy debate in Washington remains unresolved,” says Bono Mack. “Privacy policies should be transparent and understandable to everyone, and consumers should have an easy-to-understand way to opt out of sharing information, if they choose to do so.”</p>
<p>Facebook CEO Mark Zuckerberg insisted in a <a href="https://blog.facebook.com/blog.php?post=10150378701937131">blog posting</a> that the company has &#8220;a good history of providing transparency and control over who can see your information,&#8221; but admitted that &#8220;we&#8217;ve made a bunch of mistakes.&#8221;</p>
<p><strong>IPO, Do Not Track form backdrop</strong></p>
<p>The FTC&#8217;s sanction comes as Facebook readies itself for a high-profile initial public offering of stock, expected next spring. Today, coincidentally on the same day the FTC&#8217;s sanction was announced, the Wall Street Journal <a href="http://online.wsj.com/article/SB10001424052970203935604577066773790883672.html">reported</a> Facebook&#8217;s IPO may ring in at $10 billion.</p>
<p>Meanwhile, the company has come under rising criticism in the U.S. and Europe for using Like buttons embedded on millions of websites to monitor Web surfing.</p>
<p>Facebook compiles tracking logs of the webpages viewed by each of its 800 million members, and millions more non-members, the company recently <a href="http://lastwatchdog.com/facebook-tracking-logs-webpages-visit/"> disclosed in exclusive USA TODAY interviews.</a></p>
<div id="attachment_11633" class="wp-caption alignleft" style="width: 160px"><a rel="attachment wp-att-11633" href="http://lastwatchdog.com/ftc-bars-facebook-deceptive-privacy-practices/jay-rockefeller150px-3/"><img class="size-full wp-image-11633" title="Jay Rockefeller150px" src="http://lastwatchdog.com/wp/wp-content/uploads/Jay-Rockefeller150px2.jpg" alt="" width="150" height="160" /></a><p class="wp-caption-text">Rockefeller</p></div>
<p>New federal laws are needed to help consumers &#8220;protect their personal information from companies surreptitiously collecting and using that personal information for profit,&#8221; says Sen. Jay Rockefeller, D-W. Virg, sponsor of a Do Not Track law that would restrict online tracking.</p>
<p>Rockefeller commended the FTC&#8217;s action. “Consumer privacy is a right, not a luxury,&#8221; he says. &#8220;This action against Facebook is just the first step toward protecting consumer privacy.&#8221;</p>
<p>Jules Polonetsky, Director and Co-Chair of the Future of Privacy Forum, noted that the FTC order sends a message to other Internet-based companies that they need to get express consent from consumers to alter privacy practices.</p>
<p>&#8220;And if you are a custodian of user data, you need to have a formal program in place that ensures that data use and product development are overseen by privacy staff,&#8221; says Polonetsky. &#8220;These are guidelines that any company that interacts with consumer data would be wise to consider baseline requirements.&#8221;</p>
<p><strong>What Facebook shall do</strong></p>
<p>Included in the eight counts of unfair and deceptive practices outlined in the <a href="http://www.ftc.gov/os/caselist/0923184/111129facebookcmpt.pdf">FTC&#8217;s complaint</a> are charges that Facebook improperly disclosed information to advertisers and continued to display photos and videos even after their accounts were deactivated. The consent order, which must be approved by a judge, requires Facebook to:</p>
<ul>
<li>Obtain express consent before overriding users&#8217; privacy preferences.</li>
<li>Cut off access to a user’s material within 30 days after deletion of an account.</li>
<li>Establish a comprehensive privacy program covering new and existing products and services.</li>
<li>Submit to privacy program audits within 180 days and every two years after that for the next 20 years. Monitoring would be handled by an independent professional yet to be named.</li>
</ul>
<p>Even after the consent order takes effect, Facebook users may not notice anything different. It&#8217;s not clear how the FTC&#8217;s order could affect Facebook&#8217;s plans for new services, including “Timeline” pages that digitally map everything a user has ever done on the popular social network, and &#8220;Open Graph&#8221; applications designed to broadcast a user’s surfing patterns widely across Facebook.</p>
<p>Chris Conley, a tech and civil liberties attorney at the ACLU&#8217;s Northern California affiliate, notes that Facebook&#8217;s privacy settings make no reference to Like button tracking.</p>
<p>&#8220;There&#8217;s no setting for a user to control that,&#8221; says Conley. &#8220;It&#8217;s questionable if something that doesn&#8217;t have a privacy setting today is covered by the FTC’s settlement proposal, or how the FTC would respond if Facebook started using this data in unexpected ways.&#8221;</p>
<p><strong>A call for opt-in</strong></p>
<p>Marc Rotenberg, executive director of the non-profit Electronic Privacy Information Center, noted that the FTC stopped short of ordering Facebook to restore the more rigorous privacy settings that were in effect prior to December 2009.</p>
<p>EPIC and nine other groups filed the complaint that triggered the FTC probe. &#8220;If it was unfair to change the privacy settings, then the right response would be to change the settings back,&#8221; Rotenberg says.</p>
<div id="attachment_11614" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11614" href="http://lastwatchdog.com/ftc-bars-facebook-deceptive-privacy-practices/jim-steyer_90px/"><img class="size-full wp-image-11614" title="Jim Steyer_90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Jim-Steyer_90px.jpg" alt="" width="90" height="122" /></a><p class="wp-caption-text">Steyer</p></div>
<p>James P. Steyer, CEO of Common Sense Media, added: &#8220;It’s incredibly encouraging to see an industry leader like Facebook held to a higher standard of privacy protections. It’s our hope that this decision and its focus on the necessity of opt-in will lead other companies to follow suit. Until large tech companies start listening to the public, this kind of action from the FTC is critical. Government regulation and leadership is essential in order to help protect our privacy – and that of our kids – online.&#8221;</p>
<p>A poll by Common Sense Media conducted late last year found 75 percent of parents did not believe social networks were doing enough to keep their kids safe online.</p>
<p>Says Steyer: &#8220;With more than 7.5 million kids on Facebook, and even more using digital devices like smartphones and tablet computers, it’s imperative that other leaders in this industry hear the FTC’s message loud and clear: the concept of privacy is definitely not dead – especially for parents – and opt-in must become the standard all other companies employ.&#8221;</p>
<p><em>&#8211; By Byron Acohido</em></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/ftc-bars-facebook-deceptive-privacy-practices/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Rockefeller, Bono Mack seek explanations from Facebook</title>
		<link>http://lastwatchdog.com/rockefeller-bono-mack-seek-explanations-facebook/</link>
		<comments>http://lastwatchdog.com/rockefeller-bono-mack-seek-explanations-facebook/#comments</comments>
		<pubDate>Thu, 17 Nov 2011 00:42:32 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Steps forward]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11524</guid>
		<description><![CDATA[Two federal lawmakers want Facebook to come before Congress to explain how the social media company tracks Web users and why Facebook members got swarmed by pornographic and violent images this week. Reacting to details of Facebook&#8217;s tracking practices disclosed in LastWatchdog&#8217;s page 1A story in print editions of USA TODAY, Sen. Jay Rockefeller, D [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11525" href="http://lastwatchdog.com/rockefeller-bono-mack-seek-explanations-facebook/jay-rockefeller150px-2/"><img class="alignleft size-full wp-image-11525" title="Jay Rockefeller150px" src="http://lastwatchdog.com/wp/wp-content/uploads/Jay-Rockefeller150px1.jpg" alt="" width="150" height="160" /></a>Two federal lawmakers want Facebook to come before Congress to explain how the social media company tracks Web users and why Facebook members<a href="http://lastwatchdog.com/facebooks-sharing-system-swarmed-porn-gore/"> got swarmed </a>by pornographic and violent images this week.</p>
<p>Reacting to details of Facebook&#8217;s tracking practices disclosed in LastWatchdog&#8217;s <a href="http://www.usatoday.com/tech/news/story/2011-11-15/facebook-privacy-tracking-data/51225112/1">page 1A story</a> in print editions of USA TODAY, Sen. Jay Rockefeller, D &#8211; W. Virg., said he intends to invite Facebook and others to a hearing to explain how they are using personal information.</p>
<p><a rel="attachment wp-att-11533" href="http://lastwatchdog.com/rockefeller-bono-mack-seek-explanations-facebook/facebook_track265px/"><img class="alignleft size-full wp-image-11533" title="Facebook_track265px" src="http://lastwatchdog.com/wp/wp-content/uploads/Facebook_track265px.jpg" alt="" width="265" height="548" /></a>&#8220;The USA Today story is disturbing,&#8221; says Rockefeller, sponsor of a Do-Not-Track bill that would empower consumers to limit ad networks from tracking where they go online. &#8220;No company should track customers without their knowledge or consent, especially a company with 800 million users and a trove of unique personal data on its users.&#8221;</p>
<p>Facebook spokesman Andrew Noyes noted that Facebook tracking systems are used to personalize content and help boost security. He also said that the company&#8217;s tracking practices are spelled out in its <a href="https://www.facebook.com/about/privacy/your-info-on-other#socialplugin">Privacy Policy</a> and <a href="https://www.facebook.com/help/?faq=186325668085084#What-information-does-Facebook-receive-about-me-when-I-visit-a-website-with-a-Facebook-social-plug-in?">Help Center</a> web pages. &#8220;We appreciate Sen. Rockefeller&#8217;s interest in protecting consumer privacy and look forward to discussing this with him,&#8221; Noyes says.</p>
<p>Meanwhile, Rep. Mary Bono Mack, R-Calif., who chairs the House Subcommittee on Commerce, Manufacturing and Trade, directed her staff to bring in Facebook officials next week for a briefing to learn more about the wave of pornographic and violent images that spread through Facebook&#8217;s automated content-sharing systems. &#8220;The Chairman is very concerned about what took place and wants to make certain – to the extent possible – that it doesn&#8217;t happen again,&#8221; says spokesman Ken Johnson.</p>
<div id="attachment_11536" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-11536" href="http://lastwatchdog.com/rockefeller-bono-mack-seek-explanations-facebook/mary-bono-mack_175px-4/"><img class="size-full wp-image-11536" title="Mary Bono Mack_175px" src="http://lastwatchdog.com/wp/wp-content/uploads/Mary-Bono-Mack_175px3.jpg" alt="" width="175" height="133" /></a><p class="wp-caption-text">Bono Mack</p></div>
<p>Among the questions Bono Mack wants answered: How many people were impacted? What actually happened? How did it happen? Could the vulnerability be used to gather users&#8217; personal information? What is Facebook doing to prevent future intrusions?</p>
<p>Noyes pointed out <a href="http://www.cnn.com/2011/11/16/tech/social-media/facebook-hacking-security/index.html">this CNN news story</a> praising how Facebook responded to the systemic attack on its content-sharing technologies. &#8220;Protecting the people who use Facebook from spam and malicious content is a top priority for us,&#8221; says Noyes. &#8220;Our team responded quickly to eliminate most of the spam caused by this incident. We are now working to improve our systems to better defend against similar attacks in the future.&#8221;</p>
<p>Joseph Steinberg, CEO of Green Armor Solutions, says that the porn and gore spam attack is another reason users should not rely on Facebook&#8217;s security and privacy settings.</p>
<p>&#8220;Facebook has never been the poster child for security,&#8221; Steinberg says. &#8220;This situation reinforces that concept. If some form of breach occurred and information that you configured to be viewable by only your friends became viewable by the entire world, it is unlikely that Facebook is going to compensate you. But they can gather information about you and advertise to you. In many ways, you are Facebook&#8217;s product, not its customer.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/rockefeller-bono-mack-seek-explanations-facebook/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Why the FTC&#8217;s COPPA revisions fall short</title>
		<link>http://lastwatchdog.com/ftcs-coppa-revisions-fall-short/</link>
		<comments>http://lastwatchdog.com/ftcs-coppa-revisions-fall-short/#comments</comments>
		<pubDate>Thu, 10 Nov 2011 01:28:41 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>
		<category><![CDATA[Steps forward]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11429</guid>
		<description><![CDATA[The Federal Trade Commission has drawn positive reviews from both Democratic and Republican lawmakers for its proposal to update the Children&#8217;s Online Privacy Protection Act, or COPPA. The 1998 COPPA law bans website publishers and social networks from collecting or using information from children under 13. Enforcement, however, has been spotty.  And it&#8217;s common practice [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11430" href="http://lastwatchdog.com/ftcs-coppa-revisions-fall-short/coppa-15px/"><img class="alignleft size-full wp-image-11430" title="coppa 15px" src="http://lastwatchdog.com/wp/wp-content/uploads/coppa-15px.jpg" alt="" width="150" height="174" /></a><em>The Federal Trade Commission has drawn <a href="http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202518136318">positive reviews </a>from  both Democratic and Republican lawmakers for its proposal to update the Children&#8217;s Online Privacy Protection Act, or COPPA.</em></p>
<p><em>The 1998 COPPA law bans website publishers and social networks from collecting or using information from children under 13. Enforcement, however, has been spotty.  And it&#8217;s common practice for website operators to  do the minimum to meet the letter of the law.</em></p>
<p><em>Among other things, the FTC has proposed updating the definition of &#8220;personal information&#8221; to include geolocation information and certain types of persistent identifiers, such as tracking cookies. And it  has  also proposed new methods and rules for obtaining verifiable parental consent.</em></p>
<p><em>In this LastWatchdog guest post, Paul Lipman, CEO of <a href="http://totaldefense.com/home.aspx">Total Defense,</a> argues why he thinks the FTC&#8217;s proposed revisions fall short.</em></p>
<div id="attachment_11431" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-11431" href="http://lastwatchdog.com/ftcs-coppa-revisions-fall-short/paul_lipman_175px/"><img class="size-full wp-image-11431" title="Paul_Lipman_175px" src="http://lastwatchdog.com/wp/wp-content/uploads/Paul_Lipman_175px.jpg" alt="" width="175" height="257" /></a><p class="wp-caption-text">Lipman</p></div>
<p>By Paul Lipman.</p>
<p>On September 15th, the Federal Trade Commission  issued a long-awaited request for comments on proposed revisions to the Children’s Online Privacy Protection Act (COPPA), which gives parents control over what personal information Web sites may collect from children under the age of 13. While the sentiment behind this act is the right one, the proposed revisions don’t go far enough to protect children and families.</p>
<p>COPPA was enacted on October 21, 1998 and took effect April 21, 2000. At the time, the legislation was created to address the growth of online marketing techniques targeting children.  Web sites were collecting information from children without parental knowledge or consent and children didn’t understand the risks of revealing personal information online. As a result, the public pressured Congress to legislate.</p>
<p><strong>Current rules</strong></p>
<p>COPPA details what Web sites must include in a privacy policy, when and how to seek verifiable consent from a parent and what responsibilities a Web site has to protect children&#8217;s privacy and safety online, including restrictions on marketing to those under 13. To obtain verifiable parental consent, COPPA requires Web sites to do one of the following:</p>
<ul>
<li> Obtain a signed form from the parent via postal mail or facsimile</li>
<li> Accept and verify a credit card number</li>
<li> Take calls from parents on a line staffed by trained personnel</li>
<li> Require an email accompanied by digital signature from a parent</li>
<li> Require an email accompanied by a PIN or password</li>
</ul>
<p>While the COPPA regulations were timely and forward-thinking, the Web has come a long way since 1998.  It’s unbelievable that it’s taken the FTC more than 10 years to look into amending the decade-old act.</p>
<p>Consider that in 1998, Mark Zuckerberg, co-creator of Facebook, was a child himself, at only 14 years of age. Facebook and MySpace did not exist.  Instant messaging, online shopping and Internet auctions were in their infancies. And few parents feared the possible repercussions of their children dropping personal information into the Web-o-sphere, because there was no real reason or way to do so.</p>
<p>The FTC proposed amendments to COPPA  expand the definition of “personal information” to include a child’s location, along with any personal data collected through the use of cookies. The FTC also suggested that parental consent be obtained by getting scanned versions of signed consent forms or via videoconferencing.</p>
<p><strong>Parent engagement</strong></p>
<p>The revisions come in light of the increase in children operating mobile devices, using online social networking sites and participating in interactive gaming. Unfortunately, these revisions come at a time when it’s almost too little too late. The proposed changes are not enough to keep kids safe online or to keep up with the ever evolving Web.</p>
<p>As in other aspects of a child&#8217;s development, the parent should be actively engaged.  Online behavior, both on the PC and on mobile devices, is no exception.  The repercussions of digital actions are not apparent, because it is not visible how personal data is actually used and monetized by corporations.</p>
<p>COPPA legislation should help parents become more involved.  Laws such as the state child restraint law help ensure adequate protection is offered to children while riding in a vehicle by requiring the parent to use age and size specific child seats.  In a similar way, COPPA legislation should act as the restraint law for children when they are online by requiring a parent or legal guardian to register the child for any and all online services.</p>
<p>When it comes to social networking, the government must find ways to discourage youth from openly and freely sharing personal information.  Mobile Internet use should also be more clearly addressed by outlining restrictions for mobile applications, browsing capabilities and more.</p>
<p><strong>Marketing tilt</strong></p>
<p>Current legislation provides too many registration options allowing the parent to be circumvented too easily.  To avoid this, I recommend authenticating the parent or guardian by tying the transaction to the parent&#8217;s credit card.  While this is a documented option in today&#8217;s COPPA standard, it&#8217;s just one of the options and not a requirement.</p>
<p>We must note that most child-friendly Web sites offer plenty of interesting and valuable content without requiring any registration whatsoever.  Still, these Web sites encourage registration via tempting sweepstakes and coupon offerings; such registration should therefore require parental consent, or tempting sweepstakes should be banned on child-friendly sites altogether.</p>
<p>Today&#8217;s legislation still tilts the scale in favor of the online marketer. Parents should be aware and legislation must change to better protect children, our future leaders, online.</p>
<p><em><strong>About the essayist. </strong>Paul Lipman, CEO of  Total Defense,  was previously Chief Strategy Officer at  Webroot. Prior to Webroot, Lipman was General Manager of Global Services at Keynote Systems, joining Keynote via the  acquisition of Enviz.  Lipman holds an MBA from the Stanford University Graduate School of Business and a Bachelor&#8217;s Degree in Physics from Manchester University in England.</em></p>
<div id="crp_related"><h3>Related Posts:</h3><ul><li><a href="http://lastwatchdog.com/advocacy-groups-urge-ftc-protect-children-online/" rel="bookmark" class="crp_title">Advocacy groups urge FTC to protect children online</a></li><li><a href="http://lastwatchdog.com/apps-social-networks-pose-rising-danger-kids-online/" rel="bookmark" class="crp_title">Apps, social networks pose rising danger to kids online</a></li><li><a href="http://lastwatchdog.com/isaca-backs-regulation-location-based-apps/" rel="bookmark" class="crp_title">ISACA issues tips for safe use of geolocation apps</a></li><li><a href="http://lastwatchdog.com/tech-industry-moves-protect-children-online/" rel="bookmark" class="crp_title">Tech industry moves to better protect children online</a></li><li><a href="http://lastwatchdog.com/parental-guidance-app-monitors-youth-facebook/" rel="bookmark" class="crp_title">New monitoring tools for parents can foil Facebook bullies and predators</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/ftcs-coppa-revisions-fall-short/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The case for wider use of Next Generation Firewalls</title>
		<link>http://lastwatchdog.com/case-wider-generation-firewalls/</link>
		<comments>http://lastwatchdog.com/case-wider-generation-firewalls/#comments</comments>
		<pubDate>Tue, 01 Nov 2011 18:20:38 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Guest Blog Post]]></category>
		<category><![CDATA[Steps forward]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11342</guid>
		<description><![CDATA[Cyberattacks have gotten very sophisticated, to say the least. Traditional perimeter firewalls are still in wide use as a fundamental defense mechanism.  But a group of security vendors are pushing for wider use of so-called Next Generation Firewalls, or NGFWs, that integrate firewall, intrusion detection and prevention, application monitoring and authentication and policy-use  controls. These [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11344" href="http://lastwatchdog.com/case-wider-generation-firewalls/firewall_150px-2/"><img class="alignleft size-full wp-image-11344" title="firewall_150px" src="http://lastwatchdog.com/wp/wp-content/uploads/firewall_150px1.jpg" alt="" width="150" height="150" /></a><em>Cyberattacks have gotten <a href="http://lastwatchdog.com/carbon-registries-heist-part-digital-con-game-part/">very sophisticated,</a> to say the least.</em></p>
<p><em>Traditional perimeter firewalls are still in wide use as a fundamental defense mechanism.  But a group of security vendors are pushing for wider use of so-called Next Generation Firewalls, or NGFWs, that integrate firewall, intrusion detection and prevention, application monitoring and authentication and policy-use  controls.</em></p>
<p><em>These vendors include NSS Labs, Barracuda, Check Point, Cisco, Fortinet, Juniper, Palo Alto Networks and SonicWall. In this LastWatchdog guest post, AlgoSec&#8217;s CTO, Professor Avishai Wool, of Tel Aviv University, makes the technical argument for more pervasive use of NGFWs. (Clarification. 02Nov2011. NSS Labs tests security products, including firewalls, and publishes the results.)</em></p>
<div id="attachment_11348" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-11348" href="http://lastwatchdog.com/case-wider-generation-firewalls/avishai-wool_175px-4/"><img class="size-full wp-image-11348" title="Avishai Wool_175px" src="http://lastwatchdog.com/wp/wp-content/uploads/Avishai-Wool_175px3.jpg" alt="" width="175" height="274" /></a><p class="wp-caption-text">Wool</p></div>
<p>By Avishai Wool</p>
<p>The last few years have brought us arguably the most significant change in firewall technology in decades. Ever since <a href="http://www.webopedia.com/TERM/S/stateful_inspection.html">“Stateful Inspection”</a> was introduced by Check Point in the mid-1990s, firewall administrators and information security officers have been defining security policies based primarily on a connection’s source IP address, destination IP address, and service.</p>
<p>Now, with the so called “Next Generation” firewalls (NGFWs) promoted by Palo Alto Networks and Check Point R75, policy can also be defined based on the “application”.</p>
<p>To understand why this technical detail is an exciting development for organizations, we need a bit of background. Almost all organizations let their users browse the net. From a firewall point of view, this policy is implemented by allowing the “http” service (technically, tcp on port 80) from the internal net, to anywhere.</p>
<p>The trouble is that application programmers have noticed this policy, and have adjusted: almost every web-application now communicates over tcp/80. Since this port is practically certain to be open, there is no need for the application users to ask for a new rule through the firewall; the application will “just work”. This is very convenient for application developers, and also for application users.</p>
<p>But it is a serious concern for information security officers, because not all web-applications are born equal. While many web-applications are important business tools, others are not: some are inappropriate (think file-swapping applications), some are vectors for sensitive data loss (like personal network storage), and others are bandwidth hogs (like streaming video apps).</p>
<p>And lurking among all these we have the real nasty apps: cyber-warfare tools, corporate espionage trojans, identity-stealing bots, viruses and worms, etc.  And all these apps use tcp/80 – the good, the bad, and the ugly.</p>
<p>This leaves the information security officer with an unpleasant choice: Either block all the applications that use tcp/80, and disrupt business in a major way – or allow all apps, and assume the risk. Practically every firewall policy I have seen chooses business continuity over safety, and keeps tcp/80 open – with the associated heartburn for CISOs everywhere.</p>
<p>Now enter NGFWs. Through some pretty impressive technological advances, these devices can discriminate between applications that share the same port. NGFWs can enforce fine-grained policies like “block file-swapping applications”, or “allow Facebook but not its game applications”, or even “block the super-sneaky Skype application” – while allowing benign http traffic through the firewall.</p>
<p>The sales-pitch is indeed very compelling for many security-conscious organizations, and lots of organizations are indeed embracing the new technology.</p>
<p>However, once we are past the excitement over the cool new technology (and it is indeed cool!), we have to realize that NGFWs need to be managed. This will require some thought and planning. I’d like to raise two points you should think about when you are considering NGFWs.</p>
<p>The first point is policy granularity. For many years firewall policies were defined at a crude “service” granularity – lumping thousands of applications into a single “service”.  And still, many corporate firewall policies have ballooned into monsters totaling thousands of rules.</p>
<p>Such giant policies are extremely difficult to keep secure – and invariably contain a surprisingly high number of errors. In fact, my research has demonstrated that there is a clear correlation between policy complexity and the number of errors in the policy; for firewall policies, “small is beautiful”.</p>
<p>Now imagine what will happen if instead of a single (albeit crude) rule allowing http, the policy will include 10,000 new rules, one per application… Without some careful design, the new policy could be even less secure just because of all the new errors that will creep in.</p>
<p>The second point is about “blacklisting” versus “whitelisting”. Fifteen years ago there was a raging debate among firewall administrators about how a good firewall policy should be structured. The “blacklisting” proponents suggested to “allow everything, and block the traffic you don’t want”, while the “whitelisting” aficionados argued to “block everything, and only allow the traffic you need”.</p>
<p>This debate was won by a landslide in favor of the more secure “whitelisting” approach: today practically every firewall policy has a “default drop” rule and a great number of “allow” rules. Further, most regulations require such a structure for compliance.</p>
<p>However, this more secure approach has a cost: whitelisting causes a significant workload on firewall administrators. This is because every new connection potentially requires yet another firewall rule – which has to be planned, approved, implemented, and validated. Some organizations I’ve spoken to process hundreds of such rule-change requests every week, and as a result, suffer turnaround times of several weeks between change request and implementation.</p>
<p>With the advent of NGFWs, I think the blacklisting/whitelisting debate deserves a fresh look, and a conscious choice. Consider this: If you decide to whitelist at the application level (i.e., block outbound tcp/80 and only allow those web-applications you know about) – how many more change requests per week will you be processing? Can your existing team handle the extra load without degradation to turnaround time? Will you require additional headcount?</p>
<p>Furthermore, perhaps CISOs will find it easier to define policy via blacklisting, via rules like “block social networks, file sharing and video streaming, and allow all other web traffic”?</p>
<p>As anecdotal evidence, compare how filtering web-proxies and web-application firewalls (that do a similar job using different technologies) are configured. As far as I can tell, blacklisting is the more common approach for web-proxies, although I have spoken to some organizations that whitelist. Should NGFWs follow the web-proxy blacklist style – or should they follow the classical firewall’s whitelist approach?</p>
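<p><em>Added example (not part of Wool&#8217;s post, and not any vendor&#8217;s rule syntax): a small first-match policy evaluator in Python that runs the same tcp/80 traffic through three policies of the kind discussed above: the classic service-level rule that allows all of tcp/80, an application-aware blacklist, and an application-aware whitelist. The rule and flow fields, the application labels and the sample flows are constructed for illustration. The &#8220;change request&#8221; count is the number of business-wanted flows a policy drops, which is exactly what a whitelist turns into a rule-change ticket when a new application shows up on tcp/80.</em></p>

```python
# Added example, not code from the original post or from any firewall vendor.
# Toy first-match policy engine with an implicit default-drop rule at the bottom.
# Field names, app labels and sample flows are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int
    app: Optional[str]  # label assigned by an NGFW app-identification engine; None = unidentified


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "drop"
    src: str = "any"
    dst: str = "any"
    proto: str = "any"
    port: Optional[int] = None           # None matches any port
    apps: Optional[FrozenSet[str]] = None  # None = any application (classic service-level rule)

    def matches(self, f: Flow) -> bool:
        if self.src != "any" and self.src != f.src:
            return False
        if self.dst != "any" and self.dst != f.dst:
            return False
        if self.proto != "any" and self.proto != f.proto:
            return False
        if self.port is not None and self.port != f.port:
            return False
        # An app-aware rule never matches an unidentified flow (app is None).
        if self.apps is not None and f.app not in self.apps:
            return False
        return True


def evaluate(policy: List[Rule], f: Flow, default: str = "drop") -> Tuple[str, Optional[int]]:
    """First matching rule wins; returns (action, rule index) or (default, None)."""
    for idx, rule in enumerate(policy):
        if rule.matches(f):
            return rule.action, idx
    return default, None


def audit(policy: List[Rule], flows: List[Flow]) -> Dict[str, str]:
    """Map each sample flow (keyed by app label) to the action the policy takes."""
    return {f.app or f"unidentified/{f.proto}{f.port}": evaluate(policy, f)[0] for f in flows}


def change_requests(policy: List[Rule], wanted: List[Flow]) -> int:
    """Business-needed flows the policy drops today: each one becomes a rule-change request."""
    return sum(1 for f in wanted if evaluate(policy, f)[0] == "drop")


# Three policies over the same traffic (all from the internal net to anywhere).
CLASSIC = [
    Rule("allow", src="internal", proto="tcp", port=80),  # "http" service: tcp/80, any app
]
BLACKLIST = [
    Rule("drop", src="internal", proto="tcp", port=80,
         apps=frozenset({"bittorrent", "skype", "facebook-games"})),
    Rule("allow", src="internal", proto="tcp", port=80),  # everything else on tcp/80
]
WHITELIST = [
    Rule("allow", src="internal", proto="tcp", port=80,
         apps=frozenset({"web-browsing", "facebook", "crm-saas"})),
]

# Constructed sample flows: every one of them shares tcp/80; only the app label differs.
FLOWS = [
    Flow("internal", "any", "tcp", 80, "web-browsing"),
    Flow("internal", "any", "tcp", 80, "facebook"),
    Flow("internal", "any", "tcp", 80, "facebook-games"),
    Flow("internal", "any", "tcp", 80, "bittorrent"),
    Flow("internal", "any", "tcp", 80, "skype"),
    Flow("internal", "any", "tcp", 80, "new-saas-tool"),  # appeared this week, not in any list yet
    Flow("internal", "any", "tcp", 80, None),             # engine could not identify the app
    Flow("internal", "any", "tcp", 22, "ssh"),
]

if __name__ == "__main__":
    for name, pol in (("classic", CLASSIC), ("blacklist", BLACKLIST), ("whitelist", WHITELIST)):
        print(f"{name} ({len(pol)} rules):", audit(pol, FLOWS))
    wanted = [f for f in FLOWS if f.app in {"web-browsing", "facebook", "crm-saas", "new-saas-tool"}]
    for name, pol in (("blacklist", BLACKLIST), ("whitelist", WHITELIST)):
        print(f"change requests under {name}:", change_requests(pol, wanted))
```

<p><em>Running it shows the trade-off in three lines: the classic policy allows bittorrent and skype along with everything else on tcp/80; the blacklist drops the three named apps but lets the brand-new tool and the unidentified flow through with no ticket raised; the whitelist drops both of those, which is safer but means the new tool needs a rule-change request before anyone can use it.</em></p>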
<p>So far most of what I’ve read about NGFWs has been about the technology. But what about the management challenges? We should be arguing about them! What do the regulators (PCI-DSS, NERC, NIST) say? What should the internal audit guidelines be (CobiT)? How about Managed Security Service Providers (MSSPs)? What are the vendors teaching in their NGFW configuration classes?</p>
<p>I think we’re going to have a few interesting years until the dust settles.</p>
<div id="crp_related"><h3>Related Posts:</h3><ul><li><a href="http://lastwatchdog.com/perimeter-defense-important/" rel="bookmark" class="crp_title">Why perimeter defense is still important</a></li><li><a href="http://lastwatchdog.com/lumension-advocates-intelligent-whitelisting-superior/" rel="bookmark" class="crp_title">Lumension advocates &#8216;intelligent whitelisting&#8217; as a superior defense</a></li><li><a href="http://lastwatchdog.com/companies-embrace-tools-restrict-social-networks-work/" rel="bookmark" class="crp_title">Companies embrace tools to restrict social networks at work</a></li><li><a href="http://lastwatchdog.com/cloud-collaboration-conundrum/" rel="bookmark" class="crp_title">The cloud collaboration conundrum</a></li><li><a href="http://lastwatchdog.com/data-thieves-security-socket-layer-hide-tracks/" rel="bookmark" class="crp_title">Data thieves can use Secure Socket Layer to hide their tracks</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/case-wider-generation-firewalls/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why you may soon need to carry two smartphones</title>
		<link>http://lastwatchdog.com/smartphones/</link>
		<comments>http://lastwatchdog.com/smartphones/#comments</comments>
		<pubDate>Mon, 10 Oct 2011 20:18:49 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Steps forward]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11333</guid>
		<description><![CDATA[Eugene Kaspersky, co-founder and CEO of Moscow, Russia-based Kaspersky Lab, has made Kaspersky antivirus software a well-regarded product in Russia, Europe and North America. Kaspersky believes, as do several other technologists, that some day in the not too distant future many employees will routinely carry and make use of two sets of computing devices &#8212; [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11334" href="http://lastwatchdog.com/smartphones/eugene-kaspersky_150px/"><img class="alignleft size-full wp-image-11334" title="Eugene Kaspersky_150px" src="http://lastwatchdog.com/wp/wp-content/uploads/Eugene-Kaspersky_150px.jpg" alt="" width="150" height="141" /></a><em>Eugene Kaspersky, co-founder and CEO of Moscow, Russia-based Kaspersky Lab, has made Kaspersky antivirus software a well-regarded product in Russia, Europe and North America. Kaspersky believes, as do several other technologists, that some day in the not too distant future many employees will routinely carry and make use of two sets of computing devices &#8212; one for company use, the other for personal use. He explains why in this LastWatchdog interview.</em></p>
<p><strong> LW:</strong> Cyberattacks, especially so-called <a href="http://www.usatoday.com/tech/news/2011-03-31-hacking-attacks-on-corporations.htm">advanced persistent threats</a> that drill deep into corporate systems, continue to accelerate. How come?</p>
<p><strong> Kaspersky: </strong>Unfortunately for enterprises, the bad guys behind<a href="http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=1&amp;pagewanted=all"> Stuxnet</a> and<a href="http://www.usatoday.com/tech/news/story/2011-09-27/webpage-hackers/50575024/1"> DigiNotar</a> and other such cyberattacks are extremely professional. They devote time and resources to what they&#8217;re doing, making them extremely difficult to stop.</p>
<p><strong> LW:</strong> What should the good guys be doing?</p>
<p><strong> Kaspersky:</strong> Enterprise networks need to be redesigned to where the digital certificate is just one layer. They need much more strict rules about who can get access to internal systems and they need to consider switching off access to certain assets.</p>
<p><strong> LW:</strong> Security vendors have been preaching these same best practices for years. What&#8217;s different today?</p>
<p><strong> Kaspersky:</strong> Today there are so many more attacks than even just two years ago. Companies are getting compromised everywhere, in the United States, Europe and Japan. Thousands of corporations have been attacked in Russia, so now Russia has finally joined the club of victims.</p>
<p><strong> LW: </strong>So what&#8217;s next?</p>
<p><strong> Kaspersky:</strong> We are now in a much bigger arms race. Enterprises will pay more attention to security and have stricter rules for security systems. The bad guys won&#8217;t stop. They&#8217;ll invest more into new attack technologies. It&#8217;s a new level of the arms race.</p>
<p><strong>LW: </strong>What does this mean for employees who bring their personal touch tablets and smartphones to work, and spend time during the workday on Facebook and other social networks?</p>
<p><strong> Kaspersky:</strong> I&#8217;m afraid there&#8217;s going to be no more freedom for social network use in certain kinds of strict work environments. Instant messaging and e-mail for personal use need to be limited. Employees will have a front line computer, with full access, but any personal-use devices must be disconnected from the corporate environment.</p>
<p><strong>LW: </strong>Doesn&#8217;t that scenario run counter to the rising popularity of cool mobile devices and our increasing reliance on Web apps and cloud services?</p>
<p><strong> Kaspersky:</strong> Yes, it is a big step. But for critical environments, very, very strict rules are needed. It is the only way to fight effectively with the bad guys. Enterprises don&#8217;t need to be paranoid. But they must pay attention to security and understand the different scenarios of how the bad guys can get in. They need to understand how much damage can be caused. Risk management must be much more strict.</p>
<div id="crp_related"><h3>Related Posts:</h3><ul><li><a href="http://lastwatchdog.com/f-secures-stuxnet-timeline/" rel="bookmark" class="crp_title">Was Stuxnet written by a government? F-Secure: Looks like, yes!</a></li><li><a href="http://lastwatchdog.com/botnet-saturation-points-rising-crime/" rel="bookmark" class="crp_title">Botnet saturation points to rising crime</a></li><li><a href="http://lastwatchdog.com/macs-emerge-virus-carriers-windows-networks/" rel="bookmark" class="crp_title">Macs emerge as virus carriers into Windows networks</a></li><li><a href="http://lastwatchdog.com/byod-trend-heightens-risk-corporate-intrusions/" rel="bookmark" class="crp_title">BYOD trend heightens risk of corporate intrusions</a></li><li><a href="http://lastwatchdog.com/first-all-office-patch-tuesday/" rel="bookmark" class="crp_title">First all-Office Patch Tuesday</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/smartphones/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

