Security

Facebook users are too willing to give out their personal information, security firm Sophos has found.

According to Sophos' Australian team, which conducted a study to see how likely Facebook users were to offer up personal information, 41 to 46 percent of the 100 people Sophos contacted "blindly accepted" friend requests from two fake Facebook users created by the security firm.

After becoming friends with Sophos, the security firm was able to access up to 89 percent of the users' full dates of birth, all of their e-mail addresses, where they went to school, and more. Half of all the users Sophos befriended displayed the town or suburb where they live. They even offered up information on family and friends.

Younger users were "more liberal" with their workplace or school information than older users. "Both groups were very liberal with their e-mail addresses and with their birthdays," the security firm wrote in a blog post Sunday announcing the results. "This is worrying because these details make an excellent starting point for scammers and social engineers."

The security firm added that "10 years ago, getting access to this sort of detail would probably have taken a con-artist or an identify thief several weeks, and have required the on-the-spot services of a private investigator. Sadly, these days, many social networkers are handing over their life story on a plate."

Sophos' concerns over the way Facebook users are keeping information private comes on the heels of a statement released last week by Facebook founder Mark Zuckerberg discussing why Facebook users need to use the privacy tools his company has created. On Sunday, Facebook also announced the formation of a safety advisory board, comprised of five Internet safety groups.

ORLANDO, Fla.--OK, IT managers, it's time to loosen up.

That's how analysts advised Gartner Symposium attendees here Monday, arguing that corporate computing departments shouldn't block social networking and that security shouldn't completely lock down communications with the outside world. And even if information technology authorities want to shut down such activity, they can't.

Carol Rozwell, a Gartner vice president

(Credit: Stephen Shankland/CNET)

"Banning access to social media from the corporate network is futile," said Carol Rozwell, a Gartner vice president. "The world we live in is digitally enabled and socially connected."

The advice reflects the transformation of the information technology world as the Internet steadily pervades more and more corners of everybody's life. Although the Gartner event historically has concerned itself with matters such as justifying the expense of a new enterprise resource management computing system, the broadening show reflects the growing scope of work that IT managers face.

Overall, companies must acknowledge that not everything is under control of their own top-down administration, said Peter Sondergaard, senior vice president of research at Gartner.

"We're moving from control to greater autonomy," Sondergaard said. Managers also must find an appropriate place on the spectrums of in here vs. out there and owned vs. shared.

I'm not an employee of MySpace, but I was able to join its Facebook network.

(Credit: Facebook)

I do not work for MySpace. But my Facebook profile now says I do, thanks to what appears to be a sneaky little flaw in MySpace's recently launched e-mail client.

Professional networks on Facebook are intended to be limited to employees, and require a corporate e-mail address to which Facebook sends a confirmation e-mail to verify accuracy. But when MySpace launched MySpace Mail this summer, it made e-mail addresses with the myspace.com domain--which is also used internally for corporate e-mail--available to any members of the News Corp.-owned social network.

A reader tipped off CNET News to the hack, which requires a little bit of HTML know-how. We're not going to give detailed instructions out of the interest of MySpace employees' own security--and it looks like Facebook has put a fix in place, because when a CNET colleague used a MySpace Mail address to register around 2:40 p.m. PT on Wednesday, he was informed that the address was invalid.

See what happens?

(Credit: Facebook)

In vague terms, it looks like MySpace was aware of the fact that members might try to register for its network on Facebook, because the confirmation link to Facebook does not work in MySpace Mail, nor does copy-pasting it. Basically, it's mangled somehow. But, the tipster explained, the real link is still in the page's HTML source. And indeed, I was able to join MySpace's network on Facebook.

This does have security implications, because many Facebook members limit some of their profile data to people who went to their schools or work for the same company--Facebook first launched corporate networks in the spring of 2005. Many may display their cell phone numbers, photo albums, or home addresses only to college alumni or co-workers.

It's an issue for Facebook as well because the massive social site does have an obligation to make sure that its restricted networks don't lie fallow. If there's a change in corporate e-mail structure at a company with a Facebook network, particularly a big one, that can mean something big with regard to potentially thousands of Facebook members' security.

A MySpace representative told CNET News that the company was looking into the matter and would be able to comment soon.

This post was updated at 2:44 p.m. PT on Wednesday to note that the problem appears to have been corrected by Facebook.

The Conficker Internet virus has infected important computerized medical devices, but governmental red tape interfered with their repair, an organizer of an antivirus working group told Congress on Friday.

Rodney Joffe, one of the founders of an unofficial organization known as the Conficker Working Group, said that government regulations prevented hospital staff from carrying out the repairs.

Joffe, who also is the senior vice president for the telecom clearinghouse Neustar, told a panel of the House Energy and Commerce Committee that over the last three weeks, he and another Conficker researcher identified at least 300 critical medical devices from a single manufacturer that have been infected with the computer virus.

The devices were used in hospitals to allow doctors to view and manipulate high-intensity scans like MRIs and were often found in or near intensive care unit facilities, connected to local area networks with other critical medical devices.

"They should have never, ever been connected to the Internet," Joffe said.

Regulatory requirements mandated that the impacted hospitals would have to wait 90 days before the systems could be modified to remove the infections and vulnerabilities.

Joffe's testimony and earlier reports of infected medical devices show the risks involved in efforts to reap the economic benefits of a networked world. President Obama's stimulus package has allocated billions of dollars for digitizing medical records and networking the nation's electric grids.

"The open Internet, one of its great values is it allows you to connect fairly cheaply and fairly easily to other computers," Joffe said. He added, however, that "the Internet was never designed to do the things it's doing today."

That includes connecting control systems to the Internet to manipulate and coordinate the nation's electric grids.

"The future of widespread (electric) meter-to-meter communication does have me concerned," said Dan Kaminsky, a technology consultant who last year discovered a critical flaw in the Internet's core infrastructure. "I would like to see more security for those meters."

It was recently reported that Chinese and Russian spies had infiltrated the grid networks. Politicians introduced a bill on Thursday to give the Homeland Security Department and other federal agencies more authority over utilities in order to protect the "smart" grid from cyberattacks.

Joffe and other witnesses said that, at an operational level, the DHS is the appropriate government agency to improve cybersecurity. He called the U.S. Computer Emergency Readiness Team, which is operated by the DHS, "woefully understaffed and woefully underfunded." As part of its mission, USCERT acts as a liaison between the public and private sectors.

Gregory Nojeim, senior counsel for the Center for Democracy and Technology, also said DHS should naturally hold jurisdiction over cybersecurity, as long as it makes its actions more transparent and receives policy guidance from the White House.

Policymakers need to be clear and open in their work with the private sector, Nojeim said, and should avoid giving anyone in the government--even the president--too much power over private networks. He urged the congressional panel to reject legislation from Senator Jay Rockefeller, D-W.Va., that would give the president power to shut down any critical network--federal or otherwise--in an emergency.

"Any such shutdown could also have far-reaching, unintended consequences for the economy and for the critical infrastructures themselves," he said. "To our knowledge, no circumstance has yet arisen that could justify a presidential order to limit or cut off Internet traffic to a particular critical infrastructure system when the operators of that system think it should not be limited or cut off."

This story was originally published on CBSNews.com.

It's clear that the line between work and play is blurring. Many people check work e-mail accounts in their off hours as much as they check their personal e-mail accounts. And who isn't occasionally distracted by something on Facebook or YouTube during the work day?

Security specialist FaceTime Communications commissioned a survey of nearly 530 IT managers and end users to find out exactly how people are using the Internet at work and what impact those activities have on their IT departments.

Ninety-seven percent of end users surveyed reported using one or more Internet applications at work, up from 85 percent last year, and 82 percent say they use Web conferencing, according to the survey due to be released on Monday.

All that Web use has a downside, though. Seventy-three percent of IT managers reported having had to deal with at least one Internet-related attack at work, with viruses, Trojans, and worms being the most common type, followed by spyware.

On average, IT managers reported 34 incidents per month. A typical incident takes 22 hours to fix and can cost a company as much as $50,000 based on an hourly IT worker wage of $70, according to the report.

Social networks and social media sites are particularly popular in office settings. More employees use social media sites at work for personal reasons (82 percent) than for business reasons (79 percent), the survey found. LinkedIn is the most commonly used site for professional purposes, while YouTube, Facebook, and MySpace are the top three social media sites used for personal purposes.

But the most common personal use of a corporate PC is for e-mailing friends and family. Then people like to Web surf; bank; shop; visit music, photo, or video sites; IM with friends and family; and connect with friends via social networks.

Corporations also continue to keep a watch on employee activities on the Web. Nearly 80 percent said they monitor corporate e-mail, 65 percent monitor Web browsing, 40 percent monitor peer-to-peer file sharing, 38 percent monitor IM messages, and 36 percent monitor social-networking activity.

FaceTime's survey found that personal e-mail is the most popular non-work Internet activity for corporate workers, followed by Web surfing, banking, and shopping.

(Credit: FaceTime Communications)

Earlier today, Microsoft did something unusual. The company made an exception to its normal security processes and issued an "out-of-band" urgent update. The update applied is classified as critical for Windows XP and older versions and is considered important for Windows Vista.

After speaking with Microsoft earlier today, I strongly suggest that users understand the importance of this update and begin emergency patching procedures immediately. While exploits around this Windows vulnerability have been limited thus far, Microsoft concedes that it could be exploited by old-school Internet-based worms a la 2004 and do massive amounts of damage. In addition to patching Windows systems, I also encourage users to install the latest security signatures from endpoint and network security vendors.

Microsoft's "out-of-band" reaction speaks to the seriousness of this threat, but I can't help but be impressed with the behind-the-scenes effort that led to this action. It is noteworthy to point out a few things:

1. Microsoft security researchers discovered this vulnerability themselves with the aid of some customer data. In other words, this vulnerability was not brought to Redmond's attention by a third-party researcher, Black Hat Web site "chatter," or a series of massive malicious exploits. This is a good proof point to those who still believe that Microsoft does not take security seriously.

2. In preparation for the urgent update, Microsoft has been sharing data and patches with other endpoint and network security vendors as part of a number of security partnering programs. This means that notification from Microsoft will likely be followed by new security signatures and support by leading security vendors.

3. It is worth mentioning that the vulnerability in Windows Vista is not as pronounced as older versions of Windows. To me, this speaks to the effectiveness of the Security Development Lifecycle (SDL) process. Lessons learned from this vulnerability will be integrated into future revisions of SDL as part of a constant improvement cycle.

Some will point fingers at Microsoft and claim that this "out-of-band" security bulletin is further proof that Microsoft remains an anathema to security. I don't share this view. Complex software will always contain vulnerabilities and bugs. The trick is to fix as many as you can during the development and testing process, continue security research once software is released, and respond to problems with professionalism, industry collaboration, and haste. In my view, Microsoft is doing a good job at following this model.