When Helpful Doesn’t Help
There is a new hack in town (well, it will be in Las Vegas next week) and it’s simple: create a file that looks like one thing to one application and something else to another. File types have always been helpful to the OS: they mean that you can ‘click’ on a file and it knows what application to use to open it. In this case, this ‘feature’ is what is being used as the exploit.
Here they have created a file which looks like an innocuous GIF to a web server but is actually a Java applet. The ‘image’ is downloaded but then run by the browser as it thinks it is an applet - result… your machine has just been compromised.
Because it looks like an image, it can be readily uploaded to any and all sites which allow such things (by checking that the upload is a picture), mainly social networking sites - once there, it can then be downloaded by others (who think it is an image) and therefore the infection spreads…
You need to pay a little more attention to what you are downloading - perhaps those latest pictures of Britney are less attractive now?
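As an added illustration (not code from the original post), here is one way a site could check an upload more carefully than "does it start like a picture": walk the GIF structure to its trailer, then reject anything that carries extra bytes or also parses as a ZIP archive, which is what a Java JAR is. The function names and sample bytes are assumptions made for this sketch.

```python
import io
import zipfile

def gif_end_offset(data: bytes) -> int:
    """Walk the GIF block structure and return the offset just past its trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("missing GIF signature")
    pos = 13                                  # signature (6) + logical screen descriptor (7)
    if data[10] & 0x80:                       # global colour table present
        pos += 3 * (2 << (data[10] & 0x07))
    while True:
        block = data[pos]                     # IndexError here means a truncated file
        pos += 1
        if block == 0x3B:                     # trailer: the image ends here
            return pos
        if block == 0x21:                     # extension: label byte, then sub-blocks
            pos += 1
        elif block == 0x2C:                   # image descriptor: 9 bytes, flags in the last
            flags = data[pos + 8]
            pos += 9
            if flags & 0x80:                  # local colour table present
                pos += 3 * (2 << (flags & 0x07))
            pos += 1                          # LZW minimum code size
        else:
            raise ValueError("unknown GIF block type")
        while data[pos]:                      # sub-blocks end with a zero-length block
            pos += data[pos] + 1
        pos += 1

def check_image_upload(data: bytes) -> str:
    """Hypothetical upload gate: accept only a GIF that is nothing but a GIF."""
    try:
        end = gif_end_offset(data)
    except (ValueError, IndexError):
        return "reject: not a well-formed GIF"
    if zipfile.is_zipfile(io.BytesIO(data)):  # JAR files are ZIP archives
        return "reject: also parses as a ZIP/JAR archive"
    if end != len(data):
        return "reject: trailing data after the GIF trailer"
    return "accept"

# Constructed samples: a minimal 1x1 GIF, and the same bytes followed by an
# empty ZIP end-of-central-directory record (no applet, no archive members).
SAMPLE_GIF = b"GIF89a" + bytes.fromhex(
    "01000100800000" "ffffff000000" "2c000000000100010000" "02024401003b")
SAMPLE_POLYGLOT = SAMPLE_GIF + b"PK\x05\x06" + bytes(18)
```

Re-encoding accepted images on the server before storing them goes one step further, since it discards any bytes the image decoder never uses.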
Halt. Who Goes There?
Reputation - both made and lost in cyberspace. A man is suing a ‘friend’ for allegedly setting up a fake Facebook account with incorrect and damaging details on it. Herein lies the problem - it is so easy to do. You don’t need any proof of identity to set up a web page on any of the social networking sites, so you can frame anyone and everyone if you really want to.
I have written before on whether you should or shouldn’t join social networking sites - if only to ensure that others can’t impersonate you - as well as on other forms of impersonation on the Internet. But… let’s face it, these things are popping up all over the place. OK, there are a few really popular ones, but you could never cover them all. The problem is that a damaged reputation can take years to recover if you are a company, and sometimes never recovers if you are an individual - as there is always a nagging doubt.
We don’t have any specific legislation to cover this issue and I’m not sure if any of the legislation we have that skirts the topic (impersonating others) can be brought to bear, as it is not being done for personal gain. Perhaps libel - but then again the site is purporting to be ‘you’ rather than someone else saying defamatory things about you. I would welcome any other people’s thoughts in this rather grey area.
Perhaps it is time for social networking sites to grow up; after all, their success is based on accuracy - the person you find is the person you know. It looks like this is another example supporting the decline in Implicit Trust.
Where’s The Boundary?
A man has been accused of stealing clients using LinkedIn. In this instance, the person involved is a recruiter and he allegedly ‘linked’ to clients while working at one company and then left to start a rival firm - with his contacts from LinkedIn.
Is this data theft? Or is this something that people used to do all the time but because it wasn’t on the ‘web’ people couldn’t find out about it? I think it is the latter. We all create contacts while at work, and some are more organized than others and file them, others, like myself, have a large pile of business cards with notes on them. I guess that if you are a recruiter, you too would have a large pile of business cards - and if you invite people on LinkedIn, well, isn’t that also something we all do?
Should companies look at banning LinkedIn, in the same way as they did with Facebook? Only to find it wasn’t practical, people would spend more time finding a way around the system, than they would using it - so we have seen a reverse of this trend. So, no, it shouldn’t be banned. Should it be subject to (yet another social networking) policy? Something that defines the boundary between work and not-work. Perhaps… but I would think that people would just add the contacts while at home. I don’t think you can be banned from doing that; after all, it’s what LinkedIn is all about - keeping up with friends and colleagues in a business context. Maybe companies need to create their own ‘company’ LinkedIn accounts - so that, if nothing else, they have a copy of the information as well.
The way to look at this is that when someone new joins your company, they bring with them their contacts - rather than when they leave, they take them away.
Do You Join… Or Not
I seem to have been inundated with requests to join a new ‘Business Social Networking’ service. It appears that quite a few people I know have joined up… they have then had their address book savaged and emails sent to everyone they know. So… here’s the dilemma, do you sign up or not? I belong to one business social networking site already, do I really need another?
I think the answer is no - I don’t need another, especially as the one I belong to is well established and does what I need it to (basically keep email addresses up to date - people change jobs all the time, so keeping up with a valid address can be a real task.) Having said I don’t need to sign up to another service, I have joined this new one… why? Just so no-one else can join as ‘me’. I have posted my picture but that is all - and I didn’t let the system look through my address book!
Internet-based reputation is just around the corner but it isn’t here yet - and when it does arrive it needs to be guaranteed and user friendly. In the meantime, if someone has put my details out on the web and I need to have an account to correct them, or to keep someone else from signing up as me, then I will. This isn’t foolproof, far from it: there are so many ‘free’ email providers, social websites and the like that, if you want to be someone else, it is very easy to do - perhaps a little too easy?


