The LinkedIn social networking site is being used to find victims to target with malicious phishing emails
Prospective employers and job applicants are not the only ones using LinkedIn for research. Cyber-criminals are increasingly using the social networking site for professionals to identify potential victims, according to security experts.
Security firm Trusteer uncovered spam messages designed to look almost the same as legitimate notification messages from LinkedIn, Trusteer CEO Mickey Boodaei wrote in the company blog on June 2. When users click on the link in the message, usually an invitation to connect with someone, they are redirected to a malicious server in Russia serving up malware.
Through LinkedIn, cyber-criminals can build a profile of targeted enterprises and locate key people within the organisation. The spam messages sent to those people could be used to install malware which could steal login credentials or other confidential information.
The fraudulent LinkedIn messages take users to a salesforceappi.com domain. Despite the name, the domain has nothing to do with Salesforce.com. It was registered May 31 and the server associated with the IP address is based in Russia.
The users are then hit by drive-by-download attacks based on the BlackHole exploit kit, which installs the Zeus 2 Trojan on the computer, according to Trusteer. This Zeus variant transmits the stolen data to a server in Zhejiang, China.
While commonly associated with banking fraud, Trusteer’s Boodaei said Zeus has other capabilities and can allow attackers to access workstations and other data stored on the corporate network.
“We’ve recently seen evidence of Zeus targeting enterprise networks in order to steal proprietary information and to gain unauthorised access to sensitive systems,” Boodaei said.
A recent Trusteer survey found that 68 percent of enterprise users who receive a fake LinkedIn message are likely to click on it. It is not entirely their fault, as LinkedIn and other social networking sites “educate us to click on links”, Boodaei said. The sites regularly send out calls to action to encourage users to go back to the site.
“This is extremely dangerous as many users almost automatically click on these links without trying to verify their authenticity,” Boodaei said, especially considering that LinkedIn hides the link behind a button, which makes it even harder to check the URL.
It is becoming increasingly hard to identify phishing and malicious email messages as attackers get more creative. Trusteer recommends that users train themselves never to open emails from social networking sites, let alone click on the links in those messages. Users should access the social networking website by typing the address manually, and handle all the notifications from the site directly, Boodaei said.
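Because the button hides the destination from the reader, a mail filter or analyst can check it instead. The following is an added example, not code from Trusteer or LinkedIn: it extracts the real link targets from a notification-style HTML body and reports any that do not belong to the expected domain. The trusted-domain list, the function names and the sample message are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only domain a genuine LinkedIn notification should link to.
TRUSTED_DOMAINS = {"linkedin.com"}

# Constructed sample message body (not a captured email). The domain is the
# one named in the article; the path and wording are made up.
SAMPLE_HTML = """
<p>Jane Doe wants to connect with you on LinkedIn.</p>
<a href="http://salesforceappi.com/invite"><span class="button">Accept</span></a>
<a href="https://www.linkedin.com/settings">Unsubscribe</a>
"""


class LinkCollector(HTMLParser):
    """Record (href, visible label) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._label = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._label = []

    def handle_data(self, data):
        if self._href is not None:  # text nested inside the button markup
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only for a trusted domain or a subdomain of one (label boundary)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def suspicious_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return every web link whose real destination is outside `trusted`."""
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    findings = []
    for href, label in collector.links:
        try:
            parts = urlsplit(href.strip())
            host = parts.hostname
        except ValueError:  # malformed URL: report it rather than skip it
            findings.append({"href": href, "host": None, "label": label})
            continue
        if parts.scheme.lower() not in ("http", "https"):
            continue  # mailto: and in-page anchors are out of scope here
        if not host_is_trusted(host, trusted):
            findings.append({"href": href, "host": host, "label": label})
    return findings


if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_HTML):
        print(f"label {hit['label']!r} -> {hit['host']} ({hit['href']})")
```

The host comparison is made on a label boundary, so a name that merely contains or ends with the string "linkedin.com" is not accepted as trusted.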
Recent attacks against RSA and Oak Ridge National Laboratory tricked employees into opening attachments or clicking on links in malicious messages. “Cyber criminals are putting a great deal of effort in these attacks and are unfortunately successful,” Boodaei said.
There have been several variations of the LinkedIn scam, with researchers at Cisco Systems reporting a similar campaign last autumn.
The BlackHole exploit kit locates vulnerabilities on a computer and prepares a customised payload depending on operating system and installed software, according to Bitdefender. It used to sell for $1,500 (£900) back when it appeared on the black market a year ago, but nowadays can be obtained for free.
The security software market rebounded well in 2010 following a disappointing 2009, Gartner has claimed.
The market grew 12 per cent last year as total revenue hit $16.5 billion - up from 2009 revenue of $14.7 billion.
"Products within the security market are undergoing rapid evolution, in terms of both new delivery models — with security as a service showing increasing popularity — and new technologies being introduced, often by startup companies," said Ruggero Contu, principal research analyst at Gartner.
"Key vendors continued to expand their product portfolios, buying companies where appropriate and expanding their reach into emerging markets."
Symantec remained the dominant force in the industry, although it experienced below-average growth over the year.
It achieved 18.9 per cent market share in 2010, compared to McAfee on 10.4 per cent in second place.
Out of the top 5 players, Trend Micro in third saw the lowest growth with 5.8 per cent.
IBM was in fourth, followed by EMC, which achieved an impressive 25.6 per cent growth over 2010.
As for a breakdown of the different segments of the market, Gartner noted more mature areas like endpoint security and web access management showed single-digit growth.
In comparison, areas including security information and event management (SIEM) and secure web gateway products experienced double-digit growth.
Microsoft has announced general availability of its major software-as-a-service (SaaS) play Office 365, which will launch on 28 June.
Office 365 brings together online versions of Microsoft's Office applications Excel, Outlook, PowerPoint and Word along with online versions of email platform Exchange and the SharePoint and Lync collaboration technologies.
The news was broken on Twitter by corporate VP of Microsoft's worldwide partner group Jon Roskill.
Although a Microsoft spokeswoman wouldn't confirm the launch date, she told silicon.com there will be a press event held on 28 June "to hear the latest news about Office 365".
Office 365 launched in beta in October 2010.
Microsoft's SaaS offerings have been relatively piecemeal until now. The company made online versions of Office apps available with Office Web Apps in June 2010 and offered email and collaboration tech as Business Productivity Online Suite in April 2009.
Office 365 updates the applications - most notably replacing Office Communications Online and Office Live Meeting with Lync - and brings them under a single banner.
By bringing these SaaS technologies together in Office 365, Microsoft is hoping to take on the likes of Google Apps and Oracle Cloud Office to boost its share of the SaaS applications market.
The Microsoft spokeswoman confirmed Roskill's comment that there are now more than 100,000 customers taking part in the limited beta programme of Office 365, which was first announced in April.
As Victor pulls up at Howling Wind Farm, rain pelting down, he finds the farmer, Harry Bellweather, leaning on the five bar gate, waiting for him.
Harry doesn't look pleased.
The call came in first thing that morning, Harry venting a string of expletives into poor Magda's ear, until he stopped, breathless.
'I cleaner,' she said. 'No fix computer.'
Of course, Victor should have been there to take the call - after all, he is on earlies. But a pair of Nike Air Max 90 Premiums took his fancy the previous weekend and, even at ninety-five quid, he couldn't wait to have them. Besides, Touchwood is only a couple of miles out of his way. It wouldn't take more than ten minutes.
If only the shop wasn't crammed for the sales . . .
'Forget desk duty,' said his boss. 'You can go and sort Mr Bellweather's little problem. He gave me an earful this morning.'
'What's the matter?'
'Problem with internet connectivity. I wanted to run some questions by him but I didn't get the chance, the air was that blue.'
'About bloody time, son. I'm losing money hand over fist, thanks to you. C'mon, follow me.'
Harry swings open the gate with a meaty hand, then storms off across the yard in the direction of the byre. Victor looks down at the ground, a mush of mud and cowpats, and curses. Why did he leave the Nikes on? Now he'll have to spend hours picking out the unmentionable from between the treads with a matchstick.
Inside the byre, Harry is holding a netbook in his hand. 'Here, have this before I take a hammer to it.'
Victor takes the netbook (he's never seen a pink one before), balances it on top of a bale of hay and fires it up.
Except it can't find a wireless network.
'Well?' The farmer's face is inches from Victor's. His breath smells of fried egg mixed with whisky.
'Where do you keep the router?'
'The router. It's like a box with aerials. Connects to your telephone socket.'
'If that's an excuse to flog me something, you can beggar off right now.' He clenches his fists. The vein in his neck is standing out like a rope.
'No, no . . . you can't access the internet without a router. Didn't they tell you that when you bought the netbook?'
'They never mentioned anything at IT IS US. I said I wanted a cheap laptop and they said this fitted the bill. Look,' he points at a label Wireless Enabled. 'That means it connects to the internet, doesn't it?'
It can seem the only time politicians mention IT is as the target of the latest swingeing cuts needed to steady an ailing economy.
A difficult time, then, to be a public sector CIO in charge of a department expected to sacrifice its budget to save more visible front-line services.
But rather than battening down the hatches and running for lucrative private sector bolt-holes, public sector CIOs are surprisingly confident that the drive to reduce the cost of government will put IT-led reform centre stage.
Glyn Evans is corporate director of business change at Birmingham City Council, where he heads the largest business transformation programme ever undertaken by a local authority in the UK - changing everything, from the way the council procures goods and services to how it administers the collection of council tax.
"If you are redesigning your service and IT is not playing a more significant role than it has done so far in the delivery of that service, then your design is probably wrong," he said.
"I think we are at a tipping point now, where we are close to CEOs and politicians beginning to understand the role that IT can play in service delivery, because there are lots of good examples out there," he said.
"That's quite a positive message for a CIO to be saying to his or her staff, 'We've got challenges now but in the future we are going to be playing a much more central role in the organisation'."
How technology will transform public services
Perhaps the most visible way technology can help reform government is by enabling services to be delivered online.
By offering services via the web or mobile apps, government bodies hope to tailor those services more precisely to people's needs and reduce the cost of delivery.
Leeds City Council chief officer for ICT Dylan Roberts said many local authorities, his included, are considering shutting some face-to-face services and pushing them online, so "the e-channel becomes the channel of choice".
Form-filling and other "low complexity" tasks are well suited to being carried out online, he said, giving the example of a Leeds care needs assessment form, which at present is often completed with the help of a social worker.
"If we can get people to do that online, even if we can only get 50 per cent, then we will save their time," Roberts said.
When moving services online the challenge for local authorities is not isolating their most vulnerable customers, he said.
"It is a dichotomy because most of our customers are people who are in need, and in many cases the people in biggest need do not want to go online but would rather speak to someone," he said.
"We have to be wary of that but also aware that we haven't got the money to do all these things."
Public sector CIOs are also conscious that authorities need to change how they engage with citizens online and move from websites designed for computers to offering more apps for smartphone and tablet devices.
"Most of what we do is based on the idea of someone sitting at a PC at home," Birmingham's Evans said.
"If you accept the prediction that by 2014 most online access will be from mobile devices, then clearly we need to respond to that."
More important than using technology to change how people access services is the way authorities can use CRM technology to track an individual's needs and to personalise services, Evans said.
At Birmingham, for instance, each customer service rep can draw on a record of an individual's dealings with the council to speed up response times and often avoid the need to pass the query on.
Using Birmingham's website, individuals can access the same information about their dealings with the council that is available to the customer service reps, providing the information and services they need in one place online.
"You get a consistently high-quality response to customer service irrespective of the channel you use and irrespective of the service you're after," Evans said, pointing out its advantages over the traditional method of contacting each council department separately.
Rather than reforming public services in the dark, business analytics systems can help government bodies to figure out what they are doing right and where they need to change, Evans said.
In Birmingham, the council uses SAP CRM and BusinessObjects software to examine how its services are being delivered.
"It is about looking into why people are contacting us - for example, why a particular service has failed - then trying to redesign the service areas to improve that delivery," he said.
"Take bin collection as an example. We can look at whether it's a particular team that's a problem or something to do with people forgetting to put out their bins on a certain day."
While these tweaks might seem like a luxury, there is a financial incentive to get services right, Evans said, as "there is a big cost whenever a service does not deliver".
IT departments will also have to get smarter about measuring what particular technology-enabled projects actually achieve, according to Jos Creese, head of IT at Hampshire County Council and chairman of the Local CIO Council.
"In the past, we [the public sector] have sometimes invested savings on a wing and a prayer," he said.
And in the age of user-generated content, there's no need for government to do all the hard work of reform by itself. Socitm's Planting the Flag strategy document encourages all public service organisations to publish data online to allow third parties and community groups to build their own apps and services around it.
Squeezing savings from staff
It's not just the public that authorities should expect to do more for themselves. Evans said IT has the potential to take a lot of the administrative legwork out of running government.
"We mandate that our employees move towards a self-service model. For example, transactions can only be carried out online in many areas, so you can only raise an order or book leave online," he said.
Staff can also reduce equipment costs, according to Hampshire's Creese, who said he wants to make it easier for staff at Hampshire to work using their own computers and smartphones.
"Working from home and using your own equipment means we don't have to provide or support so much equipment - those are the sort of things that keep costs down," he said, while adding that there are security and control issues that have to be addressed when letting consumer tech into the workplace.
Where to find cash
It takes time and money to perfect technology-led business transformation.
In Birmingham, Evans said, the council undertook more than 18 months of work, including introducing an internal shared services centre, before it was able to begin bringing in changes such as mandatory online booking for holidays.
Given financial pressures, public sector CIOs need to choose carefully which projects they put in front of the executive committee, Creese said.
"The pressure we [the public sector] are under is to, on average, cut by between 20 and 30 per cent over the next two to three years," he said. "This is not a time to go to the board and ask for money."
But while there is little new money for projects, Creese said, funds can be unlocked by drawing up a compelling business case for reinvesting earlier savings.
And Leeds' Roberts said local government executives are funding projects where they can see a longer term return.
"The more forward-thinking authorities are saying, 'What we need to be doing is investing in IT because for every £1 investment it can give £3 back'," he said.
Moves by Seagate and Western Digital to acquire hard-drive companies are being probed by European regulators because of "competition concerns", the European Commission said on Monday.
The proposed acquisitions will "further reduce competition", the EC said in a statement citing concerns about a significant consolidation in the hard-drive market.
"Hard drives are the backbone of the digital economy," Joaquin Almunia, vice president of competition policy at the European Commission, said in the statement. "The Commission will carefully examine if effective competition is preserved and innovation encouraged."
Western Digital said in March it would acquire Hitachi's hard drive business for US$4.3 billion. Competitor Seagate said a month later it would acquire Samsung's hard drive business for $1.38 billion.
Seagate and Western Digital are currently the top two hard-drive vendors in the market, according to market research firm IHS iSuppli.
Western Digital's acquisition of Hitachi's hard-drive business could make it the largest hard-drive vendor with about 50 percent of the worldwide market, according to iSuppli. Seagate's acquisition of Samsung's hard-drive operations could give the combined company a 40 percent market share, said Fang Zhang, an iSuppli analyst, in a blog entry in early May.
The remaining market share would belong to Toshiba, which in 2009 acquired Fujitsu's hard drive business.
The Commission has until Oct. 10 to determine whether the transactions impede competition and are detrimental to business customers and consumers. The investigation of the proposed transactions will include a look at whether the deals could affect pricing and supply of hard drives. The merger deals will be assessed separately, the EC said.
Western Digital is proceeding with plans to complete the acquisition of Hitachi's hard drive business, the company said in a statement. The acquisition is now expected to close in the fourth quarter of this year, a postponement from the planned closure in the third quarter that the company announced in March. Seagate did not immediately respond to a request for comment.
The hard-drive market is slowing down as sales of flash storage and solid-state drives grow. Hard-drive sales totaled $27 billion in 2010, and are expected to grow by 4.1 percent to $28 billion this year, according to iSuppli. Hard-drive sales will grow, albeit at a slower pace, through 2015, it said.
Social media platforms such as Twitter, Facebook and LinkedIn increasingly are being used by enterprises to engage with customers, build their brands and communicate information to the rest of the world.
But social media for enterprises isn't all about "liking," "friending," "up-voting" or "digging." For organizations, there are real risks to using social media, ranging from damaging the brand to exposing proprietary information to inviting lawsuits.
Here are five of the biggest social media security threats:
5. Mobile apps
The rise of social media is inextricably linked with the revolution in mobile computing, which has spawned a huge industry in mobile application development. Naturally, whether using their own or company-issued mobile devices, employees typically download dozens of apps because, well, because they can.
But sometimes they download more than they bargained for. In early March, Google removed from its Android Market more than 60 applications carrying malicious software. Some of the malware was designed to reveal the user's private information to a third party, replicate itself on other devices, destroy user data or even impersonate the device owner.
And all because this new game is supposed to be even better than Angry Birds!
4. Social engineering
A favorite of smooth-talking scammers everywhere, social engineering has been around since before computer networks. But the rise of the Internet made it easier for grifters and flim-flam artists to find potential victims who may have a soft spot in their hearts for Nigerian royalty.
Social media has taken this threat to a new level for two reasons: 1) People are more willing than ever to share personal information about themselves online via Facebook, Twitter, Foursquare and Myspace, and 2) social media platforms encourage a dangerous level of assumed trust. From there it's a short step to telling your new friend about your company's secret project. Which your new friend really might be able to help with if you would only give him a password to gain access to a protected file on your corporate network. Just this once.
3. Social networking sites
Sometimes hackers go right to the source, injecting malicious code into a social networking site, including inside advertisements and via third-party apps. On Twitter, shortened URLs (popular due to the 140-character tweet limit) can be used to trick users into visiting malicious sites that can extract personal (and corporate) information if accessed through a work computer. Twitter is especially vulnerable to this method because it's easy to retweet a post so that it eventually could be seen by hundreds of thousands of people.
2. Your employees
You knew this was coming, but even the most responsible employees have lapses in judgment, make mistakes or behave emotionally. Nobody's perfect all of the time.
But dealing with an indiscreet comment in the office is one thing; if the comment is made on a work-related social media account, then it's out there, and it can't be retrieved. Just ask Ketchum PR Vice President James Andrews, who two years ago fired off an infamous tweet trashing the city of Memphis, hometown of a little Ketchum client called FedEx, the day before he was to make a presentation to more than 150 FedEx employees (on digital media, no less!).
The tweet was discovered by FedEx employees, who emailed angry missives to Ketchum headquarters protesting the slight and wondering why FedEx was spending money on a snooty New York PR firm while employees were dealing with a 5% salary cut during a severe recession. Andrews had to make a very public and humiliating apology.
Remember, this wasn't some low-level employee not tuned into the corporate mission. This was a high-level communications executive who damaged his company's brand and endangered an account. Imagine what a disgruntled low-level employee without as much invested in his job might be able to do with social media tools and a chip on his shoulder.
1. Lack of a social media policy
This one's totally on you. Without a social media policy for your enterprise, you are inviting disaster. You can't just turn employees loose on social networking platforms and urge them to "represent." You need to spell out the goals and parameters of your enterprise's social media initiative. Otherwise you'll get exactly what you're inviting - chaos and problems.
Who is allowed to use social media on behalf of the organization and what they're allowed to say are the two most obvious questions that must be addressed in a social media policy. You need to make all this clear or employees will make decisions on their own, on the fly. Does that sound like a good thing?
Two more imperatives related to social media policy: 1) Organizations must conduct proper training for employees, if only to clear up issues regarding official social media policies, and 2) A social media initiative needs a coordinator and champion. And that means a social media manager.