Monday, February 25, 2013

CYBERSECURITY - Social Networking Hacking

"Twitter Hackings Put Focus on Security for Brands" by TANZINA VEGA and NICOLE PERLROTH, New York Times 2/24/2013

Excerpt

While most Americans were winding up their holiday weekends last Monday, the phones at the Vancouver headquarters of HootSuite, a social media management company, began to ring.

Burger King’s Twitter account had just been hacked.  The company’s logo had been replaced by a McDonald’s logo, and rogue announcements began to appear.  One was that Burger King had been sold to a competitor; other posts were unprintable.

“Every time this happens, our sales phone lines light up,” said Ryan Holmes, the chief executive of HootSuite, which provides management and security tools for Twitter accounts, including the ability to prevent someone from gaining access to an account.  “For big brands, this is a huge liability,” he said, referring to the potential for being hacked.

What happened to Burger King — and, a day later, to Jeep — is every brand manager’s nightmare.  While many social media platforms began as a way for ordinary users to share vacation photos and status updates, they have now evolved into major advertising vehicles for brands, which can set up accounts free but have to pay for more sophisticated advertising products.

Burger King and Jeep, owned by Chrysler, are not alone.  Other prominent accounts have fallen victim to hacking, including those for NBC News, USA Today, Donald J. Trump, the Westboro Baptist Church and even the “hacktivist” group Anonymous.

Those episodes raised questions about the security of social media passwords and the ease of gaining access to brand-name accounts.  Logging on to Twitter is the same process for a company as for a consumer, requiring just a user name and one password.

Twitter, like Facebook, has steadily introduced a number of paid advertising options, raising the stakes for advertisers.  Brands that pay to advertise on Twitter are assigned a sales representative to help them manage their accounts, but they are not given any more layers of security than those for a typical user.

Ian Schafer, the founder and chief executive of Deep Focus, a digital advertising company that also fielded a few phone calls from clients concerned about the Burger King attack, argued that Twitter bore some responsibility.

“I think Twitter needs to step up its game in providing better security,” Mr. Schafer said.  In a memo to his staff about such attacks, he called on social networks like Facebook, Twitter, Pinterest “and anyone else serious about having brands on their platform” to “invest time in better understanding how brands operate day to day.”

“It’s also time for these platforms to use their influence to shape security standards on the Web,” he wrote.

The risk for Twitter is in offending potential business partners as the company tries to build its advertising dollars, which make up the bulk of its revenue.  In 2012, the company grew more than 100 percent, earning $288.3 million in global advertising revenue, according to eMarketer.

On Wednesday, it introduced a product that would allow advertisers to create and manage ads through third parties like HootSuite, Adobe and Salesforce.com.  Advertising is estimated to account for more than 90 percent of the company’s revenue.

“This is not something we take lightly,” said Jim Prosser, a Twitter spokesman, in an interview last month.  (The company declined to comment on the Burger King hacking, saying it did not discuss specific accounts.)  Mr. Prosser said Twitter had manual and automatic controls in place to identify malicious content and fake accounts, but acknowledged that the practice was more art than science.

Mr. Prosser said Twitter had taken an active role in combating the biggest sources of malicious content.

Last year, the company sued those responsible for five of the most-used spamming tools on the site.  “With this suit, we’re going straight to the source,” it said in a statement.  “We hope the suit acts as a deterrent to other spammers, demonstrating the strength of our commitment to keep them off Twitter.”

But security experts say, and the recent hacks of Burger King, Jeep and other brands have demonstrated, that Twitter could do more.

“Twitter and other social media accounts are like catnip for script kiddies, hacktivists and serious cybercriminals alike,” said Mark Risher, chief executive at Impermium, a Silicon Valley start-up that aims to clean up social networks.  “Because of their deliberately easy access and liberal content policies, accounts on these networks prove irresistibly tempting.”

Wednesday, February 13, 2013

CYBERSECURITY - Executive Orders vs CISPA

"Obama's Cybersecurity Executive Order vs. CISPA: Which Approach Is Best?" by Chloe Albanesius, PCMag.com 2/13/2013

As part of his State of the Union speech last night, President Obama tipped an executive order that is intended to improve the security of Internet-based critical infrastructure.  But what does that order include?

Obama's plan would allow federal agencies to notify private companies if they detect any sort of cyber intrusion that would harm operations or the security of company data.

Specifically, the plan expands the Defense Industrial Base (DIB) information-sharing program to other federal agencies.  The DIB was put in place in 2011 and allows the Defense and Homeland Security Departments to share non-classified information about cybersecurity-related threats with DIB partner companies, like contractors.

But as we've seen with hacks of the Federal Reserve and the Department of Energy, defense-related agencies are not the only ones being targeted by hackers.  So the executive order "requires Federal agencies to produce unclassified reports of threats to U.S. companies and requires the reports to be shared in a timely manner," the White House said.  It also allows for "near real-time sharing of cyber threat information to assist participating critical infrastructure companies in their cyber protection efforts."

Obama has also ordered the National Institute of Standards and Technology (NIST) to develop a framework for handling cyber-security threats.  "NIST will work collaboratively with industry to develop the framework, relying on existing international standards, practices, and procedures that have proven to be effective," the White House said.

Given the rapid pace of technology, the recommendations will be technology neutral, the administration said.  Once they've been developed, DHS will work with other agencies to reach out to companies for voluntary implementation of the framework.

While sharing details about cyber attacks might seem like a no-brainer, a major concern is how the data is handled.  If these threats deal with a credit card company or major social network, will your personal information be protected?

The White House insisted that the executive order includes "strong privacy and civil liberties protections."  Any type of information sharing will be based on the Fair Information Practice Principles (FIPP), a set of information-sharing principles developed by the FTC, as well as other applicable privacy and civil liberties policies, principles, and frameworks.

"Agencies will conduct regular assessments of privacy and civil liberties impacts of their activities and such assessments will be made public," the White House said.

Executive Order vs. CISPA

Last night, Obama called on Congress to do even more on cyber security.  Two members of the House, in fact, plan to re-introduce the controversial CISPA information-sharing bill today, but it has not secured the support of the White House.  A bill backed by the administration was introduced in the Senate last year, but did not make any major headway.

The main difference between the White House executive order and CISPA is that CISPA would allow private companies (like Facebook or Google) to share details about cyber attacks with the government, whereas the executive order is a one-way street, with the feds sharing information with the private sector.  CISPA opponents were concerned about immunity clauses that they said would incentivize companies to hand over customer information without hesitation.

As a result, the White House threatened to veto CISPA if it made it to President Obama's desk.  The White House Office of Management and Budget (OMB) released a statement that said the bill "departs from longstanding efforts to treat the Internet and cyberspace as civilian spheres."

In a statement last night, the ACLU issued its support for the executive order and warned against CISPA.  "The president's executive order rightly focuses on cybersecurity solutions that don't negatively impact civil liberties," said ACLU Legislative Counsel Michelle Richardson.  "For example, greasing the wheels of information sharing from the government to the private sector is a privacy-neutral way to distribute critical cyber information."

Broadband trade association USTelecom said the executive order "takes some important steps toward achieving policy goals that will help protect our nation from harmful threats," but said the issue should ultimately be handled by Congress - via bills like CISPA.

Monday, February 4, 2013

GAMING BUSINESS - From Valve Co-Founder

"Watch Gabe Newell Talk For An Hour About Making Video Games" by Kirk Hamilton, Kotaku 1/31/2013

Earlier this week, Valve co-founder Gabe Newell gave a talk at University of Texas at Austin about the business and art of making video games.  Today, the school has posted a full video of one of the talks.

Sit back, relax, and watch one of gaming's visionaries talk about how he does what he does, and how his company operates.

COMMENT:  When Steam first 'hit the streets' back when Half-Life came out, I and many others ranted about it.  That was because you actually had to be online to run a Steam game EVEN FOR SINGLE-PLAYER games.

Finally, Valve/Steam listened to what users were saying and Steam now has an Off-Line Mode.  So we can play Steam games WITHOUT being online.

Friday, February 1, 2013

CYBERWAR - New York Times Hacked by China

"New York Times Computer System Target of Lengthy Chinese Hacking Attack" PBS Newshour 1/31/2013

Excerpt

SUMMARY:  The New York Times fell victim to a four-month cyber attack by Chinese hackers who cracked passwords to more than 50 email accounts, including those of top reporters.  Ray Suarez talks with Times reporter Nicole Perlroth and Grady Summers, vice president of the cyber security company hired to investigate the attacks.