Tag Archives: study

BitDefender Study – Your Facebook and Twitter Link Clicking Habits Suck!

Earlier this month, I wrote an article, Twitter, Tweets, Cyber-Criminals And You, in which I set out the potential security pitfalls associated with Facebook and Twitter, and described the type of wonky security behavior (based on personal anecdotal evidence) generally demonstrated by social networking users.

Realistically, one of the problems in using anecdotal evidence is – while the conclusion may be true, (in this case it is true), it doesn’t always follow directly from the evidence.

A few days ago, BitDefender passed along the results of its new study on Facebook and Twitter users’ link clicking habits, which revealed that 97% of respondents will click on links shared within social networks without checking them for malware. Since that confirmed my anecdotal evidence, I must admit, I got that “Cheshire Cat” grin.

A quick overview of the test methodology:

BitDefender created Facebook and Twitter test profiles and built a circle of 1,900 friends interested in reading about the latest news from various domains covering an assortment of hot topics such as accidents, security news, entertainment industry news, and scientific discoveries.

In the span of one week, three URLs leading to malware were shortened and modified to make the malicious pages unavailable and harmless, then sent out to the list of friends.

Despite countless awareness campaigns aimed at warning users about the possible dangers behind shortened links, ninety-seven percent of the test profile’s friends admitted to clicking the bad links.

More details on this study are available at MalwareCity.com.

I’m by no means a luddite when it comes to social networking sites; quite the opposite in fact. On balance, social networking is a good thing – it’s opened new doorways of opportunity to stay connected.

But here’s the rub – with those positive opportunities comes a new set of opportunities for cyber-criminals. So now, more than ever, social network users need to be aware of the risks. And, quite obviously, reassess their link clicking practices.

If you are a Facebook user, you can increase your safety margin by using the free BitDefender safego application, designed to keep social network accounts from being exposed to malware and spam.

Update: Cosme brought to my attention that there is a Firefox add-on designed to expand shortened URLs – Xpnd.it!

From the Mozilla site: Automagically expand and analyze any tiny URL so to avoid clicking on potentially harmful, malicious links! It supports more than 500 services and it is very fast, thanks to local caching plus three layers of remote caching on the server-side. Download here.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.


SMB Social Media Risk Index – Panda Security’s Surprising Findings

The success of the email-delivered “Here you have” worm that clogged email systems on Thursday, despite the usual misspelling, grammatical, and punctuation errors, seemed to bewilder many in the security community. Frankly, I’m surprised that the community was surprised.

It seems to me, that any security honcho worth his salt (someone who makes a point of getting out in the field occasionally to observe user behavior), would be more than aware, that despite constant warnings NOT to click on embedded links, the majority of users blithely ignore this critical advice.

The following are a few comments I heard at a meeting over the weekend, during which “here you have”, was a topic of much discussion.

“Social scientists need to sit down with a group of these dumb dicks who clicked on the link in this email, and study their behavior.”

“Most users continually show that they are morons. They can’t follow the most basic instruction – DON’T CLICK ON EMBEDDED LINKS!”

“Users who fell for this, and who caused so much disruption in their organization, should be restricted to a pocket calculator on the job.”

The comments might sound slightly edgy, but when perceived stupidity costs money, “edgy” might be at the lower end of the spectrum. And there are costs – direct monetary costs that a company will be forced to deal with, following penetration of a company system caused by irresponsible employee behavior.

So, what do you think the costs to an organization might be, where employees fail to follow common sense rules when interacting with the Internet, particularly social networking sites?

Panda Security, which released the results of its 1st Annual Social Media Risk Index today, for small and medium sized businesses, may well have one answer.

In this survey of 315 US small and medium businesses (up to 1,000 employees), which focused on the month of July, 2010, Panda found that more than a third of surveyed companies which had been infected through employee interaction with social networking sites reported losses in excess of $5,000.

I was not at all surprised to see that Panda found that Facebook was cited as the top culprit for companies that experienced malware infection (71.6 percent) and privacy violations (73.2 percent).

I was, however, surprised to see this – “we were pleased to see that the majority of companies already have formal governance and education programs in place. These types of policies combined with up to date network security solutions are required to minimize risk and ultimately prevent loss.”

A confused observation in my view, given that the facts show – these “education programs”, are NOT working.

Additional survey facts:

Thirty-three percent of SMBs have been infected by malware propagated via social networks; 23 percent cited employee privacy violations on popular social media sites.

Thirty-five percent of SMBs infected by malware from social networks have suffered financial loss.

Facebook takes top spot for social networking-related malware infections, followed by YouTube and Twitter.

You can find the complete survey here. Or, you can view a slideshow on the study’s results here.

About Panda Security:

Founded in 1990, Panda Security is the world’s leading provider of cloud-based security solutions with products available in more than 23 languages and millions of users located in 195 countries around the world.

Panda Security was the first IT security company to harness the power of cloud computing with its Collective Intelligence technology.

For more information, visit Panda US.


Is Your Internet Neighborhood Overly Risky?

In the real world, the neighborhood in which you live can have some impact on the chances of you being victimized by a crime. In the virtual world, the same principle is in operation – if we can, for the sake of discussion, call the country in which you live your “neighborhood”.

In a recent study (released August 26), by AVG, attack data from 100 million PCs in 144 countries during the last week of July, 2010, was analyzed. From the data, AVG was able to develop a security threat risk factor assessment based on the country in which a user resides.

I was not surprised to see Japan proved to be the safest Internet neighborhood. Nor was I surprised to see that North America (all three countries taken together), is the riskiest, with a user facing a 1 in 51 daily chance of being attacked. Europe, on the other hand, is somewhat safer, with a user facing a 1 in 72 daily chance of being attacked.

Selected survey results:

Turkey leads the league table for risky surfing, with AVG’s software having to step in to protect, on average, one in 10 users of the Internet. Web users in Russia (1 in 14 were hit), Armenia (1 in 24), and Azerbaijan (1 in 39) also suffer high rates of attacks.

Other areas where Web surfers are disproportionately at risk include Bangladesh (1 in 41), Pakistan (1 in 48) and in Vietnam and Laos in Southeast Asia, where the chances of facing an attack are both one in 42.

What about other major Western countries? The United States ranks number nine when it comes to the riskiest places to surf the Web (1 in 48), the United Kingdom ranks 31st (1 in 63), Australia comes in 37th (1 in 75) while Germany comes in at number 41 (1 in 83).

Sierra Leone had the fewest attacks with, on average, one in 692 Web surfers facing an attack. Niger also fared well, with just one in 442 Web surfers on average experiencing an attack. It is important to note, however, that these countries have a low level of internet access, with low broadband penetration.

It is because of its high internet use and broadband penetration that Japan, where there is an average of just one in 404 facing an attack, is arguably the safest place to surf the net.

Meanwhile Taiwan (1 in 248 attacked), Argentina (1 in 241 attacked), and France (1 in 224 attacked) all came in the top 20 safe list.

It’s important to remember that this survey, like all such surveys, is a one-time snapshot. Internet threats are not static. Threats, in both number and complexity, can fluctuate wildly.

A common sense tip worth repeating:

Be proactive when it comes to your computer and your connected device’s security; part of that is making sure you have adequate software based protection to reduce the chances you will fall victim to cyber crime.

Recommended reading: Principles of Security: Keeping it Simple – by guest writer Mark Schneider, and – An Anti-malware Test – Common Sense Wins.


Screwed On A Social Network? – Whose Fault Is It Really?

Not a day goes by, it seems, when Facebook and the opportunities it presents for cyber criminal activity, isn’t in the News. Not mainstream News, of course, since cyber crime rarely involves sex, or violence.

Mainstream media, where salacious and violent news reports rule the airwaves, determined, it seems to me, it had nothing to gain by advising you of the following, very unsexy, non violent, Facebook threats – all from this week incidentally.

‘LOL is this you?’ spam spreading via Facebook chat

Facebook scam: “I may never text again after reading this”

How to Spot Facebook Scams Like ‘Dislike’

Facebook Fires Back at ACLU’s Criticism of ‘Places’

Facebook Warns of Clickjacking Scam

But, throw Facebook and sex into the equation, and mainstream media are out of the gate as if shot from a cannon.

The discovery, that a pedophile ring which used Facebook as their communication channel had been broken up, and the perpetrators arrested, made headlines around the world, just yesterday.

And why not? This is the kind of news event that allows the media to exhibit their moral outrage and indignation. But, when it comes to occurrences that can affect you, if you are a Facebook subscriber, for example – no outrage; no moral indignation. Curious, no?

Maybe I’m missing something here. Could it be that there’s consensus, in the mainstream media community, that Facebook users who become victims of cyber criminals are getting exactly what they deserve?

At one time, I gave the benefit of the doubt to Facebook users, since most typical computer users (I believed) made assumptions that sites like Facebook, and other social networking sites, were essentially safe and harmless – that Facebook, and others, were looking out for their users’ interests.

I’ve long since given up on this rather naive view of Facebook users’ lack of culpability in any harm they were exposed to, though. I find it difficult to be supportive of people who throw common sense out the window, and behave irrationally on the Internet.

Despite my hardened view that Facebook users who fall victim to cyber criminals are not entirely innocent, I was still taken aback by the results of a study conducted, and just released, by BitDefender.

For study purposes, BitDefender asked the participants to “friend” a test profile of an unknown, attractive young woman.

Selected stats from the study:

More than 86 percent of the users who accepted the test-profile’s friend request work in the IT industry, of which 31 percent work in IT Security.

The most frequent reason for accepting the test profile’s friend request was her “lovely face” (53 percent).

After a half an hour conversation, 10 percent disclosed personal sensitive information, such as: address, phone number, mother’s and father’s name, etc — information usually requested as answers to password recovery questions.

Two hours later, 73 percent siphoned what appears to be confidential information from their workplace, such as future strategies, plans, as well as unreleased technologies/software.

Study methodology:

The study sample group included 2,000 users from all over the world registered on one of the most popular social networks. These users were randomly chosen in order to cover different aspects: sex (1,000 females, 1,000 males), age (the sample ranged from 17 to 65 years with a mean age of 27.3 years), professional affiliation, interests etc.

In the first step, the users were only requested to add the unknown test profile as their friend, while in the second step several conversations with randomly selected users aimed to determine what kind of details they would disclose.

Additional details on this study are available here (PDF), as well as on the MalwareCity blog post.

Given the state of current, and increasing, cyber criminal activity on the Internet, it’s almost certain that exposure to cybercrime on Facebook will continue to escalate, and with it, the dangers that this presents. Given the type of behavior revealed in this study, cyber criminals are sure to have a field day.


Panda Security’s Latest Survey Shows Small Business Fails At Data Security

I’ve been working on an article for some time, investigating whether small business is up to the task of protecting your personal information, particularly your financial data (credit card, debit card details), following a consumer transaction.

The background research has revealed a sobering reality – many small and medium sized businesses really suck at protecting their customers’ critical financial information.

So, when I had the opportunity to read Panda Security’s study (released yesterday), of security in SMBs (including 1,500 US SMBs), which showed that a startling percentage of US based SMBs just don’t get the security equation, I was not in the least bit surprised.

Look at these stats from the survey:

The infection ratio at U.S. companies has slightly increased since last year (46 percent in 2010 compared to 44 percent in 2009). It has dropped in Europe (49 percent in 2010 compared to 58 percent in 2009).

Viruses are the most popular threat SMBs are encountering (45 percent), followed by spyware (23 percent).

Thirty-six percent of US SMBs use free consumer security applications.

Unbelievably, 13 percent have no security in place!

Thirty-one percent of businesses are operating without anti-spam.

Twenty-three percent have no anti-spyware.

Fifteen percent have no firewall.

Participants: The survey consisted of companies with between 2 and 1,000 computers. 1,532 in the United States participated in the survey, and nearly 10,000 in total across the U.S., Europe, Latin America and North America.

The next time you use your credit/debit card at your local Butcher, Baker, or Candlestick Maker, consider carefully the risks involved. It might be prudent to inquire whether the business operates in a twenty-first-century security environment.

Yes, I know, you might see this as an overreaction – but it’s hardly that. Unless we, as consumers, force the issue, many SMBs will continue to operate with their heads in the cloud – unfortunately, not in the security cloud.

I’ll tell you a little secret – I never use my credit, or debit card, when transacting business with a small local merchant. It’s not the small monetary loss that concerns me, since the card issuer sets my liability limit at $50. Instead, it’s the more critical information that can be stolen and used in identity theft.

A PDF version of the full report is available here.
