Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »
Public Council Teleconference: Application Rationalization — Hidden Costs and Smart Decisions
November 17 at 11:00 am US/Eastern (GMT-5)
Join Honorio Padrón, of The Hackett Group, who will share the drivers for companies to tackle application rationalization and the results of research that define the hidden cost of complexity. Additionally, we will discuss key decision milestones—to start or not, holding the course steady and fulfilling expectations.
Virtual Desktop Cost-Benefit Analysis — Michael Jacobs, Catlin Group
The analysis contained in this presentation measures the cost of everything from the machines and licenses to the infrastructure for virtual vs. traditional desktop environments.
Honor your best senior team members - Apply for the CIO Ones to Watch Award
Get well-earned public recognition for your top up-and-coming team members, your IT organization and your enterprise. Award winners will be announced, publicized and feted in May 2010, great timing to help attract new IT recruits to your company.
Learn more about the CIO Executive Council »
What "Secret Crush" Widget Can Teach Business About Managing Facebook
Facebook widget "Secret Crush" installed malware on as many as 1.7 million PCs last week. First lesson: Users don't understand that Facebook doesn't review these apps before release.
January 08, 2008 — CIO —
The hook was playful: Facebook users received a "Secret Crush Invitation," saying, "One Of Your Friends Might Have a Crush On You!" But the reality was stark: This malware hiding behind a Facebook widget installed spyware on as many as 1.7 million machines—and taught some lessons about managing social networks that business cannot ignore, say security experts and vendors, including Fortinet, which released a detailed report on the incident.
First, security analysts say, the incident should serve as a reminder that the burden of vetting the legitimacy of third-party widgets—applications that run atop webpages made by developers who don't work for the host company—rests in the hands of the user. That's true both at home and work.
"The way it is now, once a widget gets bad enough and people complain, the social networks will yank the application reactively," says Chris Wysopal, chief technology officer at Veracode, a security vendor that specializes in application testing. "Meanwhile, a million people had their machines compromised by an application."
Facebook shut down the Secret Crush widget last week after receiving complaints that the application had placed malicious adware onto users' computers. According to Fortinet, 3 percent of Facebook's 59 million active users added Secret Crush to their profiles, amounting to roughly 1.7 million people. Zango, an online media company cited in the report as having installed the spyware, issued a statement calling the Fortinet report "untrue."
To reach that many users, Secret Crush relied on viral popularity, the social engineering model that most Facebook widgets use, says Derek Manky, a security research engineer for Fortinet. Upon getting a Secret Crush invitation, the user could choose to click on a button that said "find out who!:" After clicking, the user saw a Facebook authorization page that asked for permission to add the Secret Crush application. Then a "download now" added a "Crush Calculator" to PC desktop, and at this point, the spyware infiltrated the user's machine.
Like any Facebook widget, the "add this application" page stated clearly that the user would allow the third-party developer to "know who I am and access my information." It also said, in bold text, that "Secret Crush was not created by Facebook." But even with these crystal clear warnings, most users wrongly assume Facebook has vetted the third-party applications before they become available on the directors, says Fortinet's Manky.
Make Your Business More Productive
Upgrading to VMware vSphere with vWire
Using ERP To Gain Competitive Advantage in a Tough Economy
Why BI is Ripe For Businesses of Any Size
Oracle Accelerate
Powerful Software Solutions for Midsize Companies
Extending Client Refresh - 11 Steps to Maximize Savings
CIOs Weigh In On Virtualization
Jim Malone, Editorial Director of CXO Media's C...
Beyond Installing ITPM Software: How a global company reduced risk and successfully implemented ITPM
IT Consolidation Made Easy
Taking a Seat at the Executive Table: The Reality of Virtualization
Who Are the Data Center Leaders?
Resource Alerts
Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.
Global Warming Research Exposed After Hack
Silicon Valley Abuzz About Tech Video That Lets You Command a Computer With Gestures
Two Approaches to NFC Battle for French Hearts and Mobiles
Palm Pixi Smartphones Now Just $25
FCC: Internet Program for Deaf Cheated Out of Millions
Judge Sets Schedule for Google Book Search Case
Twitter Geotagging: What You Need to Know
Twitter Turns on Geolocation Functionality
Some Nook E-Readers Won't Make it for the Holidays Either
Google's Chrome OS Hits BitTorrent
