IT DRILLDOWN
Virtualization
 
NEWSLETTERS
 

CIO.com updates, insights and advice on technology, management and your career.

 Advice and Opinion

 CIO Consumer IT

 CIO Leader

 CIO Enterprise

 CIO Insider

More Newsletters | Edit Profile
 

RSS Feeds »

 
 
LEADERSHIP
 

CIO Executive Programs

The Leader in Face-to-Face Education for Senior Executives

Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »

 

CIO Executive Council

Public Teleconferences

Join CIO Executive Council members and participate in the following live teleconferences:

* Planning for Succession:
Models for IT Leadership Development, June 23
 * Youth in IT: How CIOs Can Engage the Next Generation
 June 10
 * Change Leadership at General Growth Properties: A
Pathways Leadership Development Seminar, June 25

More / Register »

Learn more about the CIO Executive Council »



 
 
RESOURCE CENTER
 

buy a link »

Ads by TechWords
 
 
SUBSCRIBE TO CIO
 

Are you involved in setting the direction for your company's IT budget or strategy?


Apply today for a FREE subscription to CIO Magazine!

Subscription Services »

Reprints »

 
 

Feature

 

What "Secret Crush" Widget Can Teach Business About Managing Facebook

Facebook widget "Secret Crush" installed malware on as many as 1.7 million PCs last week. First lesson: Users don't understand that Facebook doesn't review these apps before release.
 

By C.G. Lynch

January 08, 2008CIO — The hook was playful: Facebook users received a "Secret Crush Invitation," saying, "One Of Your Friends Might Have a Crush On You!" But the reality was stark: This malware hiding behind a Facebook widget installed spyware on as many as 1.7 million machines—and taught some lessons about managing social networks that business cannot ignore, say security experts and vendors, including Fortinet, which released a detailed report on the incident.

MORE ON FACEBOOK
How to Create a Successful Facebook Widget
Five Favorite Facebook Widgets for Business Users
Confessions of a Facebook Addict

First, security analysts say, the incident should serve as a reminder that the burden of vetting the legitimacy of third-party widgets—applications that run atop webpages made by developers who don't work for the host company—rests in the hands of the user. That's true both at home and work.

"The way it is now, once a widget gets bad enough and people complain, the social networks will yank the application reactively," says Chris Wysopal, chief technology officer at Veracode, a security vendor that specializes in application testing. "Meanwhile, a million people had their machines compromised by an application."

Facebook shut down the Secret Crush widget last week after receiving complaints that the application had placed malicious adware onto users' computers. According to Fortinet, 3 percent of Facebook's 59 million active users added Secret Crush to their profiles, amounting to roughly 1.7 million people. Zango, an online media company cited in the report as having installed the spyware, issued a statement calling the Fortinet report "untrue."

To reach that many users, Secret Crush relied on viral popularity, the social engineering model that most Facebook widgets use, says Derek Manky, a security research engineer for Fortinet. Upon getting a Secret Crush invitation, the user could choose to click on a button that said "find out who!:" After clicking, the user saw a Facebook authorization page that asked for permission to add the Secret Crush application. Then a "download now" added a "Crush Calculator" to PC desktop, and at this point, the spyware infiltrated the user's machine.

Like any Facebook widget, the "add this application" page stated clearly that the user would allow the third-party developer to "know who I am and access my information." It also said, in bold text, that "Secret Crush was not created by Facebook." But even with these crystal clear warnings, most users wrongly assume Facebook has vetted the third-party applications before they become available on the directors, says Fortinet's Manky.

 
 
 
 
 
 
Loading...
 
 
ABCs
 

How To Do Nearly Anything

Just the basics, please. Sometimes we all need a refresher or we need to make sure our team and our colleagues are all on the same page.

Over 25 tutorials on everything from business intelligence to virtualization.

 
 
FEATURED SPONSORS
 
 
 
SPONSORED LINKS
 

BPM Done Right: 15 Ways to Succeed Where Others have Failed

3 Reasons to Invest in Integration Technology Now

Survival of the Fittest: Disaster Recovery Design for the Data Center

Building a Foundation for Pragmatic Service Management White Paper

Strategies for centralizing data backup

The Best IT Strategy for a Company with Global Operations

The PCI Data Security Standard

Tuning ERP and the Supply Chain for Profitable Growth

How Plug-in Integration with Global Suppliers Quickly Multiplies the Value of SAP Investments

White Paper: Transportation is a prime opportunity to reduce costs

Riverbed RiOS 4.0: Raising the Bar in Wide Area Data Services

Case Study: 24 Hour Fitness turned to SEPATON

Webcast: Learn how Accenture, Avanade and Microsoft are helping organizations overcome productivity declines

Comparing Google and Other Leading Messaging Security Solutions

Secure your virtual and physical environments with the same software.

Research Report: The State of Data Protection in Today's Enterprise

A Must Read on Data Protection Strategies!

Taneja Group Report - The Greening of the Data Center

Balance Your Innovation and Efficiency Platforms for Competitive Advantage and Responsiveness

LIVE Webcast - The Mainframe is Dead...Long Live the Mainframe?

Putting Windows Server and Citrix to Work in the Enterprise

Knowledge Management Best Practices: Get Proven Tips and Techniques

Oracle 9i Database Upgrade Management Services - Upgrade with Confidence

How to Support Your IT Environment - Important Factors

Learn how to communicate the business value of IT

The New Growth Paragidm: Multi-Enterprise SOA

Enterprise Service Bus: A Definition

Helping IT Become a Service Provider White Paper

Extending PCI Compliance to the Mobile Workforce

Wide-area data services enable todays global enterprise

Tripwire PCI DSS Solutions: Automated, Continuous Compliance

ITCi White Paper: Challenges and Opportunities of PCI

Compliance by the numbers- addressing requirements with online document management and collaboration technology

White Paper: IDC Analysts Discuss Open Text

Business Transaction Management: The Evolution of IT Management

Case Study: CitiStreet achieves complete disaster recovery protection

A Solution for Remote Data Replication

2008 Annual Google Communications Intelligence Report

This white paper highlights best-of-breed solutions being built on the Microsoft platform

IT Service Management: Metrics That Matter

TCO Comparison Report: Reducing Costs in the Data Center

Guidelines for Energy Efficient Data Centers

Drive More Effective Business Processes with SOA

Fuel the Responsive Enterprise Through Oracle Fusion Middleware

Today's Enterprise Workforces: Remote But Not Isolated

E-Discovery: Why Archiving Your Web Presence is a Business Necessity

Webcast: Learn how organizations are overcoming productivity declines

Uniting IT with Business through ITSM

Unified IT Strategy Playbook - A Must Have!

Extending the Enterprise Network Through Mobility