What "Secret Crush" Widget Can Teach Business About Managing Facebook

Facebook widget "Secret Crush" installed malware on as many as 1.7 million PCs last week. First lesson: Users don't understand that Facebook doesn't review these apps before release.

By
Tue, January 08, 2008

CIO — The hook was playful: Facebook users received a "Secret Crush Invitation," saying, "One Of Your Friends Might Have a Crush On You!" But the reality was stark: This malware hiding behind a Facebook widget installed spyware on as many as 1.7 million machines—and taught some lessons about managing social networks that business cannot ignore, say security experts and vendors, including Fortinet, which released a detailed report on the incident.

First, security analysts say, the incident should serve as a reminder that the burden of vetting the legitimacy of third-party widgets—applications that run atop webpages made by developers who don't work for the host company—rests in the hands of the user. That's true both at home and work.

"The way it is now, once a widget gets bad enough and people complain, the social networks will yank the application reactively," says Chris Wysopal, chief technology officer at Veracode, a security vendor that specializes in application testing. "Meanwhile, a million people had their machines compromised by an application."

Facebook shut down the Secret Crush widget last week after receiving complaints that the application had placed malicious adware onto users' computers. According to Fortinet, 3 percent of Facebook's 59 million active users added Secret Crush to their profiles, amounting to roughly 1.7 million people. Zango, an online media company cited in the report as having installed the spyware, issued a statement calling the Fortinet report "untrue."

To reach that many users, Secret Crush relied on viral popularity, the social engineering model that most Facebook widgets use, says Derek Manky, a security research engineer for Fortinet. Upon getting a Secret Crush invitation, the user could choose to click on a button that said "find out who!:" After clicking, the user saw a Facebook authorization page that asked for permission to add the Secret Crush application. Then a "download now" added a "Crush Calculator" to PC desktop, and at this point, the spyware infiltrated the user's machine.

Like any Facebook widget, the "add this application" page stated clearly that the user would allow the third-party developer to "know who I am and access my information." It also said, in bold text, that "Secret Crush was not created by Facebook." But even with these crystal clear warnings, most users wrongly assume Facebook has vetted the third-party applications before they become available on the directors, says Fortinet's Manky.

Continue Reading

Everybody's heard the cliché, "the network is your business." But that's not going to help you choose the best wide area networking service to meet your diverse needs
Learn how your answer to this question compares to your peers by taking this quick poll. See how your peers are dealing with the challenge of ensuring a highly capable server infrastructure as technological shifts impact the application server platform.
With increasing data growth, comes increased need for data security.  The existing DLP model, with a focus on compliance/enforcement is not sufficient as the data discovery and classification capabilities are not granular enough.  Read this paper to find how you can efficiently and accurately manage your risk by rapidly inventorying and classifying your data and then developing remediation workflows that support business needs. 
This paper breaks down attack sources into four categories: external, malicious insiders, accidental insiders, and unknown.
The rapid growth of data and technology is creating challenges for organizations as this digital data is considered to be business communications and must be preserved according the same industry-specific regulations governing the retention and discovery of emails and more traditional forms of electronic communications. This paper examines the role that Data Loss Prevention ("DLP") technology can play in helping organizations address the challenges of locating information in response to electronic discovery.
This research, conducted by the Ponemon Institute, focuses on issues relating to the use of data protection solutions such as endpoint encryption and data loss prevention within the workplace.
Too much information can be just as limiting as too little information if users can't get what they want when they want it. Find out how the IT leaders at one of Canada's leading law firms, Fraser Milner Casgrain LLP, implemented Recommind's next-generation content delivery and search platform within their SharePoint portal to enable timely and effortless access to the information users need.
As greater numbers of datacenter servers transition from the physical to the virtual world, the components of virtualization success come to the fore. What scores of organizations have discovered is that success is derived from an optimal pairing of the right software platform with the right hardware platform.
Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn about VMware customer, Navicure, and their experiences testing and evaluating the recovery manager, their progress in implementing it in their environment and their advice other customers considering using vCenter.
Many enterprises have discovered that the use of virtualization to support desktop workloads creates a range of significant benefits. These benefits include price efficiencies, improved IT management and greater agility and choice for end users.

This VMware sponsored webcast with IDC will provide both quantitative measurement of the business value -- defined as the expected ROI -- and qualitative analysis associated with the use of VMware View™. IDC will also provide an analysis of the View Composer and ThinApp™ features of VMware View, including the business value of these solutions and an overview of how they work.

Attend this webcast to learn about:
- Challenges and barriers that might impede the adoption of desktop virtualization
- Navigating roadblocks to facilitate a strategic implementation
- Optimizing qualitative and quantitative benefits to IT and your business
VMware recently announced VMware vFabric™ Data Director, a new database deployment and operations platform that enables enterprise IT organizations to offer database as a private cloud service. Built on top of VMware vSphere 5, vFabric Data Director enables IT organizations to ontrol database sprawl through automation and consistent policy enforcement and accelerate application development cycles with self-service database management. Attend this webcast to learn how vFabric Data Director can help you build database-as-a-service in your datacenter.
A simple, cost-effective disaster-recovery solution for virtual environments is high on the agenda for IT organizations as they virtualize more business-critical applications with VMware. VMware vCenter™ Site Recovery Manager-the market-leading disaster-recovery product-ensures the simplest and most reliable disaster protection for all virtualized applications. VMware vCenter Site Recovery Manager provides centralized management of recovery plans, enables nondisruptive testing and automates site-failover processes.
Newsletter Sign-Up »

Receive the latest news test, reviews and trends on your favorite technology topics

Choose a newsletter
  1. View all Newsletters | Privacy Policy
Resource Center