Facebook is for old people. Facebook will ultimately make us more secure.

I have learned these two important lessons over the last few weeks. Saying Facebook is for old people is not like saying it’s dead – far from it. But every time I talk computers with people 10-15 years older than me, all they do is talk about Facebook. They love it! They can’t believe they found high school acquaintances they have not seen for 30+ years. They love the convenience of keeping tabs on family and friends from their Facebook page. They are amazed to find relatives who have been out of touch for decades. It’s their favorite web site by far. And they are shocked that I don’t use it. Obviously I will want to once I understand it, so they all insist on telling me about all the great things I could do with Facebook and the wonderful things I am missing. They even give me that look, like I am a complete computer neophyte. One said “I thought you were into computers?” Any conversation about security and privacy went in one ear and out the other because, as I have been told, Facebook is awesome.

As it always does, this thread eventually leads to the “My computer is really slow!” and “I think I have a virus, what should I do?” conversations. Back when I had the patience to help people out, a quick check of the machine would not uncover a virus. I never got past the dozen quasi-malicious browser plug-ins, PR-ware tracking scripts sucking up 40% of system resources, or nasty pieces of malware that refused to be uninstalled. Nowdays I tell them to stop visiting every risky site, stop installing all this “free” crap, and for effing sake, stop clicking on email links that supposedly come from your bank or Facebook friends! I think I got some of them to stop clicking email links from their banks. They are, after all, concerned about security. Facebook is a different story – they would rather throw the machine out than change their Facebook habits because, sheesh, why else use the computer?

I am starting to notice an increase in computer security awareness from the general public. Actually, the extent of their awareness is that a lot of them have been hacked. The local people I talk to on a regular basis tell me they and all their children, have had Facebook and Twitter accounts hacked. It slowed them down for a bit, but they were thankful to get their accounts back. And being newly interested in security, they changed their passwords to ‘12345’ to ensure they will be safe in the future. Listening to the radio last week, two of the DJs had their Twitter accounts stolen. One DJ had a password that was his favorite team name concatenated with the number of his favorite player. He was begging over the air for the ‘hacker’ to return his access so he could tweet about the ongoing National League series. Social media are a big part of their personal and professional lives and, dammit, someone was messing with them!

One of my biggest surprises in Average Joe computer security was seeing Hammacher Schlemmer offer an “online purchase security system”. Yep, it’s a little credit card mag stripe reader with a USB cable. Supposedly it encrypts data before it reaches your computer. I certainly wonder exactly whose public key it might be encrypting with! Actually, I wonder if the device does what it says it does – or anything at all! I am certain Hammacher Schlemmer sells more Harry Potter wands, knock-off Faberge eggs, and doggie step-up ladders than they do credit card security systems, but clearly they believe there is a market for this type of device. I wonder how many people will see these in their in-flight Sky Mall magazines over the holidays and order a couple for the family. Even for aunt Margie in Minnesota, so she can safely send electronic gift cards to all the relatives she found on Facebook. Now that she regained access to her account and set a new password.

And that’s how Facebook will improve security for everyone.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

• Adrian’s Tech Target article on Database Auditing.
• Adrian’s technical tips on setting up database auditing.
• Rich at RSA 2010 China.

Favorite Securosis Posts

• Mike Rothman: Monitoring up the Stack: Climbing the Stack. Then end of the MUTS series provides actionable information on where to start extending your monitoring environment.
• Adrian Lane: Vaults within Vaults.

Other Securosis Posts

• React Faster and Better: Data Collection/Monitoring Infrastructure.
• White Paper Goodness: Understanding and Selecting an Enterprise Firewall.
• Incite 10/20/2010: The Wrongness of Being Right.
• React Faster and Better: Introduction.
• New Blog Series: React Faster and Better.
• Monitoring up the Stack: Platform Considerations.

Favorite Outside Posts

• Mike Rothman: Reconcile This. Gunnar calls out the hypocrisy of what security folks focus on – it’s great. The bad guys are one thing, but our greatest adversary is probably inertia.
• Gunnar Peterson: Tidal Wave of Java Exploitation.
• Adrian Lane: Geek Day at the White House.
• Chris Pepper: WTF? Apple deprecates Java. Actuallly they’re dropping the Apple JVM as of 10.7, but do you expect Oracle to build and maintain a high-quality JVM for Mac OS X? A lot of Mac-toting Java developers are looking at each other quizzically today.

Project Quant Posts

• NSO Quant: Index of Posts.
• NSO Quant: Health Metrics – Device Health.
• NSO Quant: Manage Metrics – Monitor Issues/Tune IDS/IPS.
• NSO Quant: Manage Metrics – Deploy and Audit/Validate.
• NSO Quant: Manage Metrics – Process Change Request and Test/Approve.

Research Reports and Presentations

• Understanding and Selecting a DLP Solution.
• White Paper: Understanding and Selecting an Enterprise Firewall.
• Understanding and Selecting a Tokenization Solution.
• Security + Agile = FAIL Presentation.
• Data Encryption 101: A Pragmatic Approach to PCI.
• White Paper: Understanding and Selecting SIEM/Log Management.
• White Paper: Endpoint Security Fundamentals.

Top News and Posts

• A boatload of Oracle fixes.
• Judge Clears CAPTCHA-Breaking Case for Criminal Trial
• Data theft overtakes physical loss.
• Malware pushers abuse Firefox warning page.
• Predator drone software pirated. Oopsie.
• Killing the Evercookie.
• Facebook admits ‘inadvertent’ privacy breach.
• DNS rebinding attacks, take two.
• Critical RealPlayer Update.

Blog Comment of the Week

Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Augusto Paes de Barros, in response to Vaults within Vaults.

Mike, Ron, maybe it’s not a question of security people not understanding the business point of view. Maybe it is due to a knowledge gap about how the internal IT infrastructure works. The business knows what data is important, but they don’t see how that data is related to several components of IT infrastructure. So, when security sees, in shock, that the business doesn’t consider the ActiveDirectory servers important, maybe it’s not because they are not, but because the business does not understand the importance of AD to the information repositories where that important data is.

Now, it’s not ony AD. We are increasingly creating ubiquitous infrastructure pieces, specially with all the cloud stuff. There’s so much of that in the organizations today that security spends all its time trying to protect those infrastructure components, what may appear irrelevant to the “business important data” but it’s as necessary as directly protecting that data. I know that may trigger the discussions about data centric security, but if we consider all the security aspects (such as availability and auditability [ugh!]), there’s a lot to be done on the layers below the “critical data”.

My point is, there are lots of things that need to be done independently of where the important stuff is. It doesn’t mean you don’t have to know it, but it’s important to note that most organizations are still fighting to protect the critical infrastructure where that data resides.

So, my suggestion for research is trying to measure how big the problem of securing critical infrastructure is. My initial guess is that in some cases it might be so big it hinders your ability to work on more directed measures to protect important data. The results may indicate the ability to selectively protect data is one of the key design components for IT infrastructure if we want to keep security operations and cost manageable.