Facebook squashes bug that exposed e-mail addresses for 6 million users

Facebook engineers have fixed a privacy bug that disclosed e-mail addresses and phone numbers of about 6 million account holders to other users, company officials said Friday.

The inadvertent disclosure was included in archives generated when people used the Facebook Download Your Information tool. The service allows users to acquire the entire contents of their accounts. In some cases, the archives contained private e-mail addresses and phone numbers belonging to people the account holder had searched for on Facebook. In a blog post published Friday, company representatives wrote:

We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing. Although the practical impact of this bug is likely to be minimal since any email address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it's still something we're upset and embarrassed by, and we'll work doubly hard to make sure nothing like this happens again. Your trust is the most important asset we have, and we are committed to improving our safety procedures and keeping your information safe and secure.

Company officials have already notified regulators in the US and Canada of the disclosure and are in the process of notifying affected users through e-mail.
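The failure mode here is a bulk export path that does not apply the same sharing rules as the live site. The following is an added illustration, not Facebook's code: it assumes a hypothetical data model in which each account has contact fields the owner chose to share with a chosen audience, plus contact details that other users uploaded about that person through an address-book import. The buggy exporter dumps everything linked to a friend's account; the fixed exporter emits only what the requesting account could already see. All names, addresses and numbers are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    uid: str
    friends: set = field(default_factory=set)
    # Contact fields the owner entered on their own profile, each with the
    # audience the owner chose: "public", "friends" or "only_me".
    profile_contact: dict = field(default_factory=dict)
    # Contact details *other* users uploaded about this person through an
    # address-book import, keyed by the uploading account's uid (assumed model).
    imported_contact: dict = field(default_factory=dict)


def can_view(audience, subject, requester):
    """The visibility rule the live profile page applies."""
    if audience == "public":
        return True
    if audience == "friends":
        return requester.uid in subject.friends
    return False  # "only_me"


def buggy_export(subject, requester):
    """VULNERABLE: dumps every contact detail linked to the subject's account,
    ignoring both the audience setting and who supplied the data."""
    out = {k: v for k, (v, _audience) in subject.profile_contact.items()}
    for uploaded in subject.imported_contact.values():
        out.update(uploaded)
    return out


def safe_export(subject, requester):
    """Export only what the requester could already see on the live site."""
    out = {k: v for k, (v, audience) in subject.profile_contact.items()
           if can_view(audience, subject, requester)}
    # Imported details belong to the uploader's own address book, so only the
    # account that uploaded them gets them back in its archive.
    out.update(subject.imported_contact.get(requester.uid, {}))
    return out


def build_archive(requester, directory, export_fn):
    """The part of a 'download your information' archive that lists the
    contact details of the requester's friends."""
    return {uid: export_fn(directory[uid], requester)
            for uid in sorted(requester.friends)}


# Constructed sample data (fictional addresses and numbers).
DIRECTORY = {
    "alice": Account("alice", friends={"bob"}),
    "bob": Account("bob", friends={"alice", "carol"},
                   profile_contact={"email": ("bob@example.org", "friends"),
                                    "phone": ("+1-555-0100", "only_me")},
                   imported_contact={"carol": {"work_phone": "+1-555-0199"}}),
    "carol": Account("carol", friends={"bob"}),
}

if __name__ == "__main__":
    alice = DIRECTORY["alice"]
    print("buggy:", build_archive(alice, DIRECTORY, buggy_export))
    print("fixed:", build_archive(alice, DIRECTORY, safe_export))
```

Alice's buggy archive carries Bob's "only me" phone number and a work number that Carol, not Bob, uploaded; the fixed archive carries only the e-mail Bob chose to share with friends. The practical check is the same one any export or reporting feature deserves: route it through the exact authorization function the interactive UI uses rather than a separate "dump everything" query.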



Device-disabling Fake AV migrates to Android phones, demands ransom


Device-disabling malware that masquerades as legitimate antivirus protection is migrating to smartphones running Google's Android operating system, according to researchers who got their hands on what appears to be an early test version of one such malicious program.

So-called Fake AV software, which is often bundled with screensavers or other innocuous-appearing apps, has long been a nuisance in the malware landscape for both the Microsoft Windows and Mac OS X platforms. Some operators have managed to rake in millions of dollars by reporting non-existent infections on machines and then tricking owners into paying for fraudulent disinfection services.

Enter Android Fakedefender, which researchers from antivirus provider Symantec recently discovered in several third-party Android app markets. The malicious app is still buggy and crude to say the least, but it nonetheless has the ability to create major headaches for smartphone users who install it. On many handsets, for instance, Fakedefender cannot be uninstalled at all and will prevent users from performing factory resets. Borrowing a page from so-called ransomware malware, the app also prevents many users from opening other apps or accessing data stored on the device until users buy a premium version of the Fake AV program.


Australian and New Zealand Architects Surveyed on Business Architecture

Mike The Architect Blog: Business Architecture

Business Architecture (BA) is a really hot topic these days. A few years back it was a topic that people either didn't talk about or avoided. Over the past year or two I have noticed its frequency increase a great deal. I think the reason it comes up so much is that we as Enterprise Architects are desperately trying to solve the root business challenges instead of implementing technology for technology's sake.

In this post I will reflect on the two-part survey The Open Group conducted a few months back. Kudos to them for conducting this in a crowd-sourced, practitioner-based way and not going into an academic debate over this topic. This is as real world as you can get.

Before we go into the survey I want to take a step back and highlight a broader context. I believe that Business Architecture is not simply part of EA but also key to EA success.


Business Architecture is Core to the New World of Enterprise Architecture

[UPDATED Gartner Research]

Based on a double blind 2011 worldwide survey and a 2012 survey of Gartner Enterprise Architecture Summit attendees in the US and Europe, Gartner finds that the vast majority of organizations are focusing their EA efforts on how they can drive business value (including IT), not just on driving IT decisions.

In a June 2012 survey, they find that 80% of organizations are focused on how they can leverage EA to either:

  • Aligning business and IT strategies (25%)
  • Delivering strategic business and IT value (39%)
  • Enabling major business transformation (16%)

They also find that 67% of organizations are either starting (39%), restarting (7%) or renewing (21%) their EA efforts. A point to note: many of the organizations that state that they are "starting EA for the first time" are actually "restarting" because we have talked to them in the past - it is just that the current EA leaders don't know about their previous efforts.

See more in: Hype Cycle for Enterprise Architecture, 2012


Wow, those are big numbers behind the refocusing. I was very surprised to see that the number was so high. The next set of statements from Gartner was that those new and restarted EA organizations are not rebooting with the same concepts they had in the past but rather with business-oriented ones instead. That in turn drives a much stronger focus on Business Architecture.

With these data points from the analysts and from what I see with customers I certainly see the tide shifting. There is a readiness factor to all of this though. Of the total customers I work with, I would say that currently there are very few that are performing what I would call an end-to-end BA practice. Of that base there is a growing community of EAs very ready to do BA or who have started in some way, but again still small. The largest population I've seen are the ones willing to entertain the notion because they realize that keeping their heads in the sand and only focusing on technology hasn't given them overwhelming success.

Evidence shows that business leaders are sick of the IT status quo and are making drastic shifts. IT is getting run by more and more business professionals. Both Gartner and Forrester agree that there is a new breed of CIO. This person comes from a business background and runs IT as such. Gartner says 46% of today's CIOs come from a business background. This is compounded by other roles taking on IT. At NASCAR, for example, the CMO has a large stake in big data and is pulling in the IT budget as his own. This is becoming increasingly popular with CMOs, but also with COOs.

The bottom line for me is that this wave is coming, either we can be on top or get swept by it and pulled under by the current.

What is Business Architecture - By The Open Group Survey Members

Back in April 2013, the president of The Open Group, Allen Brown, surveyed Australian and New Zealand Architects on their views of Business Architecture. The post was called "What is Business Architecture".

Some of the questions asked were:

  1. What is Business Architecture in the context of your organization?
  2. Do you have Enterprise Architects in your organization? If so, what is it that you do that they do not? If not, how do you see Business Architecture differently from Enterprise Architecture?
  3. Who do you report to? Is your line of reporting up to the CIO, the COO if you have one, or other senior level person?
  4. How is Business Architecture perceived in your organization? It would also help me if I knew something about your organization.


Allen says it well on the state of Business Architecture:

The first level of analysis, which should come as no surprise is that Business Architecture is a relatively new discipline for most organizations: in most cases it has been around for between 1 and 5 years.  Described by some as a growing capability, or as immature, or even as “largely missing”.  One respondent describes herself quite rightly as a pioneer.


I personally feel you would be hard pressed to find any one individual or organization that is an authority on Business Architecture. Myself included here. I am very much along for the ride to see where this leads as well. Now with that said, I certainly have perspective on the field and want to evolve it to the best of my abilities. As with the other architects that participated in the survey, we all have our own unique perspectives on the matter. With that come success stories that are largely situational in nature and don't represent the profession.

This is a challenge that we need to be mindful of. We don't have a baseline that is universally accepted from a BA perspective. Meaning that without universally accepted outcomes, common roles and common approaches, our "mileage will vary". It just will not be repeatable and predictable for the masses. So while it may work in unique situations, once you go outside of that the value may diminish.

I say that because most practitioners, including myself, have made our own way through BA. What this leads to is a lot of independent thoughts, methods, misconceptions, etc. around this discipline of BA. You can see evidence of this in Nick Malik's blog post about Business Architecture definitions. We are all over the map.

These architects surveyed see this as an issue. They want standardization from both a broad industry perspective and their respective industries.

A recurring theme was that the ability to have a company-wide or industry-wide model was critical as it provides a common terminology across the board to what the organization actually does and enables understanding of the implications of any changes. 


Which of the five interrogatives do business architects focus on?

In the post some of the surveyed architects said that BA focuses on the "what" part of the equation. An area of clarification that I would add to the comments is in regards to BAs only focusing on "what" the business is. I don't think this does BA full justice.

In my opinion, the common mistake business architects make is that they focus on what the business currently is, instead of focusing on what the business should be. You need both views to guide you. Business Capability Models (BCM) do a great job of addressing "what" the business is. But if you don't understand the motivations and value creation, and ultimately realization, you are left with a context-less BCM and the risk of a flawed one.

Business Architecture in my opinion all boils down to rationalizing "Why". To be explicit, rationalizing and not creating the business strategy.

Below is a model I have used to articulate this:

Business Architecture Overview


I believe the surveyed architects nailed the BA focus with the following listed:

  • Understanding strategic themes and drivers
  • Modeling value chains, value streams, configurations
  • Context modeling e.g. external interactions
  • Capabilities, including business capability, service capability (including both business and IT capabilities), capability maturity, targets and gaps
  • Calling out the interdependencies of all the business and architecture domains: strategy, governance, market, distribution, product, capability
  • Design – entities, people (organization structure, incentives), process, systems, functions, roles
  • Linking with and supporting the strategy and injecting into the investment planning cycle
  • The Business Architect provides processes, part of the input and information for the business to determine whether or not any investment will be made within their organisation

The only thing I would add here is that while models, templates and tools are good and helpful, we need to be wary not to develop a model for a model's sake. Business Architecture facilitates the process of understanding the business and how to improve it based on that analysis. In other words it's not about the destination (models and tools) but the journey (collaboration, ideation, rationalization, negotiation, etc.).


Again, a big thank you to the Open Group for conducting the survey and distilling the results for all of us. Much appreciated.

FakeAV holds Android Phones for Ransom

FakeAV software is a type of scam using malware that intentionally misrepresents the security status of a computer and attempts to convince the user to purchase a full version of the software in order to remediate non-existent infections. Messages continue to pop up on the desktop until the payment is made or until the malware is removed. This type of fraud, which typically targets computers, began several years ago and has now become a household name. The scam has evolved over time and we are now seeing FakeAV threats making their way onto Android devices. One interesting variant we have come across, detected by Symantec as Android.Fakedefender, locks up the device just like ransomware. Ransomware is another well-known type of malware that takes a computer hostage, for example by denying the user access to their files, until a payment or ransom is handed over.


Figure 1. Screenshot of FakeAV Android app

Once the malicious app has been installed, the user experience varies because the app has compatibility issues with various devices. However, many users will not be able to uninstall the malicious app, as the malware attempts to prevent other apps from being launched. The threat also changes operating system settings. In some cases users may not even be able to perform a factory data reset on the device and will be forced to do a hard reset, which involves specific key combinations and/or connecting the device to a computer and using reset software provided by the manufacturer. If they are lucky, some users may be able to perform a simple uninstall because the app crashes on launch due to those compatibility issues.
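An app that can keep a user out of every other app and resist uninstall needs specific capabilities that are visible in its manifest before it is ever run. The script below is an added example, not Symantec's tooling and not code from the malware: it triages a decoded AndroidManifest.xml for the permission and component combinations that enable that behaviour. The permission names are real Android permissions, but which of them Android.Fakedefender actually requests is not stated in the post and is this example's assumption; the two manifests, package names and class names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permissions that, in combination, let an app keep the user out of other apps
# and make itself hard to remove. Which of these Android.Fakedefender actually
# requests is not stated in the post; this list is the example's assumption.
LOCKER_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over every other app",
    "android.permission.GET_TASKS": "can see which app is in the foreground",
    "android.permission.KILL_BACKGROUND_PROCESSES": "can kill other apps",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restarts itself after a reboot",
    "android.permission.WRITE_SETTINGS": "can change system settings",
}
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(manifest_xml):
    """Return human-readable findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    findings = []
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    for perm in sorted(requested & set(LOCKER_PERMISSIONS)):
        findings.append(f"{perm}: {LOCKER_PERMISSIONS[perm]}")
    # A receiver guarded by BIND_DEVICE_ADMIN is a device-administrator
    # component; once the user activates it, the normal uninstall button is
    # disabled until admin rights are revoked in Settings.
    for rcv in root.iter("receiver"):
        if rcv.get(ANDROID + "permission") == DEVICE_ADMIN:
            findings.append(f"device-admin receiver {rcv.get(ANDROID + 'name')}: "
                            "blocks ordinary uninstall while active")
    return findings


def verdict(findings):
    """Heuristic: overlay ability plus either persistence or app-policing."""
    if not findings:
        return "no locker indicators"
    overlay = any("SYSTEM_ALERT_WINDOW" in f for f in findings)
    sticky = any("device-admin" in f or "RECEIVE_BOOT_COMPLETED" in f
                 for f in findings)
    polices = any("GET_TASKS" in f or "KILL_BACKGROUND_PROCESSES" in f
                  for f in findings)
    return "locker-like" if overlay and (sticky or polices) else "review manually"


# Constructed manifests; package and class names are made up for the example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeav">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Defender">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = triage_manifest(text)
        print(name, "->", verdict(found))
        for line in found:
            print("  ", line)
```

In practice the manifest inside an APK is binary XML, so decode it first (for example with apktool, or `aapt dump xmltree`) and feed the result to `triage_manifest`. The heuristic is deliberately coarse: legitimate security and parental-control apps also request device-admin rights and overlays, so a "locker-like" verdict is a reason to look closer, not a detection on its own.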

Please take a look at the following video to see how FakeAV can lock up a device.


We may soon see FakeAV on the Android platform increase to become a serious issue just like it did on computers. These threats may be difficult to get rid of once installed, so the key to staying protected against them is preventing them from getting on to your device in the first place. We recommend installing a security app, such as Norton Mobile Security or Symantec Mobile Security, on your device. Malicious apps can also be avoided by downloading and installing apps from trusted sources. For general safety tips for smartphones and tablets, please visit our Mobile Security website.

Symantec detects this malware as Android.Fakedefender.