CSCD 303 Essential Computer Security, Fall 2017
Lecture 16 – Social Network Security
Reading: See links at end of slides
Overview
• Talk about the good and bad of Social Network sites …
• Threats and your safety using these sites
• Privacy, and what you can do to protect it
• Will be talking more in-depth on privacy later
• Question is, do you care?
Social Networking Defined
PC Magazine defines a Social Network as:
• "An association of people drawn together by family, work or hobby.
• The term was first coined by professor J. A. Barnes in the 1950s, who defined the size of a social network as a group of about 100 to 150 people."
Early Social Networking
In the Beginning ... Introduced in 2002, Friendster (www.friendster.com) was the first social site, followed by MySpace (www.myspace.com) a year later.
Started by two friends, MySpace was very popular, and its parent company, Intermix, was acquired by News Corporation for $580 million two years after MySpace was launched.
Early Social Networking
Facebook (www.facebook.com) came out in 2004, initially for college students, but later for everyone.
Following Facebook were TagWorld (www.tagworld.com) and Tagged (www.tagged.com). TagWorld introduced tools for creating more personalized Web pages, and Tagged introduced the concept of building tag teams for teens with like interests.
Social networking sites competed for attention much like the first Web portals when the Internet became popular in the mid-1990s: Yahoo, AOL, Alta Vista, and finally, Google.
Video Sharing - YouTube
• Founded in February 2005, YouTube is the world's most popular online video community, allowing millions of people to discover, watch and share originally-created videos
• YouTube provides forums for people to connect to others across the globe
• Acts as a distribution platform for original content creators and advertisers
• YouTube allows people to easily upload and share video clips on www.YouTube.com and across the Internet through websites, mobile devices, blogs, and e-mail
Social Networking Sites: Problems of Trust
• Research shows that nearly 2/3 of us don’t trust online companies like Facebook
• Facebook has constantly tweaked its complex security settings over the years, despite public outcry
• They don't seem to care !!!
• Studies show that 68% of Facebook users do not understand the social network’s privacy settings
• According to a 2011 report by MSNBC and the Ponemon Institute, Internet users feel they have less control over their personal information today than they did 5 years ago
http://www.jeffbullas.com/2012/02/23/is-social-media-a-serious-threat-to-your-privacy-infographic/
Facebook Origins
• How did Facebook originate?
• Who funded it?
• In-Q-Tel is a venture capital company of the CIA – Central Intelligence Agency
• In their own words, “As an information-based agency, CIA must be at the cutting edge of information technology in order to maintain its competitive edge and provide its customers with intelligence that is both timely and relevant”
https://www.iqt.org/
In-Q-Tel Information
• The Corbett Report describes In-Q-Tel involvement in companies involved in monitoring people
• The data mining equipment installed in the NSA back door at AT&T, a Narus STA 6400, was developed by a company whose partners were funded by In-Q-Tel
• News21 reported on an In-Q-Tel investment in CallMiner, a company developing technology for turning recorded telephone conversations into searchable databases
• Direct investment in Google and Facebook is shadier, but can still be traced back to In-Q-Tel … details below
http://www.corbettreport.com/meet-in-q-tel-the-cias-venture-capital-firm-preview/
“Giving people the power to share and make the world more open and connected.”
“Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick frequent answers to one simple question: What are you doing?”
“Your professional network of trusted contacts gives you an advantage in your career, and is one of your most valuable assets. LinkedIn exists to help you make better use of your professional network and help the people you trust in return.”
“Delicious is a Social Bookmarking service, which means you can save all your bookmarks online, share them with other people, and see what other people are bookmarking.”
Instagram
• Instagram is a mobile, desktop, and Internet-based photo-sharing application and service that allows users to share pictures and videos either publicly or privately. (Wikipedia)
• Date launched: 2010
• Developed by: Facebook
• Owner: Facebook, Inc.
• Nominations: Teen Choice Award for Choice Social Network
• Did you know: Instagram (@instagram) is the most followed user on Instagram by number of followers (227 million)
Social Networking – Digital Cocktail Party
• Define my profile
• Define myself online
• Interests, skills etc…
• Define relations to other profiles
• Including some access control
• Interact with my “Friends” via IM, wall posts, blogs.
Threats to Privacy ...
It’s OK because only my network can see my profile data
Only my friends can see my data
Most users don’t realize the size of their audience
• Only everyone in the London Network?
• Only everyone who pays for a LinkedIn Pro account?
• Only everyone in your email address book?
• Only Social Network employees?
• Only anyone who’s willing to pay for behavioural advertising?
• Only plastic green frogs?
Relying on faith in anonymity ….
It’s OK because I don’t use my real name
Data mining tools
The MyFaceID application will automatically process your photos, find all faces, help you tag them and let you search for similar people.
Online Social Network (OSN) Information Privacy
• Information posted on OSNs is generally public
• Unless you set privacy settings appropriately
• An “I’ll be on vacation” post plus geolocation invites burglars, i.e., “Please Rob Me”
• Indiscreet posts can lead to nasty consequences
Examples of Burglaries
• Burglars used social network information to commit crimes … Examples:
Police said there were 50 home burglaries in Nashua, NH in August.
• Investigators said suspects used social networking sites such as Facebook to identify victims who posted online that they would not be home at a certain time.
"Be careful of what you post on these social networking sites," said Capt. Ron Dickerson. "We know for a fact that some of these criminals were looking on these sites and identifying their targets through social networking sites."
http://www.wmur.com/Police-Thieves-Robbed-Homes-Based-On-Facebook-Social-Media-Sites/11861116#ixzz2uH0y4OLj
Online Social Network (OSN) Information Privacy
• Employers, insurers, college admissions officers, et al. already screen applicants using OSNs
• Recent report from Novarica, a research group for the finance and insurance industries: “We can now collect information on buying behaviors, geospatial and location information, social media and Internet usage, and more… Our electronic trails have been digitized, formatted, standardized, analyzed and modeled, and are up for sale. As intimidating as this may sound to the individual, it is a great opportunity for businesses to use this data.”
OSN Information Privacy
• Posts that got people fired
• Connor Riley: “Cisco just offered me a job! Now I have to weigh the utility of a [big] paycheck against the daily commute to San Jose and hating the work.”
• Tania Dickinson: compared her job at a New Zealand development agency to an “expensive paperweight”
• Virgin Atlantic flight attendants who mentioned engines replaced 4 times/year, cabins with cockroaches
OSN Information Privacy
• OSNs don’t exactly safeguard posted info…
Facebook: “You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof. You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content.”
LinkedIn: “Additionally, you grant LinkedIn a nonexclusive, irrevocable, worldwide, perpetual, unlimited, assignable, sublicenseable, fully paid up and royalty-free right to us to copy, prepare derivative works of, improve, distribute, publish, remove, retain, add, process, analyze, use and commercialize, in any way now known or in the future discovered, any information you provide, directly or indirectly to LinkedIn, including but not limited to any user generated content, ideas, concepts, techniques or data to the services, you submit to LinkedIn, without any further consent, notice and/or compensation to you or to any third parties. Any information you submit to us is at your own risk of loss.”
Facebook Privacy Policy
• Facebook's own Terms of Use state:
• "By posting Member Content to any part of the Web site, you automatically grant, and you represent and warrant that you have the right to grant, to facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license to use, copy, perform, display, reformat, translate, excerpt and distribute such information and content and to prepare derivative works of, or incorporate into other works, such information and content, and to grant and authorise sublicenses of the foregoing”
• And in its equally interesting privacy policy:
• "Facebook may also collect information about you from other sources, such as newspapers, blogs, instant messaging services, and other users of the Facebook service through the operation of the service (e.g. photo tags) in order to provide you with more useful information and a more personalised experience. By using Facebook, you are consenting to have your personal data transferred to and processed in the United States."
OSN Security Threats/Attacks
• Malware Distribution
OSN Malware Distribution
• Best-known example: Koobface
• Worm masquerading as an Adobe Flash Player update
• Starting in 2009, OSN users were enticed to watch a “funny video”, then conned into “updating” Flash
• Koobface connected infected computers to a botnet, served ads for fake antivirus software
• Estimated 400,000–800,000 bots in 2010
• Facebook outed the gang behind Koobface in Jan. 2012; bot server shut down
Locky Malware via Image Files
• One of the most sophisticated attacks to go down on social media in recent memory was that of Locky. Initially spread through email attachments, Locky directly targeted social networks through the circulation of corrupt JPEGs (those sneaky Locky hackers found a way to embed malicious code into an image file).
• When an unknowing user clicked and opened the image, Locky would immediately lock down all their computer files. A nasty little note would soon follow demanding that the user make a payment
https://gizmodo.com/imagegate-ransomware-spreading-via-jpg-files-on-social-1789381291
OSN Security Threats/Attacks
• Cyber harassment, stalking, etc.
OSN Stalking, Harassment, etc.
• Bullies, stalkers, etc. harass people via OSNs
• High-profile example: Megan Meier’s suicide
• 13-year-old Meier killed herself after chatting on MySpace with a 16-year-old boy who made degrading remarks
• The “boy” was a fake account set up by Lori Drew, mother of Meier’s ex-friend
• Drew found guilty of violating the Computer Fraud and Abuse Act in 2008; acquitted in 2009
• Most U.S. states have since criminalized cyber harassment, stalking, etc.
• OSNs (and their members) have played similar roles in mistreating people
OSN Threats
• Then, there is Social Networking Spam and Scams …
“Scams on social media skyrocketed by 150 percent across Facebook, Twitter, Instagram, and LinkedIn in 2016. And the number is likely to continue climbing as more cyber crooks see social as a fruitful target.”
https://blog.hootsuite.com/social-media-security-for-business/
Social Media Hacks - Businesses
• Privacy and protection on social media is extremely important … Yet many businesses continue to put their reputations at risk by not implementing strict privacy settings
• As a result, hackers can easily take control of a brand’s social channels and wreak havoc at will: sending fraudulent posts to followers or making adjustments to a channel’s appearance
• Burger King, whose Twitter account was hijacked and made to look like it was promoting McDonald’s ...
Social Media Hacks - Businesses
McD's Response: "We empathize with our @BurgerKing counterparts. Rest assured, we had nothing to do with the hacking." 10:43 AM - Feb 18, 2013
• Comments courtesy of Gizmodo …
• If you run a hamburger company, make sure your password isn't "cheese" or something.
• The Burger King account has gained over 20,000 (updated: 30,000) followers since it was compromised. Someone at BK corporate owes these hackers a meat gift basket.
• After well over an hour, @BurgerKing is suspended, and a grieving nation can enjoy its lunchtime in relative peace while the BK social media team screams at one another and cleans things up.
https://gizmodo.com/5985058/burger-king-twitter-hacked
Social networking spam in 2011
57% of social networking users report being hit by spam via the services
That’s an increase of 70.6% from a year ago
Social Media Spam Here to Stay
• How lucrative is social media spam?
• Spam can be quite lucrative. After they posted an article about Pinterest spamming, a self-proclaimed affiliate marketer said he makes up to $2,500 a day with thousands of spambots…
• Facebook and the state of Washington sued spammy advertising company Adscend early this year. 80% of Adscend’s $1.2 million monthly revenue is generated by Facebook scams. The Facebook suit was also settled and the terms were undisclosed
https://www.ignitesocialmedia.com/social-networks/a-quick-look-at-spammers-in-social-media/
OSN Malware Distribution
• Other third-party apps on OSNs like Facebook may contain malware (if not vetted)
• Which they typically are not
OSN Third Party Applications
• Games, quizzes, “cute” stuff
• Untested by Facebook – anyone can write one…
• No Terms and Conditions – either allow or deny
• Installation gives developers rights to look at your profile and overrides your privacy settings!
There’s a sucker born every minute. –P.T. Barnum
OSN Threats
• Shelf-life of your on-line information is FOREVER!!!
OSN Information “Shelf Life”
• Common sense: it’s very difficult to delete information after it’s been posted online
• Indiscreet information can adversely affect college admissions, employment, insurance
• Twitter gave its entire archive to the Library of Congress in 2010
Click-Jacking and Like-Jacking
• What is Clickjacking?
• Clickjacking occurs when a scam artist or other internet-based bad guy places an invisible button or other user interface element on top of a seemingly innocent web page button or interface element, using a transparency layer (which you can't see)
Click-Jacking and Like-Jacking
• Innocent web page might have a button which reads:
• "Click here to see a video of a fluffy kitty being cute and adorable",
• But hidden on top of that button is an invisible button that is actually a link to something that you would not otherwise want to click on, such as a button that:
• Tricks you into changing privacy settings on your Facebook account
• Tricks you into "liking" something you wouldn't normally like
• Tricks you into adding yourself as a Twitter follower for someone who doesn't deserve you
• Tricks you into enabling something on your computer (such as a microphone or camera)
Click-Jacking and Like-Jacking
• What is Like-Jacking?
• "Likejacking" is a Facebook-specific version of an attack called "clickjacking."
• The purpose of the attack is to get you to click items on a web page without your knowledge.
• Facebook attackers present a web page that actually has two layers. The back layer is designed with a Facebook "Like" button configured to follow your mouse cursor. The front layer shows whatever lure you are to be tricked by
• No matter where you click on the web page, you are actually clicking the Facebook Like button and further spreading the spam
http://www.sophos.com/en-us/security-news-trends/security-trends/what-is-likejacking.aspx
• A short video about this: http://www.webpronews.com/likejacking-scams-on-facebook-2012-04
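Clickjacking and likejacking both depend on loading the target page (the one with the real "Like" button) inside a transparent frame on the attacker's page. As an added example, not from the lecture or the Sophos article, the Node.js check below reads the two response headers a site uses to refuse that framing, X-Frame-Options and the CSP frame-ancestors directive, and reports whether a third party could still frame the page; the header sets are constructed samples, not captured from any real site.

```javascript
// Added example (not from the lecture): check whether a page's response headers
// stop it being loaded inside a third-party frame, the mechanism like-jacking needs.
// Split a Content-Security-Policy value into { directiveName: [tokens] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) {
      directives[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return directives;
}

// Decide whether third-party framing is blocked. Returns { framingAllowed, reason }.
function assessFrameProtection(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // CSP frame-ancestors takes precedence over X-Frame-Options where supported.
  const sources = h['content-security-policy']
    ? parseCsp(h['content-security-policy'])['frame-ancestors']
    : undefined;
  if (sources) {
    if (sources.includes('*')) {
      return { framingAllowed: true, reason: 'frame-ancestors * permits any origin' };
    }
    // 'none', 'self' or an explicit origin list all exclude unknown third parties.
    return { framingAllowed: false, reason: `frame-ancestors ${sources.join(' ')}` };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { framingAllowed: false, reason: `X-Frame-Options: ${xfo}` };
  }
  if (xfo) {
    // ALLOW-FROM and malformed values are ignored by current browsers: no protection.
    return { framingAllowed: true, reason: `unenforced X-Frame-Options value: ${xfo}` };
  }
  return { framingAllowed: true, reason: 'no frame-ancestors or X-Frame-Options header' };
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_RESPONSES = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoDeny: { 'Content-Type': 'text/html', 'X-Frame-Options': 'DENY' },
  cspSelf: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" },
  cspWildcard: { 'content-security-policy': 'frame-ancestors *' },
};
```

Running `assessFrameProtection` over each entry of `SAMPLE_RESPONSES` flags only `unprotected` and `cspWildcard` as frameable; a site can use the same check against its own login and "Like" endpoints.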