Security in social media
Samuel Rahikainen, Jesse Huttunen, Tuukka Kivioja
Classification of social media
• Collaborative projects (Wikipedia)
• Blogs (Twitter, Tumblr)
• Content communities (YouTube)
• Social networking (Facebook, Google Plus)
• Virtual game-worlds (WoW, SWTOR)
• Virtual social worlds (Second Life)
What kinds of threats exist in social media?
• Facebook
• Self-XSS
• Spam
• Threats to privacy / identity theft
• Clickjacking
Cross-site scripting or "Self-XSS"
• For example, a message such as "Why are you tagged in this video?" or the Facebook Dislike button takes you to a webpage that tries to trick you into cutting and pasting malicious JavaScript code into your browser's address bar.
• Self-XSS attacks can also run hidden, or obfuscated, JavaScript on your computer, allowing malware to be installed without your knowledge.
Threats to privacy / identity theft
• Facebook scams also tap into interest in the news, holiday activities and other topical events to get you to innocently reveal your personal information. Facebook posts such as "Create a Royal Wedding guest name" and "In honor of Mother's Day" seem innocuous enough, until you realize that information such as your children's names and birthdates, your pet's name and your street name now resides permanently on the Internet.
• Since this information is often used for passwords or password challenge questions, it can lead to identity theft.
"Clickjacking" or "likejacking", also known as "UI redressing"
• Tricks web users into revealing confidential information, or takes control of their computer, when they click on seemingly innocuous webpages. Clickjacking takes the form of embedded code or a script that can execute without the user's knowledge. One disguise is a button that appears to perform another function. Clicking the button sends the attack out to your contacts through status updates, which propagates the scam.
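Clickjacking works by loading the target page in a hidden frame, so the defender-side check is whether a response forbids being framed. The audit below is an added example, not part of the original slides; the header samples are constructed.

```python
"""Audit HTTP response headers for anti-clickjacking protection.

Added example, not from the original slides. Checks the two browser-enforced
controls that stop a page being embedded in a hidden frame: X-Frame-Options
and the CSP frame-ancestors directive. Sample headers below are constructed.
"""


def frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_protection(headers: dict) -> str:
    """Classify a response as 'protected', 'weak' or 'unprotected'.

    Header names match case-insensitively. When both headers are present,
    browsers follow frame-ancestors and ignore X-Frame-Options.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        # 'none', 'self' or an origin list restricts framing; '*' allows anyone.
        return "unprotected" if "*" in ancestors else "protected"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected"
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete syntax that current browsers ignore: no real protection.
        return "weak"
    return "unprotected"

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "no-headers": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "csp-beats-xfo": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:14} -> {framing_protection(hdrs)}")
```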
Article: "Facebook Removing Option To Be Unsearchable By Name, Highlighting Lack Of Universal Privacy Controls" (http://techcrunch.com/2013/10/10/facebook-search-privacy/)
How can you protect against these threats?
• Facebook's security features:
• In theory, new Facebook security features provide protection against scams and spam, but unfortunately they are mainly ineffectual. Self-XSS, clickjacking and survey scams essentially did not exist just a few years ago, but they now appear on Facebook and other social networks on a daily basis.
How can you protect against these threats?
• Check that you are logging in from a legitimate Facebook page on the facebook.com domain
• Remote logout
• Common sense
• Use an up-to-date browser that features an anti-phishing blacklist
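The first check above, "is this really facebook.com?", has to be made on the parsed hostname rather than on the URL text. The function below is an added example, not part of the original slides; the sample URLs are constructed.

```python
"""Check whether a login URL really belongs to facebook.com.

Added example, not from the original slides. Phishing pages imitate the real
login page with look-alike hosts, so the check is done on the parsed hostname,
never on whether "facebook.com" appears somewhere in the URL string.
The sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

LEGITIMATE_DOMAIN = "facebook.com"


def is_legitimate_login_url(url: str, domain: str = LEGITIMATE_DOMAIN) -> bool:
    """True only for an HTTPS URL whose host is the domain or one of its subdomains."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        # Credentials must never be typed into a plain-HTTP form.
        return False
    host = parts.hostname  # drops userinfo ("user@") and port, lower-cases
    if not host:
        return False
    host = host.rstrip(".")  # "facebook.com." names the same host
    return host == domain or host.endswith("." + domain)


def naive_check(url: str, domain: str = LEGITIMATE_DOMAIN) -> bool:
    """The tempting but broken substring check, kept for comparison."""
    return domain in url


# Constructed URLs: one genuine, the rest typical phishing shapes.
SAMPLES = [
    "https://www.facebook.com/login.php",
    "http://www.facebook.com/login.php",             # downgraded to HTTP
    "https://www.facebook.com.account-check.test/",  # real domain used as a prefix
    "https://facebook.com@login-secure.test/",       # domain in the userinfo part
    "https://login-secure.test/facebook.com/",       # domain in the path
    "https://faceb00k.com/login.php",                # typo-squat
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{is_legitimate_login_url(url)!s:5} naive={naive_check(url)!s:5} {url}")
```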
What kinds of threats exist in social media?
• YouTube
• Given the availability of so many videos and the incredible volumes of traffic the site receives, it should not come as a surprise that cybercriminals are looking to reap some benefit
• Links in the video description to the "full video" lead to an online survey rabbit hole
Google account (Gmail, YouTube, Drive etc.)
• One account linked to many services -> one password gives access to all of the services
• Article: "Android one-click Google authentication method puts users, businesses at risk" (http://www.computerworld.com/s/article/9241355/Android_one_click_Google_authentication_method_puts_users_businesses_at_risk)
How can you protect against these threats?
• Verification
• Password + SMS/phone call verification
• IP-based verification
• Revoke unauthorized access
• Track account activity
• Create a strong password
Web 2.0 technology
• Web 2.0 describes web sites that use technology beyond the static pages of earlier web sites
• Web 2.0 is the popular term for advanced Internet technology and applications, including blogs, wikis, RSS and social bookmarking.
• The two major components of Web 2.0 are the technological advances enabled by Ajax and other new applications such as RSS and Eclipse, and the user empowerment that they support.
Web 2.0 threats
• Insufficient authentication controls
• In many Web 2.0 applications, content is entrusted to many users, not just a select number of authorized personnel. That means there is a greater chance that a less experienced user will make a change that negatively affects the overall system.
• Cross-site scripting
• In a stored cross-site scripting (XSS) vulnerability, malicious input sent by an attacker is stored in the system and then displayed to other users.
• At risk are blogs, social networks and wikis
• Phishing
• Although phishing is by no means a risk associated only with Web 2.0 technologies, the multitude of dissimilar client software in use makes it harder for consumers to distinguish between genuine and fake web sites
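Stored XSS as described above, shown as a vulnerable comment renderer beside its hardened form. This is an added example, not code from the original slides; the comment store, names and the harmless alert payload are constructed.

```python
"""Stored XSS: an unescaped comment renderer beside its hardened form.

Added example, not from the original slides. A comment is stored once and
rendered to every later viewer, so a script inside it runs in each of their
browsers. Store, names and payload are constructed; the payload only alerts.
"""
import html
from urllib.parse import urlsplit

# Constructed data store: blog comments, one submitted by an attacker.
STORED_COMMENTS = [
    {"author": "alice", "site": "https://alice.example", "body": "Nice post!"},
    {"author": "mallory", "site": "javascript:alert('href')",
     "body": '<script>alert("stored XSS")</script>'},
]

def render_unsafe(comments) -> str:
    """Vulnerable: stored values are concatenated straight into the HTML."""
    return "".join(
        f'<p><a href="{c["site"]}">{c["author"]}</a>: {c["body"]}</p>'
        for c in comments
    )

def safe_href(url: str) -> str:
    """URL context: escaping alone is not enough, so allow only http(s) links."""
    if urlsplit(url).scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)

def render_safe(comments) -> str:
    """Hardened: each stored value is encoded for the context it lands in."""
    return "".join(
        f'<p><a href="{safe_href(c["site"])}">{html.escape(c["author"])}</a>: '
        f'{html.escape(c["body"])}</p>'
        for c in comments
    )

def has_active_content(markup: str) -> bool:
    """Crude check used only to compare the two renderers."""
    low = markup.lower()
    return "<script" in low or 'href="javascript:' in low

if __name__ == "__main__":
    print("unsafe:", render_unsafe(STORED_COMMENTS))
    print("safe:  ", render_safe(STORED_COMMENTS))
```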
Web 2.0 threats
• Information leakage
• Web 2.0, combined with our "work-from-anywhere" lifestyle, has begun to blur the lines between work and private life. Because of this psychological shift, people may inadvertently share information their employer would have considered sensitive.
• Injection flaws
• Web 2.0 technologies tend to be vulnerable to new types of injection attacks, including XML injection, XPath injection, JavaScript injection and JSON injection, for no other reason than that Web 2.0 applications tend to use and rely on those technologies
• With increased use comes increased risk.
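One of the injection flaws listed above, JSON injection, arises when a back end assembles JSON by string concatenation. The comparison below is an added example, not from the original slides; the field names and the attacker-controlled username are constructed.

```python
"""JSON injection: building a document by concatenation versus a serializer.

Added example, not from the original slides. A back end that pastes strings
together lets a quoted value close the string and add fields of its own;
json.dumps encodes the value instead. Field names and input are constructed.
"""
import json


def profile_json_unsafe(username: str) -> str:
    """Vulnerable: user-controlled text spliced into a JSON template."""
    return '{"role": "member", "user": "' + username + '"}'


def profile_json_safe(username: str) -> str:
    """Hardened: the serializer escapes quotes, backslashes and control chars."""
    return json.dumps({"role": "member", "user": username})


def effective_role(document: str) -> str:
    """Simulate the client: parse the document and read the role it grants.
    JSON parsers keep the last duplicate key, so an appended "role" wins."""
    return json.loads(document)["role"]


def parsed_user(document: str) -> str:
    """Simulate the client reading the user field back."""
    return json.loads(document)["user"]


# Constructed attacker input: closes the string and appends a field.
INJECTED_NAME = 'alice", "role": "admin'


def demo() -> dict:
    """Return what each renderer lets the client believe."""
    return {
        "unsafe_role": effective_role(profile_json_unsafe(INJECTED_NAME)),
        "safe_role": effective_role(profile_json_safe(INJECTED_NAME)),
        "safe_user": parsed_user(profile_json_safe(INJECTED_NAME)),
    }


if __name__ == "__main__":
    print(profile_json_unsafe(INJECTED_NAME))
    print(profile_json_safe(INJECTED_NAME))
    print(demo())
```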
Web 2.0 possibilities
• Flash
• A major advantage of using the Flash Player for Web 2.0 applications is consistent development across operating systems and browsers, with far less programming overhead spent working around differences and less need to debug and test on every configuration.
• The Flash Player has more reach than any browser or operating system, and is being distributed faster than any other technology
• The transformation of Flash from a pure animation engine into a runtime for rich media and rich internet applications has been happening for several years now
Web 2.0 possibilities
• The new Flash Player 9 has even stronger enterprise data connectivity, including client support for Flex Enterprise Services, which enables the use of message queues, integration with JMS, remote procedure calls and data synchronization. This enables not only simple applications like photo viewers, but also sophisticated business applications.
References
• http://www.sophos.com/en-us/security-news-trends/security-trends/social-networking-security-threats/facebook.aspx
• http://resources.avg.com.au/security_risks/youtube-threats/
• http://www.facebook.com/notes/facebook/protect-yourself-against-phishing/81474932130
• http://readwrite.com/2009/02/16/top-8-web-20-security-threats#awesm=~olQQwNPj77bba1
• http://www.klynch.com/archives/000082.html