Security Issues of Online Social Networking
Hongyu Gao, Northwestern University
EECS450 class presentation
Adapted from slides of Harvard Townsend and Jessica Van Hattem

The Risks of Social Networking: Fan, Friend or Foe?
CHECK 2010, May 26, 2010
Sherry Callahan, CISSP, CISM, CISA, University of Kansas Medical Center
• Two thirds of US households use social networks, twice as many as a year ago
• 98% of students at UNC use Facebook
• Facebook has over 400 million “active” users, half of whom log in on any given day, 100 million via their mobile device
• U.S. Facebook users 55 and older grew 922% in 2009 (now ~10 million)

Social Networking Websites
• What are they?
• Tool for:
  • Communication
  • Expressing interests
  • etc.
• Interaction
• User contribution
  • Users submit content for other users

History
Early social networking websites:
• 1995 – classmates.com
  • focused on ties between former schoolmates
• 1997 – sixdegrees.com
  • focused on indirect ties

History, cont’d
Modern social networking websites:
• 2002 – Friendster
  • now mostly used in Asia
• 2003 – Myspace
  • bought by News Corporation (parent company of Fox) in 2005
  • most popular social networking site in 2006
“Giving people the power to share and make the world more open and connected.”
“Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick frequent answers to one simple question: What are you doing?”
“Your professional network of trusted contacts gives you an advantage in your career, and is one of your most valuable assets. LinkedIn exists to help you make better use of your professional network and help the people you trust in return.”
“Delicious is a Social Bookmarking service, which means you can save all your bookmarks online, share them with other people, and see what other people are bookmarking.”
What Are The Security Risks?
• Spam, phishing, malware
• Privacy breach
• Network structural attack

Spam, Phishing and Malware
• Spam:
  • Unsolicited messages to other users.
  • The method.
• Phishing and malware distribution:
  • The goal (or method?).
• Ultimate goal:
  • $$$

Spam, Phishing and Malware
• Ads
• Wall posts, inbox or chat messages with malicious links from hijacked “Friends”
• CSRF
• “My wallet was stolen and I’m stuck in Rome. Send me cash now.”
• Spam email pretending to be from Facebook admins

Oh no! URL Shorteners
• bit.ly, TinyUrl, ReadThisURL, NotLong
• Hides the true destination URL – no way to tell where you’re going until you click!
• http://www.hacker.com/badsite?%20infect-your-pc.html is now http://bit.ly/aaI9KV
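A defender-side check for the shortener problem above, added here as an example and not part of the original slides: resolve a shortened link hop by hop without following redirects, so the real destination host is visible before anyone clicks. The `FAKE_HOPS` table is constructed so the example runs offline; `http_location` does the same thing against a live server.

```python
from urllib.parse import urljoin, urlsplit
import urllib.error, urllib.request

SHORTENER_HOSTS = {"bit.ly", "tinyurl.com"}  # shorteners named on the slide


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # hand the 3xx back instead of silently following it


def http_location(url, timeout=5):
    """One live hop: HEAD the URL and return its Location header (None if final)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # a 3xx lands here because of NoRedirect
        return err.headers.get("Location")


def expand(url, fetch_location=http_location, max_hops=5):
    """Walk the redirect chain manually; return (final_url, chain).
    Loops and over-long chains raise instead of being followed or trusted."""
    chain = [url]
    for _ in range(max_hops):
        loc = fetch_location(chain[-1])
        if not loc:
            return chain[-1], chain
        nxt = urljoin(chain[-1], loc)  # Location may be relative
        if nxt in chain:
            raise ValueError("redirect loop: " + " -> ".join(chain + [nxt]))
        chain.append(nxt)
    raise ValueError("more than %d redirects: %s" % (max_hops, " -> ".join(chain)))


def is_shortened(url):
    return urlsplit(url).hostname in SHORTENER_HOSTS


def destination_host(url, fetch_location=http_location):
    """Host the user would actually land on, plus the hops taken to get there."""
    final, chain = expand(url, fetch_location)
    return urlsplit(final).hostname, chain


# Constructed offline stand-in for the network: the slide's own example link,
# plus a two-hop relative redirect that loops back on itself.
FAKE_HOPS = {
    "http://bit.ly/aaI9KV": "http://www.hacker.com/badsite?%20infect-your-pc.html",
    "http://tinyurl.com/loop1": "/loop2",
    "http://tinyurl.com/loop2": "/loop1",
}
def fake_location(url):
    return FAKE_HOPS.get(url)
```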
Malware Distribution
• Koobface is the granddaddy of malware targeting Facebook; it continues to evolve and infect today
• Register and activate a Facebook account.
• Join random Facebook groups, adding Facebook friends.
• Post messages on friends’ walls that contain links to the Koobface loader component

Defenses
• Attack the carrier:
  • Spam message detection
• Don’t talk to strangers:
  • Sender reputation assessment
• Stop the exploit (CSRF):
  • Web security enhancement
• Don’t touch what you shouldn’t touch:
  • Malicious URL detection
• Be alerted! (send-me-money hoax):
  • Do not send money

What Are The Security Risks?
• Spam, phishing, malware
• Privacy breach
• Network structural attack
Privacy Policy Protection? LOL
LinkedIn: “Additionally, you grant LinkedIn a nonexclusive, irrevocable, worldwide, perpetual, unlimited, assignable, sublicenseable, fully paid up and royalty-free right to us to copy, prepare derivative works of, improve, distribute, publish, remove, retain, add, process, analyze, use and commercialize, in any way now known or in the future discovered, any information you provide, directly or indirectly to LinkedIn, including but not limited to any user generated content, ideas, concepts, techniques or data to the services, you submit to LinkedIn, without any further consent, notice and/or compensation to you or to any third parties. Any information you submit to us is at your own risk of loss.”
Facebook: “You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof. You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content.”

Some Facts
• A study on Facebook users in the Carnegie Mellon University network
  • 90.8% uploaded images
  • 87.8% revealed birth dates
  • 39.9% share phone #
  • 50.8% list current addresses
• By Gross et al.
Breaches from Service Providers
• Root cause:
  • Client-server architecture
  • The OSN service provider is in a dominant position and can benefit from examining and sharing information
• Solution:
  • Users dictate fine-grained policies regarding who may view their information
  • Enforce the policy with encryption

Defenses
• Persona, by Baden et al.
  • Use decentralized storage
• Lockr, by Tootoonchian et al.
  • Recipient needs to provide digitally signed social relationships as proof to fetch data
• Smart clients and an untrusted central server, by Anderson et al.
  • Server stores encrypted data
  • Client accesses user information only if the owner’s client mediates the access
Breaches from Other Users
• Root cause:
  • Lack of care in examining friend requests
• A simple attack version:
  • 75,000 out of 250,000 random Facebook users contacted using an automatic script accepted the script’s friend request
  • A report from Sept. 2005

Advanced Attacks (Bilge et al.)
• Same-site profile cloning:
  • An attacker duplicates a user’s profile in the same OSN
  • Uses the duplicate to send out friend requests to the user’s friends
• Cross-site profile cloning:
  • An attacker identifies a user from OSN A
  • The attacker duplicates the user’s profile to OSN B
  • Uses the duplicate to send out friend requests to the user’s friends who are also registered in OSN B

Defenses
• None.
• But suggestions, yes:
  • Increase users’ alertness concerning their acceptance of friend requests
  • Improve the strength of Captcha to prevent large-scale automated attacks.

Breaches from 3rd Party Apps
• Root cause:
  • 3rd party apps are essentially untrusted.
  • A LOT of similarity with their smart phone counterparts.
• Problem breakdown:
  1. Which piece of information is necessary for the apps to function?
  2. How to monitor the way in which the apps manipulate the personal information?

Defenses
• For problem 1:
  • None. Have to trust the app’s manifest.
• For problem 2, Xbook by Singh et al.:
  • Information flow in the apps can only occur via XBook APIs (modify the app development language).
  • Use information flow models and run-time monitoring.
• The Facebook move:
  • Applications must obtain specific approval from users before gaining access to any personal information that isn’t available to “everyone”. (Recall the Android case?)
What Are The Security Risks?
• Spam, phishing, malware
• Privacy breach
• Network structural attack

Network Structural Attacks
• Root cause:
  • An attacker can control and manipulate multiple identities.
• Attack scenarios:
  • Promote the reputation of an account in e-commerce settings by voting the target as “good”.
  • De-anonymize the social network by inserting particular topological features into the network.

Defenses
• Trusted certification (prevention):
  • Only verified users can enter the network.
  • Too costly to implement.
• Resource testing (detection):
  • Investigates resources associated with nodes.
  • E.g., SybilGuard, by Yu et al.
• Recurring costs (mitigation):
  • Increase the cost of launching a Sybil attack
  • Increase the use of Captcha, put monetary charges, etc.
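A toy version of the resource-testing idea behind defenses such as SybilGuard, added here as an illustration (this is not the published SybilGuard protocol, whose random routes and intersection checks are more involved): the scarce resource is honest friendships, so short random walks from a trusted seed rarely cross the few attack edges into the attacker's region and Sybil identities collect far less walk mass than honest users, while long walks mix across the bottleneck and lose that signal. The graph, node names, walk lengths and seed are all constructed.

```python
import random
from collections import Counter


def build_graph():
    """Constructed toy social graph: 12 honest users on a ring with chords
    (one small-world honest region), a 6-identity Sybil clique run by one
    attacker, and a single attack edge h3 -- s0 (one careless friend accept)."""
    g = {}

    def add(a, b):
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set()).add(a)

    for i in range(12):
        add(f"h{i}", f"h{(i + 1) % 12}")   # ring edge
        add(f"h{i}", f"h{(i + 4) % 12}")   # chord edge
    for i in range(6):
        for j in range(i + 1, 6):
            add(f"s{i}", f"s{j}")           # Sybil identities all friend each other
    add("h3", "s0")                         # the lone attack edge
    return g


def landing_frequencies(g, seed, walk_len, n_walks, rng):
    """Fraction of n_walks uniform random walks of walk_len steps from a
    trusted seed that end on each node (0.0 for nodes never reached)."""
    ends = Counter()
    for _ in range(n_walks):
        node = seed
        for _ in range(walk_len):
            node = rng.choice(sorted(g[node]))  # sorted: reproducible with a seeded rng
        ends[node] += 1
    return {v: ends[v] / n_walks for v in g}


def sybil_mass(freqs):
    """Total walk mass that ended inside the attacker's region."""
    return sum(p for v, p in freqs.items() if v.startswith("s"))


def rank_by_trust(g, freqs):
    """Degree-normalised landing frequency, most trusted first, so a low-degree
    honest user is not penalised while a walled-off Sybil region is."""
    return sorted(g, key=lambda v: freqs[v] / len(g[v]), reverse=True)


def demo(walk_len, n_walks=4000, rng_seed=7):
    g = build_graph()
    freqs = landing_frequencies(g, "h0", walk_len, n_walks, random.Random(rng_seed))
    return sybil_mass(freqs), rank_by_trust(g, freqs)
```

With `walk_len=6` the six Sybil identities sit at the bottom of the ranking and hold only a few percent of the walk mass; with `walk_len=60` the walk has mixed across the attack edge and the Sybil region holds close to its stationary share (31/80 of the total degree), which is why the test length matters.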
Conclusion
• The value of online social networking far outweighs the risk.
• Use social networking effectively and positively to establish new relationships, strengthen existing ones, innovate, learn, collaborate, and have fun.
• But beware of the risks so you can do your best to steer clear of them
• And think before you click!!

Questions?