Post on 19-Jan-2016
description
Social Networking:Risks and realities
Nick Barronnick.barron@pennantplc.co.uk
2
Who am I?
• Day job
– Employed by Pennant Plc www.pennantplc.co.uk– Head of Group IT, Security controller, software
developer• Meanwhile...
– Freelance security consultant/researcher– SC magazine columnist – IT advisor to DISA
• Disclaimers
– Views expressed are my own, not those of my employer– Don’t try this at work without consent– Check legal aspects
3
What am I talking about?
• What information can be obtained from online social networks?
• How can it be (ab)used?
• What can you do to address the risks
• Focus on corporate liabilities/risks
• Mainly about risks of online social networks, but many apply equally to old fashioned ones too!
4
The usual suspects
5
Not just for kids
Source: http://www.penn-olson.com/2010/02/19/the-social-media-age-distribution-stats/Used with permission
6
How data leaks: users
• Oversharing
• Short-temper syndrome
• Underestimated automation
Did you post it
online?
Did you post it
online?
Probably not private
Probably not private
Possibly private
Possibly private
7
How data leaks: hacks
8
How data leaks: loose lips
9
How data leaks: loose lips
http://www.weknowwhatyouredoing.com
10
How data leaks: apps
11
How data leaks: location
12
Facebook never forgets!
13
Feature creep
14
Risks are real…
http://news.bbc.co.uk/1/hi/8134807.stm
15
Risks are real… (2)
https://www.zdnet.com/blog/facebook/chinese-spies-used-fake-facebook-profile-to-friend-nato-officials/10389
16
Risks are real (3)
17
Risks are real (4)
18
Risks are real (5)
• “All Your Contacts Are Belong to Us” WWW2009http://www2009.eprints.org/56/
• Automatically create fake profiles and request friends
• Create profiles on other sites
19
Risks are real (6)
http://thecaucus.blogs.nytimes.com/2009/02/09/in-iraq-to-twitter-or-not-to-twitter/
20
Who cares?
21
Using the data (1)
22
Using the data (2)
• Online Privacy Foundation’s “Big 5” experimenthttps://www.onlineprivacyfoundation.org/?p=329
– Establish Myers-Briggs characteristics– Linguistic and post statistics analysis– Statistically significant link between FB habits and
personality test results (but…)– Twitter: are you a psychopath?!
• “Augmenting password recovery…”http://www.dfrws.org/2011/proceedings/08-340.pdf
– Use online profiles to help guess passwords– Early days but other research ongoing– What about those password reset questions…?
23
Using the data (3)
• Facebook analysis to determine Nigerian scammershttp://preview.tinyurl.com/specops-paper (PDF)http://preview.tinyurl.com/specops-vid (video)
24
Sanity check
• Your employees will use Facebook etc
– Even if blocked at work– Use takes place outside corporate network perimeter
• Social network users are not customers, they are product
• It is not in social network vendors’ commercial interests to make your privacy a priority
– Long record of truly awful security– Commercialisation is an incentive for more intrusion
25
Defences
26
Guidance
http://www.cpni.gov.uk/documents/publications/2010/2010032-gpg_online_social_networking.pdfhttp://preview.tinyurl.com/gpg27
27
Guidance (2)
http://preview.tinyurl.com/sophossmt
28
Countermeasures
• Education, education, educations
– Most users don’t actually want to breach privacy– Usually unaware of how much is available– Better privacy awareness increases personal security as
well as business security
Used with kind permission of Scott Hampson, www.agent-x.com.au
29
Countermeasures (2)
• Snoop yourself (Google, NodeXL, Maltego etc)
• Check exposure of key staff
• Include social networks in scope for penetration tests (but check with ethics/legal departments)
30
Countermeasures (3)
• Blur data where possible
– Your friends will already know most of the useful info– Minimise what goes into profile– Seed a few bogus “facts”– Turn off location features– Check password reset policies
• But….
– Not having DOB no help when people say “Happy Birthday” on your Facebook wall!
– May be breach of terms of service to lie
31
Countermeasures (4)
• Weed old accounts
– FriendsReunited, MySpace etc• Compartmentation where possible
– Facebook for home stuff– LinkedIn for business– Flickr for pictures
– Avoid the use of corporate mail addresses for social networking sites
– High value targets should consider use different email addresses
32
Countermeasures (5)
• “Placeholder” profiles on unused systems
• Look at ‘privacy’ settings
– KISS, don’t have too many options
– Assume privacy controls will fail, and consider impact
– If in doubt, don’t post
Used with kind permission of Scott Hampson, www.agent-x.com.au
33
Summary
• Online social networks are not going away any time soon
• There are real benefits to their use for many staff
• OSN vendors cannot be trusted to implement strong security
• Education and defensive monitoring are the best protections
• The risks apply to non-electronic social networks as well!
34
Links…
• www.44con.com (Sept 2012, lots of business level info too)
• www.agent-x.com.au for great cartoons!
• www.securityg33k.com
• www.facecrooks.com
• www.onlineprivacyfoundation.org
• harmonyguy.com
• www.social-engineer.org
• nodexl.codeplex.com (free Excel plugin for social network analysis)
• www.paterva.com (industry standard tool for network analysis)
35
Questions?