CSCD 303 Essential Computer Security Winter 2014 Lecture 13a – Social network Security Reading:...
CSCD 303 Essential Computer Security, Winter 2014
Lecture 13a – Social network Security
Reading: See links - End of Slides
Overview
• Talk about the good and bad of Social Network sites …
• Threats and Your safety using these sites
• Privacy, and what you can do to protect it – Will be talking more in-depth on privacy later
• Question is, do you care?
Information Security is not just for companies
Social Networking Defined
PC Magazine defines a Social Network as "An association of people drawn together by family, work or hobby." The term was first coined by professor J. A. Barnes in the 1950s, who defined the size of a social network as a group of about 100 to 150 people.
Early Social Networking
In the Beginning ... Introduced in 2002, Friendster (www.friendster.com) was the first social site, followed by MySpace (www.myspace.com) a year later.
Started by two friends, MySpace was very popular, and its parent company, Intermix, was acquired by News Corporation for $580 million two years after MySpace was launched.
Early Social Networking
Facebook (www.facebook.com) came out in 2004. Initially for college students, but later for everyone.
Following Facebook were TagWorld (www.tagworld.com) and Tagged (www.tagged.com). TagWorld introduced tools for creating more personalized Web pages, and Tagged introduced the concept of building tag teams for teens with like interests.
Social networking sites competed for attention much like the first Web portals did when the Internet became popular in the mid-1990s
– Yahoo, AOL, Alta Vista, and finally, Google
Video Sharing - YouTube
Founded in February 2005, YouTube is world's most popular online video community, allowing millions of people to discover, watch and share originally-created videos
YouTube provides a forum for people to connect, inform, and inspire others across the globe and acts as a distribution platform for original content creators and advertisers large and small. YouTube allows people to easily upload and share video clips on www.YouTube.com and across the Internet through websites, mobile devices, blogs, and e-mail.
Social Networking Sites – Problems of Trust
• Research shows that nearly 2/3 of us don’t trust online companies like Facebook
• Facebook has constantly tweaked its complex security settings over the years, despite public outcry – They do not seem to care !!!
• Studies show that 68% of Facebook users do not understand the social network’s privacy settings
• According to a 2011 report by MSNBC and the Ponemon Institute, Internet users feel they have less control over their personal information today than they did 5 years ago
http://www.jeffbullas.com/2012/02/23/is-social-media-a-serious-threat-to-your-privacy-infographic/
Facebook Origins
How did Facebook originate? Who funded it?
In-Q-Tel is the venture capital company of the CIA – Central Intelligence Agency
In their own words, “As an information-based agency, CIA must be at the cutting edge of information technology in order to maintain its competitive edge and provide its customers with intelligence that is both timely and relevant”
https://www.iqt.org/
In-Q-Tel Information
The Corbett Report describes In-Q-Tel’s involvement in companies involved in monitoring people
The data mining equipment installed in the NSA back door at AT&T, a Narus STA 6400, was developed by a company whose partners were funded by In-Q-Tel
News21 reported on an In-Q-Tel investment in CallMiner, a company developing technology for turning recorded telephone conversations into searchable databases
Direct investment in Google and Facebook is shadier, but can still be traced back to In-Q-Tel … details below
http://www.corbettreport.com/meet-in-q-tel-the-cias-venture-capital-firm-preview/
“Giving people the power to share and make the world more open and connected.”
“Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick frequent answers to one simple question: What are you doing?”
“Your professional network of trusted contacts gives you an advantage in your career, and is one of your most valuable assets. LinkedIn exists to help you make better use of your professional network and help the people you trust in return.”
“Delicious is a Social Bookmarking service, which means you can save all your bookmarks online, share them with other people, and see what other people are bookmarking.”
Social Networking – Digital Cocktail Party
• Define my profile – define myself online: interests, skills etc…
• Define relations to other profiles – Including some access control
• Interact with my “Friends” via IM, wall posts, blogs.
Threats to Privacy ... It’s OK because only my network can see my profile data
• Low friending thresholds (poor authentication)
• Only my friends can see my data – Most users don’t realise the size of their audience
• Only Everyone in the London Network?
• Only Everyone who pays for a LinkedIn Pro account?
• Only Everyone in your email address book?
• Only Social Network employees?
• Only anyone who’s willing to pay for behavioural advertising?
• Only Plastic green frogs?
Relying on faith in anonymity .... It’s OK because I don’t use my real name
Data mining tools
MyFaceID application will automatically process your photos, find all faces, help you tag them and let you search for similar people.
– Which, fortunately, don’t work very well
Online Social Network (OSN) Information Privacy
• Information posted on OSNs is generally public – Unless you set privacy settings appropriately
• Indiscreet posts can lead to nasty consequences
– “I’ll be on vacation” post plus geolocation invites burglars, i.e., “Please Rob Me”
Examples of Burglaries
Burglars used social network information to commit crimes. Police said there were 50 home burglaries in Nashua, NH in August. Investigators said suspects used social networking sites such as Facebook to identify victims who posted online that they would not be home at a certain time.
"Be careful of what you post on these social networking sites," said Capt. Ron Dickerson. "We know for a fact that some of these players, some of these criminals, were looking on these sites and identifying their targets through these social networking sites."
http://www.wmur.com/Police-Thieves-Robbed-Homes-Based-On-Facebook-Social-Media-Sites/11861116#ixzz2uH0y4OLj
Online Social Network (OSN) Information Privacy
• Employers, insurers, college admissions officers, et al. already screen applicants using OSNs
• Recent report from Novarica, a research group for the finance and insurance industries:
“We can now collect information on buying behaviors, geospatial and location information, social media and Internet usage, and more…Our electronic trails have been digitized, formatted, standardized, analyzed and modeled, and are up for sale. As intimidating as this may sound to the individual, it is a great opportunity for businesses to use this data.”
OSN Information Privacy
• Posts that got people fired
– Connor Riley: “Cisco just offered me a job! Now I have to weigh the utility of a [big] paycheck against the daily commute to San Jose and hating the work.”
– Tania Dickinson: compared her job at a New Zealand development agency to an “expensive paperweight”
– Virgin Atlantic flight attendants who mentioned engines replaced 4 times/year, cabins with cockroaches
OSN Information Privacy
• OSNs don’t exactly safeguard posted info…
Additionally, you grant LinkedIn a nonexclusive, irrevocable, worldwide, perpetual, unlimited, assignable, sublicenseable, fully paid up and royalty-free right to us to copy, prepare derivative works of, improve, distribute, publish, remove, retain, add, process, analyze, use and commercialize, in any way now known or in the future discovered, any information you provide, directly or indirectly to LinkedIn, including but not limited to any user generated content, ideas, concepts, techniques or data to the services, you submit to LinkedIn, without any further consent, notice and/or compensation to you or to any third parties. Any information you submit to us is at your own risk of loss.
“You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof. You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content.”
Facebook Privacy Policy
Facebook's own Terms of Use state: "By posting Member Content to any part of the Web site, you automatically grant, and you represent and warrant that you have the right to grant, to facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license to use, copy, perform, display, reformat, translate, excerpt and distribute such information and content and to prepare derivative works of, or incorporate into other works, such information and content, and to grant and authorise sublicenses of the foregoing”
And in its equally interesting privacy policy: "Facebook may also collect information about you from other sources, such as newspapers, blogs, instant messaging services, and other users of the Facebook service through the operation of the service (eg. photo tags) in order to provide you with more useful information and a more personalised experience. By using Facebook, you are consenting to have your personal data transferred to and processed in the United States."
OSN Security Threats/Attacks
• Malware Distribution
OSN Malware Distribution
• Best-known example: Koobface
– Worm masquerading as Adobe Flash Player update
– Starting in 2009, OSN users enticed to watch “funny video”, then conned into “updating” Flash
– Koobface connected infected computers to a botnet, served ads for fake antivirus software
– Estimated 400,000–800,000 bots in 2010
– Facebook outed gang behind Koobface in Jan. 2012, bot server shut down
OSN Security Threats/Attacks
• Cyber harassment, stalking, etc.
OSN Stalking, Harassment, etc.
• Bullies, stalkers, etc. harass people via OSNs
– High-profile example: Megan Meier’s suicide
• 13-year-old Meier killed herself after chatting on MySpace with a 16-year-old boy who made degrading remarks
• The “boy” was a fake account set up by Lori Drew, mother of Meier’s ex-friend
• Drew found guilty of violating the Computer Fraud and Abuse Act in 2008; acquitted in 2009
• Most U.S. states have since criminalized cyber harassment, stalking, etc.
– OSNs (and their members) have played similar roles in mistreating people
OSN Threats
• Then, there is Social Networking Spam ...
Social networking spam in 2011
• 57% of social networking users report being hit by spam via the services
• That’s an increase of 70.6% from a year ago
OSN Malware Distribution
• Other third-party apps on OSNs like Facebook may contain malware (if not vetted)
– Which they typically are not
OSN Third Party Applications
• Games, quizzes, “cute” stuff
• Untested by Facebook – anyone can write one…
• No Terms and Conditions – either allow or deny
• Installation gives developers rights to look at your profile and overrides your privacy settings!
There’s a sucker born every minute. – P.T. Barnum
OSN Threats
• Shelf-life of your on-line Information is FOREVER!!!
OSN Information “Shelf Life”
• Common sense: it’s very difficult to delete information after it’s been posted online
• Indiscreet information can adversely affect college admissions, employment, insurance
• Twitter gave its entire archive to Library of Congress in 2010
Click-Jacking and Like-Jacking
• What is Clickjacking?
– Clickjacking occurs when a scam artist or other internet-based bad guy places an invisible button or other user interface element over top of a seemingly innocent web page button or interface element using a transparency layer (which you can't see)
Click-Jacking and Like-Jacking
• Innocent web page might have a button which reads:
• "Click here to see a video of a fluffy kitty being cute and adorable",
• But hidden on top of that button is an invisible button that is actually a link to something that you would not otherwise want to click on, such as a button that:
– Tricks you into changing privacy settings on your Facebook account
– Tricks you into "liking" something you wouldn't normally like
– Tricks you into adding yourself as a Twitter follower for someone who doesn't deserve you
– Tricks you into enabling something on your computer (such as a microphone or camera)
Click-Jacking and Like-Jacking
• What is Like-Jacking?
– "Likejacking" is a Facebook-specific version of an attack called "clickjacking."
– The purpose of the attack is to get you to click items on a webpage without your knowledge.
– Facebook attackers present a web page that actually has two layers. The back layer is designed with a Facebook "Like" button configured to follow your mouse cursor. The front layer shows whatever lure the victim is meant to be tricked by
– No matter where you click on the web page, you are actually clicking the Facebook Like button and further spreading the spam
http://www.sophos.com/en-us/security-news-trends/security-trends/what-is-likejacking.aspx
• A short video about this: http://www.webpronews.com/likejacking-scams-on-facebook-2012-04
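The two-layer trick described above only works if the target page can be loaded inside another site's invisible iframe, so the server-side defense is an anti-framing response header. The following is an added example, not from the lecture or from Sophos: a small JavaScript audit helper that reads a page's response headers and reports whether X-Frame-Options or a Content-Security-Policy frame-ancestors directive blocks framing. The sample header sets are constructed for illustration.

```javascript
// Added example (not from the lecture slides): decide whether a page's HTTP
// response headers stop it from being framed, which is what defeats
// clickjacking / likejacking overlays. Header names and values follow the
// real X-Frame-Options and CSP specs; the SAMPLES below are constructed.

// Pull the source list of a CSP "frame-ancestors" directive, or null if absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === "frame-ancestors") return parts.slice(1);
  }
  return null;
}

// Returns { protected: boolean, reason: string } for a header object.
function framingProtection(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // Browsers that understand CSP frame-ancestors ignore X-Frame-Options, so check it first.
  const sources = frameAncestors(h["content-security-policy"]);
  if (sources) {
    if (sources.includes("'none'")) return { protected: true, reason: "CSP frame-ancestors 'none'" };
    const allowsAny = sources.some((s) => s === "*" || s === "http:" || s === "https:");
    if (!allowsAny) return { protected: true, reason: "CSP frame-ancestors limits embedding to: " + sources.join(" ") };
    return { protected: false, reason: "CSP frame-ancestors allows any site to frame this page" };
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { protected: true, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN") return { protected: true, reason: "X-Frame-Options: SAMEORIGIN" };
  if (xfo.startsWith("ALLOW-FROM")) return { protected: false, reason: "ALLOW-FROM is obsolete and ignored by modern browsers" };
  return { protected: false, reason: "no anti-framing header; page can be loaded in an invisible iframe" };
}

// Constructed sample header sets, as a site owner might collect during an audit.
const SAMPLES = {
  unprotected: { "Content-Type": "text/html" },
  xfo: { "X-Frame-Options": "sameorigin" },
  csp: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
  cspOpen: { "Content-Security-Policy": "frame-ancestors *" },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  const v = framingProtection(headers);
  console.log(`${name}: ${v.protected ? "PROTECTED" : "FRAMEABLE"} (${v.reason})`);
}
```

On the client side, NoScript's ClearClick feature (mentioned in the defense slides) catches the same overlay trick when the site itself has not set these headers.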
Defense Measures
Personal Defense Measures
• Common sense measures
– Use strong, unique passwords
– Provide minimal personal information: avoid entering birthdate, address, SSN number etc.
– Review privacy settings, set them to “maximum privacy”
• “Friends of friends” includes far more people than “friends only”
– Exercise discretion about posted material:
• Pictures, videos, etc.
• Opinions on controversial issues
• Anything involving coworkers, bosses, classmates, professors
• Anything related to employer (unless authorized to do so)
– Be wary of 3rd party apps, ads,
Personal Defense Measures
• More advice ...
– “If it sounds too good to be true, it probably is”
– Use browser security tools for protection
• Anti-phishing filters (IE, Firefox)
• AdBlock/Do Not Track Plus
• NoScript add-on helps against click-jacking
– Personal reputation management
• Search for yourself online, look at the results…
• More on this next time .. look at privacy
– Extreme cases
• Cease using OSNs, delete accounts
• Contact law enforcement re. relentless online harassment
Summary
• Experts suggest,
– Internet Security model is flawed
– Made worse by User contributed content
– Human nature and trust in our friends and connections will always leave us vulnerable
– Try not to put anything too personal and incriminating on Social Networking sites
– Or, don't use them at all !!!!
References
1. J. Drömer and D. Kollberg, “The Koobface malware gang – exposed!”, 2012, http://nakedsecurity.sophos.com/koobface/
2. Wikipedia, https://en.wikipedia.org/wiki/Suicide_of_Megan_Meier
3. M. Schwartz, “The Trolls Among Us,” 3 Aug. 2008, https://www.nytimes.com/2008/08/03/magazine/03trolls-t.html?pagewanted=all
4. M. Raymond, “How Tweet It Is!: Library Acquires Entire Twitter Archive,” 14 Apr. 2010, http://blogs.loc.gov/loc/2010/04/how-tweet-it-is-library-acquires-entire-twitter-archive/
5. B. Borsboom, B. van Amstel, and F. Groeneveld, “Please Rob Me”, http://pleaserobme.com
6. D. Love, “13 People Who Got Fired for Tweeting,” 16 May 2011, http://www.businessinsider.com/twitter-fired-2011-5?op=1
7. C. Smith and C. Kanalley, “Fired Over Facebook: 13 Posts That Got People Canned,” http://www.huffingtonpost.com/2010/07/26/fired-over-facebook-posts_n_659170.html
8. https://twitter.com/BPglobalPR
9. http://curl.haxx.se/
10. http://jonathonhill.net/2012-05-18/unshorten-urls-with-php-and-curl/
11. http://www.securingsocialmedia.com/resources/
More References
• Sophos Report on Social Networking Threats
– http://www.sophos.com/en-us/security-news-trends/security-trends/social-networking-security-threats/facebook.aspx
End
New Assignment up on Assignments Page