Security Paper

Shante’ Stallings Confidentiality in Social Media 4/21/16

CONFIDENTIALITY IN SOCIAL MEDIA

EXECUTIVE SUMMARY

The purpose of this document is to inform others of how personal information can be gathered by using social media outlets. After researching heavily, I found that the use of social networks presented a number of potential threats.

The first threat is malware such as the Koobface worm, Zeus Trojan, and malicious browser extensions posed different risks that affected the user’s privacy. The Koobface worm had the ability to steal confidential information on the computer and intercept network traffic. The download of the worm is initiated through web links to mislead the user to download the worm. This problem not only affects the user but the entire network it is on as well. The Zeus Trojan targeted users to user their banking data. The attackers utilize Zeus to steal banking credentials and perform man in the browser attacks. Zeus is well known because it stole millions of dollars from several major companies. The malicious browser extensions can be downloaded from a link from a social media platform. With it installed on the user’s computer it can collect all data from the user’s browser which can include saved credentials for various websites. The 2nd threat is social engineering could be used on social media networks to imitate someone the victim knows in order to view data that only friends of that person can see. Another method is using a phishing method to send the victim to a website for them to log in using their credentials for the social media website. The 3rd threat is tracking. Social media networks such as Facebook and Google utilize Single Sign-On techniques to gather information about the user. Facebook relies on the user to never log out of Facebook. Google does the same but it has more resources that it can connect to in order to gather data.

After carefully researching I do believe that data on Social Media networks are not confidential and can compromise the computer’s integrity if not addressed.

INTRO

When we think of using social media we think of catching up with friends and sharing a piece life with them and the world. Myspace was one of the first known popular social networks that attracted youth and musicians but it was Facebook that brought youth and adults from various age groups along. Many businesses saw this as a great source of revenue but some viewed it as an opportunity to spy on others. Privacy is of grave importance now due to hackers but what we may not realize is how these people can get that private information and even more it’s not only hackers that can get personal information about you and your friends. Privacy in social media can be made public through malware, social engineering, and tracking.


MALWARE

Hackers, also known as the attacker, are known to have a lot of experience making things happen that shouldn’t. Hackers may work alone for their own need or they may be hired to do so (Osborne). In the past hackers have utilized methods that download an infection onto the victim’s computer. Here are a few examples where that has happened and the results of them.

KOOBFACE WORM

The Koobface worm was spread through a wide variety of social networks such as Facebook, Myspace, and Twitter and infected Windows, Mac OS, and Linux (Constantin). The worm is able to perform actions such as “steal confidential information and intercept internet traffic” (Chien and Shearer). Here is an example of a message that a victim could receive.

(Yonts)

After clicking on one of those links he victim could then be presented with a page to view a video or a payload site that will download the worm onto the victim’s computer (Yonts). While Koobface is stealing private info such as passwords it will have a process running on the computer called webserver.exe. It will assist in tricking the victim to attack other systems through CAPTCHA, it will manipulate proxy settings to send the victim to a click fraud site and it will have rogue software that will appear to be Windows security software. (Yonts)

ZEUS BANKING TROJAN

Zeus, also known as ZBot, is a Trojan horse malware package that can be executed on Windows computers. Zeus is capable for many malicious things but what it does best is steal banking information by using man in the browser and keystroke logging. Once a computer has been compromised with the Zeus Trojan the computer will wait until a financial purchase is made then it will send off the payment information to the attacker (Solutionary). It has


also been found that it can infect mobile devices to get around two factor authentication (Kaspersky). Here is an illustration of a man in the browser attack. Zeus has infected over 3.6 million computers and damages extend to unauthorized money transfers and changing of banking login information (Lawrence).

(How To Hack A Bank A/C - Zeus - "A Man In The Browser Attack")

MALICIOUS BROWSER EXTENSIONS

Similar to the Koobface worm there is another variant of malware that infects the browser through an extension downloaded onto Firefox and Chrome. A page will appear as if a video will play but it requires the user to download a plugin to be able to view it. After the plug-in is downloaded, the attackers “can access everything stored in the browser, including accounts with saved passwords. Many people commonly save e-mail, Facebook and Twitter login data in their browsers, so the attackers can masquerade as the victim and tap those accounts” (Goel).


These are only three instances where hackers can take advantage of social media to trick victims into giving away their personal banking information, their browsing history, passwords.

SOCIAL ENGINEERING

Many times when people think about having their information compromised they immediately point to the hackers yet sometimes all it takes is a little social engineering and this is where the non-technical can strive for to get what they want. Here are three ways they can go about doing that.

CREATE A FAKE PAGE

There are some motives when it comes to wanting to access a private social media page such as having a crush on someone, wanting to do a personal background check, or to ensure their spouse isn’t cheating on them. According to MakeUseOf it’s not that difficult to access a private page by creating a fake page. In short, here’s one way to do it. (Dube)


1. Find the person’s Facebook page that you’re interested in2. Click on view friends3. Look for a friend that you know are actually friends with the target and the profile

doesn’t have a photo. 4. Create a fake profile with the same name and information as their friend without the

photo5. Strategically send friend requests to 20 of their friends6. After the 20 have accepted send a friend request to the target

To make the page look more legitimate they may update the about section such as workplace. (wikiHow)

PHISHING

Phishing is a scan that works like this. Someone contacts you through some personal form communication like email or direct message. That was the case for over 250,000 Twitter users in 2013. A direct message was sent to victims that served as bait to get them to click on the link that person sent.


After clicking on the link the person is forwarded to a Twitter look-a-like page requesting the person to verify their account credentials and then shortly afterwards it would produce a message as if the page made a mistake. Later their account would begin to send spam messages on their Twitter account. What the victim doesn’t know if that when they typing in their credentials to verify their account it was sent off to some remote server for someone to use at their will. (Hamada)

(Hamada)

TRACKING

Have you ever done some shopping online and then when you go back to Facebook it starts to show ads of some of the items you were shopping for? This is what is called tracking and it is used to collect data on users to generate data for advertisers to use. Here are some of the ways social networks track their accounts.

FACEBOOK

Unlike some websites Facebook no loner uses cookies to track a user’s movements on the web but now it relies on the premise that the user will not log out of Facebook. This is using what is called Single Sign-On or SSO which means that even when the user closes all of the Facebook tabs and go to another website Facebook can still see your browsing because the Facebook session is still running in the background. (Reilly)

GOOGLE

Like Facebook, Google also does not utilize cookies and it uses SSO to gather data on it’s users to collect data for its own Adsense, AdMob, and DoubleClick. Though this is a similar schema as Facebook it covers a wider variety of tracking. Since Google has a vast amount of


free apps and utilities for its users the price to pay is that they’ll see what you do in order to make the ads fit the needs of the user. Some of those apps include “Youtube, Gmail, Voice, and Search” (Reilly) So if you wonder why when you open a Google app it asks you to log in, this is why.

CONCLUSION

After carefully researching I do believe that data on Social Media networks are not confidential. Social Media can be used to infect computers with software that can intercept your internet traffic, steal banking information to do unauthorized money transfers, and access everything stored in the browser such as accounts and passwords. Social Media can be utilized through social engineering where someone can mislead a user to accept their friend request where they can see private posts only meant for friends and scamming users to believe that you should enter your Twitter credentials on an illegitimate website. Social Media can be used to track user’s movements on Facebook through Single Sign-On where users browsing history is used to select ads to display while browsing Facebook and Google whom uses Single Sign-On gathers more information throughout it’s vast amount of apps. Because of the popularity of social media is penetrated more than most things online. For that reason, it’s history of privacy problems proves that even now social media does not equal confidentiality.


WORKS CITED

Chien, Eric and Jarrad Shearer. W32.Koobface. 8 Augusta 2012. 5 April 2016. <https://www.symantec.com/security_response/writeup.jsp?docid=2008-080315-0217-99>.

Constantin, Lucian. New Koobface Variant Infects Linux Systems. 28 October 2010. 12 April 2016. <http://news.softpedia.com/news/New-Koobface-Variant-Infects-Linux-too-163450.shtml>.

Cronto. Cronto Visual Cryptogram. 28 April 2008. 12 April 2016. <http://www.slideshare.net/cronto/cronto-visual-cryptogram>.

Dube, Ryan. How to View Private Facebook Profiles. 14 May 2009. 3 March 2016. <http://www.makeuseof.com/tag/how-to-view-private-facebook-profiles/>.

Goel, Vindu. Malicious Software Poses as Video From a Facebook Friend. 26 August 2013. 12 April 2016. <http://bits.blogs.nytimes.com/2013/08/26/malicious-software-poses-as-video-from-a-facebook-friend/?ref=technology>.

Hamada, Joji. Phishing: The Easy Way to Compromise Twitter Accounts. 2013 February 2013. 12 April 2016. <http://www.symantec.com/connect/blogs/phishing-easy-way-compromise-twitter-accounts>.

How To Hack A Bank A/C - Zeus - "A Man In The Browser Attack". 15 February 2012. 16 April 2016. <https://www.youtube.com/watch?v=USCHPIQB8_Y>.

Kaspersky. Kaspersky Labs. n.d. 12 April 2016. <https://usa.kaspersky.com/internet-security-center/threats/zeus-trojan-malware-threat#.VxghIBMrLGJ>.

Lawrence, Dune. The Hunt for the Financial Industry's Most-Wanted Hacker. 18 June 2015. 12 April 2016. <http://www.bloomberg.com/news/features/2015-06-18/the-hunt-for-the-financial-industry-s-most-wanted-hacker>.

Osborne, Charlie. Hackers for hire: Anonymous, quick, and not necessarily illegal. 16 January 2015. 15 April 2016. <http://www.zdnet.com/article/hackers-for-hire-anonymous-quick-and-not-necessarily-illegal/>.

Reilly, Richard Byrne. The cookie is dead. Here's how Facebook, Google, and Apple are tracking you now. 6 October 2014. 12 April 2016. <http://venturebeat.com/2014/10/06/the-cookie-is-dead-heres-how-facebook-google-and-apple-are-tracking-you-now/>.

Solutionary. Information Security: Hacking with the Zeus Trojan. 8 November 2013. 16 April 2016. <https://www.youtube.com/watch?v=QKWFAcDLLPw>.


wikiHow. How to Make a Fake Facebook Page Seem Real. n.d. 12 April 2016. <http://www.wikihow.com/Make-a-Fake-Facebook-Page-Seem-Real>.

Yonts, Joel. Malicious Social Networking: Koobface Worm. n.d. 2 April 2016. <http://www.sans.org/security-resources/malwarefaq/koobface-worm.php>.

Security Paper

Documents

Transcript of Security Paper