Title: Social Networking Security
1. Social Networking Security
- Adam C. Champion and Dong Xuan
- CSE 4471 Information Security
2. Outline
- Overview of Social Networking
- On-line Social Networking
- Mobile Social Networking
- Threats and Attacks
- Defense Measures
3. Online Social Networking (OSN)
- Online Web services enabling people to connect with each other and share information
  - Common friends, interests, personal info
  - Post photos, videos, etc. for others to see
  - Communicate via email, instant message, etc.
- Major OSN services: Facebook, Twitter, MySpace, LinkedIn, etc.
4. "Giving people the power to share and make the world more open and connected."
6. OSN Popularity
- Over 900 million Facebook users worldwide [6]
  - Over 150 million in U.S. [5]
  - Over 450 million access via mobile [6]
  - 300 million pictures uploaded to Facebook daily [6]
- Over 140 million Twitter users; over 340 million Tweets sent daily [7]
- Over 175 million LinkedIn members in over 200 countries [8]
7. Benefits of OSN Communication
- Vast majority of college students use OSNs
  - Organizations want to market products, services, etc. to this demographic
  - OSNs can help them reach these potential buyers
- OSNs provide a communal forum for expression (self, group, mass), collaboration, etc.
  - Connect with old friends, find new friends and connect
  - Play games with friends, e.g., Mafia Wars, Scrabulous
  - Commerce in virtual items
- But using OSNs poses security issues for orgs as well as individuals
8. Mobile Social Networking
9. Application Scenario: Conference
10. Small Talk
- People come into contact opportunistically
- Face-to-face interaction
  - Crucial to people's social networking
  - Immediate non-verbal communication
  - Helps people get to know each other
  - Provides the best opportunity to expand social network
- Small talk is an important social lubricant
  - Difficult to identify significant topics
  - Superficial
11. A Naive Approach to Smartphone-based Small Talk
- Store all users' information, including each user's full contact list
- Users report either their own geo-location or a collection of phone IDs in their physical proximity to the server, using an Internet connection or SMS
- Server performs profile matching and finds small talk topics (mutual contacts, common interests, etc.)
- Results are pushed to or retrieved by users
12. However...
- Requires costly data services (phone's Internet connection, SMS)
- Requires reporting and storing sensitive personal information with a 3rd party
- A trusted server may not exist
- Server is a bottleneck, single point of failure, and target of attack
13. E-SmallTalker: A Fully Distributed Approach
- No Internet connection required
- No trusted 3rd party
- No centralized server
- Information stored locally on mobile phones
- Original personal data never leaves a user's phone
- Communication only happens in physical proximity
14. E-Shadow
- Enhanced E-SmallTalker
- Local profiles
- Mobile-phone-based local social interaction tools
- E-Shadow publishing
- E-Shadow localization
15. Outline
- Overview of Social Networking
- Threats and Attacks
- Defense Measures
16. OSN Security Threats/Attacks
- Malware distribution
- Cyber harassment, stalking, etc.
- Information shelf life in cyberspace
- Privacy issues
  - Information about a person posted by him/herself or by others
  - Information about people collected by OSNs
  - Information posted on OSNs impacts unemployment, insurance, etc.
- Organizations' concerns: brand, laws, regulations
17. MSN Security Threats/Attacks
- Personal information leakage
  - Particularly dangerous because of physical proximity
- Malware distribution
18. Outline
- Overview of Social Networking
- Threats and Attacks
- Defense Measures
19. Common Sense Measures (1)
- Use strong, unique passwords
- Provide minimal personal information: avoid entering birthdate, address, etc.
- Review privacy settings, set them to maximum privacy
  - "Friends of friends" includes far more people than "friends only"
- Exercise discretion about posted material
  - Pictures, videos, etc.
  - Opinions on controversial issues
  - Anything involving coworkers, bosses, classmates, professors
  - Anything related to employer (unless authorized to do so)
- Be wary of 3rd-party apps, ads, etc. (P.T. Barnum's quote)
- Supervise children's OSN activity
20. Common Sense Measures (2)
- If it sounds too good to be true, it probably is
- Use browser security tools for protection
  - Anti-phishing filters (IE, Firefox)
  - Web of Trust (crowdsourced website trust)
  - AdBlock/NoScript/Do Not Track Plus
- Personal reputation management
  - Search for yourself online, look at the results
  - Google Alerts: emails sent daily to you about results for any search query (free), e.g., your name
- Extreme cases
  - Cease using OSNs, delete accounts
  - Contact law enforcement re. relentless online harassment
21. E-SmallTalker: Privacy-Preserved Information Exchange
- Example of Alice's Bloom filter
  - Alice has multiple contacts, such as Bob, Tom, etc.
  - Encode contact strings, Firstname.lastname_at_phone_number, such as Bob.Johnson_at_5555555555 and Tom.Mattix_at_6141234567
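As an added illustration (example code, not the authors' E-SmallTalker implementation) of the exchange this slide describes: Alice publishes only a Bloom filter built from her contact strings; Bob probes it with his own contacts and learns which are mutual, while the bit array itself cannot be enumerated to recover Alice's list and false positives give her deniability. The filter size, hash count, salted-SHA-256 hashing and the sample contacts are all assumptions made for this example.

```python
import hashlib
import math

# Constructed sample data (not from the slides), in the slide's
# Firstname.lastname_at_phone_number format.
ALICE_CONTACTS = [
    "Bob.Johnson_at_5555555555",
    "Tom.Mattix_at_6141234567",
    "Carol.Lee_at_6145550100",
]
BOB_CONTACTS = [
    "Tom.Mattix_at_6141234567",
    "Carol.Lee_at_6145550100",
    "Dave.Kim_at_6145550199",
]

class BloomFilter:
    """m-bit Bloom filter whose k positions come from index-salted SHA-256 (an assumption)."""

    def __init__(self, m_bits=1024, k_hashes=4, bits=None):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray(bits) if bits is not None else bytearray(m_bits // 8)

    def _positions(self, item):
        # k pseudo-independent bit positions: hash the item with the index as salt.
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item):
        # Membership is "possibly present": all k bits set; a miss is definite.
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(item))

def false_positive_rate(m_bits, k_hashes, n_items):
    """Textbook estimate (1 - e^(-kn/m))^k of the probability a non-contact matches."""
    return (1 - math.exp(-k_hashes * n_items / m_bits)) ** k_hashes

def publish_contacts(contacts, m_bits=1024, k_hashes=4):
    """Alice's side: only this bit array leaves her phone, never the contact strings."""
    bf = BloomFilter(m_bits, k_hashes)
    for contact in contacts:
        bf.add(contact)
    return bytes(bf.bits)

def find_mutual_contacts(received_bits, own_contacts, k_hashes=4):
    """Bob's side: probe Alice's filter with his own contacts; he learns nothing else."""
    bf = BloomFilter(len(received_bits) * 8, k_hashes, received_bits)
    return sorted(c for c in own_contacts if c in bf)
```

With 3 entries in a 1024-bit filter the expected false-positive rate is far below one in a million, so in this toy setting Bob's matches are almost certainly true mutual contacts; a deployment would size m and k to trade that accuracy against the deniability the slide's approach relies on.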
22. E-Shadow: Layered Publishing
- Spatial Layering
  - WiFi SSID: at least 40-50 meters, 32 Bytes
  - Bluetooth Device (BTD) Name: 20 meters, 2k Bytes
  - Bluetooth Service (BTS) Name: 10 meters, 1k Bytes
- Temporal Layering
  - For people being together long or repeatedly
  - Erasure Code
23. Final Remarks
- On-line social networking systems are very popular and mobile social networking systems are emerging
- Malware distribution and personal information leakage are the two most prominent threats and attacks
- Personal countermeasures are the most effective
24. References (1)
- [1] G. Bahadur, J. Inasi, and A. de Carvalho, Securing the Clicks: Network Security in the Age of Social Media, McGraw-Hill, New York, 2012.
- [2] H. Townsend, 4 Jun. 2010, http://www.k-state.edu/its/security/training/roundtables/presentations/SIRT_roundtable-RisksofSocialNetworking-Jun10.ppt
- [3] U.S. Dept. of State, Social Networking Cyber Security Awareness Briefing, http://www.slideshare.net/DepartmentofDefense/social-media-cyber-security-awareness-briefing
- [4] National Security Agency, Social Networking Sites, http://www.nsa.gov/ia/_files/factsheets/I73-021R-2009.pdf
- [5] Consumer Reports, Jun. 2012, http://www.consumerreports.org/cro/magazine/2012/06/facebook-your-privacy/index.htm
- [6] S. Sengupta, 14 May 2012, http://www.nytimes.com/2012/05/15/technology/facebook-needs-to-turn-data-trove-into-investor-gold.html?_r=1&pagewanted=all
- [7] T. Wasserman, 21 Mar. 2012, http://mashable.com/2012/03/21/twitter-has-140-million-users/
- [8] LinkedIn Corp., 2012, http://press.linkedin.com/about
- [9] R. Richmond, Web Gang Operating in the Open, 16 Jan. 2012, https://www.nytimes.com/2012/01/17/technology/koobface-gang-that-used-facebook-to-spread-worm-operates-in-the-open.html?_r=1
25. References (2)
- [10] J. Drömer and D. Kollberg, The Koobface malware gang exposed!, 2012, http://nakedsecurity.sophos.com/koobface/
- [11] Wikipedia, https://en.wikipedia.org/wiki/Suicide_of_Megan_Meier
- [12] M. Schwartz, The Trolls Among Us, 3 Aug. 2008, https://www.nytimes.com/2008/08/03/magazine/03trolls-t.html?pagewanted=all
- [13] M. Raymond, How Tweet It Is! Library Acquires Entire Twitter Archive, 14 Apr. 2010, http://blogs.loc.gov/loc/2010/04/how-tweet-it-is-library-acquires-entire-twitter-archive/
- [14] B. Borsboom, B. van Amstel, and F. Groeneveld, Please Rob Me, http://pleaserobme.com
- [15] D. Love, 13 People Who Got Fired for Tweeting, 16 May 2011, http://www.businessinsider.com/twitter-fired-2011-5?op=1
- [16] C. Smith and C. Kanalley, Fired Over Facebook: 13 Posts That Got People Canned, http://www.huffingtonpost.com/2010/07/26/fired-over-facebook-posts_n_659170.html
- [17] https://twitter.com/BPglobalPR
- [18] http://curl.haxx.se/
- [19] http://jonathonhill.net/2012-05-18/unshorten-urls-with-php-and-curl/
- [20] http://www.securingsocialmedia.com/resources/