Social Networking Security - PowerPoint PPT Presentation

1
Social Networking Security
  • Adam C. Champion and Dong Xuan
  • CSE 4471 Information Security

2
Outline
  • Overview of Social Networking
  • On-line Social Networking
  • Mobile Social Networking
  • Threats and Attacks
  • Defense Measures

3
Online Social Networking (OSN)
  • Online Web services enabling people to connect
    with each other, share information
  • Common friends, interests, personal info,
  • Post photos, videos, etc. for others to see
  • Communicate via email, instant message, etc.
  • Major OSN services: Facebook, Twitter, MySpace,
    LinkedIn, etc.

4
Giving people the power to share and make the
world more open and connected.
6
OSN Popularity
  • Over 900 million Facebook users worldwide [6]
  • Over 150 million in U.S. [5]
  • Over 450 million access via mobile [6]
  • 300 million pictures uploaded to Facebook daily
    [6]
  • Over 140 million Twitter users; over 340 million
    Tweets sent daily [7]
  • Over 175 million LinkedIn members in over 200
    countries [8]

7
Benefits of OSN Communication
  • Vast majority of college students use OSNs
  • Organizations want to market products, services,
    etc. to this demographic
  • OSNs can help them reach these potential buyers
  • OSNs provide communal forum for expression (self,
    group, mass), collaboration, etc.
  • Connect with old friends, find new friends and
    connect
  • Play games with friends, e.g., Mafia Wars,
    Scrabulous
  • Commerce in virtual items
  • But using OSNs poses security issues for orgs as
    well as individuals

8
Mobile Social Networking
  • E-SmallTalker
  • E-Shadow

9
Application Scenario: Conference
10
Small Talk
  • People come into contact opportunistically
  • Face-to-face interaction
  • Crucial to people's social networking
  • Immediate non-verbal communication
  • Helps people get to know each other
  • Provides the best opportunity to expand social
    network
  • Small talk is an important social lubricant
  • Difficult to identify significant topics
  • Superficial

11
A Naive Approach of Smartphone-based Small Talk
  • Store all users' information, including each
    user's full contact list
  • User reports either his own geo-location or a
    collection of phone IDs in his physical proximity
    to the server, using an Internet connection or SMS
  • Server performs profile matching, finds out small
    talk topics (mutual contact, common interests,
    etc.)
  • Results are pushed to or retrieved by users

12
However
  • Requires costly data services (phone's Internet
    connection, SMS)
  • Requires reporting and storing sensitive personal
    information with a 3rd party
  • Trusted server may not exist
  • Server is a bottleneck, single point of failure,
    target of attack

13
E-SmallTalker: A Fully Distributed Approach
  • No Internet connection required
  • No trusted 3rd party
  • No centralized server
  • Information stored locally on mobile phones
  • Original personal data never leaves a user's
    phone
  • Communication only happens in physical proximity

14
E-Shadow
  • Enhanced E-SmallTalker
  • Local profiles
  • Mobile phone based local social interaction tools
  • E-Shadow publishing
  • E-Shadow localization

15
Outline
  • Overview of Social Networking
  • Threats and Attacks
  • Defense Measures

16
OSN Security Threats/Attacks
  • Malware distribution
  • Cyber harassment, stalking, etc.
  • Information shelf life in cyberspace
  • Privacy issues
  • Information about person posted by him/herself,
    others
  • Information about people collected by OSNs
  • Information posted on OSNs impacts unemployment,
    insurance, etc.
  • Organizations' concerns: brand, laws, regulations

17
MSN Security Threat/Attacks
  • Personal information leakage
  • Particularly dangerous because of physical
    proximity
  • Malware distribution

18
Outline
  • Overview of Social Networking
  • Threats and Attacks
  • Defense Measures

19
Common Sense Measures (1)
  • Use strong, unique passwords
  • Provide minimal personal information: avoid
    entering birthdate, address, etc.
  • Review privacy settings, set them to maximum
    privacy
  • "Friends of friends" includes far more people
    than "friends only"
  • Exercise discretion about posted material
  • Pictures, videos, etc.
  • Opinions on controversial issues
  • Anything involving coworkers, bosses, classmates,
    professors
  • Anything related to employer (unless authorized
    to do so)
  • Be wary of 3rd party apps, ads, etc. (P.T.
    Barnum's quote)
  • Supervise children's OSN activity

20
Common Sense Measures (2)
  • If it sounds too good to be true, it probably
    is
  • Use browser security tools for protection
  • Anti-phishing filters (IE, Firefox)
  • Web of Trust (crowdsourced website trust)
  • AdBlock/NoScript/Do Not Track Plus
  • Personal reputation management
  • Search for yourself online, look at the results
  • Google Alerts: emails sent daily to you about
    results for any search query (free), e.g., your
    name
  • Extreme cases
  • Cease using OSNs, delete accounts
  • Contact law enforcement re. relentless online
    harassment

21
E-SmallTalker: Privacy-Preserved Information
Exchange
  • Example of Alice's Bloom filter
  • Alice has multiple contacts, such as Bob, Tom,
    etc.
  • Encode contact strings,
    Firstname.lastname@phone_number, such as
    Bob.Johnson@5555555555 and Tom.Mattix@6141234567
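
The Bloom-filter exchange on this slide, sketched as an added example that is not code from the presentation or from E-SmallTalker itself. The filter size, hash count, SHA-256 double hashing, and the peer "Carol" with her contact list are assumptions made for illustration.

```python
import hashlib
import math

M_BITS = 1024   # filter size in bits (assumed; the slide gives no parameters)
K_HASHES = 4    # number of bit positions per item (assumed)

def encode_contact(first, last, phone):
    """Contact string in the slide's Firstname.lastname@phone_number form."""
    return f"{first}.{last}@{phone}"

def bit_positions(item, m=M_BITS, k=K_HASHES):
    """Derive k positions from one SHA-256 digest by double hashing."""
    digest = hashlib.sha256(item.encode("utf-8")).digest()
    h1 = int.from_bytes(digest[:8], "big")
    h2 = int.from_bytes(digest[8:16], "big") | 1   # odd step size
    return [(h1 + i * h2) % m for i in range(k)]

def build_filter(contacts, m=M_BITS, k=K_HASHES):
    """Return the filter as an integer bitmap; only this leaves the phone."""
    bits = 0
    for contact in contacts:
        for pos in bit_positions(contact, m, k):
            bits |= 1 << pos
    return bits

def maybe_contains(bits, item, m=M_BITS, k=K_HASHES):
    """True means 'possibly present'; False means 'definitely absent'."""
    return all((bits >> pos) & 1 for pos in bit_positions(item, m, k))

def candidate_mutual_contacts(peer_filter, my_contacts, m=M_BITS, k=K_HASHES):
    """Test my own contacts locally against the filter a nearby peer sent."""
    return [c for c in my_contacts if maybe_contains(peer_filter, c, m, k)]

def false_positive_rate(n, m=M_BITS, k=K_HASHES):
    """Standard estimate (1 - e^(-kn/m))^k for n items inserted."""
    return (1 - math.exp(-k * n / m)) ** k

# Alice's contacts are the two named on the slide.
ALICE_CONTACTS = [encode_contact("Bob", "Johnson", "5555555555"),
                  encode_contact("Tom", "Mattix", "6141234567")]
# Constructed peer: Carol shares Tom with Alice; Eve.Adams is made up.
CAROL_CONTACTS = [encode_contact("Tom", "Mattix", "6141234567"),
                  encode_contact("Eve", "Adams", "5550100000")]

ALICE_FILTER = build_filter(ALICE_CONTACTS)
MUTUAL = candidate_mutual_contacts(ALICE_FILTER, CAROL_CONTACTS)

if __name__ == "__main__":
    print("candidate small-talk topics:", MUTUAL)
    print("estimated false-positive rate:", false_positive_rate(len(ALICE_CONTACTS)))
```

A hit is only a candidate: a Bloom filter can report a contact that was never inserted, and the chance grows as the filter fills, which `false_positive_rate` estimates.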

22
E-Shadow: Layered Publishing
  • Spatial Layering
  • WiFi SSID: at least 40-50 meters, 32 Bytes
  • Bluetooth Device (BTD) Name: 20 meters, 2k Bytes
  • Bluetooth Service (BTS) Name: 10 meters, 1k Bytes
  • Temporal Layering
  • For people being together long or repeatedly
  • Erasure Code

23
Final Remarks
  • On-line social networking systems are very
    popular and mobile social networking systems are
    emerging
  • Malware distribution and personal information
    leakage are the two most prominent threats and
    attacks
  • Personal countermeasures are most effective

24
References (1)
  1. G. Bahadur, J. Inasi, and A. de Carvalho,
    Securing the Clicks: Network Security in the Age
    of Social Media, McGraw-Hill, New York, 2012.
  2. H. Townsend, 4 Jun. 2010,
    http://www.k-state.edu/its/security/training/roundtables/presentations/SIRT_roundtable-RisksofSocialNetworking-Jun10.ppt
  3. U.S. Dept. of State, Social Networking Cyber
    Security Awareness Briefing,
    http://www.slideshare.net/DepartmentofDefense/social-media-cyber-security-awareness-briefing
  4. National Security Agency, Social Networking
    Sites,
    http://www.nsa.gov/ia/_files/factsheets/I73-021R-2009.pdf
  5. Consumer Reports, Jun. 2012,
    http://www.consumerreports.org/cro/magazine/2012/06/facebook-your-privacy/index.htm
  6. S. Sengupta, 14 May 2012,
    http://www.nytimes.com/2012/05/15/technology/facebook-needs-to-turn-data-trove-into-investor-gold.html?_r1pagewantedall
  7. T. Wasserman, 21 Mar. 2012,
    http://mashable.com/2012/03/21/twitter-has-140-million-users/
  8. LinkedIn Corp., 2012,
    http://press.linkedin.com/about
  9. R. Richmond, Web Gang Operating in the Open, 16
    Jan. 2012,
    https://www.nytimes.com/2012/01/17/technology/koobface-gang-that-used-facebook-to-spread-worm-operates-in-the-open.html?_r1

25
References (2)
  1. J. Drömer and D. Kollberg, The Koobface malware
    gang exposed!, 2012,
    http://nakedsecurity.sophos.com/koobface/
  2. Wikipedia,
    https://en.wikipedia.org/wiki/Suicide_of_Megan_Meier
  3. M. Schwartz, The Trolls Among Us, 3 Aug. 2008,
    https://www.nytimes.com/2008/08/03/magazine/03trolls-t.html?pagewantedall
  4. M. Raymond, How Tweet It Is! Library Acquires
    Entire Twitter Archive, 14 Apr. 2010,
    http://blogs.loc.gov/loc/2010/04/how-tweet-it-is-library-acquires-entire-twitter-archive/
  5. B. Borsboom, B. van Amstel, and F. Groeneveld,
    Please Rob Me, http://pleaserobme.com
  6. D. Love, 13 People Who Got Fired for Tweeting,
    16 May 2011,
    http://www.businessinsider.com/twitter-fired-2011-5?op1
  7. C. Smith and C. Kanalley, Fired Over Facebook:
    13 Posts That Got People Canned,
    http://www.huffingtonpost.com/2010/07/26/fired-over-facebook-posts_n_659170.html
  8. https://twitter.com/BPglobalPR
  9. http://curl.haxx.se/
  10. http://jonathonhill.net/2012-05-18/unshorten-urls-with-php-and-curl/
  11. http://www.securingsocialmedia.com/resources/