Locking down Social Networking Vulnerabilities - PowerPoint PPT Presentation

About This Presentation

Title: Locking down Social Networking Vulnerabilities

Description: XSS, widgets and other bad programming threats. Extortion and bullying ... News Corporation's $580 million cash takeover of Myspace ...

Number of Views: 296
Avg rating: 3.0/5.0
Slides: 45
Provided by: hogb
Learn more at: https://www.cs.kent.edu

Transcript and Presenter's Notes

1
Security Issues in Social Networking
Based on:
  • Security issues in the future of social networking, ENISA Position Paper for W3C workshop on the future of social networking, by Giles Hogben, ENISA
  • Privacy and social network sites: Follow the money!, by Martin Pekarek, Ronald Leenes, TILT, Netherlands
  • Information Revelation and Privacy in Online Social Networks (The Facebook case), by Ralph Gross, Alessandro Acquisti, CMU, PA
Presenter: Moinul Zaber, Ph.D. Student, Dept. of CS, Kent State University
2
WHAT TODAY'S TALK IS ABOUT
  • Social Networking (SN) and its benefits
  • SN is an Identity Management System
  • But very much prone to vulnerabilities
  • Discussion will be on:
    • Some key security issues
    • Reasons behind these vulnerabilities
    • Attacking the vulnerabilities at the root

3
SOCIAL NETWORKING: WHAT'S THAT ALL ABOUT!
  • One can define his/her profile (interests, skills, etc.)
  • Define relations to other profiles (sometimes
    some access control may exist)
  • Interact with friends via IM, wall posts,
    blogs.

4
SOCIAL NETWORKING IS A GREAT WAY TO SOCIALIZE AND
TO STAY CONNECTED
  • SN has more privacy than a blog: one can
    restrict his/her data within one's network.
  • SN is an IDM tool.
  • Helps to discover like-minded individuals and
    business partners.
  • The biggest repository of personal images on the
    internet is Facebook (30 billion images; 14
    million new images are uploaded every day).
  • The largest number of personal profiles is held in
    SNSs.

5
SOCIAL NETWORKS BUSINESS BENEFITS
  • Increase interactivity
  • Exploit the value of relationships
  • Publicise and test results in trusted circles

6
IDENTITY MANAGEMENT SYSTEM
  • Storage of personal data
  • Tools for managing how data is viewed
  • Access control to personal data based on
    credentials.
  • Tools for finding out who has accessed personal
    data.

7
SOCIAL NETWORKING IS AN IDENTITY MANAGEMENT
SYSTEM.
Sensitive personal data can be there. Recognise these?
  (a) Racial or ethnic origin
  (b) Political opinions
  (c) Religious beliefs
  (e) Physical or mental health or condition
  (f) Sex life
8
TOOLS FOR ORGANISING THE PERSONAL DATA
9
(No Transcript)
10
TOOLS FOR MANAGING ACCESS BASED ON CREDENTIALS
11
(No Transcript)
12
SOCIAL NETWORKING IS AN IDENTITY MANAGEMENT
SYSTEM.
But FULL of Vulnerabilities
13
INAPPROPRIATE (AND OFTEN IRREVERSIBLE) DISCLOSURE
14
10 MINUTES SURFING OF MYSPACE - EXAMPLE
15
INAPPROPRIATE DISCLOSURE
16
We might think it's OK because only our own
network can see our profile data.
17
ACCESS CONTROL BASED ON CREDENTIALS?
18
LOW FRIENDING THRESHOLDS (POOR AUTHENTICATION)
19
(No Transcript)
20
WHO CAN SEE MY DATA?
  • Do we know the size of our audience?
  • Only everyone in the Kent network?
  • Only everyone who pays for a LinkedIn Pro
    account?
  • Only everyone in your email address book?
  • Only social network employees?
  • Only anyone who's willing to pay for behavioural
    advertising?
  • Only plastic green frogs?

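The slides on "only our own network can see our profile data", low friending thresholds and "who can see my data?" make one point: the effective audience of a profile is much larger than the poster imagines, and a single carelessly accepted friend request enlarges it further. The following is an added example, not code from the presentation or from any social network: it models a small constructed friendship graph and one constructed "network" membership list, computes the audience for the visibility settings `friends`, `friends_of_friends` and `network` (names assumed for this example), and shows how accepting one stranger changes the friends-of-friends audience.

```javascript
// Added example, not from the slides. The graph, the network membership and
// the setting names are constructed for this illustration.

// Undirected friendship graph as an adjacency map (constructed sample data).
// "alice" is the profile owner; "heidi" and her circle are strangers to her.
const FRIENDS = {
  alice: ["bob", "carol"],
  bob: ["alice", "dave", "erin"],
  carol: ["alice", "frank"],
  dave: ["bob"],
  erin: ["bob", "grace"],
  frank: ["carol"],
  grace: ["erin"],
  mallory: ["heidi"],
  heidi: ["mallory", "ivan", "judy"],
  ivan: ["heidi"],
  judy: ["heidi"],
};

// Everyone registered in the same "network" (e.g. a university network).
// Constructed membership list; in practice this is whoever has an address
// in the right domain, which the owner never sees.
const NETWORK_MEMBERS = Object.keys(FRIENDS);

// Breadth-first expansion to `hops` distance from `owner`, owner excluded.
function reachable(graph, owner, hops) {
  const seen = new Set([owner]);
  let frontier = [owner];
  for (let d = 0; d < hops; d++) {
    const next = [];
    for (const u of frontier) {
      for (const v of graph[u] || []) {
        if (!seen.has(v)) {
          seen.add(v);
          next.push(v);
        }
      }
    }
    frontier = next;
  }
  seen.delete(owner);
  return seen;
}

// Effective audience of a profile under a visibility setting.
function audience(graph, owner, setting, members = NETWORK_MEMBERS) {
  switch (setting) {
    case "friends":
      return reachable(graph, owner, 1);
    case "friends_of_friends":
      return reachable(graph, owner, 2);
    case "network":
      return new Set(members.filter((u) => u !== owner));
    default:
      throw new Error(`unknown visibility setting: ${setting}`);
  }
}

// Copy of the graph with one more (undirected) friendship: the owner
// accepted a request from someone she does not know.
function accept(graph, a, b) {
  const g = Object.fromEntries(
    Object.entries(graph).map(([k, v]) => [k, [...v]])
  );
  g[a].push(b);
  g[b].push(a);
  return g;
}

// Audience sizes before and after one low-threshold acceptance.
function report(owner = "alice", stranger = "heidi") {
  const after = accept(FRIENDS, owner, stranger);
  return {
    friends: audience(FRIENDS, owner, "friends").size,
    friendsOfFriends: audience(FRIENDS, owner, "friends_of_friends").size,
    network: audience(FRIENDS, owner, "network").size,
    friendsOfFriendsAfterAccept: audience(after, owner, "friends_of_friends").size,
  };
}

console.log(report());
```

With the constructed graph, `alice` thinks of two friends, but "friends of friends" already reaches five people and "network" reaches all ten other members; accepting one stranger nearly doubles the friends-of-friends audience to nine, because it imports that stranger's whole circle.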
21
Am I safe as I don't use my real name?
22
DATA MINING TOOLS
MyFaceID application will automatically process
your photos, find all faces, help you tag them
and let you search for similar people.
23
WHICH FORTUNATELY DON'T WORK VERY WELL
24
Then... I can delete my embarrassing
revelations, can't I?
25
Lock-in: the Hotel California effect.
"Social Networking is like the Hotel California.
You can check out, but you can never leave."
Nipon Das, to the New York Times
26
  • Caches
  • Internet archives
  • Deactivation of the account
  • Delete comments from other people's walls?

27
Aren't my privacy settings enough?
28
(No Transcript)
29
THE THREATS
  • SN-based spear phishing and corporate espionage
  • Profile-squatting/theft
  • Huge amounts of time wasted on corporate bills.
  • Global Security Systems estimates that SN costs
    UK corporations 8 billion Euro every year in lost
    productivity (Infosec 2008)

30
  • SN spam
  • XSS, widgets and other bad programming threats.
  • Extortion and bullying
  • SN aggregators: one password unlocks all

31
WHY DO THEY DO MORE DAMAGE?
  • The usual suspects (cross-site scripting, spam,
    social engineering, etc.) do more damage because:
    • SN gives away the relationships for free
    • SN is highly viral

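The threat list names "XSS, widgets and other bad programming threats", and the slide above explains why they hurt more on a social network: a post rendered in every friend's feed is a viral channel. The following is an added example, not code from the presentation or from any social network: a wall-post widget (names and sample post constructed for this illustration) that interpolates user text into HTML unescaped, beside the hardened version that escapes every untrusted value for the HTML context it lands in, plus a simple pre-storage check a moderation pipeline could use to flag posts that carry markup at all.

```javascript
// Added example, not from the slides. Widget functions, field names and the
// sample post are constructed for this illustration.

// Escape the characters that let text break out of an HTML text node or a
// quoted attribute value. Single quote is included so output is also safe
// inside single-quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable widget: trusts whatever the poster typed, in two contexts
// (an attribute value and element text).
function renderWallPostUnsafe(post) {
  return `<div class="post" data-author="${post.author}">${post.text}</div>`;
}

// Hardened widget: identical template, every untrusted value escaped.
function renderWallPostSafe(post) {
  return (
    `<div class="post" data-author="${escapeHtml(post.author)}">` +
    `${escapeHtml(post.text)}</div>`
  );
}

// Detection signal for stored posts: plain wall text should never contain a
// tag or an inline event-handler attribute. This flags suspicious input for
// review; it is not a substitute for output escaping.
function looksLikeMarkup(text) {
  return /<\s*\/?[a-z!]/i.test(text) || /\bon[a-z]+\s*=/i.test(text);
}

// Constructed sample post: the author field tries to close the attribute
// and add a handler, the body tries to inject a script element.
const SAMPLE_POST = {
  author: 'mallory" onmouseover="evil()',
  text: "Great party last night! <script>evil()</script>",
};

function demo(post = SAMPLE_POST) {
  return {
    unsafe: renderWallPostUnsafe(post),
    safe: renderWallPostSafe(post),
    flagged: looksLikeMarkup(post.text) || looksLikeMarkup(post.author),
  };
}

console.log(demo());
```

The unsafe rendering leaves a live `<script>` element in the body and a live `onmouseover` attribute on the div; the safe rendering turns both into inert text (`&lt;script&gt;`, `&quot; onmouseover=`). Escaping at output time is the control that actually removes the bug; the `looksLikeMarkup` check only helps operators notice that someone is probing the widget.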
32
WHY?
  • The value of the network (e.g. 15 billion US$ and
    counting) is:
    • Its personal data
    • Its ability to profile people for advertising
    • Its ability to spread information virally

33
  • Economic success is inversely proportional to
    the strength of privacy settings.

Speed of spread > Economic and Social Success
Privacy
34
SO WHAT COULD BE THE ALTERNATIVES?
  • Portable networks (checking out of the Hotel
    California and going to another one)
  • Portable access control and security.
  • Privacy and anonymity tools for social networks,
    including more sophisticated authentication and
    encryption.

35
(No Transcript)
36
WHAT ELSE?
  • Clear corporate policies on social network usage
    inside AND out of the office, e.g.:
    • Hours where SN usage is allowed, enforced by
      firewall.
    • Clearly define which corporate data is not
      permitted on social networks.
    • Recommend privacy settings to be used on networks.
    • Conduct awareness-raising campaigns.

37
WHAT ELSE?
  • Social networking as a trust infrastructure: we
    can use the network to
    • Authenticate people
    • Provide testimonials and recommendations
    • Provide a saleable trust architecture
  • Educating people on the risks is vital.

38
SUMMARY OF TYPES OF HARM
  1. Information-based harm: others could abuse the
     mobile phone number you listed in your profile.
  2. Information inequality: information about
     purchases and preferences can be used for
     marketing purposes without the SNS user being aware.
  3. Information injustice: a risqué photographic
     report of a party!
  4. Restriction of moral autonomy: SNS information
     effectively restricts people from presenting
     different faces in different contexts.

39
ATTACKER MODEL
  1. Other users: can harvest more or less personal
     information from the profile page of SNS members.
  2. Third parties: they have only minimal access
     and can only access publicly available data
     legitimately.
  3. Platform providers: the owners and operators
     of the SNS itself.

40
MOTIVATIONS
  1. Social: building social capital
  2. Monetary: information trade.
  • A few facts:
    • News Corporation's $580 million cash takeover of
      Myspace
    • Microsoft's $240 million payment for a 1.6 percent
      stake in Facebook, theoretically valuing the SNS
      provider at a staggering $15 billion.
    • Individuals disclose more information than they
      intend to (Norberg, Horne et al. 2007).
    • Any technique limiting the social aspects of SNSs is
      doomed to fail: users are simply not interested
      in them (Grimmelmann 2009).

41
RECOMMENDATIONS
  1. Restraining the monetary incentive to harvest
     information.
  2. A transfer of SNS use to non-commercial
     platforms.
  3. Open source! (such as Elgg)
  • Problem:
    SNS users have devoted time and energy to build
    their current profile on their favorite SNSs, and
    it will take them once again much effort to build
    a comparable profile on the new network.

42
DISCUSSION 1
  • Is it realistic to dream of portable social
    networks where the user owns and controls his own
    data? Are there insurmountable security problems
    with this idea?
  • What policies should be applied to mitigate
    threats from inside SNs?
  • How do we educate users to protect them from
    exposing themselves to threats on SNs?

43
DISCUSSION 2
  • What are the threats from third-party applications
    on SNs, and how can we address them?
  • What advice should we give to businesses about
    employee SN usage?
  • Can we imagine social networks where the social
    network provider does not see the data?

44
REFERENCES
  • Giles.hogben at thingy enisa.europa.eu
  • http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_social_networks.pdf, 2008
  • Security at the digital cocktail party: social
    networking meets IAM, Giles Hogben, European
    Network and Information Security Agency, 2008.
  • Privacy and Social Network Sites: Follow the
    Money!, Martin Pekarek, Ronald Leenes, TILT,
    Netherlands, Position Paper, W3C workshop, Jan
    2009.
  • Information Revelation and Privacy in Online
    Social Networks (The Facebook case), Ralph
    Gross, Alessandro Acquisti, CMU, PA.