Locking down Social Networking Vulnerabilities

1
Security Issues in Social Networking Based on
Security issues in the future of social
networking ENISA Position Paper for W3C workshop
on the future of social networking By- Giles
Hogben, ENISA Privacy and social network sites
Follow the money ! By- Martin Pekarek, Ronald
Leenes, TILT, Netherlands Information Revelation
and Privacy in Online Social Networks (The face
book case). By- Ralph Gross, Alessandro
Accquisti, CMU, PA. Presenter Moinul Zaber,
Ph.D Student, Dept.of CS, Kent State University
2
WHAT TODAYS TALK IS ABOUT

• Social Networking (SN) and its benefits
• SN is an Identity Management System
• But very much prone to vulnerabilities
• Discussion will be on
• Some key security issues
• Reasons behind these vulnerabilities
• Attacking the vulnerabilities at the root

3
SOCIAL NETWORKING WHATS THAT ALL ABOUT !

• One can define his/her
• profile (interests, skills, etc..)?
• Define relations to other profiles (sometimes
  some access control may exist)?
• Interact with Friends via IM, wall posts,
  blogs.

4
SOCIAL NETWORKING IS A GREAT WAY TO SOCIALIZE AND
TO STAY CONNECTED

• SN has More privacy than a blog one can
  restrict his/her data within ones network.
• SN is an IDM tool
• Helps to discover like-minded individuals and
  business partners.
• Biggest repository of personal images on the
  internet is Facebook ( 30 billion images, 14
  million new images are uploaded every day.)
• Largest number of personal profiles is held in
  SNSs.

5
SOCIAL NETWORKS BUSINESS BENEFITS

• Increase interactivity
• Exploit the value of relationships
• Publicise and test results in trusted circles

6
IDENTITY MANAGEMENT SYSTEM

• Storage of personal data
• Tools for managing how data is viewed
• Access control to personal data based on
  credentials.
• Tools for finding out who has accessed personal
  data.

7
SOCIAL NETWORKING IS AN IDENTITY MANAGEMENT
SYSTEM.
Sensitive Personal data can be there Recognise
these ? (a) Racial or ethnic origin (b)
Political opinions (c) Religious beliefs (e)
Physical or mental health or condition (f) Sex
life
8
TOOLS FOR ORGANISING THE PERSONAL DATA
9
(No Transcript)
10
TOOLS FOR MANAGING ACCESS BASED ON CREDENTIALS
11
(No Transcript)
12
SOCIAL NETWORKING IS AN IDENTITY MANAGEMENT
SYSTEM.
But FULL of Vulnerabilities
13
INAPPROPRIATE (AND OFTEN IRREVERSIBLE) DISCLOSURE
14
10 MINUTES SURFING OF MYSPACE - EXAMPLE
15
INAPPROPRIATE DISCLOSURE
16
We might think its OK because only our own
network can see our profile data
17
ACCESS CONTROL BASED ON CREDENTIALS?
18
LOW FRIENDING THRESHOLDS (POOR AUTHENTICATION)?
19
(No Transcript)
20
WHO CAN SEE MY DATA?

• Do we know the size of our audience.
• Only Everyone in the Kent Network?
• Only Everyone who pays for a LinkedIn Pro
  account?
• Only Everyone in your email address book?
• Only Social Network employees?
• Only anyone whos willing to pay for behavioural
  advertising?
• Only Plastic green frogs?

21
Am I safe as I dont use my real name?
22
DATA MINING TOOLS
MyFaceID application will automatically process
your photos, find all faces, help you tag them
and let you search for similar people.
23
WHICH FORTUNATELY DONT WORK VERY WELL
24
Then... I can delete my embarrassing
revelations, Cant I?
25
Lock-in the Hotel California effect.
Social Networking is like the Hotel California.
You can check out, but you can never leave
Nipon Das to the New York Times
26

• Caches
• Internet archives
• Deactivation of the account
• Delete comments from other peoples walls?

27
Isnt my privacy settings enough?
28
(No Transcript)
29
THE THREATS

• SN-based Spear phishing and corporate espionage
• Profile-squatting/theft
• Huge amounts of time wasted on corporate bills.
• Global Security Systems estimates that SN costs
  UK Corporations 8 billion Euro every year in lost
  productivity (infosec 2008)?

30

• SN Spam
• XSS, widgets and other bad programming threats.
• Extortion and bullying
• SN Aggregators one password unlocks all

31
WHY THEY DO MORE DAMAGE ?

• The usual-suspects (Cross-site scripting, SPAM,
  Social Engineering etc) do more damage because
• SN gives away the relationships for free
• SN is highly viral

32
WHY?

• The value of the network (e.g. 15 billion US and
  counting) is
• Its personal data
• Its ability to profile people for advertising
• Its ability to spread information virally

33

• Economic success is inversely proportional to
  strength of privacy settings.

Speed of spread gt Economic and Social Success
Privacy
34
SO WHAT COULD BE THE ALTERNATIVES

• Portable networks (checking out of the Hotel
  California and going to another one)?
• Portable access-control and security.
• Privacy and anonymity tools for social networks.
  Including more sophisticated authentication and
  encryption.

35
(No Transcript)
36
WHAT ELSE ?

• Clear corporate policies on social network usage
  inside AND out of the office. E.g.
• Hours where SN usage is allowed enforced by
  firewall.
• Clearly define which corporate data is not
  permitted on social networks.
• Recommend privacy settings to be used on networks
• Conduct awareness-raising campaigns

37
WHAT ELSE ?

• Social Networking as a trust infrastructure we
  can use the network to
• Authenticate people
• Provide testimonials and recommendations
• Provide a saleable trust architecture
• Educating people on the risks is vital.

38
SUMMARY OF TYPES OF HARM

• 1. Information based Harm others could abuse the
  mobile phone number you listed in your profile.
• 2. Information inequality information about
  purchases and preferences can be used for
  marketing purposes without SNS user being aware.
• 3. Information injustice risqué photographic
  report of a party!
• 4. Restriction of moral autonomy SNS information
  effectively restricts people from presenting
  different faces in different contexts.

39
ATTACKER MODEL

• 1. Other Users can harvest more or less personal
  information from the profile page of SSN members.
• 2. Third Parties They have only minimal access
  and can only access publicly available data
  legitimately.
• 3. Platform Providers The owners and operators
  of SNS itself.

40
MOTIVATIONS

• 1.Social building social capital
• 2. Monetary information trade.
• Few Facts
• News Corporations 580 million cash takeover of
  Myspace
• Microsofts 240 million payment for 1.6 percent
  stake in Facebook, theoretically valuing the SNS
  provider at a staggering 15 billion.
• Individuals disclose more information than they
  intend to (Norberg,Horne et al 2007),
• Any techniques limiting social aspects of SNSs is
  doomed to fail users are simply not interested
  in them. (Grimmelmann 2009).

41
RECOMMENDATIONS

• 1. Restraining the monetary incentive to harvest
  information use
• 2. A transfer of SNS use to non commercial
  platforms.
• 3. Open source ! ( such as Elgg )?
• Problem
• SNS users have devoted time and energy to build
  their current profile on their favorite SNSs, and
  it will take them once again much effort to build
  a comparable profile on the new network.

42
DISCUSSION 1

• Is it realistic to dream of portable social
  networks where the user owns and controls his own
  data? Are there insurmountable security problems
  with this idea?
• What policies should be applied to mitigate
  threats from inside SN's?
• How to educate users to protect them from
  exposing themselves to threats on SN's?

43
DISCUSSION 2

• What are the threats from 3rd party applications
  on SN's and how can we address them?
• What advice should we give to businesses about
  employee SN usage?
• Can we imagine social networks where the social
  network provider does not see the data?

44
REFERENCES

• Giles.hogben at thingy enisa.europa.eu
• http//www.enisa.europa.eu/doc/pdf/deliverables/en
  isa_pp_social_networks.pdf, 2008
• Security at the digital cocktail party social
  networking meets IAM, Giles Hogben European
  Network and Information Security Agency, 2008.
• Privacy and Social Network Sites Follow the
  Money!, Martin Pekarek, Ronald Leenes, TILT,
  Netherlands, Position Paper W3C workshop, Jan
  ,2009.
• Information Revelation and Privacy in Online
  Social Networks (The face book case). By- Ralph
  Gross, Alessandro Accquisti, CMU, PA.