Cscu module 11 security on social networking sites

Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.

1

Security on Social Networking Sites

Simplifying Security.

Module 11


2

SAN FRANCISCO — Social networks are "lucrative hot beds" for cyber scams as crooks endeavor to dupe members of online communities, according to a Microsoft security report released on Thursday.

"Phishing" attacks that use seemingly legitimate messages to trick people into clicking on booby‐trapped links, buying bogus software, or revealing information rocketed 1,200 percent at social networks last year, it said.

"We continue to see cyber criminals evolve attack methods such as a significant rise in social network phishing," Microsoft malware protection center manager Vinny Gullotto said in the Security Intelligence Report.

Phishing using social networking as a "lure" represented 84.5 percent of all such trickery in December as compared with 8.3 percent at the start of 2010, according to the report.

Microsoft analyzed data gathered from more than 600 million computer systems worldwide from July through December of last year for the semi‐annual study.

"The popularity of social networking sites has created new opportunities for cyber criminals to not only directly impact users, but also friends, colleagues and family through impersonation," the report said.

Cyber Scams Rife at Social Networks: Microsoft

http://www.physorg.com

May 12, 2011


3

Scenario: Identity Theft over Social Networking Sites

Alice wanted to show her friends how fun her trip to Bahamas was. She uploaded her photos of the trip in one of the social networking sites. She was shocked when one of her friends showed her a website that contained her photos in compromised positions. She realized that the photos from her Bahamas trip were morphed.

What options has she left unchecked while uploading the photos?


4

Module Objectives

Social Networking Sites

What is a Profile?

Top Social Networking Sites

Security Risks Involved in Social Networking Sites

Staying Safe on Facebook

Facebook: Security Tips

Staying Safe on MySpace

Security Measures

Social Networking Security Checklist

Social Networking Security Checklist for Parents and Teachers


5

Introduction to Social Networking

Sites

Social Networking Security Threats



Module Flow


6

Social Networking SitesSocial networking sites are web‐based services that allow users to build on‐line profiles, share information, pictures, blog entries, music clips, etc.

These sites allow users to create a list of other users with whom they can share information

It allows user to get themselves involved in discussion boards and hobby groups

It allow users to refer other potential users to businesses

MySpace (http://www.myspace.com) Facebook (http://www.facebook.com)


7

What is a Profile?Facebook Profile Profile is a collection of information that

defines or describes a user’s interests

The main profile page of a user of any social networking site introduces and describes the user

The information that a user may post on his/her profile includes:

Names/nicknames

Email addresses

Phone numbers

Photos, videos

Personal interests

Names of schools, sports teams, and friends http://www.sophos.com


8

Top Social Networking Sites

http://www.ebizmba.com

http://www.facebook.com

http://twitter.com

http://www.myspace.com

http://www.linkedin.com

http://www.ning.com

http://www.classmates.com

http://www.tagged.com

http://hi5.com

http://www.myyearbook.com

http://www.bebo.com

http://www.meetup.com

http://www.mylife.com

http://www.friendster.com

http://multiply.com

http://www.myheritage.com


9


Sites




Module Flow


10

Attacks on a Social Networking Sites

Security Risks Involved in Social Networking Sites

Cyberbullying

Identity Theft

Phishing Scams

Malware Attacks

Site Flaws

Objectionable Content

Overexposure

Contact with Predators

Contact Inappropriate Adults and Businesses


11

Cyberbullying refers to the abuse of technology to harass or threaten the Internet users

The information posted on social networking sites such as pictures, videos, comments, updates can be used to spread false rumors, threaten to reveal the information on the Internet, harass/blackmail the user, stalking the user, etc.

According to a research by the Pew Internet Project, 39% of social network users had been cyber‐bullied in some way, compared to 22% of online teens who do not use social networks

Cyberbullying


12

Identity TheftPeople often get carried away with posting information onto social networking sites

Left in the hands of cyber criminals, such information can be used to hack into an online services security questions, leading to identity theft

Attacker can also use the information to penetrate into the corporate network of a company of his/her target

Alternatively, the attacker may find the user’s name, browse through his/her social profile

He can then write an e‐mail based on the user’s interests bearing a malicious link or document

UserAttacker

Malicious email


13

Social networking sites contains user’s information like the email addresses, archived messages

This information can be used to customize email messages or fake websites designed such that the victims disclose usernames, passwords, credit card numbers, etc.

Phishing Scams

If a user clicks on the Update button, he/she is redirected to a Facebook look‐alike phishing site

Users are then asked to enter a password to complete the Update procedure


14

Malware Attacks Malware attacks are carried out

through social engineering as users are mostly misled into clicking on malicious links embedded within personal messages

Malicious software give attackers access to your profile and personal information

Malicious software may also send messages automatically to your "friends" list, instructing them to download the new application too

Another method of attack involves applications advertised on social networking sites, which appear genuine

However, some of these applications install malicious code or rogue antivirus software


15

Site FlawsThere have been instances when site flaws in the social networking sites allow the information of the users to be accessed, even though the privacy settings are set

Such information can include mother’s maiden name, often used as a security question in online and real‐life security checks

Social Networking Sites Flaws

Server‐side flaws

Cross‐site scriptingCross‐site request forgery


16

On many social networking communities, users post material that is not appropriate for children

This can include obscene, racist or violent text and images

Many community pages may contain material that is not appropriate for the children

The child may be involved in posting pictures of himself or herself or of friends that may be misused

Individuals with intention to exploit minors may create community pages pretending to be teens themselves

Objectionable Content Contact with PredatorsOverexposure

Social Networking Threats to Minors


17


Sites




Module Flow


18

Facebook Privacy Settings Facebook allows the users to set the privacy settings for:

Search

Friend requests

Messages

Friend List

Education and Work

Current city and Hometown

Likes, activities and other connections


19

Facebook Privacy Settings


20

Profile SettingsSet the profile settings as “Only my friends”‐By default, Facebook allows all of your networks and all of your friends to be able to view your profile

The users reveal personal information to potential identity thieves if they leave this option to default settings

Therefore, it is advised to allow your profile to be viewed by only friends


21

Privacy Settings for ApplicationsPrivacy settings for applications controls what information shared with websites and apps, including search engines

You can view your apps, remove any you don't want to use, or turn off platform completely

Everybody on Facebook can read the user notes, but it is advisable to limit visibility of notes to just friends


22

Settings to Block UsersThis settings lets you block people from interacting with you or seeing your information on Facebook

You can also specify friends you want to ignore app invites from, and see a list of the specific apps that you've blocked from accessing your information and contacting you


23

Recommended Actions for Facebook Search Settings

Allow anyone to see my public search listing

Allow my public search listing to be indexed by external search engines

See your picture

Send you a message

Poke you

Add you as a friend

View your friend list

Be careful

“No”

Be careful

“No”

“No”

Be careful

“No”

Option Recommended Action ReasonThe users should select the option “Yes” only if they want people they are familiar with to know that they are on Facebook

The user should not allow people who are not yet their friends to view their friend list

Be cautious before accepting anyone's friend request

By responding to the poke from an unknown user, the users will be allowing him/her to view their profile information for a period of time

If the users respond to a message sent by someone that they are not friends with, the unknown users will be able to view the user’s profile

Do not share pictures that may embarrass or that are personal

If enabled, it allows people using external search engines like Google, Yahoo and MSN to find the user on Facebook


24

Facebook: Security TipsFacebook: Security Tips

1. Adjust Facebook privacy settings to help protect identity

2. Think carefully about who is allowed to become a friend

3. Show "limited friends" a cut‐down version of the profile

Facebook allows its users to make people 'limited friends' who only have partial access to the user profile

This is useful if the users have connections who they do not feel comfortable sharing personal information with

4. Enable access to information only when necessary


25


Sites




Module Flow


26

Step 1: Go to “Account Settings”

Go to Account Settings Privacy

Do not check Online Now if you do not wish others to know when you log in

Check Show my birthday to my friends only if necessary

Do not check following options under applications: Do not allow my profile information to

be accessed by games and third party services I haven’t connected to option

Do not allow communications from games and third party services I haven’t connected to


27

Step 2: Check Settings for “Comments” and “Mail”

Go to Account Settings Comments and check Only Friends can add comments to my blog

Go to Account Settings Mail and check only people I know to receive emails from people you know


28

Step 3: Check Settings for “Friends Request” and “IM”

Go to Account Settings Friends Request

Check Require CAPTCHA [?] from users suspected of spamming and also check other options according to your choice

Go to Account Settings IM

Check Only My IM friends to appear only friends in the IM list


29

Step 4: Check Settings for Stream Settings

Go to Account Settings My published activities and check the proper option according to your choice

Go to Account Settings My Friends' Activities and check the proper option according to your choice


30

Step 5: Settings for Block Users By Age

Do not check Allow users under 18 to contact me

Checking this option would allow all the fake users who pretend to be Under 18access to the account

To deny any unauthorized access to the profile: Block the user by adding their profile URL to the Blocked users list


31

Module Summary

Social networking sites allow users to build online profiles, share information, pictures, blog entries, music clips, etc.

The main profile page of a user of a social networking site introduces and describes the user

Cyberbullying is the process of using technology to harass or bully someone

Social networking sites contain the user’s information like email addresses, archived messages that can be used to customize email messages, or fake websites

Malware attacks are carried out through social engineering as users are mostly misled into clicking malicious links embedded within personal messages

Set appropriate privacy and security defaults and choose a complex/unique password for the account


32

Read the privacy policy and terms of service carefully

Do not post anything personal on the social networking site

Set appropriate privacy and security defaults to make your profile private

Choose a complex/unique password for the account

Be careful about what is posted on the Internet

Be careful installing third‐party applications

Only accept friend requests from people you know

Only share limited personal information



33

Do not use common verification such as your date of birth or your mother's maiden name

Be aware of the intentions of anyone you meet on these sites

Restrict the access of personal videos on social networking sites to friends

Apply privacy settings so that only friends can view your profile information

Disable the comments to prevent cyber bullying

Do not click suspicious links to prevent malicious attacks

Update the computer with the latest antivirus and other system security software

Never install codecs when a site prompts you to do so



34

Read the privacy policies of the sites before allowing children to use them

Consider keeping the computer in a family room rather than the child’s bedroom

Instruct children to never respond to messages that are suggestive, obscene, belligerent, threatening, or make them feel uncomfortable

Be open with kids; encourage and instruct them to seek permission before providing any details on social networking sites

Create your own account on the social network and spend some time on the network's site to familiarize with social networking media

Create a cheat sheet with your child's password, a list of his/her approved friends, and rules for how your child operates

Know children's passwords, screen names, and account information; this will help in monitoring their activities

Instruct your child to add people to their "friends" list only if they know them in real life

Social Networking Security Checklist for Parents and Teachers

Documents

Cscu module 11 security on social networking sites