How to Build Your #SocialMedia #Defense #Armour? Issam Al-Dalati - Senior IT Security Engineer, M.A.Sc., CISSP



Outline

- Social Media Today
- Social Network Types
- Common Attacks/Threats
- Vulnerabilities
- Counter Measures
- Conclusion


Social Media Today

- Social media is the #1 activity on the Internet.
- 72% of Internet users are now active on social media.
- 22% of the world population has a social online identity presence [1].

- 1.11 billion+ users
- 200 million+ users
- 225 million+ users


Social Media Security

- A recent study by Gartner group found that 60% of social media users haven’t changed their default security settings [1].
- 40% of social media users disclosed information about their home address, hometown, birth date and high school, which can be used in identity theft crimes [1].


Social Network Types

Personal Networks: Friendships, Age, Interests, Educational background, Employment, Private Photos, Private Videos.

Location Networks: In Real Time

Content Sharing Networks: Public Music, Public Photos, Public Videos


Social Network Types

Shared Interest Networks: Similar hobbies, educational backgrounds, political affiliations, ethnic backgrounds, religious views

Status Update Networks: Feelings, Emotions, News, Rumors, Information


Common Social Media Attacks/Threats

Malware Distribution
• Leads to financial fraud
• Abuse of users' systems
• Data leakage

Best-known example: Koobface [2]
• Originally spread by Facebook “friends” messages
• To watch a “funny video”, you need to install an Adobe update
• Compromised computers to build P2P botnets
• Hijacked search queries to display advertisements
• Installed additional pay-per-install malware
• Sold scareware (fake anti-virus)
• Over $2 million in revenue (June 2009 to June 2010)
• Shut down by Facebook in Jan. 2012


Common Social Media Attacks/Threats

Cyber Bullying or Harassment
• A 13-year-old girl killed herself in 2008 after chatting on MySpace [3]
• A 16-year-old boy made degrading remarks
• The “boy” was a fake account set up by the mother of the girl’s ex-friend
• Most U.S. states have since criminalized cyber harassment, stalking, etc.


Common Social Media Attacks/Threats

Spear Phishing attack
- Selected few targets / single target
- Identity theft
- Gather intelligence and intellectual property
- Custom hacking tools
- Zero-day exploits
- Synchronized
- 91% of cyber attacks [4]


Common Social Media Attacks/Threats

- Presented at RSA Europe Security Conference in Amsterdam in 2013 [5]
- Penetrated a US government agency in 2012

1. Created a young female Facebook & LinkedIn profile named Emily Williams
2. Posted as a new hire at the targeted organization
3. Became “Friends” with young male employees
4. Observed discussions and gathered stories
5. Started asking innocent questions about more sensitive info
6. Sent malicious holiday e-cards

- First 15 hours:
  - 60 Facebook connections
  - 55 LinkedIn connections
- After 24 hours:
  - 3 job interview offers
- Received a work laptop
- Received network access
- Obtained passwords
- Installed applications
- Stole sensitive documents

[Diagram labels: Employee1, Employee2, Employee3, Organization ABC]


Social Media Vulnerabilities

Location Tracking:
• Apps transmit the smartphone's location.
• Geo-tagging photos.

How?
• Cell tower identification: ~100 meters
• Global Positioning System (GPS): ~20 meters
• Wi-Fi triangulation: ~200 meters
• IP address approximation: ~metro area


Social Media Vulnerabilities

Mental Health:
- Stalkers
- Stress!
  - Post/share things to improve your image
  - Relationship drama
  - Always Plugged-in Addiction (Study by Anxiety UK) [6]


Social Media Vulnerabilities

- The more YOU share the more YOU are vulnerable


Social Media Vulnerabilities

Communication Patterns Thinking Health Beliefs Group Behaviour Personality

• Voting Trends
• Buying Trends
• Interests & Health Concerns


Social Media Vulnerabilities

- In a 2010 study by Ben-Gurion University, researchers described a new intelligent, stealthy type of attack called Stealing Reality [7].
- It feeds on social communication patterns to predict future natural patterns, so that it can achieve its targeted goal slowly and without detection.
- It is based on the user’s life behaviour patterns, which rely on the user's existing trusted network and daily behaviours.


Security Starts From Within

Home

Work

City

Nation


Social Media Counter Measures

Improved Authentication
- More than 2 million social media passwords have been leaked online, according to a report by Trustwave in 2013 [8]

- Don’t stay logged on
- Avoid using personal information
- Different passwords for each account
- One base password and unique pattern
- Write and lock them down
- The longer the better (more than 7 characters)
- Change every few months
- Two-factor authentication


Social Media Counter Measures

Account Border Control
- Don’t accept connections that you don’t know
- A friend of a friend is NOT a friend
- Categorize your connections
- Limit your circle of trust
- Keep your friends list private
- Block scanning of your email address book


Social Media Counter Measures

Develop Your Social Data Leakage Prevention Technique

- Exercise discretion about:
  - Photos/Videos shared
  - Opinions on controversial issues
  - Anything involving coworkers, employers, teachers
- Review your posts before submitting
- Review and delete old posts
- Don’t post when you are happy or angry
- Be careful clicking away (Too Good to be True)


Social Media Counter Measures

Force SSL Any Way Possible
- Use https in URL
- Use tool (Chrome/Firefox)

Disable Location Tracking
- Disable through browsers [9]
- Disable through operating system [9]
- Disable GPS/Wi-Fi
- Disable feature on apps

Remove Apps/Extensions
- Only install ones you can't live without
- Trusted sources


Social Media Counter Measures

Limit Appearance in Search and Advertisements
- Over 1300 tracking companies run 2800 scripts to deliver advertisements using users' online activity [10]
- Opt out of Ads
- Enhanced Security Settings
- Block banners, pop-up and rollover ads. By using (Firefox/Chrome)


Social Media Counter Measures

Block and Clear your Cookies

1) First Party Cookies by legitimate websites
2) Third Party Cookies sold and sent to online marketers.
3) Flash Cookies: uses Adobe Flash

Delete cookies manually in all used web browsers [11].

- Clears cookies automatically
- Scans for trackers
- Blocks tracking
- Blocks third party tracking
- Deletes flash cookies
- Firefox extension


Social Media Counter Measures

Monitor your Social Online Presence

- Use Google Alerts for your name search
- Install ESET social media scanner:
  - scans your wall, newsfeed and private messages
  - scans your friends
- Ensure you have active antivirus on all devices
- Malicious URL detection
- Anti-phishing


Social Media Counter Measures

Secure your Family Social Online Presence

- Review their security settings
- Tools to help monitor social media activity in a home network [12]

Stay Updated!
- http://www.welivesecurity.com/
- http://www.facecrooks.com/


Conclusion

- Future is NOT Friendly. Be Careful!
- Your social media junk might be someone else’s treasure
- Strengthen security from within


References

[1] http://www.jeffbullas.com/2014/01/17/20-social-media-facts-and-statistics-you-should-know-in-2014/

[2] J. Drömer and D. Kollberg, “The Koobface malware gang – exposed!”, 2012, http://nakedsecurity.sophos.com/koobface/

[3] Wikipedia, https://en.wikipedia.org/wiki/Suicide_of_Megan_Meier

[4] http://www.firmex.com/blog/spear-phishing-whos-getting-caught/

[5] http://www.itworld.com/security/380874/fake-social-media-id-duped-security-aware-it-guys

[6] http://www.huffingtonpost.com/2012/07/10/social-media-anxiety_n_1662224.html

[7] Yaniv Altshuler, Nadav Aharony, Yuval Elovici, Alex Pentland, Manuel Cebrian. Stealing Reality. arXiv, 2010

[8] http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-pony.html?utm_source=dlvr.it&utm_medium=twitter

[9] http://www.reputation.com/reputationwatch/how-disable-internet-tracking-location


[10] http://www.itworld.com/it-management/349218/web-trackers-are-completely-out-control

[11] http://www.pcworld.com/article/242939/how_to_delete_cookies.html

[12] http://facebook-parental-controls-review.toptenreviews.com/

[13] M. Kosinski, D. Stillwell, T. Graepel. Private traits and attributes are predictable from digital records of human behavior. Proceedings of the National Academy of Sciences (PNAS), 2013.

[14] http://psychcentral.com/news/2014/02/14/using-social-media-as-new-tool-to-explain-human-behavior/65880.html


Questions?