Security Issues of Online Social Networking
Page 1

Hongyu Gao, Northwestern University
EECS450 class presentation
Adapted from slides of Harvard Townsend and Jessica Van Hattem

Page 2

Fan, Friend or Foe? The Risks of Social Networking
CHECK 2010, May 26, 2010
Sherry Callahan, CISSP, CISM, CISA
University of Kansas Medical Center

Page 3

• 2/3 of US households use social networks, twice as many as a year ago
• 98% of students at UNC use Facebook
• Facebook has over 400 million “active” users, half of whom log in on any given day, 100 million via their mobile device
• U.S. Facebook users 55 and older grew 922% in 2009 (now ~10 million)

Page 4

Social Networking Websites

• What are they?
• Tool for:
  • Communication
  • Expressing interests
  • etc.
• Interaction
• User-contribution
  • Users submit content for other users

Page 5

History

Early social networking websites:

1995 - classmates.com

focused on ties between former schoolmates

1997 – sixdegrees.com

focused on indirect ties

Page 6

History, cont’d

Modern social networking websites:

• 2002 – Friendster

• now mostly used in Asia

• 2003 – Myspace

• bought by News Corporation (parent company of Fox) in 2005

• most popular social networking site in 2006

Page 7

“Giving people the power to share and make the world more open and connected.”

Page 8

“Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick frequent answers to one simple question:

What are you doing?”

Page 9

“Your professional network of trusted contacts gives you an advantage in your career, and is one of your most valuable assets. LinkedIn exists to help you make better use of your professional network and help the people you trust in return.”

Page 10

“Delicious is a Social Bookmarking service, which means you can save all your bookmarks online, share them with other people, and see what other people are bookmarking.”

Page 11

Page 12

What Are The Security Risks?

• Spam, phishing, malware
• Privacy breach
• Network structural attack

Page 13

Spam, Phishing and Malware

• Spam:
  – Unsolicited messages to other users.
  – The method.
• Phishing and malware distribution:
  – The goal (or method?).
• Ultimate goal:
  – $$$

Page 14

Spam, Phishing and Malware

– Ads
– Wall posts, inbox or chat messages with malicious links from hijacked “Friends”
– CSRF
– “My wallet was stolen and I’m stuck in Rome. Send me cash now.”
– Spam email pretending to be from Facebook admins

Page 15

Oh no! URL Shorteners

• bit.ly, TinyUrl, ReadThisURL, NotLong
• Hides the true destination URL: you cannot tell where you are going until you click (unless you expand the link first, e.g. with the shortener's own preview feature, or by resolving the redirect chain without fetching the destination).

http://www.hacker.com/badsite?%20infect-your-pc.html is now

http://bit.ly/aaI9KV
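One way to find out where a shortened link really goes before clicking, as an added example that is not part of the slides: follow the Location headers hop by hop, without ever fetching a body, and stop on a loop or a hop limit. `fetch_headers` stands in for an HTTP request with automatic redirects disabled and is backed by a constructed response table so the code runs offline; the tinyurl and short.example entries are made up, only the bit.ly link is the one from the slide.

```python
"""Resolve a shortened URL's redirect chain without visiting the destination."""
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample responses: URL -> (HTTP status, Location header or None).
SAMPLE_RESPONSES = {
    "http://bit.ly/aaI9KV": (301, "http://tinyurl.com/abc123"),
    "http://tinyurl.com/abc123": (301, "/go?to=badsite"),          # relative Location
    "http://tinyurl.com/go?to=badsite": (302, "http://www.hacker.com/badsite?%20infect-your-pc.html"),
    "http://www.hacker.com/badsite?%20infect-your-pc.html": (200, None),
    "http://short.example/loop": (301, "http://short.example/loop"),
}


def fetch_headers(url):
    """Stand-in for a HEAD request with redirects disabled (assumption: real code
    would use urllib.request with a handler that refuses to follow redirects)."""
    return SAMPLE_RESPONSES.get(url, (404, None))


def expand_url(url, max_hops=10):
    """Follow Location headers manually and return (chain, why_stopped).

    why_stopped is "final" (a 2xx that is not a redirect), "loop", "error"
    or "hop_limit". No response body is ever fetched, so nothing hosted at
    the destination gets a chance to run.
    """
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch_headers(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)        # resolve a relative Location
            if url in chain:                    # shortener pointing at itself
                chain.append(url)
                return chain, "loop"
            chain.append(url)
        elif 200 <= status < 300:
            return chain, "final"
        else:
            return chain, "error"
    return chain, "hop_limit"


def host_of(url):
    return urlsplit(url).hostname


def destination_report(url):
    """Summary a client could show next to a shortened link before the user clicks."""
    chain, why = expand_url(url)
    return {"hops": len(chain) - 1, "final_host": host_of(chain[-1]), "stopped": why}


if __name__ == "__main__":
    for link in ("http://bit.ly/aaI9KV", "http://short.example/loop"):
        print(link, "->", destination_report(link))
```

The hop limit matters as much as the loop check: chained shorteners are a common way to defeat a one-level preview, and a chain that never terminates is itself a signal.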

Page 16

Malware Distribution

Page 17

Malware Distribution

• Koobface is the granddaddy of malware targeting Facebook; it continues to evolve and infect today:
  – Register and activate a Facebook account.
  – Join random Facebook groups, adding Facebook friends.
  – Post messages on friends’ walls that contain links to the Koobface loader component.

Page 18

Defenses

• Attack the carrier:
  – Spam message detection
• Don’t talk to strangers:
  – Sender reputation assessment
• Stop the exploit (CSRF):
  – Web security enhancement
• Don’t touch what you shouldn’t touch:
  – Malicious URL detection
• Be alerted! (send-me-money hoax):
  – Do not send money
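What “web security enhancement” against CSRF looks like on the server side, as an added example that is not from the slides: a state-changing request (posting to a wall, say) is accepted only when it arrives with a token the site itself embedded in its form, bound to the session, and from the site's own origin. Requests are plain dicts so the check runs offline; the hostname `social.example`, the session ids and the server key are constructed.

```python
"""Server-side CSRF check for a state-changing request."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)   # assumption: per-deployment secret held only by the server
SITE_HOST = "social.example"           # constructed hostname of the OSN
STATE_CHANGING = {"POST", "PUT", "DELETE"}


def csrf_token(session_id: str) -> str:
    """Synchronizer token: derived from the session, so a page on another site
    (which cannot read the victim's session cookie) cannot compute it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict) -> bool:
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False      # policy choice: a write with neither header is refused
    return urlsplit(origin).hostname == SITE_HOST


def authorize_write(request: dict):
    """Return (allowed, reason) for a request that would change state."""
    if request["method"] not in STATE_CHANGING:
        return False, "writes via GET are refused"   # a link in a wall post must not act for you
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return False, "no session"
    if not origin_allowed(request.get("headers", {})):
        return False, "cross-site origin"
    supplied = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), csrf_token(session_id).encode()):
        return False, "csrf token missing or wrong"
    return True, "ok"


def legitimate_post(session_id):
    """Constructed request as the site's own form would send it."""
    return {"method": "POST", "cookies": {"session": session_id},
            "headers": {"Origin": "https://social.example"},
            "form": {"csrf_token": csrf_token(session_id), "message": "hi"}}


def forged_post(session_id):
    """Constructed request from an attacker's page: the browser attaches the
    victim's cookie automatically, but the page cannot read the token and the
    browser reports the attacker's Origin."""
    return {"method": "POST", "cookies": {"session": session_id},
            "headers": {"Origin": "http://www.hacker.com"},
            "form": {"message": "Free iPad! http://bit.ly/aaI9KV"}}


if __name__ == "__main__":
    sid = "sess-1234"
    print(authorize_write(legitimate_post(sid)))
    print(authorize_write(forged_post(sid)))
```

The token is the primary control; the Origin/Referer check is defence in depth, and the decision to refuse writes that carry neither header is a policy choice (some privacy extensions strip Referer, but browsers always send Origin on cross-site POSTs).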

Page 19

What Are The Security Risks?

• Spam, phishing, malware
• Privacy breach
• Network structural attack

Page 20

Privacy Policy Protection? LOL

LinkedIn

“Additionally, you grant LinkedIn a nonexclusive, irrevocable, worldwide, perpetual, unlimited, assignable, sublicenseable, fully paid up and royalty-free right to us to copy, prepare derivative works of, improve, distribute, publish, remove, retain, add, process, analyze, use and commercialize, in any way now known or in the future discovered, any information you provide, directly or indirectly to LinkedIn, including but not limited to any user generated content, ideas, concepts, techniques or data to the services, you submit to LinkedIn, without any further consent, notice and/or compensation to you or to any third parties. Any information you submit to us is at your own risk of loss.”

Facebook

“You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof. You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content.”

Page 21

Take my stuff, please!

Page 22

Who’s peeking?

Page 23

Some Facts

• A study of Facebook users in the Carnegie Mellon University network (Gross et al.):
  – 90.8% uploaded images
  – 87.8% revealed birth dates
  – 39.9% shared phone numbers
  – 50.8% listed current addresses

Page 24

Breaches from Service Providers

• Root cause:
  – Client-server architecture
  – The OSN service provider is in a dominant position and can benefit from examining and sharing information
• Solution:
  – Users dictate fine-grained policies regarding who may view their information
  – Enforce the policy with encryption

Page 25

Defenses

• Persona, by Baden et al.
  – Use decentralized storage
• Lockr, by Tootoonchian et al.
  – Recipient needs to provide digitally signed social relationships as proof to fetch data
• Smart clients and an untrusted central server, by Anderson et al.
  – Server stores encrypted data
  – Client accesses user information only if the owner’s client mediates the access
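The “enforce the policy with encryption” idea from the previous slide, in the untrusted-server setting of this one, as an added example that is none of the cited systems' code: the owner decides which audience group may read each field, encrypts the field under that group's key, and the provider stores only ciphertext. Group keys are handed to friends directly here (an assumption standing in for real key distribution, e.g. under the friend's public key). The authenticated cipher is a toy built from HMAC-SHA256 (counter-mode keystream, encrypt-then-MAC) so the example runs on the standard library alone; a real system would use AES-GCM or another AEAD. Users, groups and fields are constructed.

```python
"""Owner-defined view policy enforced with encryption rather than by the server."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, purpose):
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Toy AEAD: nonce || ciphertext || tag (HMAC over nonce and ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class Server:
    """The OSN provider: stores blobs indexed by (owner, field), never sees a key."""
    def __init__(self):
        self.store = {}

    def put(self, owner, field, blob):
        self.store[(owner, field)] = blob

    def get(self, owner, field):
        return self.store[(owner, field)]


class Owner:
    """The owner's client: holds group keys and the field -> group policy."""
    def __init__(self, name, server):
        self.name, self.server = name, server
        self.group_keys = {}
        self.policy = {}

    def define_group(self, group):
        self.group_keys[group] = os.urandom(32)

    def share_key(self, group, friend_keyring):
        # assumption: stands in for out-of-band / public-key based key distribution
        friend_keyring[(self.name, group)] = self.group_keys[group]

    def publish(self, field, value, group):
        self.policy[field] = group
        self.server.put(self.name, field, seal(self.group_keys[group], value.encode()))


def view(server, keyring, owner, field):
    """A friend's client: try each key it holds for this owner; the MAC check
    rejects every key the field was not encrypted under. None means not allowed."""
    blob = server.get(owner, field)
    for (who, _group), key in keyring.items():
        if who != owner:
            continue
        try:
            return unseal(key, blob).decode()
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    server, bob_keys = Server(), {}
    alice = Owner("alice", server)
    alice.define_group("friends")
    alice.define_group("close_friends")
    alice.share_key("friends", bob_keys)
    alice.publish("birthday", "1990-05-26", "friends")
    alice.publish("phone", "555-0100", "close_friends")
    print("bob sees birthday:", view(server, bob_keys, "alice", "birthday"))
    print("bob sees phone:", view(server, bob_keys, "alice", "phone"))
```

Revoking a friend means re-keying the group and re-encrypting its fields; that cost, and the fact that the server still learns which fields exist and how often they are read, is what the cited systems spend most of their design effort on.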

Page 26

Breaches from Other Users

• Root cause:
  – Lack of care in examining friend requests
• A simple attack version:
  – 75,000 out of 250,000 random Facebook users contacted using an automatic script accepted the script’s friend request
  – A report from Sept. 2005

Page 27

Advanced Attacks (Bilge et al.)

• Same-site profile cloning:
  – An attacker duplicates a user’s profile in the same OSN
  – Uses the duplicate to send out friend requests to the user’s friends
• Cross-site profile cloning:
  – An attacker identifies a user from OSN A
  – The attacker duplicates the user’s profile to OSN B
  – Uses the duplicate to send out friend requests to the user’s friends who also registered in OSN B

Page 28

Defenses

• None.
• But suggestions, yes:
  – Increase users’ alertness concerning their acceptance of friend requests
  – Improve the strength of CAPTCHAs to prevent large-scale automated attacks

Page 29

Breaches from 3rd Party Apps

• Root cause:
  – 3rd party apps are essentially untrusted.
  – A LOT of similarity with their smartphone counterparts.
• Problem breakdown:
  – Which pieces of information are necessary for the app to function?
  – How to monitor the way in which the apps manipulate the personal information?

Page 30

Defenses

• For problem 1:
  – None. Have to trust the app’s manifest.
• For problem 2, xBook by Singh et al.:
  – Information flow in the apps can only occur via xBook APIs (modify the app development language).
  – Use information flow models and run-time monitoring.
• The Facebook move:
  – Applications must obtain specific approval from users before gaining access to any personal information that isn’t available to “everyone”. (Recall the Android case?)
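Both problems from the previous slide in one added example, written in the spirit of xBook but not xBook's code: (1) the app declares the fields it needs, and the platform refuses any non-public field the user did not approve (the manifest/approval step the Facebook move adds); (2) every value the app receives is a `Labeled` object whose visibility propagates through computation, and the only sinks available to the app, showing data to a viewer or sending it to the app's own server, check the label first. Users, fields, the external host and the two sample apps are all constructed.

```python
"""Mediated data access plus run-time information-flow checks for a third-party app."""
EVERYONE, FRIENDS, ONLY_ME = 0, 1, 2   # visibility levels; higher is more restricted


class PolicyViolation(Exception):
    pass


# Constructed profile data: user -> field -> (value, visibility level)
PROFILES = {
    "alice": {"name": ("Alice", EVERYONE),
              "birthday": ("1990-05-26", FRIENDS),
              "phone": ("555-0100", ONLY_ME)},
}
FRIENDS_OF = {"alice": {"bob"}}


class Labeled:
    """A value together with the owners it derives from and its visibility."""
    def __init__(self, value, level, owners):
        self.value, self.level, self.owners = value, level, frozenset(owners)


def combine(fn, *inputs):
    """Apply fn to the raw values; the result is as restricted as the most
    restricted input and inherits every owner (a label join)."""
    return Labeled(fn(*(x.value for x in inputs)),
                   max(x.level for x in inputs),
                   frozenset().union(*(x.owners for x in inputs)))


class PlatformAPI:
    """The only path through which an app touches user data."""
    def __init__(self, app_name, approved_fields):
        self.app_name = app_name
        self.approved = set(approved_fields)   # granted by the user at install time
        self.audit = []                        # what the monitor saw the app do

    def get(self, user, field):
        value, level = PROFILES[user][field]
        if level != EVERYONE and field not in self.approved:
            raise PolicyViolation(f"{self.app_name} was not approved for {user}.{field}")
        self.audit.append(("read", user, field))
        return Labeled(value, level, {user})

    def may_see(self, viewer, labeled):
        for owner in labeled.owners:
            if viewer == owner or labeled.level == EVERYONE:
                continue
            if labeled.level == FRIENDS and viewer in FRIENDS_OF.get(owner, set()):
                continue
            return False
        return True

    def show_to(self, viewer, labeled):
        if not self.may_see(viewer, labeled):
            raise PolicyViolation(f"{viewer} may not see data derived from {sorted(labeled.owners)}")
        self.audit.append(("show", viewer, labeled.value))
        return labeled.value

    def send_external(self, host, labeled):
        # Once data leaves the platform nobody can enforce the owner's policy,
        # so only data visible to everyone may go out.
        if labeled.level != EVERYONE:
            raise PolicyViolation(f"refusing to send restricted data to {host}")
        self.audit.append(("send", host, labeled.value))
        return labeled.value


def zodiac_sign(birthday):
    """Western sun sign from an ISO date string (the sample app's only logic)."""
    month, day = int(birthday[5:7]), int(birthday[8:10])
    cutoffs = [(1, 20, "Capricorn"), (2, 19, "Aquarius"), (3, 21, "Pisces"),
               (4, 20, "Aries"), (5, 21, "Taurus"), (6, 21, "Gemini"),
               (7, 23, "Cancer"), (8, 23, "Leo"), (9, 23, "Virgo"),
               (10, 23, "Libra"), (11, 22, "Scorpio"), (12, 22, "Sagittarius")]
    for m, d, sign in cutoffs:
        if (month, day) < (m, d):
            return sign
    return "Capricorn"


def horoscope_app(api, user, viewer):
    """Well-behaved app: derives the sign from the birthday and shows it to viewer."""
    sign = combine(zodiac_sign, api.get(user, "birthday"))
    return api.show_to(viewer, sign)


def leaky_app(api, user, home_server="stats.app.example"):
    """Misbehaving app: tries to ship the phone number to its own server."""
    return api.send_external(home_server, api.get(user, "phone"))


def raises_violation(fn, *args):
    try:
        fn(*args)
    except PolicyViolation:
        return True
    return False
```

The derived sign keeps the birthday's friends-only label even though it reveals far less than the date; a coarser-grained label join is exactly the over-approximation that makes this kind of monitor safe but occasionally annoying for app developers.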

Page 31

What Are The Security Risks?

• Spam, phishing, malware
• Privacy breach
• Network structural attack

Page 32

Network Structural Attacks

• Root cause:
  – An attacker can control and manipulate multiple identities (a Sybil attack).
• Attack scenarios:
  – Promote the reputation of an account in e-commerce settings by voting the target as “good”.
  – De-anonymize the social network by inserting a particular topological feature into the network.

Page 33

Defenses

• Trusted certification (prevention):
  – Only verified users can enter the network.
  – Too costly to implement.
• Resource testing (detection):
  – Investigates resources associated with nodes.
  – E.g., SybilGuard, by Yu et al.
• Recurring costs (mitigation):
  – Increase the cost of launching a Sybil attack
  – Increase the use of CAPTCHAs, impose monetary charges, etc.
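The resource SybilGuard tests is the social graph itself: an attacker can create identities freely but cannot freely create trust edges to honest users. The sketch below is an added, simplified illustration of that idea and not SybilGuard's code. Each node fixes a random permutation over its edges, so routes are convergent (two routes entering a node over the same edge leave it the same way); a verifier accepts a suspect if at least half of the suspect's random routes intersect the verifier's. Honest routes of modest length stay in the honest region with high probability, while a Sybil route can only reach it across the few attack edges. The two-region graph, its sizes, the route length, the majority rule and the seeds are all constructed; real SybilGuard uses a route length around sqrt(n log n), registered routes and witness tables.

```python
"""Random-route intersection, a sketch of the SybilGuard idea (Yu et al.)."""
import random


def build_graph(n_honest, n_sybil, attack_edges, extra, rng):
    """Two regions (a ring plus `extra` random edges per node) joined by `attack_edges`.
    Nodes 0..n_honest-1 are honest, the rest are Sybil identities."""
    adj = {v: set() for v in range(n_honest + n_sybil)}

    def add(a, b):
        if a != b:
            adj[a].add(b)
            adj[b].add(a)

    for base, n in ((0, n_honest), (n_honest, n_sybil)):
        for i in range(n):
            add(base + i, base + (i + 1) % n)          # ring keeps each region connected
            for _ in range(extra):
                add(base + i, base + rng.randrange(n))
    for _ in range(attack_edges):
        add(rng.randrange(n_honest), n_honest + rng.randrange(n_sybil))
    return {v: sorted(nbrs) for v, nbrs in adj.items()}


def routing_tables(adj, rng):
    """Per node: incoming neighbour -> outgoing neighbour, a fixed random permutation."""
    tables = {}
    for x, nbrs in adj.items():
        out = list(nbrs)
        rng.shuffle(out)
        tables[x] = dict(zip(nbrs, out))
    return tables


def random_route(tables, start, first_hop, w):
    """Route of w edges; the next hop is determined by the edge we arrived on."""
    route = [start, first_hop]
    prev, cur = start, first_hop
    for _ in range(w - 1):
        nxt = tables[cur][prev]
        route.append(nxt)
        prev, cur = cur, nxt
    return route


def routes_from(adj, tables, node, w):
    return [random_route(tables, node, nbr, w) for nbr in adj[node]]


def accepts(adj, tables, verifier, suspect, w):
    """Verifier accepts if at least half of the suspect's routes meet one of its own."""
    v_nodes = set().union(*routes_from(adj, tables, verifier, w))
    s_routes = routes_from(adj, tables, suspect, w)
    hits = sum(1 for r in s_routes if v_nodes.intersection(r))
    return 2 * hits >= len(s_routes)


def acceptance_rate(kind, attack_edges, seeds, n=60, extra=3, w=8):
    """Fraction of seeds in which honest node 0 accepts a fixed honest or Sybil suspect."""
    accepted = 0
    for seed in seeds:
        rng = random.Random(seed)
        adj = build_graph(n, n, attack_edges, extra, rng)
        tables = routing_tables(adj, rng)
        suspect = n // 2 if kind == "honest" else n + n // 2
        accepted += accepts(adj, tables, 0, suspect, w)
    return accepted / len(seeds)


if __name__ == "__main__":
    seeds = range(30)
    for a in (0, 1, 5):
        print(f"attack edges={a}: honest accepted {acceptance_rate('honest', a, seeds):.2f}, "
              f"sybil accepted {acceptance_rate('sybil', a, seeds):.2f}")
```

The guarantee degrades as attack edges grow (run it with a larger third value), which is the point of the "recurring costs" row on the slide: make each trust edge to an honest user expensive, and the structural detector stays effective.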

Page 34

Conclusion

• The value of online social networking far outweighs the risk.
• Use social networking effectively and positively to establish new relationships, strengthen existing ones, innovate, learn, collaborate, and have fun.
• But beware of the risks so you can do your best to steer clear of them.
• And think before you click!!

Page 35