Social Networking Security Issues -Mangesh Gunjal


Page 1: Social Networking Security Issues

Social Networking Security Issues

- Mangesh Gunjal

Page 2: Social Networking Security Issues

Social Networking Site…???

Page 3: Social Networking Security Issues

Threats Posing Risk to Social Networks

Digital Database Collection

Secondary Data Collection

Face Recognition

Content Based Image Retrieval

Image Data Linkability

Complete Account Deletion

Profile Squatting and Reputation Slander through ID Theft

Page 4: Social Networking Security Issues

Continued…

Stalking

Bullying

Corporate Espionage

Spam

Cross-Site Scripting

Spear Phishing

Infiltration of Networks

Page 5: Social Networking Security Issues

Digital Database Collection

Digital dossier of Personal Data for immoral purposes

Regular Snapshots of entire network

Private Attributes can be accessed directly via search

Miss out on Employment Opportunities

Information for negative use

E.g. Miss New Jersey Case

Page 6: Social Networking Security Issues

Secondary Data Collection

Personal Information to the Network Operator

E.g. time and length of connections

IP Address, other users’ profile visited

Messages sent and received

Powerful Data warehouse

Lack of Transparency about Data Collection

Privacy Policies tend to be vague

Transfer of Information to third party through resale

Page 7: Social Networking Security Issues

Example of Privacy Statement

“[SNS Provider] also logs non-personally identifiable information including IP address, profile information, aggregate user data, and browser type, from users and visitors to the site. This data is used to manage the website, track usage and improve the website services. This non-personally-identifiable information may be shared with third-parties to provide more

Page 8: Social Networking Security Issues

Face Recognition & CBIR

Face Recognition

User Provided Digital Images

They identify the profile holder

Linking of Image Instances across services and websites

Content Based Image Retrieval

Able to match features from Large Databases of Images

No Privacy control on the accountability on CBIR

Possibility of deducing User Location

May lead to Stalking, Blackmailing, Unwanted Marketing, etc.

Page 9: Social Networking Security Issues

Image Data Linkability

Tag Images with metadata

Name of the person in the photo

Link to their profile

Their e-mail address

No control over images posted by others

Page 10: Social Networking Security Issues

Difficulty in Complete Account Deletion

Easy to remove Primary Pages

Secondary Info remains

Ambiguity over Information deletion upon account closure

Facebook Privacy policy Statement:

“Removed information may persist in backup copies for a reasonable period of time but will not be generally available to members of Facebook.”

Manual Deletion is the only solution

Page 11: Social Networking Security Issues

Spam

Unsolicited messages

Free Traffic for the Spammers

Use of Specialized Spamming software – FriendBot

Provides links to Pornographic or other product sites

Links to phishing websites

Flood with Comments and Posts

Stealing Members’ Passwords to advertise on others’ profiles

Traffic Overload

Loss Of Trust

Reduces the value of the SNS as the number of fake profiles increases

Page 12: Social Networking Security Issues

Cross-Site Scripting

Users can post HTML code within profiles

SNSs are vulnerable to XSS attacks

SAMY virus

Denial of Service
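
The XSS risk on this slide comes from profile fields being written into the page as markup. An added example, not part of the original slides, showing a vulnerable profile renderer beside a hardened one; the field names (`name`, `about`, `homepage`) and the sample profile are constructed for illustration.

```javascript
// Added example: rendering user-supplied profile fields on an SNS page.
// Field names and sample values are constructed for illustration.

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[ch]));
}

// Allow only absolute http(s) links; javascript:, data: and the like become "#".
function safeUrl(value) {
  try {
    const url = new URL(String(value));
    return (url.protocol === "http:" || url.protocol === "https:") ? url.href : "#";
  } catch {
    return "#"; // not a parseable absolute URL
  }
}

// Vulnerable: profile text is concatenated into the page as markup.
function renderProfileUnsafe(profile) {
  return `<div class="profile"><h2>${profile.name}</h2>` +
         `<p>${profile.about}</p><a href="${profile.homepage}">homepage</a></div>`;
}

// Hardened: every field is encoded for the context it lands in.
function renderProfileSafe(profile) {
  return `<div class="profile"><h2>${escapeHtml(profile.name)}</h2>` +
         `<p>${escapeHtml(profile.about)}</p>` +
         `<a href="${escapeHtml(safeUrl(profile.homepage))}" rel="nofollow noopener">homepage</a></div>`;
}

// Constructed sample input: a profile whose fields carry markup.
const sampleProfile = {
  name: 'Alice "Al" <b>Example</b>',
  about: "<script>alert(1)</script>",
  homepage: "javascript:alert(1)",
};

console.log(renderProfileUnsafe(sampleProfile)); // markup reaches the page intact
console.log(renderProfileSafe(sampleProfile));   // markup is shown as inert text
```

Encoding on output covers the HTML text and attribute contexts used here; a site that deliberately allows some profile markup needs an allowlist-based sanitizer instead.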

Page 13: Social Networking Security Issues

Spear Phishing

Highly personalized Phishing Attack

The worm JS/Quickspace.A was designed to spread through MySpace pages.

Effective Form of Phishing Attack

Identity Theft

Reputation Damage

Page 14: Social Networking Security Issues

Infiltration of Networks

Weak First line of Defense

FriendBot and FriendBlasterPro - commercial software

No implementation of CAPTCHAs

SOPHOS - an Antivirus company Case Study

Polluting SNSs with irrelevant, misleading Profiles

Allows viewing of Private Information

Conducts spamming and marketing campaigns

Page 15: Social Networking Security Issues

Profile Squatting & Reputation Slander

Fake Profiles

Profiles of Dead Celebrities

Galileo on MySpace (as well as over 3000 Friends)

Weak Authentication of Registration

Most unlikely the person

Easy to target the abuse at the people (e.g. Class Teacher)

Damage Reputation

Phishing

Marketing under false pretences

Page 16: Social Networking Security Issues

Stalking

Involves threatening behaviour

Seeks repeated contacts through any means

SNSs are an easy means for stalking

SNSs emphasize location data

Loss of Privacy

Physical Harm and psychological Damage

Page 17: Social Networking Security Issues

Bullying

Repeated and Purposeful acts of harm that are carried out using technology.

The ease of remaining anonymous

The one-stop-shop effect

The generation gap

Forms Of CyberBullying:

Flaming

Harassment

Denigration

Impersonation

Outing

Trickery

Exclusion

Page 18: Social Networking Security Issues

Corporate Espionage

It's an Underrated Risk to Corporate Infrastructure

Access Sensitive Enterprise Data; mostly by using Employees themselves

Privacy Settings are neglected

Threshold for gaining information is very low

Lists of employees and connections between them

Stakeholders Information

Publication of information about its infrastructure, network directories.

Loss of Corporate Intellectual Property

Blackmailing

Access Physical assets

Page 19: Social Networking Security Issues

Which Social Network do you think poses the biggest Risk to Security…???

Courtesy: SOPHOS Security Threat Report 2010

Page 20: Social Networking Security Issues

Social Networks Spam, Phishing and Malware Report for year 2009

Courtesy: SOPHOS Security Threat Report 2010

Page 21: Social Networking Security Issues

Malware, Number One Concern for the Firms with Social Networks.

Courtesy: SOPHOS Security Threat Report 2010

Page 22: Social Networking Security Issues

Permission to Access Basic Information

Page 23: Social Networking Security Issues

Recommendations and Suggestions

Encourage Awareness raising and Educational Campaigns

Review and Reinterpret Regulatory Framework

Increase Transparency of Data handling Practices

Discourage Banning of SNSs in Schools

Promote Stronger Authentication and Access control

Implement Countermeasures against Corporate Espionage

Maximize Possibilities for Reporting and Detecting Abuse

Set Appropriate Defaults

Require the Consent of the Data Subject to include Profile Tags or e-mail Address Tags in Images

Page 24: Social Networking Security Issues

Social Networking Security Issues- Legal Aspects

Section 66A: Punishment for sending offensive messages through service, etc.

Imprisonment may extend to Three years and with fine

Section 66B: Punishment for dishonestly receiving stolen computer resource or communication device

Imprisonment may extend to Three years and with fine up to Rs.1Lakh or Both

Section 66C: Punishment for Identity Theft

Imprisonment of either description term up to 3 years and fine up to Rs.1Lakh

Section 66D: Punishment for cheating by personation by using computer resource

Imprisonment may extend to Three years and with fine up to Rs.1Lakh or with both

Section 66E: Punishment for violation of Privacy

Imprisonment may extend to Three years and with fine up to Rs.1Lakh or with both

Page 25: Social Networking Security Issues

Continued…

Section 66F: Punishment for Cyber Terrorism

Imprisonment which may extend to imprisonment for life

Section 67: Punishment for publishing or transmitting Obscene material in electronic form

Imprisonment of either description up to three years and fine of up to Rs. 5Lakh.

Section 67A: Punishment for publishing or transmitting of material containing sexually explicit act, etc., in electronic form.

Imprisonment of either description up to five years and fine of up to Rs. 10Lakh.

Section 67B: Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc., in electronic form.

Imprisonment of either description up to three years and fine of up to Rs. 5Lakh.

Page 26: Social Networking Security Issues

Conclusion

If used correctly, an SNS enhances Data Privacy while providing Interactive User Generated Content to anyone; if not, it provides a dangerously powerful tool in the hands of Spammers, unscrupulous marketers and others who may take criminal advantage of Users.

Page 27: Social Networking Security Issues

References

SOPHOS Security Report 2010

European Network and Information Security Agency Report

Page 28: Social Networking Security Issues

Questions…???