Hongyu Gao - PowerPoint PPT Presentation

1
Security Issues of Online Social Networking
  • Hongyu Gao
  • Northwestern University
  • EECS450 class presentation
  • Adapted from slides of Harvard Townsend and
    Jessica Van Hattem

2
Fan, Friend or Foe?
The Risks of Social Networking
  • CHECK 2010
  • May 26, 2010

Sherry Callahan, CISSP, CISM, CISA
University of Kansas Medical Center
3
  • 2/3 of US households use social networks, twice as many as a year ago
  • 98% of students at UNC use Facebook
  • Facebook has over 400 million active users, half of whom log in on any given day, 100 million via their mobile device
  • U.S. Facebook users 55 and older grew 922% in 2009 (now 10 million)
4
Social Networking Websites
  • What are they?
  • Tool for
    • Communication
    • Expressing interests
    • etc.
  • Interaction
  • User-contribution
    • Users submit content for other users

5
History
Early social networking websites
  • 1995 - classmates.com
    • focused on ties between former schoolmates
  • 1997 - sixdegrees.com
    • focused on indirect ties

6
History, cont'd
Modern social networking websites
  • 2002 - Friendster
    • now mostly used in Asia
  • 2003 - Myspace
    • bought by News Corporation (parent company of Fox) in 2005
    • most popular social networking site in 2006

7
Giving people the power to share and make the
world more open and connected.
8
Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: "What are you doing?"
9
Your professional network of trusted contacts
gives you an advantage in your career, and is one
of your most valuable assets. LinkedIn exists to
help you make better use of your professional
network and help the people you trust in return.
10
Delicious is a Social Bookmarking service, which
means you can save all your bookmarks online,
share them with other people, and see what other
people are bookmarking.
11
(No Transcript)
12
What Are The Security Risks?
  • Spam, phishing, malware
  • Privacy breach
  • Network structural attack

13
Spam, Phishing and Malware
  • Spam
    • Unsolicited messages to other users.
    • The method.
  • Phishing and malware distribution
    • The goal (or method?).
  • Ultimate goal

14
Spam, Phishing and Malware
  • Ads
  • Wall posts, inbox or chat messages with malicious links from hijacked friends
  • CSRF
  • "My wallet was stolen and I'm stuck in Rome. Send me cash now."
  • Spam email pretending to be from Facebook admins

15
Oh no! URL Shorteners
  • bit.ly, TinyUrl, ReadThisURL, NotLong
  • Hides the true destination URL: no way to tell where you're going until you click!

http://www.hacker.com/badsite?%20infect-your-pc.html is now http://bit.ly/aaI9KV
16
Malware Distribution
17
Malware Distribution
  • Koobface is the granddaddy of malware targeting Facebook and continues to evolve and infect today
    • Register and activate a Facebook account.
    • Join random Facebook groups, adding Facebook friends.
    • Post messages on friends' walls that contain links to the Koobface loader component

18
Defenses
  • Attack the carrier
    • Spam message detection
  • Don't talk to strangers
    • Sender reputation assessment
  • Stop the exploit (CSRF)
    • Web security enhancement
  • Don't touch what you shouldn't touch
    • Malicious URL detection
  • Be alerted! (send-me-money hoax)
    • Do not send money

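Added example (not from the slides): the defender's counterpart to the URL-shortener problem of slide 15 and the "malicious URL detection" defense above, expanding a shortened link hop by hop with HEAD requests so the true destination is visible before anyone clicks. The blocked-host list is a hypothetical input; `http_head` is the live transport and `demo_head` a constructed offline stand-in that replays the slide's own short link.

```python
"""Expand a shortened link hop by hop, without clicking it (Python 3, stdlib only)."""
import http.client
from urllib.parse import urlsplit, urljoin

REDIRECTS = {301, 302, 303, 307, 308}

def http_head(url, timeout=5):
    """Live transport: one HEAD request that does NOT auto-follow redirects.
    Returns (status, Location header or None)."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand(url, head=http_head, max_hops=10):
    """Follow Location headers one at a time, recording every hop, so the whole chain
    (shortener -> trackers -> final site) is visible before anyone clicks."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECTS or not location:
            break
        nxt = urljoin(chain[-1], location)   # Location may be relative
        chain.append(nxt)
        if chain.count(nxt) > 1:            # redirect loop: stop, keep the evidence
            break
    return chain

def is_suspicious(chain, blocked_hosts):
    """Flag the link if ANY hop, not only the final one, lands on a blocked host."""
    return any(urlsplit(u).hostname in blocked_hosts for u in chain)

# Constructed offline stand-in for the live servers; the short link and its
# destination are the ones quoted on the slide.
DEMO_HOPS = {
    "http://bit.ly/aaI9KV": (301, "http://www.hacker.com/badsite?%20infect-your-pc.html"),
    "http://www.hacker.com/badsite?%20infect-your-pc.html": (200, None),
    "http://short.example/loop": (302, "/loop"),   # redirects to itself
}

def demo_head(url):
    return DEMO_HOPS.get(url, (404, None))
```

Call `expand(url)` with the default transport to resolve a real link; the chain, not just its last element, is what a link-preview or spam filter should show and check.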
19
What Are The Security Risks?
  • Spam, phishing, malware
  • Privacy breach
  • Network structural attack

20
Privacy Policy Protection? LOL
LinkedIn: "Additionally, you grant LinkedIn a nonexclusive, irrevocable, worldwide, perpetual, unlimited, assignable, sublicenseable, fully paid up and royalty-free right to us to copy, prepare derivative works of, improve, distribute, publish, remove, retain, add, process, analyze, use and commercialize, in any way now known or in the future discovered, any information you provide, directly or indirectly to LinkedIn, including but not limited to any user generated content, ideas, concepts, techniques or data to the services, you submit to LinkedIn, without any further consent, notice and/or compensation to you or to any third parties. Any information you submit to us is at your own risk of loss."

Facebook: "You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof. You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content."
21
Take my stuff, please!
22
Who's peeking?
23
Some Facts
  • A study on Facebook users in the Carnegie Mellon University network
    • 90.8% uploaded images
    • 87.8% revealed birth dates
    • 39.9% share phone numbers
    • 50.8% list current addresses
    • By Gross et al.

24
Breaches from Service Providers
  • Root cause
    • Client-server architecture
    • The OSN service provider is in a dominant position and can benefit from examining and sharing information
  • Solution
    • Users dictate fine-grained policies regarding who may view their information
    • Enforce the policy with encryption

25
Defenses
  • Persona, by Baden et al.
    • Use decentralized storage
  • Lockr, by Tootoonchian et al.
    • Recipient needs to provide digitally signed social relationships as proof to fetch data
  • Smart clients and an untrusted central server, by Anderson et al.
    • Server stores encrypted data
    • Client accesses user information only if the owner's client mediates the access

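Added example, not code from the slides or from Persona, Lockr or Anderson et al.: the "enforce the policy with encryption" idea of slides 24 and 25 worked through in Python. The owner encrypts each profile field under a per-audience group key and hands each friend only the keys for the audiences they belong to, so the provider stores and serves ciphertext it cannot read. The cipher construction, field names, audience labels and master secret are constructed for illustration.

```python
"""Owner-side encryption of profile fields under per-audience group keys, so the OSN
server stores and serves only ciphertext (Python 3, stdlib only). Illustrative cipher:
HMAC-SHA256 as a PRF in counter mode with encrypt-then-MAC; a real deployment would
use an AEAD such as AES-GCM from a vetted library instead."""
import hmac, hashlib, os

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def group_key(master, group):
    """Owner derives one key per audience ("public", "friends", "close") from a master secret."""
    return _prf(master, b"group:" + group.encode())

def _keystream(enc_key, nonce, n):
    return b"".join(_prf(enc_key, nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))[:n]

def seal(key, plaintext, nonce=None):
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")   # domain-separated subkeys
    nonce = nonce or os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _prf(mac_key, nonce + ct)

def open_sealed(key, blob):
    """Plaintext, or None when the key is wrong or the server altered the blob."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, _prf(mac_key, nonce + ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def publish_profile(master, fields, policy):
    """Policy maps each field to the audience allowed to read it; the server only ever
    sees field name, audience label and ciphertext."""
    return {f: (policy[f], seal(group_key(master, policy[f]), v)) for f, v in fields.items()}

def read_profile(stored, my_group_keys):
    """A reader decrypts exactly the fields whose audience key the owner handed them."""
    out = {}
    for f, (group, blob) in stored.items():
        if group in my_group_keys:
            pt = open_sealed(my_group_keys[group], blob)
            if pt is not None:
                out[f] = pt
    return out

# Constructed sample: Alice's profile and a per-field audience policy.
MASTER = b"constructed-master-secret-for-alice"
FIELDS = {"name": b"Alice", "birthday": b"1990-01-01", "phone": b"555-0100"}
POLICY = {"name": "public", "birthday": "friends", "phone": "close"}
```

Revoking a friend means re-keying that audience and re-encrypting its fields, which is the known cost of this design and why Persona uses attribute-based encryption rather than plain group keys.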
26
Breaches from Other Users
  • Root cause
    • Lack of care in examining friend requests
  • A simple attack version
    • 75,000 out of 250,000 random Facebook users contacted using an automatic script accepted the script's friend request
    • A report from Sept. 2005

27
Advanced Attacks (Bilge et al.)
  • Same-site profile cloning
    • An attacker duplicates a user's profile in the same OSN
    • Uses the duplicate to send out friend requests to the user's friends
  • Cross-site profile cloning
    • An attacker identifies a user from OSN A
    • The attacker duplicates the user's profile to OSN B
    • Uses the duplicate to send out friend requests to the user's friends who are also registered in OSN B

28
Defenses
  • None.
  • But suggestions, yes:
    • Increase users' alertness concerning their acceptance of friend requests
    • Improve the strength of Captcha to prevent large-scale automated attacks.

29
Breaches from 3rd Party Apps
  • Root cause
    • 3rd party apps are essentially untrusted.
    • A LOT of similarity with their smartphone counterparts.
  • Problem breakdown
    • Which pieces of information are necessary for the apps to function?
    • How to monitor the way in which the apps manipulate the personal information?

30
Defenses
  • For problem 1
    • None. Have to trust the app's manifest.
  • For problem 2, xBook by Singh et al.
    • Information flow in the apps can only occur via xBook APIs (modify the app development language).
    • Use information flow models and run-time monitoring.
  • The Facebook move
    • Applications must obtain specific approval from users before gaining access to any personal information that isn't available to everyone. (recall the Android case?)

31
What Are The Security Risks?
  • Spam, phishing, malware
  • Privacy breach
  • Network structural attack

32
Network Structural Attacks
  • Root cause
    • Attacker can control and manipulate multiple identities.
  • Attack scenarios
    • Promote the reputation of an account in e-commerce settings by voting the target as good.
    • De-anonymize the social network by inserting a particular topological feature into the network.

33
Defenses
  • Trusted certification (prevention)
    • Only verified users can enter the network.
    • Too costly to implement.
  • Resource testing (detection)
    • Investigates resources associated with nodes.
    • E.g., SybilGuard, by Yu et al.
  • Recurring costs (mitigation)
    • Increase the cost of launching a Sybil attack
    • Increase the use of Captcha, put monetary charges, etc.

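Added example, not SybilGuard's own code: a small simulation of SybilGuard's random routes on a constructed social graph, illustrating the detection idea behind slides 32 and 33. An attacker who controls many identities still has only a few "attack edges" to honest users; because every node routes deterministically per entry edge, all honest nodes that Sybil routes can touch lie on one short path per attack edge, which bounds the damage regardless of how many Sybils exist. Graph sizes, the route length w and the half-of-routes acceptance rule are assumptions for the demo.

```python
"""SybilGuard-style random routes on a constructed social graph (Python 3, stdlib only).
Routes are convergent (same entry edge => same continuation), so the honest nodes any
Sybil route can reach lie on one w-node path per attack edge, however many Sybils exist."""
import random

def build_graph(honest_n, sybil_n, attack_edges, seed=1):
    """Constructed graph: two ring-plus-chords regions joined by `attack_edges` edges."""
    rng, adj = random.Random(seed), {}
    def region(prefix, n):
        names = [f"{prefix}{i}" for i in range(n)]
        for i, u in enumerate(names):
            for v in (names[(i + 1) % n], rng.choice(names)):   # ring edge + one chord
                if v != u:
                    adj.setdefault(u, set()).add(v); adj.setdefault(v, set()).add(u)
        return names
    honest, sybil = region("h", honest_n), region("s", sybil_n)
    for _ in range(attack_edges):   # honest users tricked into befriending a Sybil
        u, v = rng.choice(honest), rng.choice(sybil)
        adj[u].add(v); adj[v].add(u)
    return adj, honest, sybil

def routing_tables(adj, seed=2):
    """Per node, a random permutation of its edges: arriving from x, a route leaves via table[x]."""
    rng, tables = random.Random(seed), {}
    for v, nbrs in adj.items():
        ins = sorted(nbrs); outs = ins[:]; rng.shuffle(outs)
        tables[v] = dict(zip(ins, outs))
    return tables

def random_route(tables, start, first_hop, w):
    """The w-hop route leaving `start` via `first_hop` (w + 1 nodes, start included)."""
    route, prev, cur = [start, first_hop], start, first_hop
    for _ in range(w - 1):
        prev, cur = cur, tables[cur][prev]
        route.append(cur)
    return route

def routes_of(tables, node, w):
    return [random_route(tables, node, nb, w) for nb in tables[node]]

def accepts(tables, verifier, suspect, w):
    """(accepted, hits, total): accept if at least half the verifier's routes hit a suspect route."""
    s_nodes = {n for r in routes_of(tables, suspect, w) for n in r}
    v_routes = routes_of(tables, verifier, w)
    hits = sum(1 for r in v_routes if s_nodes.intersection(r))
    return hits * 2 >= len(v_routes), hits, len(v_routes)

def honest_nodes_reached(tables, sybil, honest, w):
    """Honest nodes touched by any Sybil route: provably at most w per attack edge."""
    hs = set(honest)
    return {n for s in sybil for r in routes_of(tables, s, w) for n in r if n in hs}
```

Build a graph with `build_graph(200, 200, 1)`, derive `routing_tables`, and compare `accepts(tables, honest[0], honest[50], 10)` with the same call for a Sybil suspect; the bound from `honest_nodes_reached` is what limits how many Sybils can ever be accepted.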
34
Conclusion
  • The value of online social networking far outweighs the risk.
  • Use social networking effectively and positively to establish new relationships, strengthen existing ones, innovate, learn, collaborate, and have fun.
  • But beware of the risks so you can do your best to steer clear of them.
  • And think before you click!!

35
Questions?