Security in social media
Juha Siivikko, 7.11.2013
What is a) social media and b) security?
• Social media is the online content published by people who use easily accessible and highly scalable publishing platforms [1]
• E.g. Twitter, Facebook, LinkedIn, MySpace, YouTube, wikis
• Social media sub-categories include networking, blogging etc.
• Security is of course the barrier between the asset and the threat, but it is also a feeling
Top 5 social media security risks for enterprises [2] (1/2)
• Mobile apps
  • Employees download apps to their company-issued mobile devices
  • Mobile apps carry huge security risks, and some apps are just plain malicious software that reveals and sends the user's private information to a third party, destroys personal data, impersonates the device owner etc.
• Social engineering
  • Nowadays people are more willing than ever to share personal information about themselves online [2]
  • Social media platforms encourage a dangerous level of assumed trust [2]
Top 5 social media security risks for enterprises (2/2)
• The sites themselves
  • Malicious code injections, e.g. shortened-URL injections
  • For example Twitter is really vulnerable because of the retweet function: the malicious code can be forwarded to hundreds of thousands of people in a short time
• Employees
  • Employees have lapses in judgement, they make mistakes and they behave emotionally
• Lack of a social media policy
  • Without a social media policy employees don't know the goals and parameters of social media use, which brings on chaos and problems
The risks in social media for any user
• The number of risks is vast, and the risks do not concern only major enterprises but everyone using social media
• The attacks can, for example, cause:
  • Mild annoyance
  • Loss of personal data
  • Loss of money
  • Loss of a job
  • And of course that's not all
Social engineering
• Rather than using technical hacking, social engineering is gaining access to buildings, systems, data, etc. by manipulating or exploiting human psychology [3]
• For example, instead of using a software vulnerability, one might call an employee posing as an IT support person trying to get the employee's password
• Another popular tactic is to hack into someone's Facebook account and send a message through the hacked account asking for money, claiming to be stuck in a foreign city
• Once a social engineer has access to a person's account, it is easy to gain information that can be used to make a credible scam attempt
• The most effective countermeasure against social engineering is awareness
Phishing
• Phishing is like social engineering: it's about getting personal information by means of fake emails, login sites etc.
• An example of a phishing email: http://www.banksafeonline.org.uk/node/112
• Countermeasures:
  • Awareness: knowledge about phishing is vital; you can spot phishing attempts from bad grammar, questions about your password etc.
  • Of course sometimes the phishing attempt is carefully crafted, so you must also remember to [5]:
    • Not click links in your email, but use the real sites, log in and continue from there
    • If you feel like you are on a phishing site, try to log in with invalid credentials; if it directs you to a logon-failed page, you might be on a legitimate website
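The slide's advice not to click links in email rests on the classic phishing tell: the visible link text names the real site while the href leads somewhere else. The following is an added example, not part of the original slides, showing how a mail filter or a browser extension can check for that mismatch automatically. The HTML email body is constructed for this example, the link names are placeholders, and the registrable-domain helper is a two-label approximation (a real deployment would consult the public suffix list).

```javascript
// Added example (not from the original slides): a defender-side check that
// flags links in an HTML email whose visible text names one site while the
// href actually points to a different registrable domain.

// Extract (href, visible text) pairs from the anchors of a small HTML body.
// A regex is enough for the flat anchors typical of mail; it is not a full HTML parser.
function extractLinks(html) {
  const re = /<a\s[^>]*href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const links = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    links.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, '').trim() });
  }
  return links;
}

// Registrable-domain approximation: the last two labels of the host name
// (assumption for this example; use the public suffix list in production).
function baseDomain(host) {
  const labels = host.toLowerCase().split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

// Host name of a URL or bare domain; null when it cannot be parsed.
function hostOf(urlLike) {
  try {
    return new URL(urlLike.startsWith('http') ? urlLike : 'http://' + urlLike).hostname;
  } catch (e) {
    return null;
  }
}

// Flag a link when its visible text looks like a URL or domain whose
// registrable domain differs from the one the href actually leads to.
function suspiciousLinks(html) {
  const looksLikeUrl = /^(https?:\/\/)?[a-z0-9.-]+\.[a-z]{2,}(\/\S*)?$/i;
  return extractLinks(html).filter(({ href, text }) => {
    if (!looksLikeUrl.test(text)) return false; // plain words: nothing to compare
    const shown = hostOf(text);
    const real = hostOf(href);
    if (!shown || !real) return true;           // unparsable target: treat as suspect
    return baseDomain(shown) !== baseDomain(real);
  });
}

// Constructed sample: the first link is honest, the second shows the bank's
// address but sends the reader to a look-alike host under another domain.
const SAMPLE_EMAIL = `
<p>Dear customer, please confirm your details at
<a href="https://www.example-bank.com/login">www.example-bank.com</a>
or use our secure form
<a href="http://example-bank.com.login-verify.example.net/">https://www.example-bank.com/secure</a>.</p>
<p><a href="https://www.example-bank.com/help">Need help?</a></p>`;

console.log(suspiciousLinks(SAMPLE_EMAIL));
```

Run with node; only the second anchor is reported. The check deliberately ignores anchors whose text is plain words ("Need help?"), since those carry no claim about the destination; those are the links the slide's advice covers by typing the real address yourself.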
Cross-site scripting
• Cross-site scripting, or XSS, is a security vulnerability in web applications
• It enables an attacker to inject a script into a web page
• Here is an example that I made: http://users.jyu.fi/~jusasiiv/TIES326/xssexample/
• The example, especially the login form, combines features from phishing, XSS, social engineering and code injection
Risks in Web 2.0 [7] (1/2)
• Authentication controls are spread amongst many users
  • In Web 2.0 content is entrusted to many users, which means there will be less-experienced users creating security issues, but also more holes for hackers, e.g. brute force, more accounts which may have simpler passwords etc.
• Cross-Site Request Forgery, or CSRF
  • An innocent-looking site that has malicious code which makes requests to a different site; because of the heavy use of AJAX, Web 2.0 applications are potentially more vulnerable
• Phishing in Web 2.0
  • Because of the multitude of dissimilar client software, it is harder to distinguish between genuine and fake web sites
Risks in Web 2.0 (2/2)
• Information leakage
  • Web 2.0 has brought the work-from-anywhere mentality, which blurs the line between work and private life; because of that, people may inadvertently share sensitive information
• Injection flaws
  • Web 2.0 has brought new kinds of injection attacks to daylight, e.g. XML injection, XPath injection, JS injection and JSON injection, and because of the heavy use of client-side code, it brings risks to the end users
• Insufficient anti-automation
  • Web 2.0 lets hackers automate attacks more easily; hackers can use attacks like brute force, CSRF, large-scale data retrieval and automated opening of accounts more effectively
Web 2.0 countermeasures
• While Web 2.0 presents different types of challenges, they are not necessarily worse than the risks in legacy applications
• In dealing with the risks in Web 2.0 it again comes down to having a good understanding of the risks
• E.g. in the previous example, blocking HTML XSS with htmlspecialchars()
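The slide closes on htmlspecialchars() as the fix for the XSS shown in the earlier example. The following is an added example, not part of the original slides or of the author's XSS demo site, that carries the same output-encoding idea into JavaScript for a Node page rendering a comment list: the unsafe template beside the hardened one, plus a small regression check. The comment text is a constructed sample.

```javascript
// Added example (not from the original slides): the same output-encoding
// idea as PHP's htmlspecialchars() with ENT_QUOTES, written in JavaScript.

// The five characters that can change HTML structure or break out of an
// attribute, mapped to their entity forms.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user text is pasted straight into the markup, so a comment
// containing a <script> tag becomes live code in every reader's browser.
function renderCommentUnsafe(author, comment) {
  return `<li><b>${author}</b>: ${comment}</li>`;
}

// Hardened: every user-controlled value goes through escapeHtml before it
// reaches the page. The same text is shown, but as text.
function renderCommentSafe(author, comment) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(comment)}</li>`;
}

// True if rendered markup still carries a raw script tag or an inline event
// handler attribute: a cheap template regression check, not a full XSS scanner.
function containsActiveMarkup(html) {
  return /<script\b|<\/script>|\son\w+\s*=/i.test(html);
}

// Constructed sample comment of the kind the slide's XSS example injects.
const SAMPLE_COMMENT = '<script>alert("xss")</script>';

console.log(renderCommentUnsafe('guest', SAMPLE_COMMENT));
console.log(renderCommentSafe('guest', SAMPLE_COMMENT));
```

Escaping at output time, in the HTML text and attribute context shown here, is the direct counterpart of htmlspecialchars(). Values placed inside a script block, a URL or a CSS rule need that context's own encoding instead; the single escaper above is not enough there.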
References
[1] http://socialmediasecurity.com/
[2] http://www.networkworld.com/news/2011/053111-social-media-security.html?page=1
[3] http://www.csoonline.com/article/514063/social-engineering-the-basics#1
[4] https://sites.google.com/a/pccare.vn/it/security-pages/social-engineering-attacks-and-countermeasures
[5] http://web.archive.org/web/20080320035409/http://www.hexview.com/sdp/node/24
[6] http://www.acunetix.com/websitesecurity/cross-site-scripting/
[7] http://readwrite.com/2009/02/16/top-8-web-20-security-threats#awesm=~omBK194D1667qg