Social Networking Security
Adam C. Champion and Dong Xuan
CSE 4471: Information Security
Outline
• Overview of Social Networking
  • On-line Social Networking
  • Mobile Social Networking
• Threats and Attacks
• Defense Measures
Online Social Networking (OSN)
• Online Web services enabling people to connect with each other and share information
  • Common friends, interests, personal info, …
  • Post photos, videos, etc. for others to see
  • Communicate via email, instant message, etc.
• Major OSN services: Facebook, Twitter, MySpace, LinkedIn, etc.
“Giving people the power to share and make the world more open and connected.”
OSN Popularity
• Over 900 million Facebook users worldwide [6]
  • Over 150 million in U.S. [5]
  • Over 450 million access via mobile [6]
  • 300 million pictures uploaded to Facebook daily [6]
• Over 140 million Twitter users; over 340 million Tweets sent daily [7]
• Over 175 million LinkedIn members in over 200 countries [8]
Benefits of OSN Communication
• Vast majority of college students use OSNs
• Organizations want to market products, services, etc. to this demographic
  • OSNs can help them reach these potential buyers
• OSNs provide a communal forum for expression (self, group, mass), collaboration, etc.
• Connect with old friends; find and connect with new friends
• Play games with friends, e.g., Mafia Wars, Scrabulous
• Commerce in “virtual items”
• But using OSNs poses security issues for organizations as well as individuals
Mobile Social Networking
• E-SmallTalker
• E-Shadow
Small Talk
• People come into contact opportunistically
• Face-to-face interaction
• Crucial to people's social networking
• Immediate non-verbal communication
• Helps people get to know each other
• Provides the best opportunity to expand one's social network
• Small talk is an important social lubricant
• Difficult to identify significant topics
• Superficial
A Naive Approach to Smartphone-based Small Talk
• Server stores all users’ information, including each user’s full contact list
• Each user reports either their own geo-location or a collection of phone IDs in their physical proximity to the server, using an Internet connection or SMS
• Server performs profile matching and finds small-talk topics (mutual contacts, common interests, etc.)
• Results are pushed to or retrieved by users
However…
• Requires costly data services (phone’s Internet connection, SMS)
• Requires reporting and storing sensitive personal information with a 3rd party
• A trusted server may not exist
• Server is a bottleneck, a single point of failure, and a target of attack
E-SmallTalker – A Fully Distributed Approach
• No Internet connection required
• No trusted 3rd party
• No centralized server
• Information stored locally on mobile phones
• Original personal data never leaves a user’s phone
• Communication only happens in physical proximity
E-Shadow
• Enhanced E-SmallTalker
• Local profiles
• Mobile-phone-based local social interaction tools
• E-Shadow publishing
• E-Shadow localization
Outline
• Overview of Social Networking
• Threats and Attacks
• Defense Measures
OSN Security Threats/Attacks
• Malware distribution
• Cyber harassment, stalking, etc.
• Information “shelf life” in cyberspace
• Privacy issues:
  • Information about a person posted by him/herself or others
  • Information about people collected by OSNs
  • Information posted on OSNs impacts employment, insurance, etc.
• Organizations’ concerns: brand, laws, regulations
MSN Security Threats/Attacks
• Personal information leakage
  • Particularly dangerous because of physical proximity
• Malware distribution
Outline
• Overview of Social Networking
• Threats and Attacks
• Defense Measures
“Common Sense” Measures (1)
• Use strong, unique passwords
• Provide minimal personal information: avoid entering birthdate, address, etc.
• Review privacy settings, set them to “maximum privacy”
  • “Friends of friends” includes far more people than “friends only”
• Exercise discretion about posted material:
  • Pictures, videos, etc.
  • Opinions on controversial issues
  • Anything involving coworkers, bosses, classmates, professors
  • Anything related to employer (unless authorized to do so)
• Be wary of 3rd party apps, ads, etc. (P.T. Barnum’s quote)
• Supervise children’s OSN activity
“Common Sense” Measures (2)
• “If it sounds too good to be true, it probably is”
• Use browser security tools for protection:
  • Anti-phishing filters (IE, Firefox)
  • Web of Trust (crowdsourced website trust)
  • AdBlock/NoScript/Do Not Track Plus
• Personal reputation management:
  • Search for yourself online, look at the results…
  • Google Alerts: emails sent daily to you about results for any search query (free), e.g., your name
• Extreme cases:
  • Cease using OSNs, delete accounts
  • Contact law enforcement re. relentless online harassment
E-SmallTalker: Privacy-Preserved Information Exchange
• Example of Alice’s Bloom filter
• Alice has multiple contacts, such as Bob, Tom, etc.
• Encode contact strings of the form Firstname.lastname@phone_number, such as “Bob.Johnson@5555555555” and “Tom.Mattix@6141234567”
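The exchange sketched on this slide, as an added example (not E-SmallTalker's own code): Alice publishes only a Bloom filter of her contact strings, and a peer can test her own contacts against it to find candidate mutual contacts without either side revealing a contact list. The 256-bit size, 3 hash positions, SHA-256 derivation and the contact lists (Alice's plus a constructed peer "Carol") are assumptions for illustration.

```python
import hashlib
import math
from typing import List, Optional

# Constructed sample contact lists in the slide's Firstname.lastname@phone_number format.
ALICE_CONTACTS = ["Bob.Johnson@5555555555", "Tom.Mattix@6141234567", "Eve.Smith@6145550123"]
CAROL_CONTACTS = ["Bob.Johnson@5555555555", "Dan.Lee@6145559876"]


class BloomFilter:
    """m-bit Bloom filter; the k bit positions come from slices of one SHA-256 digest."""

    def __init__(self, m_bits: int = 256, k_hashes: int = 3, bits: Optional[bytes] = None):
        self.m, self.k = m_bits, k_hashes
        self.bits = bytearray(bits) if bits else bytearray((m_bits + 7) // 8)

    def _positions(self, item: str) -> List[int]:
        digest = hashlib.sha256(item.encode()).digest()
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.m
                for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def publish_contacts(contacts: List[str]) -> bytes:
    """Alice's side: the only thing that leaves her phone is the 32-byte filter."""
    bf = BloomFilter()
    for c in contacts:
        bf.add(c)
    return bytes(bf.bits)


def candidate_mutual_contacts(received: bytes, my_contacts: List[str]) -> List[str]:
    """Peer's side: only contacts the peer already knows can be tested against the filter."""
    bf = BloomFilter(bits=received)
    return [c for c in my_contacts if c in bf]


def false_positive_rate(n_items: int, m_bits: int = 256, k_hashes: int = 3) -> float:
    """Chance a non-contact still tests positive: (1 - e^(-kn/m))^k; candidates need confirming."""
    return (1 - math.exp(-k_hashes * n_items / m_bits)) ** k_hashes


if __name__ == "__main__":
    published = publish_contacts(ALICE_CONTACTS)
    print(candidate_mutual_contacts(published, CAROL_CONTACTS))
    print(f"false-positive rate: {false_positive_rate(len(ALICE_CONTACTS)):.2e}")
```

A match is a candidate, not proof: the false-positive rate grows with the number of encoded contacts, so a real deployment would confirm hits with a second exchange.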
E-Shadow: Layered Publishing
• Spatial Layering
  • WiFi SSID: at least 40-50 meters, 32 bytes
  • Bluetooth Device (BTD) Name: 20 meters, 2k bytes
  • Bluetooth Service (BTS) Name: 10 meters, 1k bytes
• Temporal Layering
  • For people being together long or repeatedly
  • Erasure code
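Temporal layering over the 32-byte SSID layer, as an added example (not E-Shadow's own code): a profile is cut into k frames plus one XOR parity frame, so a peer who is nearby repeatedly and misses any single frame can still rebuild the profile. The single-parity XOR code, the frame layout (1 index byte, 1 count byte, 30 payload bytes) and the sample profile are assumptions chosen to fit the slide's 32-byte SSID budget.

```python
from typing import List, Optional

SSID_BYTES = 32           # per-frame budget, from the slide's WiFi SSID layer
PAYLOAD = SSID_BYTES - 2  # minus 1 byte chunk index and 1 byte chunk count k

# Constructed sample profile; longer than one SSID, so it needs several frames.
PROFILE = b"Alice Carter | CSE 4471 | hiking, chess"


def encode_profile(profile: bytes) -> List[bytes]:
    """Split a profile into k data frames plus one XOR parity frame (index k)."""
    body = len(profile).to_bytes(2, "big") + profile       # length prefix strips padding later
    body += b"\x00" * ((-len(body)) % PAYLOAD)
    data = [body[i:i + PAYLOAD] for i in range(0, len(body), PAYLOAD)]
    k = len(data)
    assert k < 255, "profile too large for a one-byte chunk count"
    parity = bytearray(PAYLOAD)
    for chunk in data:
        for i, b in enumerate(chunk):
            parity[i] ^= b
    frames = [bytes([idx, k]) + chunk for idx, chunk in enumerate(data)]
    frames.append(bytes([k, k]) + bytes(parity))
    return frames


def decode_profile(frames: List[bytes]) -> Optional[bytes]:
    """Rebuild the profile from any k distinct frames seen so far; None if too few survive."""
    if not frames:
        return None
    k = frames[0][1]
    have = {f[0]: f[2:] for f in frames if len(f) == SSID_BYTES and f[1] == k}
    missing = [i for i in range(k) if i not in have]
    if len(missing) > 1 or (missing and k not in have):
        return None                                        # one parity frame repairs one loss
    if missing:
        rebuilt = bytearray(PAYLOAD)                       # XOR of the other k frames
        for chunk in have.values():
            for i, b in enumerate(chunk):
                rebuilt[i] ^= b
        have[missing[0]] = bytes(rebuilt)
    body = b"".join(have[i] for i in range(k))
    length = int.from_bytes(body[:2], "big")
    return body[2:2 + length]


if __name__ == "__main__":
    frames = encode_profile(PROFILE)
    print(len(frames), "frames of", SSID_BYTES, "bytes")
    print(decode_profile(frames[1:]))                      # first frame missed, still recovered
```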
Final Remarks
• On-line social networking systems are very popular, and mobile social networking systems are emerging
• Malware distribution and personal information leakage are the two most prominent threats and attacks
• Personal countermeasures are the most effective
References (1)
[1] G. Bahadur, J. Inasi, and A. de Carvalho, Securing the Clicks: Network Security in the Age of Social Media, McGraw-Hill, New York, 2012.
[2] H. Townsend, 4 Jun. 2010, http://www.k-state.edu/its/security/training/roundtables/presentations/SIRT_roundtable-RisksofSocialNetworking-Jun10.ppt
[3] U.S. Dept. of State, “Social Networking Cyber Security Awareness Briefing,” http://www.slideshare.net/DepartmentofDefense/social-media-cyber-security-awareness-briefing
[4] National Security Agency, “Social Networking Sites,” http://www.nsa.gov/ia/_files/factsheets/I73-021R-2009.pdf
[5] Consumer Reports, Jun. 2012, http://www.consumerreports.org/cro/magazine/2012/06/facebook-your-privacy/index.htm
[6] S. Sengupta, 14 May 2012, http://www.nytimes.com/2012/05/15/technology/facebook-needs-to-turn-data-trove-into-investor-gold.html?_r=1&pagewanted=all
[7] T. Wasserman, 21 Mar. 2012, http://mashable.com/2012/03/21/twitter-has-140-million-users/
[8] LinkedIn Corp., 2012, http://press.linkedin.com/about
[9] R. Richmond, “Web Gang Operating in the Open,” 16 Jan. 2012, https://www.nytimes.com/2012/01/17/technology/koobface-gang-that-used-facebook-to-spread-worm-operates-in-the-open.html?_r=1
References (2)
[10] J. Drömer and D. Kollberg, “The Koobface malware gang – exposed!”, 2012, http://nakedsecurity.sophos.com/koobface/
[11] Wikipedia, https://en.wikipedia.org/wiki/Suicide_of_Megan_Meier
[12] M. Schwartz, “The Trolls Among Us,” 3 Aug. 2008, https://www.nytimes.com/2008/08/03/magazine/03trolls-t.html?pagewanted=all
[13] M. Raymond, “How Tweet It Is!: Library Acquires Entire Twitter Archive,” 14 Apr. 2010, http://blogs.loc.gov/loc/2010/04/how-tweet-it-is-library-acquires-entire-twitter-archive/
[14] B. Borsboom, B. van Amstel, and F. Groeneveld, “Please Rob Me,” http://pleaserobme.com
[15] D. Love, “13 People Who Got Fired for Tweeting,” 16 May 2011, http://www.businessinsider.com/twitter-fired-2011-5?op=1
[16] C. Smith and C. Kanalley, “Fired Over Facebook: 13 Posts That Got People Canned,” http://www.huffingtonpost.com/2010/07/26/fired-over-facebook-posts_n_659170.html
[17] https://twitter.com/BPglobalPR
[18] http://curl.haxx.se/
[19] http://jonathonhill.net/2012-05-18/unshorten-urls-with-php-and-curl/
[20] http://www.securingsocialmedia.com/resources/