Security Dangers of Social Networking
This is a presentation Bill gave at the May 2009 NAISG meeting on the security dangers of such social networking entities as Facebook, LinkedIn and Twitter.

1. Slapped in the Facebook: The wonders (and security threats) of social networking
   Presentation for the National Information Security Group (NAISG), May 2009 monthly meeting

2. About the presenter…
   - About me…
   - Bill Brenner (BillBrenner70)
   - On the NAISG Board of Directors since 2006
   - A Facebook/LinkedIn/Twitter junkie who is learning to use these tools with security in mind.
   - Senior Editor at CSO

3. With a cameo from…
   - Jack Daniel and his sock puppets
   - One of the top security voices on Twitter, fellow NAISG board member
   - As for the sock puppets, the man might have some issues

4. First, a look at the world we’re living in…
   - Twouble with Twitters:
   - Savage Chickens:
5. Usefulness of the medium…
   - Jack’s on Twitter all the time, so it can’t be that insecure, right?
   - I’ve gotten a ton of networking value from LinkedIn, and have worked a much wider range of security sources into my content as a result. I’ve been able to use Twitter with similar results.
   - Many of my security contacts are Facebook friends, but that one has become more about catching up with people I stopped caring about in 4th grade.
   - In all, these are great tools to connect with people worth having in your professional and personal life.

6. How it’s changing the face of tech media
   - It has quickly become a standard requirement for publications to have a Twitter/Facebook/LinkedIn presence.
   - The old days: Reporters rummaged through phone books and a Rolodex. Today: They ask a question in one of these forums, leave their e-mail and phone number, and wait for the responses to pour in.
   - 2004ish: Around this time, people joined e-mail forums to exchange ideas, ask questions, etc.
   - Today: It’s all being done in the Web 2.0 social networking realm.
   - Requires the media to participate in the conversation in real time.
7. What’s out there…
   - B-to-B networking, good place to ask questions and get answers, reach out to experts in your field. Job board as well.

8. My use of LinkedIn
   - LinkedIn is my personal favorite because of the sheer number of groups. For security alone, I’m in 30-plus groups that deal with such specialized matters as identity management, vulnerability disclosure, digital forensics, port security, etc.
   - By asking targeted questions within the discussion threads of these individual groups, I’m better able to work the best sources into the particular issue I’m writing about.
   - In the process, I’ve grown my user/CSO contact base significantly, and these sources stay in touch with me about the pain points of their jobs.
   - Goal: Make CSO a true force on these groups, a source people truly rely on to do their jobs more effectively. So far, so good.

9. What’s out there…
   - Great place to connect with business associates, colleagues etc. But the more you use it, the more it becomes a hang-out for friends and relatives. Not that there’s anything wrong with that.
   - Like Twitter, though, I find that Facebook is an excellent tool for proliferating our content.

10. What’s out there…
   - Micro-blog. Lots of fun. Kind of like being in a crowded bar where you yell to be heard.
   - We’re all using it to push out our content, ask questions of the experts we’re following, etc.

11. What’s out there…
   - Closer in style and purpose to Facebook. Some say it’s trashier. I’m not using it.

12. Like every good thing…
   - There’s a big security risk: people who have the access but not the scruples.
13. Exhibit A:
   Slapped in the Facebook: Social Networking Dangers Exposed
   ShmooCon 2009: Two security researchers demonstrate the many ways bad people can tamper with your Facebook account, MySpace page or LinkedIn profile
   By Bill Brenner, Senior Editor
   February 07, 2009 — CSO —

   WASHINGTON, D.C. -- For many people, social networking has become as much of a daily routine as brewing coffee and brushing teeth. IT administrators dislike it and cyber crooks depend on it.

   That's because most of the time people spend on MySpace, Facebook, LinkedIn, Twitter and elsewhere is during work hours -- on work machines.

   At the ShmooCon 2009 security conference in the nation's capital this weekend, two security researchers demonstrated the many reasons why this is bad.

   In a presentation called "Fail 2.0: Further Musings on Attacking Social Networks," Nathan Hamiel and Shawn Moyer guided attendees through attacks made easy because of the very nature of these sites, where users can upload and exchange pictures, text, music and other content with little effort.

   "Social networking sites are meant to get as many users in one place as possible on one platform, and for attackers there's a lot of return-on-investment in going after them," Moyer said, describing the climate as a perfect storm of social engineering and bad programming.

   Through a variety of easy tricks, attackers can hijack a person's social network account to use as a launching pad for additional attacks against other users, other Web 2.0-based applications, and so on. Social networks can also be incorporated into micro botnets and, by rummaging through a page of misfired direct messages on Twitter, a motivated attacker can unearth the cell phone numbers of prominent people.

14. Exhibit B:
   3 Ways Twitter Security Falls Short
   Social-networking tool Twitter has become this year's "it" platform. But experts say it still has some work to do on its security
   By Joan Goodchild, Senior Editor
   February 18, 2009 — CSO —

   The popular micro-blogging platform Twitter continues its explosive growth. Twitter experienced a 900 percent increase in active users in the last year, according to a recent blog post from Biz Stone, the company's co-founder. People are increasingly using it to get breaking news updates, to collaborate with colleagues remotely, and connect with friends on an up-to-the-minute basis. Some businesses are using it as a new promotion and marketing tool.

   Despite the popularity, Twitter still has a lot to do when it comes to securing the platform (See: Three Ways a Twitter Hack can Hurt You). We spoke with two security experts about three areas where Twitter poses some significant risks.

15. 2-23-08
   - Hackers ramp up Facebook, MySpace attacks -- Five-exploit tool kit includes code aimed at Image Uploader ActiveX control

16. 1-6-09
   - Bogus LinkedIn profiles punt malware to fools
   - Beyoncé's not your friend, you berk
   - LINKEDIN IS NOT IMMUNE, EITHER
17. “Fail 2.0: Further Musings on Attacking Social Networks,” by Nathan Hamiel and Shawn Moyer
   - At the 2009 ShmooCon conference in D.C., the duo guided attendees through attacks made easy because of the very nature of these sites, where users can upload and exchange pictures, text, music and other content with little effort.

18. “Fail 2.0: Further Musings on Attacking Social Networks,” by Nathan Hamiel and Shawn Moyer
   - The demonstrations the duo ran through included:
   - Creating imposter profiles on LinkedIn, assuming the identity of someone prominent, and friending as many people as possible. For the sake of experimentation, the researchers created a fake profile for a well-known security leader (with permission) and accumulated 50-plus connections in less than a day, many of them CSOs and other bigwigs.
   - Showing how to sabotage the MySpace page of someone you're not directly connected with via the profile of a common connection. This example involved fake MySpace pages for rocker Alice Cooper and actors Eva Longoria and Bob Saget. In this scenario, Cooper and Longoria are connected to Saget but not to each other. Longoria wants to connect with Cooper, who refuses, and she responds by using their common connection to Saget to access and deface Cooper's page.
   - Rummaging through a site that accumulates old direct messages originally sent out through Twitter. With enough patience, the bad guy can find and exploit such discoveries as phone numbers, e-mail addresses and other personal information that was originally meant for individuals rather than the general Tweeting public.
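The third demonstration (mining an archive of misfired direct messages for phone numbers and e-mail addresses) needs no patience at all once it is scripted. The block below is an added example, not code from the presentation or from the Hamiel/Moyer talk: it scans a constructed, entirely made-up sample timeline for status updates that begin with the old `d <user>` direct-message syntax, pulls out anything that looks like a phone number or e-mail address, and groups the results by the account that leaked them, which is the attacker's view. A `redact` function shows the defensive inverse: the same patterns applied before a message is posted. The handles, dates and numbers are all invented.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample archive (made up for this example): a public timeline in
# which some users typed the old "d <user> <message>" direct-message syntax
# into a normal status update, so the private message went out publicly.
SAMPLE_TIMELINE: List[Tuple[str, str, str]] = [
    ("2009-02-01", "alice_sec", "d bob call me on 617-555-0142 re: the shmoocon talk"),
    ("2009-02-01", "bob_ops", "heading to dc, see you at the hotel bar"),
    ("2009-02-02", "cso_jane", "d alice send the draft to jane.doe@example.com before 5"),
    ("2009-02-03", "randomuser", "lol that chicken comic"),
    ("2009-02-03", "alice_sec", "d jane my cell is (617) 555-0199, office 617.555.0100"),
]

# Misfired DM marker: the message body starts with "d <handle> ".
MISFIRED_DM_RE = re.compile(r"^d\s+(\w+)\s+", re.IGNORECASE)
# North American phone numbers in the common written forms
# (617-555-0142, 617.555.0142, 617 555 0142, (617) 555-0142).
PHONE_RE = re.compile(r"(?<!\d)(?:\(\d{3}\)\s*|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)")
# Good-enough e-mail address pattern for scanning free text (not RFC-complete).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass(frozen=True)
class Finding:
    date: str
    author: str                # account that leaked the value
    recipient: Optional[str]   # intended recipient, if the "d <user>" prefix is present
    kind: str                  # "phone" or "email"
    value: str


def scan_timeline(timeline: List[Tuple[str, str, str]]) -> List[Finding]:
    """Return every phone number / e-mail address found in the archive, in order."""
    findings: List[Finding] = []
    for date, author, text in timeline:
        m = MISFIRED_DM_RE.match(text)
        recipient = m.group(1) if m else None
        for phone in PHONE_RE.findall(text):
            findings.append(Finding(date, author, recipient, "phone", phone))
        for email in EMAIL_RE.findall(text):
            findings.append(Finding(date, author, recipient, "email", email))
    return findings


def profile_targets(findings: List[Finding]) -> Dict[str, Dict[str, Set[str]]]:
    """Group leaked values by the account that posted them: the attacker's dossier."""
    profiles: Dict[str, Dict[str, Set[str]]] = {}
    for f in findings:
        profiles.setdefault(f.author, {}).setdefault(f.kind, set()).add(f.value)
    return profiles


def redact(text: str) -> str:
    """Defensive counterpart: strip the same patterns before anything is posted."""
    return EMAIL_RE.sub("[email]", PHONE_RE.sub("[phone]", text))


if __name__ == "__main__":
    found = scan_timeline(SAMPLE_TIMELINE)
    for f in found:
        print(f"{f.date} {f.author:>10} -> {f.recipient or '(public)':>8}: {f.kind}={f.value}")
    print(profile_targets(found))
    print(redact(SAMPLE_TIMELINE[4][2]))
```

Run against the sample, four findings come back (three phone numbers and one address), and the dossier for `alice_sec` holds all three numbers even though each was "meant for" a different person. The regexes are deliberately loose, which is the point: an attacker tolerates false positives, so a defender's pre-post filter should be at least as permissive.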
19. “Fail 2.0: Further Musings on Attacking Social Networks,” by Nathan Hamiel and Shawn Moyer
   - "Any application can be used to attack other applications and an application can be used to view your entire file if the privacy settings are off. Even if you put the privacy settings in place, you should assume you are screwed." Nathan Hamiel

20. What to do?
   - LinkedIn, Facebook, Twitter Users Beware
   - [FUD Watch with CSO Senior Editor Bill Brenner] The headlines are full of doom and gloom about attacks against Twitter, Facebook and LinkedIn users. Take this threat seriously, but don't let the alarming headlines drive you away.

21. This is like everything that came before…
   - E-mail, Web 1.0-2.0 etc.
   - Social engineering never fails the attacker
   - User education is key
   - Companies might want to start thinking about social networking cans and can’ts in the official user policy.

22. And now, a few words from jack_daniel
   - That’s his Twitter handle, BTW

23. Thanks!
   - Questions?
   - Comments?
   - Tweets?