This document discusses social networking security and privacy issues. It recommends users carefully adjust their privacy settings on social networks as the default settings often reveal too much information. It also advises users to be aware of what information is visible to friends, friends of friends, and public viewers. The document provides examples of security issues like identity theft and discusses some proposed models for improving social network security and privacy, including one that uses an independent agent to analyze user account activity logs while preserving user privacy.
2. Social Networking Security
Secure your social environment.
Facebook, MySpace, My Life, Google+
Privacy and Security Settings
Do not leave settings at their defaults
Go through the custom settings
87% of Facebook users have "Friends of Friends" set.
Settings change when Facebook changes; you need to re-check them, as we all know how often Facebook changes
3. Social Networking Security
To whom is your information available?
Friends, groups, friends of friends, everyone
Applications – privacy policies
What's available?
Where you are and how long you will be there
"Checking in"
Vacations – I'm going to be away, so I'm not HOME!
Confidential information useful for:
ID theft or answers to your secret questions
Posing as a friend
4. Table of Contents
Definition of social networking sites
Potential threats
Real life examples
Related work
A proposed model
5. Fig. 1 Fast growing number of patent applications in social network
6. Social Network Sites/Services (SNS), continued
Mimicking in-person interactions
Storing large amounts of personal information
Violating the principle of least privilege
Users inclined to reveal private info/activities to someone they know
Bringing security issues
7. Security issues from SNS
Accidental data release
Intentional use of private data for marketing purposes
Identity theft
Worms and viruses
And many more
8. A recent famous case:
MI6 chief's wife blows his cover on Facebook
Details on where they live and work, their friends' identities
Sir John Sawers on the beach in one of the family photos
9. Another case
US Marines prohibit Twitter, MySpace, Facebook. Effective immediately (as of Aug 03, 2009).
Will last a year. A waiver is possible.
11. Facebook Options
Facebook User
Facebook Page
Facebook Group
Open: All content is public
Closed: Limited public content; members can see all content.
Secret: Members and content are private.
12. Facebook Group Problems
1. Members can add friends: friends could add you to the new group
2. When Facebook group administrators step down, anyone else can take over
For small groups, administrators can edit the group name or info, moderate discussion, and message group members
13. Are there other risks?
"Checking In" shares your current location on Foursquare and Facebook Places
Benefits: Discounts and Offers
Risks: Confrontations and Break-ins
14. Cyberbullying vs. Traditional Bullying
The perpetrator can be anonymous
The size of the audience is enormous
The perpetrator has finer access to the target
There are no non-verbal cues (gestures, tone of voice, etc.) to clarify communication
The perpetrator does not witness the harm directly – no opportunity for empathy
15. Why don't young people report it?
Adults are seen as incapable with technology
Young people are digital natives while adults are digital immigrants
The expected solution – "just don't use the device or site"
Misunderstanding the importance of technology to young people
16. Minimize chances of being a victim
Set privacy settings carefully
Do NOT share passwords
Avoid websites that are designed for malicious purposes
Be vigilant
Report abuse on websites when it occurs
Save "cyber-footprints"
Block or de-friend offenders.
17. Facebook – the new background check
Employers are using social networks to screen job applicants – 91%
Screening is done early on
Facebook, Twitter, Flickr, YouTube give employers a personal view of candidates
Social Intelligence Corp. scours the Internet
18. Work that is being done
Matthew M. Lucas – flyByNight
Encrypts private information; separates sensitive data from Facebook servers and public access
Users must install a JavaScript client
The vulnerability of the flyByNight server is unknown
19. Work that is being done, cont'd
Andrew Besmer – user-to-application policy, in addition to the existing user-to-user policy and default application policy
Effectively limits the applications' access to users' private information
Complex, time-consuming settings for applications may impel users to skip applying proper policies
20. Facebook Security
Facebook provides easy tools to help you:
Keep track of your activity
Keep track of your logins
Control the information you share
Prove your identity if you ever lose access to your account
23. A User-Server-Agent Model Audits all access
Server audits users' activity information: log-in time, duration, IP addresses, access information
Users can view activities related to their own accounts
Agents can view all activities of specified accounts
Server provides the log upon request
24. A User-Server-Agent Model
What a user sees        What an agent sees
Kevin's visit           Kevin visits Sara
Bella's visit           Kevin visits Mike
Sara's visit            Kevin visits Dave
Mike's visit            Kevin visits Alice
Dave's visit
(Diagram: USER and INDEPENDENT INVESTIGATOR (AGENT))
25. A User-Server-Agent Model
(Diagram: User – Server – Independent Investigator (Agent))
Step I: User requests an investigation; the agent accepts
Step II: Agent analyzes information on the server
Step III: Agent provides results to the user
26. A User-Server-Agent Model
Agent receives the user's request with the account names encrypted
Alice sends a request about her concern over Kevin's activities
Agent will see "03tn90a" and "01ad53h" instead of "Alice" and "Kevin" in the request
Agent connects to the server and asks for information on account 01ad53h
After decryption, the server recognizes that the account name is Kevin
27. A User-Server-Agent Model
What action can an agent perform?
Use combined policies to detect unusual activities: IP address, multiple profiles accessed in a short time, inactive socializing activities
How can an agent help a user?
Simplest: suggest revoking the "friend" label of malicious users
Suggest the server take action on malicious accounts
Report to authorities when necessary
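The flow of slides 23 to 27, as an added example that is not from the slides or their authors: the server pseudonymizes account names before the agent sees anything, the agent applies the "many profile accesses in a short term" and "more than one IP address" rules to the pseudonymized log, and only the server maps pseudonyms back. The keyed-pseudonym scheme, the audit log entries and the thresholds are assumptions; the slides only say the agent sees ids such as "01ad53h" instead of "Kevin".

```python
from collections import Counter
from datetime import datetime
import hashlib, hmac

SERVER_KEY = b"server-secret-key"  # assumption: secret held by the server only

def pseudonym(name):
    """Keyed pseudonym for an account name (assumed scheme; the slides only say
    the agent sees an opaque id such as "01ad53h" instead of "Kevin")."""
    return hmac.new(SERVER_KEY, name.encode(), hashlib.sha256).hexdigest()[:7]

# Constructed audit log as the server records it: (actor, profile visited, time, IP)
AUDIT_LOG = [
    ("Kevin", "Sara",  "2009-08-03T10:00:00", "203.0.113.5"),
    ("Kevin", "Mike",  "2009-08-03T10:00:20", "203.0.113.5"),
    ("Kevin", "Dave",  "2009-08-03T10:00:45", "198.51.100.9"),
    ("Kevin", "Alice", "2009-08-03T10:01:10", "198.51.100.9"),
    ("Bella", "Alice", "2009-08-03T12:00:00", "192.0.2.7"),
]
ACCOUNTS = {pseudonym(n): n for n in ("Alice", "Bella", "Kevin", "Sara", "Mike", "Dave")}

def server_log_for(pseudo):
    """Server side: resolve the pseudonym, return that account's activity with
    every visited account pseudonymized again so the agent never sees names."""
    name = ACCOUNTS[pseudo]
    return [(pseudonym(visited), t, ip) for actor, visited, t, ip in AUDIT_LOG if actor == name]

def agent_analyze(entries, window=120, max_profiles=3):
    """Agent side: slide-27 rules, many profile accesses within `window` seconds
    and activity from more than one IP address. Operates on pseudonyms only."""
    findings = []
    times = sorted(datetime.fromisoformat(t) for _, t, _ in entries)
    for i in range(len(times)):
        burst = [t for t in times[i:] if (t - times[i]).total_seconds() <= window]
        if len(burst) > max_profiles:
            findings.append(f"{len(burst)} profile accesses within {window}s")
            break
    ips = Counter(ip for _, _, ip in entries)
    if len(ips) > 1:
        findings.append(f"activity from {len(ips)} IP addresses")
    return findings

def investigate(requester, subject):
    """Steps I to III of slide 25: the user requests, the agent analyzes on the
    server, and results go back keyed by the pseudonym the agent saw."""
    req = {"from": pseudonym(requester), "about": pseudonym(subject)}  # what the agent sees
    findings = agent_analyze(server_log_for(req["about"]))
    advice = "suggest revoking the friend label" if findings else "no unusual activity"
    return {"subject": req["about"], "findings": findings, "advice": advice}
```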