Infocom Security

  • 315 views
Uploaded on

Opportunities & threats of Social Nets

Opportunities & threats of Social Nets

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
315
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
0
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Opportunities and threats of Social Networks Very popular: 70% of web users visit social networks Internet social networks (web 2.0) - FaceBook 500+M - MySpace 200+M - Twitter ~100M (excellent revolution tool !!!) - LinkedIn 90M - YouTube, Hi5, Xing and many others by Michalis Mavis, MSc Telecommunications & IT Security ProfessionalINFOCOM Security 5th April 2011 1
  • 2. THE ENISA Report (Feb-2010) • According to ENISA report experiencing online Social Networking Sites (SNSs) has become one of the most popular activities carried out on the Internet, for staying in touch with business and personal contacts. • According to recent statistics more than 65 million active users are accessing Facebook through their mobile devices => European Network and Information Security AgencyINFOCOM Security 5th April 2011 2
  • 3. Agenda• Understanding the dangers of social networks (SNs) to corporate security and personal privacy.• Discussing methods to protect you and your business.• Identify the dangers for the industry.• Legal and illegal methods used to get confidential information by using SNs.• Opportunities of SNs in investigations.INFOCOM Security 5th April 2011 3
  • 4. Definition - Social Network ( web 2.0 ) It is an online community that allows people, through a built-up profile, to meet, communicate, keep in touch, share pictures and videos with other community members with whom a connection is sharedINFOCOM Security 5th April 2011 4
  • 5. Attack to privacy from: • Third parties that gain fraudulent access to personal data. • Other users • Platform provider personnel that may override privacy settings and gain access to information (e.g. IP address, browser type, etc.) leaking this info to search engines, third parties.INFOCOM Security 5th April 2011 5
  • 6. Major risks and threats• Identity theft.• Malware propagation• Corporate data leakage and reputation risk.• User’s position tracking (when the user mobile phone is equipped with the necessary technology – map function ).• Data misuse.INFOCOM Security 5th April 2011 6
  • 7. Computer wormINFOCOM Security 5th April 2011 7
  • 8. Malicious ApplicationsFrom time to time, social networks are hit with malicious applications. Trend Micro has recentlyfound a number of rogue apps on Facebook (with names such as “Stream” and “BirthdayInvitations”) that sent users to a known phishing domain, with a page claiming they needed to entertheir login credentials to use the application. Victims would then be directed to the Facebook site.Facebook removed six of the apps identified by Trend. Unfortunately, more popped up. Usersshould be aware of apps from unknown developers, especially those that request personalinformation.Rogue applications on Facebook (Stream, Birthday invitations), that sent users to known phishing domains. INFOCOM Security 5th April 2011 8
  • 9. Faked facebook web site to steal your credentials…INFOCOM Security 5th April 2011 9
  • 10. INFOCOM Security 5th April 2011 10
  • 11. The study by ISACA (Information Systems Audit and Control Association) ISACA (2010 study) isnt warning companies not to use Web 2.0 tools or to not fully embrace social networking. However, they need to go into it with their eyes wide open to the risks as well as the benefits.INFOCOM Security 5th April 2011 11
  • 12. Golden Rules• Pay attention to what you post and upload. Consider carefully which images, videos and information you choose to publish.• Never post sensitive info and if needed use a pseudonym.• Verify all your contacts and do not accept friend requests from people you don’t know.• Protect your work environment and avoid reputation risk• Use privacy and security oriented settings in your profile.• Deactivate location bases services of your mobile phone if you don’t need them.INFOCOM Security 5th April 2011 12
  • 13. Facebook faces legal action in Germany for mining information of non users saving private information of individuals who dont use the site and havent granted it access to their detailsINFOCOM Security 5th April 2011 13
  • 14. Where and how … ?• Intelligence gathering. Sometimes there is no reason to spend a lot of money to gather useful information. It is available free on the Internet, by using the right tools.• With the use of the right tools and techniques you may find extremely useful information about competitors, individuals, governments, companies and not only.• It is possible by using legitimate or illegal ways.• But you should know how and where to search for…INFOCOM Security 5th April 2011 14
  • 15. O.S.INT (Open Source INTelligence) gathering Be alerted by Google ! Google Alerts (Email updates of latest relevant results) http://www.google.com/alerts • Keeping current on a competitor or industry. • Getting the latest on an event. • Keeping tabs on your favorite issues. • Monitoring a developing news story. A good source on mining news on the net can be found here : http://www.spylogic.net/2009/10/enterprise-open-source-intelligence-gathering- part-1-social-networks/ http://www.spylogic.net/2009/10/enterprise-open-source-intelligence-gathering- %E2%80%93-part-2-blogs-message-boards-and-metadata/ http://www.spylogic.net/2009/10/enterprise-open-source-intelligence-gathering- part-3-monitoring/INFOCOM Security 5th April 2011 15
  • 16. BLOGS postings• Blogs can be searched via any traditional search engine, however, the challenge with blogs are not the posts themselves but the comments.• Especially comments coming from current or former employees or customers on highly sensitive public relations issues.• It is important to be monitoring blogs and their comments, before they go viral.INFOCOM Security 5th April 2011 16
  • 17. “I hate my Job. My boss is a total…”INFOCOM Security 5th April 2011 17
  • 18. Leakage of confidential Info• Do you know what is being posted by your employees, customers, or your competition?• What does the Internet say about your company ?• We all know information or intelligence gathering is one of the most important phases of a penetration test.• However, gathering information and intelligence about your own company is even more valuable and can help an organization proactively determine the information that may damage your brand, reputation and help mitigate leakage of confidential information.INFOCOM Security 5th April 2011 18
  • 19. Serious FaceBook Security leak (UK)His wife published their holiday photo on FaceBook INFOCOM Security 5th April 2011 19
  • 20. Company data loss 17% of experienced company data loss is related to social networks (Source: Proofpoint Inc. - 2009 Survey). WHAT IS POSTED ON THE INTERNET ? Complaints by employees (e.g. In Twiter) Security Vulnerabilities of company network. Exposure of Confidential Information. Documents on the Internet contain METADATA !!!INFOCOM Security 5th April 2011 20
  • 21. The Super Cookies Risk• Some web sites put on your computer an invisible “super cookie” stored in a secret area of your computer or smart phone.• Specific Internet servers keep track of all your search history (associating your searches with this supper cookie).• When you built your profile on a Social Network these super cookies are connecting your pc cookie with your profile (name).• So some people may know what exactly you have searched on the Internet for many years in the past.INFOCOM Security 5th April 2011 21
  • 22. Internet postings metadata• Metadata (data about data) are in documents traditionally used for indexing files, and finding out information about : – The document creator. – s/w used to create the document, and many more...• By reading metadata you may discover – vulnerable versions of s/w, that can be used for client side attacks, – OS versions, – path disclosure, – user id’s and more…INFOCOM Security 5th April 2011 22
  • 23. Metadata (the silent Killer…)• Metadata are hidden from the user.• There are lots of tools to pull out metadata from documents and pictures (see paper by Larry Pesce in www.sans.org).• On a posted document a lot of revealing metadata may exist, like user id, OS, s/w version number, telephone number & email address of document owner, MAC address, document path, Location (city), etc…INFOCOM Security 5th April 2011 23
  • 24. WHAT SHOULD BE DONE ?• Removal of Internet postings, metadata.• Setting up a simple (cheap) monitoring program.• Built an Internet Posting Policy (who is responsible for authorization, what is confidential – when).INFOCOM Security 5th April 2011 24
  • 25. Ciscos’s Internet Postings Policy http://blogs.cisco.com/news/comments/ciscos_internet_postings_policy/INFOCOM Security 5th April 2011 25
  • 26. Social Networks as opportunity for investigations • Socnet Search Engines - RSS feeds/Google Hacks (Google Alerts + Google Reader) - Facebook status updates. - Photo Search. - YouTube Video Search. - Maltego + Mesh = WININFOCOM Security 5th April 2011 26
  • 27. Social Network Search Engines Search engines specifically look for “public” information on some of the major social networks. They only pull public information that can be easily indexed. While there are other ways to search specific social networks (like search.twitter.com or FriendFeed) there are search engines that search multiple networks and go beyond public information… Private information like the Facebook cannot be indexed without violating the TOS (Terms of Service) but … there are tools like Maltego that can have transforms written to “page scrape” private information. See : www.ethicalhcacker.net/content/view/204/24/INFOCOM Security 5th April 2011 27
  • 28. What is Maltego• Maltego is an open source intelligence and forensics application.• It allows to identify unknown key relationships between information elements.• Probably the best tool to “visually” show you information found on some of the social networks and the relationships that information has connected to it.• It works well for Twitter, Facebook, LinkedIn and MySpace profiles (publicly available).• The Twitter transforms are probably the highlight since you can dig into conversations as well.• The Facebook transform was specifically written to search within the Facebook network using a real user account. However, this transform doesn’t work anymore due to recent structural changes to the way Facebook HTML was coded. This transform violates Facebook TOS since it did screen scraping but when it did work it was a great way to search status and group updates not available to public search engines !• Hackers are trying to update the transform so it works again !!!INFOCOM Security 5th April 2011 28
  • 29. Maltego relationships• Maltego is an information gathering tool that allows you to enumerate network and domain information like: – Domain names – Whois information – DNS names – Netblocks – IP Addresses• Maltego also allows you to enumerate people information like: – Email address with person’s name – Web sites associated with a person’s name – Social groups associated with a person’s name – Companies and organizations associated with a person’s name. INFOCOM Security 5th April 2011 29
  • 30. Emails belonging to a person - Don Denzal (forensics information provided by Maltego tool)INFOCOM Security 5th April 2011 30
  • 31. Computer Based Social Engineering Tools: Maltego Mesh• Maltego answers the question ‘what binds these 10 email addresses together?’• Maltego also answers the question ‘what can you find on this IP address?’• By default Maltego Mesh searches for the following entities within a page: – IP Addresses – Email Addresses – Netblocks (IP addresses under a block) – Named entity Extraction (SillyNer) – Phone Numbers – Websites – DatesINFOCOM Security 5th April 2011 31
  • 32. More information…• For more information on Maltego and how to use it check out the work Chris Gates has done in his Maltego tutorials : www.ethicalhacker.net/content/view/251/24• Keep in mind, Maltego works great for finding information if you need it for a specific scope, like a penetration testing.• For automating monitoring, use Google or Yahoo Pipes.INFOCOM Security 5th April 2011 32
  • 33. INFOCOM Security 5th April 2011 33
  • 34. Why youd want to use Metago Mesh Its free (always a plus). It helps you find information quickly within a large page (no need to read an entire blog to find email addresses) Quickly have options like search on facebook with email addresses instead of having to browse to each site. The ability to add your own entities (eg, if you are looking for an internal customer-id and you know the format, you can add your own regular expression for it) Exploiting Human Vulnerabilities http://www.social-engineer.org/INFOCOM Security 5th April 2011 34
  • 35. CONCLUSIONS• Social Networks (SNs) is a useful but also risky environment.• Companies should establish rules and polices on the way they are used by their staff.• SNs may be an opportunity for information gathering in fraud investigations. Attention, a business oriented Social Network…THANK YOU. Michalis Mavishttp://gr.linkedin.com/in/mmavisINFOCOM Security 5th April 2011 35