Social networks security risks - Presentation Transcript
SECURITY & PRIVACY ON SOCIAL NETWORKS
Omar M Alsuhaibany, CISSP, GCFA, ISO 27001 LA
It’s not only about Facebook :)
Before Social Networks
Social Networks
A Social Network definition
Wikipedia defines it as: A social network is a social structure made up of individuals (or organizations) called "nodes", which are tied (connected) by one or more specific types of interdependency, such as friendship, kinship, common interest, financial exchange, dislike, or relationships of beliefs, knowledge or prestige.
Examples of Social Networks?
Facebook, LinkedIn, Twitter
Even more media: RSS feeds, blogs, wikis, web chat, podcasts, mashups, photo/video sharing, virtual worlds
Common Web 2.0 Vulnerabilities
Phishing
Spam
Malware
Cross Site Scripting
SQL Injection
Authentication and Authorization Flaws
Information Leakage
Insecure Storage
Insecure Communications
Some Web 2.0-Specific Vulnerabilities
On top of that list we have some vulnerabilities specific to Web 2.0:
XSS Worms
Feed Injections
Mashup and Widget Hacks
Well, first things first: Passwords!!!
Is it a new thing? No, however it’s different.
Password sloth: using the same password on several sites is like trusting the weakest link in a chain to carry the same weight.
Using the same password as your email when the login username is your email!!
According to FB stats, more than 50% use the same password.
Avoid using the same password on multiple sites.
Do not synchronize account information with organization login credentials.
Phishing (cont’d)
Major phishing attempts: a simple "look at this" message
Users directed to fbstarter.com, fbaction.net
Phished credentials used to automatically log in and send more mail
Some users report passwords changed
Phishtank reports Facebook as the 7th most common target, behind only banks, PayPal and eBay
"Social phishing" is far more effective
Phishing (cont’d)
72% successful in a controlled study
No TLS for the login page
No anti-phishing measures
Frequent genuine emails with login links
Users don’t consider social network passwords valuable
Web 2.0 sites encourage password sharing…
Facebook is doing a good job, but still!
Spam
Spam is not only for spamming purposes, although it is annoying.
All new types: followers, friend requests, fake accounts
Cross Site Scripting (XSS)
New to Web 2.0? No
Is this worse in Web 2.0? Yes
XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content.
XSS Worms
New to Web 2.0? Yes
Self-propagating XSS code injected into a web application, which spreads when users visit a page.
The first XSS worm, 4 years ago, spread through MySpace: 1 million+ infections in 24 hours
Feed Injections
New to Web 2.0? Yes
Feed aggregators receive data from various untrusted sources. The data being received can be malicious and exploit users.
Remote Zone Risks: web browsers or web-based readers fall in this category; attacks such as XSS and CSRF are possible
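The XSS and feed-injection points above come down to one thing: untrusted text reaching the browser without output encoding. The following Node.js example is added here and is not from the slides; the status-rendering functions, the feed item shape ({ title, link }) and the sample payloads are constructed for illustration.

```javascript
// Added example, not from the slides: rendering user-supplied status text and
// aggregated feed items with and without output encoding. Runs under Node.js.

// Encode the five characters that let text break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the status text is concatenated straight into the page.
function renderStatusVulnerable(author, status) {
  return `<div class="status"><b>${author}</b>: ${status}</div>`;
}

// Hardened: every untrusted value is encoded for the HTML context it lands in.
function renderStatusSafe(author, status) {
  return `<div class="status"><b>${escapeHtml(author)}</b>: ${escapeHtml(status)}</div>`;
}

// Feed aggregator case: items arrive from many untrusted feeds. The title goes
// into a text node, the link into a quoted href, and only http(s) links survive
// (a javascript: link in a feed item is otherwise an XSS vector on click).
function renderFeedItem(item) {
  let href = '#';
  try {
    const url = new URL(item.link);
    if (url.protocol === 'http:' || url.protocol === 'https:') href = url.href;
  } catch (_) { /* malformed link: keep the inert '#' */ }
  return `<li><a href="${escapeHtml(href)}">${escapeHtml(item.title)}</a></li>`;
}

// Constructed sample inputs: a hostile status update and a hostile feed item.
const hostileStatus = '<script>alert("xss")</script>';
const hostileFeedItem = { title: '"><img src=x onerror=alert(1)>', link: 'javascript:alert(1)' };

function demo() {
  return {
    vulnerable: renderStatusVulnerable('alice', hostileStatus),
    safe: renderStatusSafe('alice', hostileStatus),
    feed: renderFeedItem(hostileFeedItem),
  };
}
```

Note that encoding is context-specific: the same escapeHtml is not sufficient for values placed inside a <script> block or a CSS context.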
Mashup and Widget
New to Web 2.0? Yes
Mashups and widgets are core components of Web 2.0 sites. The rich functionality they provide can be exploited by attackers through attacks such as XSS.
Mashup and Widget (cont’d)
The mashup site is the middleman: do you trust it?
Multiple inputs, one output
Mashup communications could leak data
Mashups require cross-domain access.
Mashup and Widget (cont’d)
Information Leakage
New to Web 2.0? No
Is this worse in Web 2.0? Yes
Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems.
Information Leakage (cont’d)
A simple lack of error handling leaking information.
Normal request:
http://www.examplesite.com/home.html?day=Monday
I add a little something onto the URL:
http://www.examplesite.com/home.html?day=Monday AND userscolumn=2
No error handling = information leakage. The response reveals the database driver, the failing query detail, the script path and the line number:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14) [Microsoft][ODBC SQL Server Driver][SQL Server] Invalid column name /examplesite/login.asp, line 10
Information Leakage (cont’d)
What makes this worse in Web 2.0?
Business logic and validation moved to the client side
Web 2.0 apps do a lot of work on the client side: validation of data, business logic and handling of sensitive data
You need to back these up with server-side checks
Never assume sensitive data will be safe on the client
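To make the two previous slides concrete, here is the home.html?day=... request handled first with client-only validation and verbatim error echo, then with server-side validation, parameter binding and a generic error response. This Node.js example is added here and is not from the slides; the database is a constructed fake that raises the verbose driver error quoted above, and fakeDbQuery, handleVulnerable and handleHardened are illustrative names.

```javascript
// Added example, not from the slides: the home.html?day=... request handled two
// ways. The database is a constructed fake so the code runs offline in Node.js.

// Constructed fake DB. '?' placeholders are bound from params; an unknown
// column name appearing outside string literals raises the verbose error.
function fakeDbQuery(sql, params = []) {
  const outsideLiterals = sql.replace(/'[^']*'/g, "''");
  if (/userscolumn/i.test(outsideLiterals)) {
    throw new Error('Microsoft OLE DB Provider for ODBC Drivers (0x80040E14) ' +
      '[SQL Server] Invalid column name /examplesite/login.asp, line 10');
  }
  let i = 0;
  const bound = sql.replace(/\?/g, () => `'${params[i++]}'`);
  return [{ query: bound, posts: 3 }];
}

// Vulnerable: the parameter is concatenated into SQL (only client-side
// validation existed) and any exception is echoed to the browser verbatim.
function handleVulnerable(query) {
  try {
    const rows = fakeDbQuery(`SELECT * FROM posts WHERE day = '${query.day}'`);
    return { status: 200, body: JSON.stringify(rows) };
  } catch (err) {
    return { status: 500, body: err.message }; // leaks driver, file and line
  }
}

const DAYS = new Set(['Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat', 'Sun']);
const serverLog = []; // stands in for a real server-side log sink

// Hardened: re-validate on the server against an allowlist, bind the value as
// a parameter, and if the DB still fails, log the detail internally and return
// only an opaque reference to the user.
function handleHardened(query) {
  const day = String(query.day ?? '');
  if (!DAYS.has(day)) return { status: 400, body: 'Invalid day' };
  try {
    const rows = fakeDbQuery('SELECT * FROM posts WHERE day = ?', [day]);
    return { status: 200, body: JSON.stringify(rows) };
  } catch (err) {
    const ref = `ERR-${serverLog.length + 1}`;
    serverLog.push({ ref, detail: err.message });
    return { status: 500, body: `Something went wrong (reference ${ref})` };
  }
}

// Constructed request: the "little something" added onto the URL on the slide.
const tamperedQuery = { day: "Mon' AND userscolumn=2 --" };
```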
Authentication and Authorization Flaws
New to Web 2.0? No
Is this worse in Web 2.0? Yes
These flaws can lead to the hijacking of user accounts and privilege escalation, undermine authorization and accountability controls, and cause privacy violations.
Authentication and Authorization Flaws (cont’d)
Authentication and Authorization Weaknesses
Passwords with no maximum age, and no reasonable length or complexity requirements
Lack of brute-force protection
Broken CAPTCHA systems
Security through obscurity
Session Management Weaknesses
Lack of sufficient entropy in session IDs
Predictable session IDs
Lack of sufficient timeouts and maximum lifetimes for IDs
Using one session ID for the whole session
Authentication and Authorization Flaws (cont’d)
What makes this worse in Web 2.0?
CAPTCHAs are used to provide strong A+A but are often weak
More access points in Web 2.0 applications
The use of single sign-on leads to a single point of failure
Growth in other attacks further undermines A+A
Insecure Storage and Communications
New to Web 2.0? No
Is this worse in Web 2.0? Yes
These flaws could allow sensitive data to be stolen if appropriate strong protections aren’t in place.
Insecure Storage and Communications (cont’d)
Insecure storage of data
Not encrypting sensitive data
Hard-coding keys and/or insecurely storing keys
Using broken protection mechanisms (e.g. DES)
Failing to rotate and manage encryption keys
Insecure communications
Not encrypting sensitive data in transit
Only using SSL/TLS for the initial logon request
Failing to protect keys whilst in transit
Emailing clear-text passwords
Insecure Storage and Communications (cont’d)
What makes this worse in Web 2.0?
More data in more places, including client-side storage
Mixing secure and insecure content on a page
And now with the Cloud!!!
Browsing Habits and Experience have Changed…
Trigger finger (clicking on everything).
Inboxes contain everything from drink requests to cause requests; do not get into the click habit unless you are ready to deal with drive-by downloads and zero-day attacks.
A little on Privacy …
3rd-party apps on Facebook
Anyone can create a Facebook app
Many of the agreements you must accept give the company the right to monitor your data and sell it without informing you.
Tracker information can be built into any application.
Mixing personal with professional: commonly on Facebook, where one’s friends include business associates, family members and friends.
Engaging in Tweet (or Facebook/LinkedIn/Myspace) rage: imagine you are at a party where everyone is listening, including your boss, spouse and future employer.
Data = $$$
Steal your money directly
Sell your data
Trick your friends and family into supplying personal data
Sell your identity
Use your accounts to spread spam, malware and more data-theft scams
Sell your organization’s data or sensitive information
Blackmail individuals and organizations
URL Shortener Risks
bit.ly, hex.io, zi.ma …etc
Where will the URL take you? A dubious link via email? Hover your mouse or check the HTML
A new way for email phishing scams
DDoS with iframes
Easily escaping spam filters
Even more dangerous: what if the shortener site itself got hacked?
Use a “see before you click” functionality or extension. Example: j.mp
Malware example: Koobface
The Koobface worm and its associated botnet have gained notoriety in security circles for their longevity and history of targeting social networking sites. First surfacing in 2008 within MySpace and Facebook, the worm resurfaced in early 2009, this time targeting Twitter users. Using phishing techniques, the message directs recipients to a third-party website, where they are prompted to download what is purported to be an update of the Adobe Flash player.
11/10/2009 - As part of a new Koobface attack, links to Google Reader URLs controlled by cyber-criminals are being spammed by Koobface onto social network sites, including Facebook and MySpace. The hundreds of Google accounts involved host a page with a fake YouTube video. Attempts to view this supposed video expose Windows users to infection by Koobface. Upon successful infection, Koobface ultimately attempts to gather sensitive information from the victims, such as credit card numbers.
Facebook Widget Installing Spyware
Prompts users to install the infamous "Zango" adware/spyware.
Twitter hacking example:
Select victim group using any one of a number of Twitter trend tools.
Select malware based on device or location info.
Upload malware to dropbox.com and request a public link for the uploaded file.
Use a URL shortening service to obfuscate the URL.
Send tweet to target referencing information or post with keywords so that all individuals “tracking” the keywords will be notified of a new tweet on the subject they are tracking.
Scareware Tweets
Scareware is fake anti-virus – instead of protecting your computer it infects it
Scammers create multiple tweets that direct you to a scareware page. They then try to frighten you into believing you have a security problem and need their software to address it
Other scareware attacks aim to:
Take control of your computer to send spam
Hold your computer to ransom
Result: Malware infection
Security analysis difficulties with Web 2.0
More code and complexity in Web 2.0 apps
At least two languages to analyze (client and server)
User-supplied code might never be reviewed
Dynamic nature increases risk of missing flaws
Increased number of input points
Basics of Social Networking Security
Never post personal information online
Everything you post is public information
If you don’t feel comfortable with everyone seeing it, then don’t put it online
Configure security settings on all sites
Most websites you log into have security configurations
Set the privacy levels in accordance with what you are posting
Change your password regularly
Use phrases, not words
Do not keep a “master” password
Never trust e-mails asking for personal information
An official organization will never ask you to disclose any private information in order to correct an error
Basics of Social Networking Security (cont’d)
Do not friend anyone you do not know and trust
Hackers and spammers are more clever than you think. There is a reason many online scams are called “social engineering”
Clean out your friend list regularly
Watch for hacked friend accounts: unusual posts or requests, posting “shock sites”
Beware of third-party apps
Many require you to sign an agreement giving them the right to sell your information
Malicious code can be written into the program
Delete unused apps: if you are not using them, then why let them potentially mine data about you?
If you are unsure about an app, a post or anything else, then Google is your best friend
Basics of Social Networking Security (cont’d)
Caution about posting your location online
People are watching where you will be and, more importantly, where you will not be
Check your security settings monthly
Facebook sets all profiles to public with each site redesign
Apps may disable your security settings
Viruses and malware may disable your security settings
Consider using private browsing
Private browsing allows you to view websites without storing your history or installing cookies
Private browsing shortcuts:
Firefox – Ctrl + Shift + P
Internet Explorer 8 – Ctrl + Shift + P
Opera – Ctrl + Shift + N
Google Chrome – Ctrl + Shift + N
Don’t stay logged on