Social Media Security
Presentation by Jim McDougal at the November 10th 2009 Social Media in State Government Idea Exchange - held at the SC State Library

Social Media Security Presentation Transcript

  • 2. Introduction to Social Networking
    Massive adoption in the consumer market
    MySpace, Facebook, LinkedIn, Friendster
    SecondLife
    Ning , etc.
    Statistics on Facebook
    Over 64,000,000 users
    Over 250,000 new registrations per day
    Over 200,000 developers have submitted some sort of Facebook application using basic programming skills and there are over 15,000 official apps
    Users can add up to 20 friends per day
    Facebook apps can be thought of as XHTML snippets embedded in the site's pages: they inherit all the properties of ordinary web applications, including their vulnerability classes
  • 3. Ideal Exploitation Platform?
    Social networks have intrinsic properties that make them attractive to an adversary:
    Difficult to police: a very large and distributed user base
    Trust network: clusters of users sharing the same social interests develop trust in each other
    An open platform for third-party applications that general users find attractive and readily install
  • 4. Other Precedents?
    One way to think about the broader risk social networking poses to critical infrastructure is by analogy with state-sponsored attackers
    The “People’s War” concept described in Dragon Bytes: many home computers used as soldiers
    A similar problem has been seen with Gnutella used as a DDoS platform
    A rogue social network app could be used in the same manner, or worse
  • 5. Two Social Networking Sites = 91 Percent of Phishing Attacks
    In an analysis of cyber crime activity in the 2nd half of 2007, security vendor Symantec Corp. found that two social networking sites together were the target of 91 percent of U.S.-based phishing Web sites. Social networking sites also were the leading targets of phishing sites located in four other countries listed by Symantec in its phishing Top 10.
    Source: Symantec Corp.
    Hijacked social networking pages are often used to host malicious software ("malware") directly, or to host links to phishing or malware sites that are then advertised in messages sent to all of the contacts in the victim's social network.
  • 6. Top Targeted Phishing Sites
  • 7. Why Don’t We Just Ban It All?
    Banning public social networking sites from corporate use may help with the distraction factor and with some of the other technical issues, but:
    In many cases, there is just too much personal information posted on these sites
    Information such as the full names of parents, pets, schools and other “keys” that are used to unlock personal and professional accounts
    Embarrassing or inappropriate pictures that could be used in blackmail scenarios (think Cold War)
    Lifestyle information that may create personal or professional problems
  • 8. Taking It to the Extreme
    If an adversary were able to develop an application as successful as FunWall, for example, a victim host would have to cope with about 23 Mbit/sec of unsolicited traffic and nearly 248GB a day of unwanted data
    Of course, this assumes a lot about bandwidth and the lack of proper network and security management…
    But, adversaries don’t need all that bandwidth.
  • 9. Here's a look at the seven most lethal social networks hacks:
    1) Impersonation and targeted personal attacks
    2) Spam and bot infections
    3) Weaponized OpenSocial and other social networking applications
    4) Crossover of personal to professional online presence
    5) XSS, CSRF attacks
    6) Identity theft
    7) Corporate espionage
    Social Networking
  • 10. Social Networking
    Because of its huge base -- last month Facebook said it had more than 300 million users -- the site is a frequent target for hackers and identity thieves
    10-28-2009
    Researchers at several security firms have uncovered a spam campaign targeting Facebook users. The e-mails, which pose as communications from Facebook about password resets, contain a nasty downloader that ultimately makes users part of a notorious botnet.
    10-02-2009
    Facebook Attackers May Have Cracked CAPTCHA
    Researchers at AVG Technologies may have uncovered a scheme by attackers to circumvent the CAPTCHA protections on Facebook to create fraudulent accounts.
    02-09-2009
    Rik Ferguson, senior security advisor for Trend Micro, said the social networking Web site based in Palo Alto, Calif., has been hit in the past week with four malicious applications and a new version of the Koobface virus that was first detected in December 2008, the BBC reported Monday
  • 11. Avoiding Social Engineering and Phishing Attacks
    How do you avoid being a victim?
    Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
    Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
    Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
    Don't send sensitive information over the Internet before checking a website's security (see Protecting Your Privacy for more information).
    Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
  • 12. If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).
    Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (see Understanding Firewalls, Understanding Anti-Virus Software, and Reducing Spam for more information).
    Take advantage of any anti-phishing features offered by your email client and web browser.
  • 13. http://www.staysafeonline.org/blog/staying-safe-social-media-web-sites
    http://www.thetechherald.com/article.php/200938/4434
    http://www.us-cert.gov/cas/tips/ST04-014.html
    http://www.justaskgemalto.com/us/focus/managing-your-digital-identity-social-media-sites
    http://edition.cnn.com/2009/TECH/07/16/twitter.hack/