1. October 29, 2022
Social Networks: Minimizing The Risks Of The
New Frontier
Venkatasubrahmanyam Krishnapur
Senior Director Engineering, Consumer
McAfee India Pvt. Ltd.
2. Confidential McAfee Internal Use Only
Contents
• Social networks – interesting stats and facts
• Social networks – why the craze – a member’s view
• Social networks – philosophy, motivation and where privacy is headed – a site creator’s or owner’s perspective
• Social networks – the risks – identity and reputation – social engineering
• Social networks – the different attack vectors – malware, XSS, CSRF
• Social networks – how do you minimise the risks?
4.
“MySpace is a place for friends.”
“MySpace is Your Space.”
“MySpace keeps you connected.”
“Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick frequent answers to one simple question: What are you doing?”
“Your professional network of trusted contacts gives you an advantage in your career, and is one of your most valuable assets. LinkedIn exists to help you make better use of your professional network and help the people you trust in return.”
“Delicious is a Social Bookmarking service, which means you can save all your bookmarks online, share them with other people, and see what other people are bookmarking.”
“Giving people the power to share and make the world more open and connected.”
6. Social Networking facts – Believe it or not !
• 2/3rd of US households use social networks, twice as many as a year ago
• Facebook has over 500 MILLION “active” users, surpassing Google today
• There are 126 Million blogs on the internet
• People spend over 700 BILLION minutes per month on Facebook
• 10 BILLION+ Tweets sent on Twitter since 2006
• 2 BILLION videos are streamed each day on YouTube
• The number of e-mails sent since 2006 – 90 TRILLION
• 2.5 BILLION photos are uploaded to Facebook every month = 1000 per SECOND !
• By 2014 social networking services will replace e-mail as the primary vehicle for interpersonal communications for 20 percent of business users
• There are more than 75 million professionals on LinkedIn and over 1 million companies
8. Why Use Social Media?
• It’s where the Friends are
• Allows you to be part of a network with common interests, bonds, affiliations
• Provides a sense of community
• Seen as a forum to postulate views
• Fun way to stay connected with old friends or make new friends
• Forum for communication (individual/group/mass) and collaboration
• Allows for self-expression and self-representation
• “Democratizing innovation”
• “Crowdsourcing”
• Job hunting
9. Social Networks – Their Philosophy and Motivation. Privacy – ha! ha! ha!
10. Privacy Policy Protection? LOL
Social Network “A”
Additionally, you grant Social Network “A” a nonexclusive, irrevocable, worldwide, perpetual, unlimited, assignable, sublicenseable, fully paid up and royalty-free right to us to copy, prepare derivative works of, improve, distribute, publish, remove, retain, add, process, analyze, use and commercialize, in any way now known or in the future discovered, any information you provide, directly or indirectly to Social Network “A”, including but not limited to any user generated content, ideas, concepts, techniques or data to the services, you submit to Social Network “A”, without any further consent, notice and/or compensation to you or to any third parties. Any information you submit to us is at your own risk of loss.
Social Network “B”
“You hereby grant Social Network “B” an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Social Network “B” Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with Social Network “B” Service or the promotion thereof. You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content.”
11. The Evolution of Network “A” “Privacy”
(chart: blue = default availability of your personal data)
14. Information People Post in On-line Social Networks for Others to View – Identity loss
• Name
• Geography
• Status
• Sex
• Year
• Concentration
• Residence
• Birthday
• Hometown
• State
• Zip
• High School
• Email
• Preferred Email
• Screen Name
• Cell Phone
• Address
• Other Phone
• Website
• Sexual Preference
• Relationship Interest
• Relationship Status
• Political Views
• Interest
• Clubs
• Favorite Movies
• Favorite TV Shows
• Favorite Books
• Favorite Quotes
• About Me
• Job Type
• Company Job Title
• Job Description
• Work History
• Pictures
All or a combination of these can be used to construct a profile of yourself that can be used for nefarious activities by criminals !!
• Phishing attacks
• Picture stealing for porn sites
• Location tracking
• Financial fraud
• Reputation analysis (HR)
• Reputation damage
• Password stealing
• Predators in the guise of friends
• Government Agencies (Tax evasion)
• Literally anyone interested
16. What is a Network?
(diagram: a set of interconnected nodes)
Web Definition: A set of nodes, points, or locations connected by means of data, voice, and video communications for the purpose of exchange.
17.
(diagram of Friends, Viewers and an Unaffiliated USER and what each may be doing on your profile: keeping in touch, staying up to date, leaving messages, sending invitations, adding to social group, encouragement, just to say hi, look at new pictures, looking for personal information, sexual assault, keeping tabs on individual or group, stalking, selling divulged information, predators, harassment, attempting to locate old friends)
Exposure possible due to:
- a ‘friend’s’ account being compromised – now controlled by an impersonator
- Inadvertently added someone as a friend – but not someone you know
- Breach of trust by real friend(s)
- Poor identity management (privacy controls)
18. Dangers and Misuse of On-line Social Networks
Profile content and information could be gathered and used for the following:
• Stalking
• Arming Predators
• Harassment
• Sexual Assault
• Slander
Internet connectivity and a trusting attitude toward this technology can facilitate:
• IP Tracking
• Dangerous links
• Spyware threats
• ID Theft
• Information sold to third party
19. What Are The Security Risks?
• Malware distribution
• Cyber-bullying (“trolling,” emotional abuse)
• “Shelf-life” of information (lives forever in cyberspace)
• Privacy concerns
– Information about you that you post
– Information about you that others post
– Information about you the social networking sites collect and share with others
20. Who’s peeking?
• Friends/family
• Friends of friends/family
• Parents
• Employers and co-workers
– Dec 2009 study commissioned by Microsoft said 79% of recruiters & hiring mgrs researched applicants online
– CareerBuilder.com study – 45% of employers use social networks to screen job candidates
• Customers
• Universities
• Marketing companies/vendors
• Criminals/hackers
• Government agencies (IRS, SRS!)
• EVERYONE ELSE
23. Legal Issues
• Copyright violations
• COPPA (Children’s Online Privacy Protection Act) covers sites directed to children under age 13 or general audience sites that know they’re dealing with kids younger than 13.
• Cyberbullying/stalking laws (recent)
24. Oh no! URL Shorteners
• bit.ly, TinyUrl, ReadThisURL, NotLong
• Hides the true destination URL – no way to tell where you’re going until you click!
http://www.hacker.com/badsite?%20infect-your-pc.html
is now
http://bit.ly/aaI9KV
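The preview features of bit.ly and TinyURL mentioned later in the deck do essentially this: walk the redirect chain of a short link without rendering the destination. The resolver below is an added example, not code from the slides; `fetch` is an injected callable returning `(status, headers)` so it runs offline here, and the hop-by-hop responses (`track.example`, the slide’s shortened link) are constructed.

```python
import urllib.parse

# Hypothetical short-link expander, added as an example (not from the deck).
# It follows 3xx redirects one hop at a time, with a hop cap and loop detection,
# so the true destination can be inspected before anyone clicks.
# `fetch(url)` returns (status_code, headers_dict); a real implementation
# would send an HTTP HEAD with automatic redirects disabled.

MAX_HOPS = 10  # cap so a redirect loop or a long tracking chain cannot spin forever

def next_hop(status, headers, current_url):
    """Return the next URL for a redirect response, or None when the chain ends."""
    if status not in (301, 302, 303, 307, 308):
        return None
    location = headers.get("Location") or headers.get("location")
    if not location:
        return None
    # Location may be relative; resolve it against the URL that returned it.
    return urllib.parse.urljoin(current_url, location)

def expand(short_url, fetch, max_hops=MAX_HOPS):
    """Walk the redirect chain. Returns (chain, final_url, note)."""
    chain, seen, url = [short_url], {short_url}, short_url
    for _ in range(max_hops):
        status, headers = fetch(url)
        nxt = next_hop(status, headers, url)
        if nxt is None:
            return chain, url, "final"
        chain.append(nxt)
        if nxt in seen:
            return chain, nxt, "loop"
        seen.add(nxt)
        url = nxt
    return chain, url, "too-many-hops"

# Constructed responses standing in for the network: the slide's shortened link
# bouncing through a tracking hop (relative Location included). Not real bit.ly data.
FAKE_RESPONSES = {
    "http://bit.ly/aaI9KV": (301, {"Location": "http://track.example/go?id=1"}),
    "http://track.example/go?id=1": (302, {"Location": "/landing"}),
    "http://track.example/landing": (302, {"Location": "http://www.hacker.com/badsite?%20infect-your-pc.html"}),
    "http://www.hacker.com/badsite?%20infect-your-pc.html": (200, {}),
}

def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, {}))

if __name__ == "__main__":
    chain, final, note = expand("http://bit.ly/aaI9KV", fake_fetch)
    print(" -> ".join(chain), "|", note)
```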
25. Malware Distribution
• Similar to other threats that can lead to downloading/installing malware
– Malicious ads
– Clickjacking (aka “likejacking”)
– Wall posts, inbox or chat messages with malicious links from “Friends” (hijacked user account)
– “My wallet was stolen and I’m stuck in Rome. Send me cash now.”
– Spam email pretending to be from Facebook admins
27. Malware Distribution
• Koobface is a well known malware targeting the biggest social network; continues to evolve and infect today
• Suspicious friend or follow request, or link
• Bogus FB groups/Pages/profiles to entice you
• Suspicious/malicious application
mashable.com/2010/05/29/xxxxx-hilarious-video/
28. XSS, CSRF Attacks – Inheritance of all the Web 2.0 vulnerabilities
• Web 2.0 increased the power of dynamic and shareable content, taking the internet to a different level.
• However, the flat serial structure of HTML documents that mixed scripting in amongst formatting and content introduced many risks.
• Poor programming of Web 2.0 applications without proper validation can result in attack vectors like:
– Cross-site scripting attacks and cross-site request forgery attacks are serious concerns
– These are attacks that exploit the trust the user has for a given site (XSS) or the trust the site has in a user’s browser (CSRF)
– SQL injection at the database layer
• Hackers use a combination of social engineering and slick scripting to fool victims into running malicious code in their browsers.
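The two trust relationships above map to two server-side defences: escaping user content on output (XSS) and binding state-changing requests to a per-session token plus an Origin check (CSRF). The snippets below are an added example, not code from the deck; the site origin, the helper names and the sample comment are constructed.

```python
import hmac
import html
import secrets
from urllib.parse import urlsplit

# Hypothetical helpers for a Web 2.0 site that renders user comments and
# accepts a profile-update form. Added example, not the deck's code.
SITE_ORIGIN = "https://social-a.example"  # constructed origin for the demo

def render_comment_unsafe(author, text):
    """Vulnerable: user input is pasted straight into the page, so a comment
    containing markup runs as script in every viewer's browser (XSS)."""
    return f"<div class='comment'><b>{author}</b>: {text}</div>"

def render_comment_safe(author, text):
    """Hardened: escape on output, so the same text is displayed, not executed."""
    return (f"<div class='comment'><b>{html.escape(author)}</b>: "
            f"{html.escape(text)}</div>")

def new_csrf_token():
    """Per-session secret the server stores and embeds only in its own forms."""
    return secrets.token_urlsafe(32)

def request_allowed(session_token, form_token, origin_header):
    """CSRF check for a state-changing POST: the form must carry the session's
    token (constant-time compare) and, when the browser sends Origin, it must
    match this site. A forged cross-site form fails both."""
    if not session_token or not form_token:
        return False
    if not hmac.compare_digest(session_token, form_token):
        return False
    if origin_header:
        o, s = urlsplit(origin_header), urlsplit(SITE_ORIGIN)
        if (o.scheme, o.netloc) != (s.scheme, s.netloc):
            return False
    return True

# Constructed sample input: a comment carrying a script tag.
SAMPLE_TEXT = "nice pic <script>alert(1)</script>"

if __name__ == "__main__":
    print(render_comment_unsafe("eve", SAMPLE_TEXT))
    print(render_comment_safe("eve", SAMPLE_TEXT))
    tok = new_csrf_token()
    print(request_allowed(tok, tok, SITE_ORIGIN))
```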
29. 3rd Party Applications
• Games, quizzes, cutesy stuff
• Untested by the Social Networks – anyone can write one
• No Terms and Conditions – you either allow or you don’t
• Installation gives the developers rights to look at your profile and override your privacy settings!
31. How technology helps (SMB / Enterprises)
• Application control:
– Granular application control, based upon the business and regulatory requirements of the organization, gives organizations the ability to create access policies specific to user identities, and to reduce risks for some employees without restricting participation for others.
• Next-generation firewalls:
– Many firewalls today don’t provide effective protection for Web 2.0 technologies. Organizations should consider next-generation firewalls that provide more sophisticated discovery, control, and visualization of applications, along with predictive threat protection for network infrastructures.
• Endpoint protection:
– The shared and highly participatory nature of Web 2.0 requires that businesses protect their endpoints against multiple threats, including spam, viruses, malicious software, spyware, rootkits, and hacker attacks. Endpoint protection remains a critical piece of information assurance and security in organizations.
• Data loss protection:
– Data exfiltration is a continuing challenge for organizations participating in the Web 2.0 environment. Protecting the integrity and confidentiality of organizational information from theft and inadvertent loss is a key issue today. Data loss protection guards private, sensitive, and confidential information and data from accidental or malicious loss.
32. How technology helps (SMB / Enterprises)
• Encryption:
– Important data should be encrypted, as should communication channels, with keying material kept separate from the encrypted material. Compromise or loss of endpoints should not automatically give access to sensitive information.
• Authentication:
– Strong, non-password based authentication should be deployed and used for access to sensitive information and resources. Web 2.0 applications usually employ weak authentication, and are targets for a chain of penetration and social engineering attacks that can compromise valuable resources. Requiring appropriate token-based or biometric authentication at key points can help to prevent incidents.
• Integrity Monitoring and Whitelisting:
– Many current attacks against Web 2.0-enabled hosts involve the installation or modification of code to enable access, or to install malware. Traditional anti-malware technologies are not sufficient to prevent these threats, so additional methods that use configuration integrity monitoring or application whitelisting should be considered. Solutions that monitor and control patching and upgrades should also be considered.
• Gateway Anti-malware:
– Proactive scanning of code in web pages for malicious intent. By analyzing the code at the web gateway (a gateway located physically in the enterprise or in the cloud as a hosted service), malware can be detected and blocked before it reaches the endpoint or other network assets.
33. Tips for Safer Social Networking (Consumers)
• Use a strong, unique password
• Provide as little personal information as possible – avoid revealing exact birth date, address – in general, information that can be used to determine your identity.
• Understand and customize the privacy settings in all of your social networking accounts
• Use extreme care with 3rd party applications that access your information and change settings
• Be careful about what you post
– Photos of self or others
– Opinions on controversial topics
– Don’t rip classmates, professors, coworkers, employers … – it WILL come back to haunt you
• Do not post anything related to your employer (unless you’re authorized)
• Segregate your network – friends, colleagues, family
• Supervise your kids’ use of social networking sites
• Be a ‘friend’ of your kid
• Use Family Protection Software.
34. Tips for Safer Social Networking (Consumers)
• Be suspicious of friend/follow requests, ads, 3rd party applications, chat messages, etc.
• Minimize exploration – don’t carelessly click on lots of ads, videos, games, etc.
• Use built-in and add-on features in web browsers to warn you of malicious sites
– Anti-phishing filters in IE and Firefox
– Web of Trust
– NoScript
– Adblock Plus
– Preview features of bit.ly, TinyURL
• Use Web reputation software with real time analysis and remediation capability
• Visit websites that have been scanned and certified
• Google for your name frequently and look for privacy violations
35. Conclusion
• In conclusion, the value of social networking far outweighs the risks.
• Use social networking effectively and positively to establish new relationships, strengthen existing ones, innovate, learn, collaborate, and have fun.
• But beware of the risks so you can do your best to steer clear of them
– Some of the dangers can easily be mitigated through common sense and discipline on the internet.
– Use software products that rate and certify links and applications
And importantly
– think before you post and
– think before you click !!