Outline <ul><li>Introduction </li></ul><ul><ul><li>Overview of Facebook </li></ul></ul><ul><ul><li>motivation </li></ul></...
Overview of Facebook <ul><li>Introduction of Facebook </li></ul><ul><ul><li>A  social networking  website </li></ul></ul><...
Motivation  <ul><li>Exponential increasing rate  of Social Networks members leads many  privacy threats  of online users <...
Problem 1: Cleartext Password Interception Facebook sends user’s email address and login password in clear text  to the de...
Data Collection & Information Transport <ul><li>Data collection:  </li></ul>M H(M) Transmit : Secured protocol such as  Se...
Data Collection & Information Transport <ul><li>Add salt to the MD5 data </li></ul><ul><li>A salt typically means, in cont...
Data Collection & Information Transport <ul><li>Secured Socket Layer (SSL) protocol is not secure any longer, </li></ul><u...
Problem 2: Privacy Policy Facebook’s two features Using email address book to find friends on Facebook   New feeds
Improper Features:  Access to Email address book http://elronsviewfromtheedge.wordpress.com/ 2007/04/13/the-modern-faceboo...
Improper Features: New Feeds http://www.schneier.com/blog/archives/2006/09/facebook_and_da.html
Facebook’s Privacy Policy Facebook’s Privacy Policy is  3700  words long, and ends with a notice that it can  change at an...
Privacy Policy <ul><li>Import the third party to supervise online networking websites </li></ul><ul><li>Online Privacy All...
Problem 3: Database Reverse-Engineering <ul><li>Facebook’s  “advanced search”  allows one to query the database of users u...
Reverse-Engineering Problem <ul><li>This problem is a security hole in Facebook, reported by many users </li></ul><ul><li>...
Problem 4: Incomplete Access Controls <ul><li>In searching for user photos in Facebook, service uses following URL </li></...
Mobile Facebook <ul><li>Facebook has launched a mobile version of their website at  www.m.facebook.com   </li></ul><ul><li...
Security of Mobile Facebook <ul><li>Encryption by using secret-key is one of the best tools for authenticating wireless us...
Security Challenges of using Facebook from mobile <ul><li>The challenges for the Mobile Application Security of Facebook m...
Problems of WEP <ul><li>WEP uses the RC4 encryption algorithm (stream cipher). mode of operation makes stream ciphers vuln...
News on Recent Threats <ul><li>Criminal hackers now view social networking sites as their best target for personal attacks...
Conclusions <ul><li>Highly personal nature of social networks and their amplifying effects make it crucial and urgent that...
Thank you !
Upcoming SlideShare
Loading in …5
×

Security presentation

1,465 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,465
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
20
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Now, we will begin with the outline. In today’s presentation, there are 3 main sections. In first section, we will give a short introduction of Facebook, and describe our motivation that is why we choose this topic. and then we will talk about the privacy problems and threats Facebook confront now. After analyzing these problems, we proposed our suggestions and solutions .
  • Then it is the overview of Facebook. Facebook is a social network community which is launched on February 4,2004. And this website allows users to easily connect with their friends by joining into different social graphs, like school, place of employment, or geographic regions. Thanks to this kind of social graphs their users made, the website has more than 64million active users all over the world. For the main functions, I cut the description from Facebook, they list the uses as follows: Keep up with friends, share photos, control privacy (whether can really control is still depends), rests are communications and make plans. We believe most of us are familiar with Facebook, if you have not use it before, I hope after my introduction, you already have a outline of Facebook.
  • After the introduction of Facebook, I will explain why we choose this topic. Nowadays, people are very likely to ask for privacy in real life, but when they face the online social communities, most of them have not realized that online privacy is the same important as in real life, or even more important. I abstract the reasons into 2 points. First, this kind of internet social graph are different from original face to face interactions, because A user can be easily involved into a extremely large social graph. For example, if you only add one person who already has 500 other friends, and then the 500 persons can easily see your privacy information from the web links. So it brings large numbers of unknown factors and threats in an much more easy and hidden way. The second point is just like a famous computer security specialist Bruce have said: “ Whenever you put data on a computer , you lose some control over it. And when you put it on the internet , you lose a lot of control over it. ” The information transmit with a hard copy may limit by different geographic regions, or difficultes of seaching, but t he information spread on the internet is no need to think about these limits at all. So, while enjoying the convenience of internet, people need to prevent the corresponding threats. So we choose this topic, because we believe concerning the online privacy is necessary and important.
  • For the above problem, we know privacy is more about control than about secrecy. But it is only one side of networking security. For the following problem, secrecy becomes the most important part of concern. That is: Facebook sends user’s email address and login password in clear text to the developer&apos;s server! After we have finished this course, we all know: sending passwords in clear text is a horrible idea.
  • Information protection at the time of data collection The first level of data protection shall begin at the point of data collection. When the data is transmitted, hash functions such as message digest, MD5 algorithm [10] shall be utilized to protect the data for additional security. For transmitting, Secured protocol such as Secured Socket Layer (SSL) [10] shall be implemented in order to protect the data entered at the client&apos;s browser. So the hashed data transmitted over SSL would be the first level of protection for personal data. However, the MD5 is not one hundred percentages protective, because of its nature, where MD5 makes only one pass over the data. It is possible to create a rainbow table for the MD5 encrypted data and potentially, the password can be cracked. Here, we need to ensure one word: rainbow table A rainbow table: A rainbow table is a lookup table offering a time-memory tradeoff used in recovering the plaintext password from a password hash generated by a hash function. A common application is to make attacks against hashed passwords feasible.
  • To overcome this problem, one may wish to add more complexity to the encryption by the way of adding salt to the MD5 data. A salt typically means, in context with MD5 encryption, a secret key added to the password in order to complicate the dictionary attack on the password tables. Each bit of salt added to the original password doubles the amount of computation needed for one to break the passwords.
  • SSL protocol is established between client browser and server to protect subsequent communications, but as we have learnt from our course, a sophisticated phishing scam has already used the valid SSL certificate in Feb 2006. But fortunately, in the end of our 5 module, we learnt a perfect secure protocol. That is: Secure Remote Password (SRP) protocol. It is one of the best password-authenticated key establishment protocol available but have not used today. For its advantages, it can be abstracted into 3 points:
  • When talking about Facebook’s privacy policy, let’s look at two Facebook’s features first. They are
  • When people sign up for a Facebook account, his first option is to enter his third party email address and the password to the facebook site, so that Facebbok can login to this email and search the address book for Facebook users he’s already known. We understand that Facebook are trying to find a way to import user’s contacts who already use Facebook in order to make user’s initial experience more convenient , but this violates the first principle of anti-phishing behaviour … “NEVER enter your passwords ANYWHERE but the specific site they are designed for”. That means, regardless of how many safeguards they put in place, the idea of giving email password to ANYONE else for any reason is a serious breach of security protocol.
  • Early September 2006, Facebook introduced a new feature called &amp;quot;News Feeds&amp;quot; that shows an aggregation of everything members do on the site: For example, on the screen is my profile in Facebook. In the “mini feed” window, every action I have ever done is displayed, like: added and deleted friends, a change in relationship status, Give somebody some gifts, and so on. Then, these changes are all broadcasted to my friends’ home pages automatically. Though Facebook give user some control, like user can delete this kind of report, but they have to delete the items one by one. Moreover, when press the cancel button, the pop up dialog is like this, we can only hide this information, and we do not even have the choice to completely delete it.
  • After discussion the above problems, maybe we will ask: “ Is not there any privacy policy? ” Unfortunately, Facebook can change the rules whenever it wants. Its Privacy Policy is 3700 words long, and ends with a notice that it can change at any time. How many members ever read that policy, let alone read it regularly and check for changes? For these two features, privacy is more about control than about secrecy. So the website should give user the real right to control their privacy.
  • If the third party’s surveillance are gradually improved and standardized, the online network developers will not bring as many threats as nowadays.
  • Facebook’s “advanced search” allows one to query the database of users using any of the fields in a profile. When people hide their profile page, they expect the information on it remain private. For example if some a user set “getting drunk” as an interest and set his profile visible only for his friends, an advanced search for “getting drunk”, will list his name as well. But if some one search for example “getting drunk”, as an interest
  • It is interesting to know that If encryption on WAP (wireless application protocol) is set by default, 96% of users employ it. But 3.4% times the number do that when it is not set by default.
  • WEP uses the RC4 encryption algorithm, which is known as a stream cipher. A stream cipher operates by expanding a short key into an infinite pseudo-random key stream. The sender XORs the key stream with the plaintext to produce ciphertext. The receiver has a copy of the same key, and uses it to generate identical key stream. XORing the key stream with the ciphertext yields the original plaintext. This mode of operation makes stream ciphers vulnerable to several attacks. If an attacker flips a bit in the ciphertext, then upon decryption, the corresponding bit in the plaintext will be flipped. Also, if an eavesdropper intercepts two ciphertexts encrypted with the same key stream, it is possible to obtain the XOR of the two plaintexts. Knowledge of this XOR can enable statistical attacks to recover the plaintexts. The statistical attacks become increasingly practical as more ciphertexts that use the same key stream are known. Once one of the plaintexts becomes known, it is trivial to recover all of the others.
  • After having the introduction, and motivation about social networkes, I am going to discuss about some recent attacks to such social networks and the present the list of some possible security and privacy threats for such kind of highly-used Social Networks (such as Facebook, MySpace, and…)
  • Amplifying : increase in size
  • Security presentation

    1. 1. Outline <ul><li>Introduction </li></ul><ul><ul><li>Overview of Facebook </li></ul></ul><ul><ul><li>motivation </li></ul></ul><ul><li>Problems & Solutions </li></ul><ul><ul><ul><li>Cleartext Password Interception </li></ul></ul></ul><ul><ul><ul><li>Privacy Policy </li></ul></ul></ul><ul><ul><ul><li>Database-Reverse Engineering </li></ul></ul></ul><ul><ul><ul><li>Incomplete Access Control </li></ul></ul></ul><ul><li>New Applications and News </li></ul><ul><ul><ul><li>Facebook Mobile Application </li></ul></ul></ul><ul><ul><ul><li>Most Recent Threats </li></ul></ul></ul><ul><li>Conclusion </li></ul>
    2. 2. Overview of Facebook <ul><li>Introduction of Facebook </li></ul><ul><ul><li>A social networking website </li></ul></ul><ul><ul><li>launched on February 4, 2004 </li></ul></ul><ul><ul><li>allows users to join one or more networks to easily connect with other people in the same network. </li></ul></ul><ul><ul><ul><li>a school </li></ul></ul></ul><ul><ul><ul><li>place of employment </li></ul></ul></ul><ul><ul><ul><li>geographic region </li></ul></ul></ul>[http://en.wikipedia.org/wiki/Facebook#cite_note-jonessoltren-96] -- The website has more than 64 million active users worldwide. -- Main functions of Facebook
    3. 3. Motivation <ul><li>Exponential increasing rate of Social Networks members leads many privacy threats of online users </li></ul><ul><li>Whenever you put data on a computer , you lose some control over it. And when you put it on the internet , you lose a lot of control over it. [Bruce schneier ] </li></ul>In social network communities, almost people did not realize the importance of protecting their privacy online. And due to the extreme complexity , It is a big challenge for net-work security.
    4. 4. Problem 1: Cleartext Password Interception Facebook sends user’s email address and login password in clear text to the developer's server! http://valleywag.com/tech/great-moments-in-public-relations/facebook-calls-reporters-question-harassing-316488.php
    5. 5. Data Collection & Information Transport <ul><li>Data collection: </li></ul>M H(M) Transmit : Secured protocol such as Secured Socket Layer (SSL) shall be implemented in order to protect the data entered at the client's browser MD5 A rainbow table: a lookup table offering a time-memory tradeoff used in recovering the plaintext password from a password hash generated by a hash function. A common application is to make attacks against hashed passwords feasible. MD5 algorithm
    6. 6. Data Collection & Information Transport <ul><li>Add salt to the MD5 data </li></ul><ul><li>A salt typically means, in context with MD5 encryption, a secret key added to the password in order to complicate the dictionary attack on the password tables. </li></ul><ul><li>Each bit of salt added to the original password doubles the amount of computation needed for one to break the passwords. </li></ul>the user‘s password : myfacebook instead of being stored as: the hash of “ myfacebook ” being stored as: the hash of 128 characters of random unicode string + “ myfacebook ” It now completely immunes to rainbow table attack.
    7. 7. Data Collection & Information Transport <ul><li>Secured Socket Layer (SSL) protocol is not secure any longer, </li></ul><ul><li>Secure Remote Password (SRP) protocol </li></ul><ul><li>Advantages: </li></ul><ul><ul><ul><li>a) SRP will not compromise the secret key even if the communications are intercepted. </li></ul></ul></ul><ul><ul><ul><li>b) This protocol has a password to achieve authenticated key exchange, and it still not vulnerable to dictionary attack. </li></ul></ul></ul><ul><ul><ul><li>c) The verifier does not need to store the passwords in clear. </li></ul></ul></ul><ul><li>According to the three advantages above, this protocol is one of the best password authenticated key establishment protocols available. </li></ul>
    8. 8. Problem 2: Privacy Policy Facebook’s two features Using email address book to find friends on Facebook New feeds
    9. 9. Improper Features: Access to Email address book http://elronsviewfromtheedge.wordpress.com/ 2007/04/13/the-modern-facebook-of-security/ The first principle of anti-phishing behaviour: NEVER enter your passwords ANYWHERE but the specific site they are designed for
    10. 10. Improper Features: New Feeds http://www.schneier.com/blog/archives/2006/09/facebook_and_da.html
    11. 11. Facebook’s Privacy Policy Facebook’s Privacy Policy is 3700 words long, and ends with a notice that it can change at any time . We reserve the right to change our Privacy Policy and our Terms of Use at any time. <ul><li>How many members ever read that policy? </li></ul><ul><li>How many read it regularly and check for changes? </li></ul>
    12. 12. Privacy Policy <ul><li>Import the third party to supervise online networking websites </li></ul><ul><li>Online Privacy Alliance </li></ul><ul><li>1. more than 30 global corporations and associations join </li></ul><ul><li>2. come together to foster the protection of individuals‘ </li></ul><ul><li>privacy online. </li></ul><ul><ul><li>Guidelines for Online Privacy Policies </li></ul></ul><ul><ul><ul><li>Adoption and Implementation of a Privacy Policy </li></ul></ul></ul><ul><ul><ul><li>2. Notice and Disclosure </li></ul></ul></ul><ul><ul><ul><li>Choice/Consent </li></ul></ul></ul><ul><ul><ul><li>Data Security </li></ul></ul></ul><ul><ul><ul><li>Data Quality and Access </li></ul></ul></ul>
    13. 13. Problem 3: Database Reverse-Engineering <ul><li>Facebook’s “advanced search” allows one to query the database of users using any of the fields in a profile. </li></ul><ul><ul><li>For example advance search for “getting drunk” as an interest, will list all users who have set “getting drunk” in their profile, even if their profile is set to private and visible only to their friends. </li></ul></ul>
    14. 14. Reverse-Engineering Problem <ul><li>This problem is a security hole in Facebook, reported by many users </li></ul><ul><li>Further research found a student that employed this strategy to create of other local schools. And he was able to systematically build up a database from queries on Facebook’s database. </li></ul><ul><li>Solutions: </li></ul><ul><ul><li>When users set their profile to “private”, all information saved under their name should be withheld from being searched by “advanced search” </li></ul></ul>
    15. 15. Problem 4: Incomplete Access Controls <ul><li>In searching for user photos in Facebook, service uses following URL </li></ul><ul><ul><li>http://mit.facebook.com/photo_search.php&name = John </li></ul></ul><ul><li>Access controls are not applied to “My Photos”, and there is No privacy for user photographs. Any one can access other users personal photos by editing the above query URL. </li></ul><ul><li>Solutions: </li></ul><ul><ul><li>Privacy should extend to “My photos” as well and </li></ul></ul><ul><ul><li>Search by name feather should be disabled </li></ul></ul>
    16. 16. Mobile Facebook <ul><li>Facebook has launched a mobile version of their website at www.m.facebook.com </li></ul><ul><li>WAP site allow users to access most features of Facebook from a mobile phone such as uploading photos and notes to facebook via SMS and MMS, as well as receiving new messages and wall posts on mobile device through SMS. </li></ul><ul><li>If encryption on WAP (wireless application protocol) is set by default, 96% of users employ it. But 3.4% times the number do that when it is not set by default. </li></ul>
    17. 17. Security of Mobile Facebook <ul><li>Encryption by using secret-key is one of the best tools for authenticating wireless users, which is used beside password for authenticated key establishment. </li></ul><ul><li>This method also adds a layer of privacy by preventing eavesdroppers from easily watching network traffic </li></ul><ul><li>Most widely employed encryption method on wireless networks is WEP encryption (wired equivalent privacy). </li></ul><ul><li>WEP uses a shared 40- or 104-bit WEP key to encrypt data between the access point and client. </li></ul><ul><li>key is composed of a 24-bit initialization vector (IV) and WEP key. The IV is changed periodically so packets won't be encrypted with the same cipher stream </li></ul>
    18. 18. Security Challenges of using Facebook from mobile <ul><li>The challenges for the Mobile Application Security of Facebook mainly includes: </li></ul><ul><ul><li>Interception of Data between </li></ul></ul><ul><ul><li>access point and Mobile or </li></ul></ul><ul><ul><li>Wi-Fi device </li></ul></ul><ul><ul><li>Data Encryption and </li></ul></ul><ul><ul><li>Authentication for mobile users </li></ul></ul>
    19. 19. Problems of WEP <ul><li>WEP uses the RC4 encryption algorithm (stream cipher). mode of operation makes stream ciphers vulnerable to several attacks. </li></ul><ul><ul><li>Solution: Using Integrity Check (IC) field and Initialization Vector (IV) </li></ul></ul><ul><li>key is composed of a 24-bit initialization vector (IV) and a 40-bit WEP key. The IV is chosen by the sender is changed periodically so every packet won't be encrypted with the same cipher stream </li></ul><ul><li>Using the same long-term secret key for confidentiality </li></ul><ul><ul><li>Solution: Establishing a new session key after authentication </li></ul></ul>
    20. 20. News on Recent Threats <ul><li>Criminal hackers now view social networking sites as their best target for personal attacks (iTnews, 4/03/2008) </li></ul><ul><li>Bugs in the ActiveX controls on popular social networking sites Facebook and MySpace can be used by hackers to snatch control of Windows PCs. ( Computerworld, 01/31/08) </li></ul><ul><li>Unpatched PCs running Internet Explorer could fall victim extra copies of the browser starting, and ads being served when visiting social networking site Facebook. (ZDNet Australia, 17 /09/2007) </li></ul><ul><li>No matter what level of privacy you have set on your email address, it is visible on the contacts page (seen on a Windows Mobile device). (ZDNet UK, 12/01/2008) </li></ul>
    21. 21. Conclusions <ul><li>Highly personal nature of social networks and their amplifying effects make it crucial and urgent that their platform be very secure from various attacks (such as third-party attacks, pass word interception…) </li></ul><ul><li>Some privacy policies in Social Networks needs to be reviewed and some changes may be need in order to provide more privacy for users </li></ul>
    22. 22. Thank you !

    ×