
Social networks security risks



  1. Security & Privacy on Social Networks. Omar M Alsuhaibany, CISSP, GCFA, ISO 27001 LA
  2. It’s not only about Facebook :)
  3. Before Social Networks
  4. A Social Networks definition
     - As defined on Wikipedia: A social network is a social structure made up of individuals (or organizations) called "nodes", which are tied (connected) by one or more specific types of interdependency, such as friendship, kinship, common interest, financial exchange, dislike, or relationships of beliefs, knowledge or prestige.
  5. Examples of Social Networks?
     - Facebook
     - LinkedIn
     - Twitter
     Even more media:
     - RSS Feeds
     - Blogs
     - Wikis
     - Web Chat
     - Podcasts
     - Mashups
     - Photo/Video-sharing
     - Virtual Worlds
  6. Common Web 2.0 Vulnerabilities
     - Phishing
     - Spam
     - Malware
     - Cross Site Scripting
     - SQL Injection
     - Authentication and Authorization Flaws
     - Information Leakage
     - Insecure Storage
     - Insecure Communications
  7. Some Web 2.0 Specific Vulnerabilities
     - On top of that list we do have some specific Web 2.0 vulnerabilities:
       - XSS Worms
       - Feed Injections
       - Mashup and Widget Hacks
  8. Well, first things first: Passwords!!!
     - Is it a new thing? No, however it is different.
     - Password sloth. Using the same password on several sites is like trusting the weakest link in a chain to carry the same weight.
     - Using the same password as your email when the login username is your email!!
     - According to Facebook stats, more than 50% use the same password.
     - Avoid using the same password on multiple sites.
     - Do not synchronize account information with organization login credentials.
  9. Phishing
  10. Phishing cont’d
  11. Phishing cont’d
     - Major phishing attempts
       - Simple "look at this" message
       - Users directed to fbstarter.com, fbaction.net
       - Phished credentials used to automatically log in and send more mail
       - Some users report passwords changed
     - PhishTank reports Facebook as the 7th most common target
       - Behind only banks, PayPal, eBay
     - "Social Phishing" is far more effective
  12. Phishing cont’d
     - 72% successful in a controlled study
     - No TLS for the login page
     - No anti-phishing measures
     - Frequent genuine emails with login links
     - Users don’t consider social network passwords as valuable
     - Web 2.0 sites encourage password sharing…
     - Facebook is doing a good job, but still!
  13. Phishing cont’d
  14. Phishing cont’d
  15. Spam
     - Spam is not only for spamming purposes! Although annoying.
     - All new types: followers, friend requests, fake accounts
  16. Spam cont’d
     - Fighting the spam
       - Automatically detect spammer profiles:
         - analyze link history
         - analyze graph structure
         - analyze profile
       - Aggressively request CAPTCHAs
       - User feedback
       - Classifiers
       - String blocking
       - Hashing
       - Machine learning
  17. Cross Site Scripting (XSS)
     - New to Web 2.0? No
     - Is this worse in Web 2.0? Yes
     - XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content.
  18. XSS Worms
     - New to Web 2.0? Yes
     - Self-propagating XSS code injected into a web application, which spreads when users visit a page.
     - First XSS worm, 4 years ago, spread through MySpace
       - 1 million+ infections in 24 hours
  19. Feed Injections
     - New to Web 2.0? Yes
     - Feed aggregators have data coming from various untrusted sources. The data received can be malicious and exploit users.
     - Remote Zone Risks
       - Web browsers or web-based readers are in this category
       - Attacks such as XSS and CSRF are possible
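Slides 17 through 19 share one root cause: text from an untrusted source (a user post, or an item in a syndicated feed) is written into a page as markup. The following added example, which is not code from the deck, is a minimal feed reader showing the vulnerable rendering beside the hardened one. The feed content is constructed for the demo; `render_unsafe`, `render_safe` and `safe_link` are names chosen here.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample feed (not from the slides): one benign item and one item
# whose title, description and link carry the kind of markup a hostile
# publisher could push into any aggregator that subscribes to it.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Demo feed</title>
<item><title>Normal post</title><link>http://example.com/a</link>
<description>Plain text &amp; nothing more</description></item>
<item><title>&lt;script&gt;alert(1)&lt;/script&gt;</title>
<link>javascript:alert(1)</link>
<description>&lt;img src=x onerror=alert(1)&gt;</description></item>
</channel></rss>"""

def parse_feed(xml_text):
    """Return feed items as plain dicts (ElementTree decodes the XML entities).
    For feeds fetched from the network, parse with defusedxml instead of the
    stdlib parser so entity-expansion tricks in the XML itself are rejected."""
    root = ET.fromstring(xml_text)
    return [{
        "title": item.findtext("title", default=""),
        "link": item.findtext("link", default=""),
        "description": item.findtext("description", default=""),
    } for item in root.iter("item")]

def render_unsafe(items):
    """The vulnerable reader: feed text is concatenated straight into HTML,
    so a <script> in a title runs in every subscriber's browser."""
    return "".join(
        f'<h2><a href="{i["link"]}">{i["title"]}</a></h2><p>{i["description"]}</p>'
        for i in items)

def safe_link(url):
    """Allow only web schemes; javascript:, data: and friends collapse to '#'."""
    return url if url.lower().startswith(("http://", "https://")) else "#"

def render_safe(items):
    """The hardened reader: every feed-controlled value is HTML-escaped at the
    point of output and links are scheme-checked, so feed data stays data."""
    return "".join(
        f'<h2><a href="{html.escape(safe_link(i["link"]))}">'
        f'{html.escape(i["title"])}</a></h2><p>{html.escape(i["description"])}</p>'
        for i in items)
```

The same output-encoding rule applies to a user's own posts on the site; a feed just makes the number of untrusted publishers larger.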
  20. Mashup and Widget
     - New to Web 2.0? Yes
     - Mashups and Widgets are core components in Web 2.0 sites. The rich functionality they provide can be exploited by attackers through attacks such as XSS.
  21. Mashup and Widget cont’d
     - The mashup site is the middleman; do you trust it?
     - Multiple inputs, one output
     - Mashup communications could leak data
     - Mashups require cross-domain access.
  22. Mashup and Widget cont’d
  23. Information Leakage
     - New to Web 2.0? No
     - Is this worse in Web 2.0? Yes
     - Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems.
  24. Information Leakage cont’d
     - A simple lack of error handling leaking information
       - http://www.examplesite.com/home.html?day=Monday
     - I add a little something onto the URL
       - http://www.examplesite.com/home.html?day=Monday AND userscolumn=2
     - No error handling = information leakage:
       Microsoft OLE DB Provider for ODBC Drivers (0x80040E14) [Microsoft][ODBC SQL Server Driver][SQL Server] Invalid column name /examplesite/login.asp, line 10
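The slide's error page tells the visitor the database vendor, the script path and that the `day` parameter reaches SQL unescaped. The added example below (not the deck's ASP code) rebuilds that lookup against an in-memory SQLite table, first as the leaky version and then hardened with an allow-list, a bound parameter and a generic client-facing error; table name, column names and the `lookup_*` function names are assumptions for the demo.

```python
import logging
import sqlite3

log = logging.getLogger("schedule")
VALID_DAYS = {"Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"}

def make_db():
    """Constructed stand-in for the slide's backend: a tiny schedule table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE schedule (day TEXT, driver TEXT)")
    db.executemany("INSERT INTO schedule VALUES (?, ?)",
                   [("Monday", "alice"), ("Tuesday", "bob")])
    return db

def lookup_unsafe(db, day):
    """Mirrors the slide: the query parameter is pasted into SQL and the raw
    database exception is echoed to the browser. The error text names the
    unknown column, confirming to the visitor that the input reached SQL."""
    try:
        rows = db.execute(f"SELECT driver FROM schedule WHERE day = '{day}'").fetchall()
        return 200, [r[0] for r in rows]
    except sqlite3.Error as exc:
        return 500, str(exc)   # e.g. "no such column: userscolumn"

def lookup_safe(db, day):
    """Hardened: reject anything outside the expected set before it reaches SQL,
    bind the value as a parameter so it can only ever be data, and keep the
    details of any failure in the server log rather than in the response."""
    if day not in VALID_DAYS:
        return 400, "Unknown day"
    try:
        rows = db.execute("SELECT driver FROM schedule WHERE day = ?", (day,)).fetchall()
        return 200, [r[0] for r in rows]
    except sqlite3.Error:
        log.exception("schedule lookup failed for day=%r", day)
        return 500, "An internal error occurred."
```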
  25. Information Leakage cont’d
     - What makes this worse in Web 2.0?
       - Business logic and validation moved to the client side
       - Web 2.0 apps will do a lot of work on the client side
       - Validation of data, business logic and sensitive data
       - You need to back these up with server-side checks
       - Never assume sensitive data will be safe on the client
  26. Authentication and Authorization Flaws
     - New to Web 2.0? No
     - Is this worse in Web 2.0? Yes
     - These flaws can lead to the hijacking of user accounts, privilege escalation, the undermining of authorization and accountability controls, and privacy violations.
  27. Authentication and Authorization Flaws cont’d
     - Authentication and Authorization Weaknesses
       - Passwords with no maximum age, reasonable length or complexity
       - Lack of brute-force protection
       - Broken CAPTCHA systems
       - Security through obscurity
     - Session Management Weaknesses
       - Lack of sufficient entropy in session IDs
       - Predictable session IDs
       - Lack of sufficient timeouts and maximum lifetimes for IDs
       - Using one session ID for the whole session
  28. Authentication and Authorization Flaws cont’d
     - What makes this worse in Web 2.0?
       - CAPTCHAs are used to provide strong A+A but are often weak
       - More access points in Web 2.0 applications
       - The use of single sign-on leads to a single point of failure
       - Growth in other attacks further undermines A+A
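The four session-management weaknesses on slide 27 map onto four concrete controls. The added example below, an assumed design rather than anything from the deck, is a small session store that addresses each: IDs come from the OS CSPRNG instead of a counter or clock, a session dies after an idle period and after an absolute lifetime whatever the activity, and the ID is rotated when the session's privilege changes at login. The `IDLE_TIMEOUT` and `MAX_LIFETIME` values and the class and method names are choices made for the demo.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60       # seconds without a request before the session dies
MAX_LIFETIME = 8 * 60 * 60   # absolute cap, enforced even for a busy session

@dataclass
class Session:
    user: str
    created: float
    last_seen: float

class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested without sleeping
        self._sessions = {}

    def create(self, user="anonymous"):
        # 32 random bytes (256 bits) from the OS CSPRNG; a counter, timestamp or
        # random.random() would give the predictable IDs slide 27 warns about.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def get(self, sid):
        """Return the live session for sid, or None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > MAX_LIFETIME:
            del self._sessions[sid]   # expired: forget it server-side, not just client-side
            return None
        s.last_seen = now
        return s

    def rotate(self, old_sid, user):
        """Called on successful login: drop the pre-authentication ID and issue a
        fresh one bound to the user, so an ID observed (or planted) before login
        never becomes a logged-in session."""
        self._sessions.pop(old_sid, None)
        return self.create(user)
```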
  29. Insecure Storage and Communications
     - New to Web 2.0? No
     - Is this worse in Web 2.0? Yes
     - These flaws could allow sensitive data to be stolen if the appropriate strong protections aren’t in place.
  30. Insecure Storage and Communications cont’d
     - Insecure storage of data
       - Not encrypting sensitive data
       - Hard-coding keys and/or insecurely storing keys
       - Using broken protection mechanisms (e.g. DES)
       - Failing to rotate and manage encryption keys
     - Insecure communications
       - Not encrypting sensitive data in transit
       - Only using SSL/TLS for the initial logon request
       - Failing to protect keys whilst in transit
       - Emailing clear-text passwords
  31. Insecure Storage and Communications cont’d
     - What makes this worse in Web 2.0?
       - More data in more places, including client-side storage
       - Mixing secure and insecure content on a page
       - And now with the Cloud!!!
  32. Browsing Habits and Experience have Changed…
     - Trigger finger (clicking on everything). Inboxes contain everything from drink requests to cause requests; do not get into the click habit unless you are ready to deal with drive-by downloads and zero-day attacks.
  33. A little on Privacy…
     - 3rd-party apps on Facebook
       - Anyone can create a Facebook app
       - Many of the agreements you must accept give the company the right to monitor your data and sell it without informing you.
       - Tracker information can be built into any application.
     - Mixing personal with professional; commonly on Facebook, where one’s friends include business associates, family members and friends.
     - Engaging in Tweet (or Facebook/LinkedIn/Myspace) rage. Imagine you are at a party where everyone is listening, including your boss, spouse and future employer.
  34. Privacy cont’d
  35. Privacy cont’d
  36. Data = $$$
     - Steal your money directly
     - Sell your data
     - Trick your friends and family into supplying personal data
     - Sell your identity
     - Use your accounts to spread spam, malware and more data theft scams
     - Sell your organization’s data or sensitive information
     - Blackmail individuals and organizations
  37. URL Shortener Risks
     - bit.ly, hex.io, zi.ma, etc.
     - Where will the URL take you?
       - Dubious link via email? Hover your mouse or check the HTML
     - A new way for email phishing scams
     - DDoS with iframe
     - Easily escaping spam filters
     - Even more dangerous! What if the shortener site got hacked?
     - "See before you click" functionality or extensions
       - Example: j.mp
  38. Malware example: Koobface
     - The Koobface worm and its associated botnet have gained notoriety in security circles for their longevity and history of targeting social networking sites. First surfacing in 2008 within MySpace and Facebook, the worm resurfaced in early 2009, this time targeting Twitter users.
     - By using phishing techniques, the message directs the recipients to a third-party website, where they are prompted to download what is purported to be an update of the Adobe Flash player.
     - 11/10/2009 - As part of a new Koobface attack, links to Google Reader URLs controlled by cyber-criminals are being spammed by Koobface onto social network sites, including Facebook and MySpace. The hundreds of Google accounts involved host a page with a fake YouTube video. Attempts to view this supposed video expose Windows users to infection by Koobface.
     - Koobface ultimately attempts, upon successful infection, to gather sensitive information from the victims such as credit card numbers.
  39. Facebook Widget Installing Spyware
     - Prompts users to install the infamous "Zango" adware/spyware.
  40. Twitter hacking example:
     - Select victim group using any one of a number of Twitter trend tools.
     - Select malware based on device or location info.
     - Upload malware to dropbox.com and request a public link for the uploaded file.
     - Use a URL shortening service to obfuscate the URL.
     - Send tweet to target referencing information or post with keywords so that all individuals "tracking" the keywords will be notified of a new tweet on the subject they are tracking.
  41. Scareware Tweets
     - Scareware is fake anti-virus: instead of protecting your computer it infects it
     - Scammers create multiple tweets that direct you to a scareware page. They then try to frighten you into believing you have a security problem and need their software to address it
     - Other scareware attacks aim to:
       - Take control of your computer to send spam
       - Hold your computer to ransom
     - Result: Malware infection
  42. Security analysis difficulties with Web 2.0
     - More code and complexity in Web 2.0 apps
     - At least two languages to analyze (client and server)
     - User-supplied code might never be reviewed
     - Dynamic nature increases the risk of missing flaws
     - Increased number of input points
  43. Basics of Social Networking Security
     - Never post personal information online
       - Everything you post is public information
       - If you don’t feel comfortable with everyone seeing it, then don’t put it online
     - Configure security settings on all sites
       - Most websites you log into have security configurations
       - Set the privacy levels in accordance with what you are posting
     - Change your password regularly
       - Use phrases, not words
       - Do not keep a "master" password
     - Never trust e-mails asking for personal information
       - An official organization will never ask you to disclose any private information in order to correct an error
  44. Basics of Social Networking Security cont’d
     - Do not friend anyone you do not know and trust
       - Hackers and spammers are more clever than you think. There is a reason many online scams are called "social engineering"
       - Clean out your friend list regularly
     - Watch for hacked friend accounts
       - Unusual posts or requests
       - Posting "shock sites"
     - Beware of third-party apps
       - Many require you to sign an agreement giving them the right to sell your information
       - Malicious code can be written into the program
     - Delete unused apps
       - If you are not using them, then why let them potentially mine data about you?
     - If you are unsure about an app, a post or anything else, then Google is your best friend
  45. Basics of Social Networking Security cont’d
     - Caution about posting your location online
       - People are watching where you will be and, more importantly, where you will not be
     - Check your security settings monthly
       - Facebook sets all profiles to public with each site redesign
       - Apps may disable your security settings
       - Viruses and malware may disable your security settings
     - Consider using Private Browsing
       - Private Browsing allows you to view websites without storing your history or installing cookies
       - Private Browsing shortcuts:
         - Firefox: Ctrl + Shift + P
         - Internet Explorer 8: Ctrl + Shift + P
         - Opera: Ctrl + Shift + N
         - Google Chrome: Ctrl + Shift + N
     - Don’t stay logged on
  46. Basics of Social Networking Security cont’d
     - Set your settings to high privacy and/or enable security settings on the sites you use.
     - Review a given website’s privacy policy; you may be surprised at what you are actually agreeing to.
     - Log off when you leave.
     - Install and update antivirus software.
     - Keep system software AND applications up to date.
     - Make sure the connection you use is secure.
