Smart Mirror, profile picture
Uploaded bySmart Mirror
PPT, PDF1,636 views

Security presentation

The document summarizes security and privacy issues related to the social networking site Facebook. It outlines problems such as cleartext password interception, incomplete access controls allowing unauthorized access to user photos, and vulnerabilities in the mobile Facebook application. Solutions proposed include implementing encrypted protocols for password transmission, restricting unauthorized database searches, and strengthening encryption and access controls for mobile users. The document also notes recent threats targeting social networking sites reported in various news sources.

Embed presentation

Downloaded 29 times
Outline Introduction Overview of Facebook motivation Problems & Solutions Cleartext Password Interception Privacy Policy Database-Reverse Engineering Incomplete Access Control New Applications and News Facebook Mobile Application Most Recent Threats Conclusion
Overview of Facebook Introduction of Facebook A social networking website launched on February 4, 2004 allows users to join one or more networks to easily connect with other people in the same network. a school place of employment geographic region [http://en.wikipedia.org/wiki/Facebook#cite_note-jonessoltren-96] -- The website has more than 64 million active users worldwide. -- Main functions of Facebook
Motivation Exponential increasing rate of Social Networks members leads many privacy threats of online users Whenever you put data on a computer , you lose some control over it. And when you put it on the internet , you lose a lot of control over it. [Bruce schneier ] In social network communities, almost people did not realize the importance of protecting their privacy online. And due to the extreme complexity , It is a big challenge for net-work security.
Problem 1: Cleartext Password Interception Facebook sends user’s email address and login password in clear text to the developer's server! http://valleywag.com/tech/great-moments-in-public-relations/facebook-calls-reporters-question-harassing-316488.php
Data Collection & Information Transport Data collection: M H(M) Transmit : Secured protocol such as Secured Socket Layer (SSL) shall be implemented in order to protect the data entered at the client's browser MD5 A rainbow table: a lookup table offering a time-memory tradeoff used in recovering the plaintext password from a password hash generated by a hash function. A common application is to make attacks against hashed passwords feasible. MD5 algorithm
Data Collection & Information Transport Add salt to the MD5 data A salt typically means, in context with MD5 encryption, a secret key added to the password in order to complicate the dictionary attack on the password tables. Each bit of salt added to the original password doubles the amount of computation needed for one to break the passwords. the user‘s password : myfacebook instead of being stored as: the hash of “ myfacebook ” being stored as: the hash of 128 characters of random unicode string + “ myfacebook ” It now completely immunes to rainbow table attack.
Data Collection & Information Transport Secured Socket Layer (SSL) protocol is not secure any longer, Secure Remote Password (SRP) protocol Advantages: a) SRP will not compromise the secret key even if the communications are intercepted. b) This protocol has a password to achieve authenticated key exchange, and it still not vulnerable to dictionary attack. c) The verifier does not need to store the passwords in clear. According to the three advantages above, this protocol is one of the best password authenticated key establishment protocols available.
Problem 2: Privacy Policy Facebook’s two features Using email address book to find friends on Facebook New feeds
Improper Features: Access to Email address book http://elronsviewfromtheedge.wordpress.com/ 2007/04/13/the-modern-facebook-of-security/ The first principle of anti-phishing behaviour: NEVER enter your passwords ANYWHERE but the specific site they are designed for
Improper Features: New Feeds http://www.schneier.com/blog/archives/2006/09/facebook_and_da.html
Facebook’s Privacy Policy Facebook’s Privacy Policy is 3700 words long, and ends with a notice that it can change at any time . We reserve the right to change our Privacy Policy and our Terms of Use at any time. How many members ever read that policy? How many read it regularly and check for changes?
Privacy Policy Import the third party to supervise online networking websites Online Privacy Alliance 1. more than 30 global corporations and associations join 2. come together to foster the protection of individuals‘ privacy online. Guidelines for Online Privacy Policies Adoption and Implementation of a Privacy Policy 2. Notice and Disclosure Choice/Consent Data Security Data Quality and Access
Problem 3: Database Reverse-Engineering Facebook’s “advanced search” allows one to query the database of users using any of the fields in a profile. For example advance search for “getting drunk” as an interest, will list all users who have set “getting drunk” in their profile, even if their profile is set to private and visible only to their friends.
Reverse-Engineering Problem This problem is a security hole in Facebook, reported by many users Further research found a student that employed this strategy to create of other local schools. And he was able to systematically build up a database from queries on Facebook’s database. Solutions: When users set their profile to “private”, all information saved under their name should be withheld from being searched by “advanced search”
Problem 4: Incomplete Access Controls In searching for user photos in Facebook, service uses following URL http://mit.facebook.com/photo_search.php&name = John Access controls are not applied to “My Photos”, and there is No privacy for user photographs. Any one can access other users personal photos by editing the above query URL. Solutions: Privacy should extend to “My photos” as well and Search by name feather should be disabled
Mobile Facebook Facebook has launched a mobile version of their website at www.m.facebook.com WAP site allow users to access most features of Facebook from a mobile phone such as uploading photos and notes to facebook via SMS and MMS, as well as receiving new messages and wall posts on mobile device through SMS. If encryption on WAP (wireless application protocol) is set by default, 96% of users employ it. But 3.4% times the number do that when it is not set by default.
Security of Mobile Facebook Encryption by using secret-key is one of the best tools for authenticating wireless users, which is used beside password for authenticated key establishment. This method also adds a layer of privacy by preventing eavesdroppers from easily watching network traffic Most widely employed encryption method on wireless networks is WEP encryption (wired equivalent privacy). WEP uses a shared 40- or 104-bit WEP key to encrypt data between the access point and client. key is composed of a 24-bit initialization vector (IV) and WEP key. The IV is changed periodically so packets won't be encrypted with the same cipher stream
Security Challenges of using Facebook from mobile The challenges for the Mobile Application Security of Facebook mainly includes: Interception of Data between access point and Mobile or Wi-Fi device Data Encryption and Authentication for mobile users
Problems of WEP WEP uses the RC4 encryption algorithm (stream cipher). mode of operation makes stream ciphers vulnerable to several attacks. Solution: Using Integrity Check (IC) field and Initialization Vector (IV) key is composed of a 24-bit initialization vector (IV) and a 40-bit WEP key. The IV is chosen by the sender is changed periodically so every packet won't be encrypted with the same cipher stream Using the same long-term secret key for confidentiality Solution: Establishing a new session key after authentication
News on Recent Threats Criminal hackers now view social networking sites as their best target for personal attacks (iTnews, 4/03/2008) Bugs in the ActiveX controls on popular social networking sites Facebook and MySpace can be used by hackers to snatch control of Windows PCs. ( Computerworld, 01/31/08) Unpatched PCs running Internet Explorer could fall victim extra copies of the browser starting, and ads being served when visiting social networking site Facebook. (ZDNet Australia, 17 /09/2007) No matter what level of privacy you have set on your email address, it is visible on the contacts page (seen on a Windows Mobile device). (ZDNet UK, 12/01/2008)
Conclusions Highly personal nature of social networks and their amplifying effects make it crucial and urgent that their platform be very secure from various attacks (such as third-party attacks, pass word interception…) Some privacy policies in Social Networks needs to be reviewed and some changes may be need in order to provide more privacy for users
Thank you !

More Related Content

PPTX
Email: still the favourite route of attack
byClaranet UK
 
DOC
Eseminar1
byShiva Krishna Chandra Shekar
 
PDF
IRJET - Detecting Spiteful Accounts in Social Network
byIRJET Journal
 
PPT
Hack Firefox to steal websecrets
byguestb3d416
 
PPT
Web security ppt sniper corporation
bysharmaakash1881
 
PDF
Classification Methods for Spam Detection in Online Social Network
byIRJET Journal
 
PDF
Hiroshima University Information Security & Compliance 2018
byimc-isec-comp
 
PDF
Hiroshima University Information Security & Compliance 2018
byimc-isec-comp
 
Email: still the favourite route of attack
byClaranet UK
 
Eseminar1
byShiva Krishna Chandra Shekar
 
IRJET - Detecting Spiteful Accounts in Social Network
byIRJET Journal
 
Hack Firefox to steal websecrets
byguestb3d416
 
Web security ppt sniper corporation
bysharmaakash1881
 
Classification Methods for Spam Detection in Online Social Network
byIRJET Journal
 
Hiroshima University Information Security & Compliance 2018
byimc-isec-comp
 
Hiroshima University Information Security & Compliance 2018
byimc-isec-comp
 

What's hot

PDF
Hiroshima University Information Security & Compliance 2018
byimc-isec-comp
 
PPTX
Basic Internet_Baabtra.com template
byJijo Joseph
 
PDF
Guide to pc_security
byFlora Runyenje
 
PDF
Domain 4 of CEH V11: Network and Perimeter Hacking
byShivamSharma909
 
PDF
A guide to email spoofing
byMattChapman50
 
PDF
How to Protect Your PC from Malware, Ransomware, Virus
byHabFg
 
PDF
Domain 5 of the CEH: Web Application Hacking
byShivamSharma909
 
PDF
Facebook privacy
byaibad ahmed
 
PDF
Hacker halted2
bysamsniderheld
 
PPT
Email Effective Security Practices: 10 Concrete Steps to Consider
bywebhostingguy
 
PDF
Wannacry Virus
byEast West University
 
PPT
Understanding SaaS Concepts
byguest0e7119
 
PPTX
Email threats
byShivam Tomar
 
PDF
[IJET V2I5P15] Authors: V.Preethi, G.Velmayil
byIJET - International Journal of Engineering and Techniques
 
PPTX
Social networks security risks
byosuhaibany
 
PPTX
The need for security
bySaman Sara
 
DOCX
hire a hacker
byhackany1
 
Hiroshima University Information Security & Compliance 2018
byimc-isec-comp
 
Basic Internet_Baabtra.com template
byJijo Joseph
 
Guide to pc_security
byFlora Runyenje
 
Domain 4 of CEH V11: Network and Perimeter Hacking
byShivamSharma909
 
A guide to email spoofing
byMattChapman50
 
How to Protect Your PC from Malware, Ransomware, Virus
byHabFg
 
Domain 5 of the CEH: Web Application Hacking
byShivamSharma909
 
Facebook privacy
byaibad ahmed
 
Hacker halted2
bysamsniderheld
 
Email Effective Security Practices: 10 Concrete Steps to Consider
bywebhostingguy
 
Wannacry Virus
byEast West University
 
Understanding SaaS Concepts
byguest0e7119
 
Email threats
byShivam Tomar
 
[IJET V2I5P15] Authors: V.Preethi, G.Velmayil
byIJET - International Journal of Engineering and Techniques
 
Social networks security risks
byosuhaibany
 
The need for security
bySaman Sara
 
hire a hacker
byhackany1
 

Similar to Security presentation

PPTX
Third parties are actively seeking out end-user information using Facebook
byDaniel Ilunga
 
PDF
Facebook white paper2011
byCPPGroup Plc
 
PDF
Creating Secure Social Applications
byTyler Browning
 
PPT
Week 6: Digital Privacy
byRay Brannon
 
PPTX
Attacking the Privacy of Social Network users (HITB 2011)
byMarco Balduzzi
 
PDF
Facebook Security Essay - Umut Baris Akkaya
byUmut Baris Akkaya
 
PPTX
Facebook Privacy
byWaqar Akram
 
PPT
Hum 140: Social Media: Privacy
byRay Brannon
 
PPT
Facebook security
byPRESENTATIONSFORESL
 
PPTX
Online privacy & security
byPriyab Satoshi
 
PDF
Trusted Friend Attack: Guardian Angels Strike
byMSc Ashar Javed
 
PPT
Cafenumerique presents Facebook Privacy Settings by Zoltan Janosi
byZoltán Jánosi
 
PDF
fissea-conference-2012_srinivasan.pdf
byRobin540999
 
PPTX
Multitenency - Solving Security Issue
byMANVENDRA PRIYADARSHI
 
PDF
The Introductory Guide to Social Login
byLoginRadius
 
PPTX
Exploring Facebook Workshop at Scotch Plains Public Library
byLeora Wenger
 
PDF
Week 7: Privacy-rev2013
byRay Brannon
 
PDF
Social engineering via social media
byb coatesworth
 
PPT
Basic Digital Security
byUjjwal Acharya
 
PDF
Social Insecurity Panel, Lee Tien, EFF
byAliAttention
 
Third parties are actively seeking out end-user information using Facebook
byDaniel Ilunga
 
Facebook white paper2011
byCPPGroup Plc
 
Creating Secure Social Applications
byTyler Browning
 
Week 6: Digital Privacy
byRay Brannon
 
Attacking the Privacy of Social Network users (HITB 2011)
byMarco Balduzzi
 
Facebook Security Essay - Umut Baris Akkaya
byUmut Baris Akkaya
 
Facebook Privacy
byWaqar Akram
 
Hum 140: Social Media: Privacy
byRay Brannon
 
Facebook security
byPRESENTATIONSFORESL
 
Online privacy & security
byPriyab Satoshi
 
Trusted Friend Attack: Guardian Angels Strike
byMSc Ashar Javed
 
Cafenumerique presents Facebook Privacy Settings by Zoltan Janosi
byZoltán Jánosi
 
fissea-conference-2012_srinivasan.pdf
byRobin540999
 
Multitenency - Solving Security Issue
byMANVENDRA PRIYADARSHI
 
The Introductory Guide to Social Login
byLoginRadius
 
Exploring Facebook Workshop at Scotch Plains Public Library
byLeora Wenger
 
Week 7: Privacy-rev2013
byRay Brannon
 
Social engineering via social media
byb coatesworth
 
Basic Digital Security
byUjjwal Acharya
 
Social Insecurity Panel, Lee Tien, EFF
byAliAttention
 

Recently uploaded

PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 

Security presentation

  • 1.
    Outline Introduction Overviewof Facebook motivation Problems & Solutions Cleartext Password Interception Privacy Policy Database-Reverse Engineering Incomplete Access Control New Applications and News Facebook Mobile Application Most Recent Threats Conclusion
  • 2.
    Overview of FacebookIntroduction of Facebook A social networking website launched on February 4, 2004 allows users to join one or more networks to easily connect with other people in the same network. a school place of employment geographic region [http://en.wikipedia.org/wiki/Facebook#cite_note-jonessoltren-96] -- The website has more than 64 million active users worldwide. -- Main functions of Facebook
  • 3.
    Motivation Exponentialincreasing rate of Social Networks members leads many privacy threats of online users Whenever you put data on a computer , you lose some control over it. And when you put it on the internet , you lose a lot of control over it. [Bruce schneier ] In social network communities, almost people did not realize the importance of protecting their privacy online. And due to the extreme complexity , It is a big challenge for net-work security.
  • 4.
    Problem 1: CleartextPassword Interception Facebook sends user’s email address and login password in clear text to the developer's server! http://valleywag.com/tech/great-moments-in-public-relations/facebook-calls-reporters-question-harassing-316488.php
  • 5.
    Data Collection &Information Transport Data collection: M H(M) Transmit : Secured protocol such as Secured Socket Layer (SSL) shall be implemented in order to protect the data entered at the client's browser MD5 A rainbow table: a lookup table offering a time-memory tradeoff used in recovering the plaintext password from a password hash generated by a hash function. A common application is to make attacks against hashed passwords feasible. MD5 algorithm
  • 6.
    Data Collection &Information Transport Add salt to the MD5 data A salt typically means, in context with MD5 encryption, a secret key added to the password in order to complicate the dictionary attack on the password tables. Each bit of salt added to the original password doubles the amount of computation needed for one to break the passwords. the user‘s password : myfacebook instead of being stored as: the hash of “ myfacebook ” being stored as: the hash of 128 characters of random unicode string + “ myfacebook ” It now completely immunes to rainbow table attack.
  • 7.
    Data Collection &Information Transport Secured Socket Layer (SSL) protocol is not secure any longer, Secure Remote Password (SRP) protocol Advantages: a) SRP will not compromise the secret key even if the communications are intercepted. b) This protocol has a password to achieve authenticated key exchange, and it still not vulnerable to dictionary attack. c) The verifier does not need to store the passwords in clear. According to the three advantages above, this protocol is one of the best password authenticated key establishment protocols available.
  • 8.
    Problem 2: PrivacyPolicy Facebook’s two features Using email address book to find friends on Facebook New feeds
  • 9.
    Improper Features: Access to Email address book http://elronsviewfromtheedge.wordpress.com/ 2007/04/13/the-modern-facebook-of-security/ The first principle of anti-phishing behaviour: NEVER enter your passwords ANYWHERE but the specific site they are designed for
  • 10.
    Improper Features: NewFeeds http://www.schneier.com/blog/archives/2006/09/facebook_and_da.html
  • 11.
    Facebook’s Privacy PolicyFacebook’s Privacy Policy is 3700 words long, and ends with a notice that it can change at any time . We reserve the right to change our Privacy Policy and our Terms of Use at any time. How many members ever read that policy? How many read it regularly and check for changes?
  • 12.
    Privacy Policy Importthe third party to supervise online networking websites Online Privacy Alliance 1. more than 30 global corporations and associations join 2. come together to foster the protection of individuals‘ privacy online. Guidelines for Online Privacy Policies Adoption and Implementation of a Privacy Policy 2. Notice and Disclosure Choice/Consent Data Security Data Quality and Access
  • 13.
    Problem 3: DatabaseReverse-Engineering Facebook’s “advanced search” allows one to query the database of users using any of the fields in a profile. For example advance search for “getting drunk” as an interest, will list all users who have set “getting drunk” in their profile, even if their profile is set to private and visible only to their friends.
  • 14.
    Reverse-Engineering Problem Thisproblem is a security hole in Facebook, reported by many users Further research found a student that employed this strategy to create of other local schools. And he was able to systematically build up a database from queries on Facebook’s database. Solutions: When users set their profile to “private”, all information saved under their name should be withheld from being searched by “advanced search”
  • 15.
    Problem 4: IncompleteAccess Controls In searching for user photos in Facebook, service uses following URL http://mit.facebook.com/photo_search.php&name = John Access controls are not applied to “My Photos”, and there is No privacy for user photographs. Any one can access other users personal photos by editing the above query URL. Solutions: Privacy should extend to “My photos” as well and Search by name feather should be disabled
  • 16.
    Mobile Facebook Facebookhas launched a mobile version of their website at www.m.facebook.com WAP site allow users to access most features of Facebook from a mobile phone such as uploading photos and notes to facebook via SMS and MMS, as well as receiving new messages and wall posts on mobile device through SMS. If encryption on WAP (wireless application protocol) is set by default, 96% of users employ it. But 3.4% times the number do that when it is not set by default.
  • 17.
    Security of MobileFacebook Encryption by using secret-key is one of the best tools for authenticating wireless users, which is used beside password for authenticated key establishment. This method also adds a layer of privacy by preventing eavesdroppers from easily watching network traffic Most widely employed encryption method on wireless networks is WEP encryption (wired equivalent privacy). WEP uses a shared 40- or 104-bit WEP key to encrypt data between the access point and client. key is composed of a 24-bit initialization vector (IV) and WEP key. The IV is changed periodically so packets won't be encrypted with the same cipher stream
  • 18.
    Security Challenges ofusing Facebook from mobile The challenges for the Mobile Application Security of Facebook mainly includes: Interception of Data between access point and Mobile or Wi-Fi device Data Encryption and Authentication for mobile users
  • 19.
    Problems of WEPWEP uses the RC4 encryption algorithm (stream cipher). mode of operation makes stream ciphers vulnerable to several attacks. Solution: Using Integrity Check (IC) field and Initialization Vector (IV) key is composed of a 24-bit initialization vector (IV) and a 40-bit WEP key. The IV is chosen by the sender is changed periodically so every packet won't be encrypted with the same cipher stream Using the same long-term secret key for confidentiality Solution: Establishing a new session key after authentication
  • 20.
    News on RecentThreats Criminal hackers now view social networking sites as their best target for personal attacks (iTnews, 4/03/2008) Bugs in the ActiveX controls on popular social networking sites Facebook and MySpace can be used by hackers to snatch control of Windows PCs. ( Computerworld, 01/31/08) Unpatched PCs running Internet Explorer could fall victim extra copies of the browser starting, and ads being served when visiting social networking site Facebook. (ZDNet Australia, 17 /09/2007) No matter what level of privacy you have set on your email address, it is visible on the contacts page (seen on a Windows Mobile device). (ZDNet UK, 12/01/2008)
  • 21.
    Conclusions Highly personalnature of social networks and their amplifying effects make it crucial and urgent that their platform be very secure from various attacks (such as third-party attacks, pass word interception…) Some privacy policies in Social Networks needs to be reviewed and some changes may be need in order to provide more privacy for users
  • 22.

Editor's Notes

  • #2 Now, we will begin with the outline. In today’s presentation, there are 3 main sections. In first section, we will give a short introduction of Facebook, and describe our motivation that is why we choose this topic. and then we will talk about the privacy problems and threats Facebook confront now. After analyzing these problems, we proposed our suggestions and solutions .
  • #3 Then it is the overview of Facebook. Facebook is a social network community which is launched on February 4,2004. And this website allows users to easily connect with their friends by joining into different social graphs, like school, place of employment, or geographic regions. Thanks to this kind of social graphs their users made, the website has more than 64million active users all over the world. For the main functions, I cut the description from Facebook, they list the uses as follows: Keep up with friends, share photos, control privacy (whether can really control is still depends), rests are communications and make plans. We believe most of us are familiar with Facebook, if you have not use it before, I hope after my introduction, you already have a outline of Facebook.
  • #4 After the introduction of Facebook, I will explain why we choose this topic. Nowadays, people are very likely to ask for privacy in real life, but when they face the online social communities, most of them have not realized that online privacy is the same important as in real life, or even more important. I abstract the reasons into 2 points. First, this kind of internet social graph are different from original face to face interactions, because A user can be easily involved into a extremely large social graph. For example, if you only add one person who already has 500 other friends, and then the 500 persons can easily see your privacy information from the web links. So it brings large numbers of unknown factors and threats in an much more easy and hidden way. The second point is just like a famous computer security specialist Bruce have said: “ Whenever you put data on a computer , you lose some control over it. And when you put it on the internet , you lose a lot of control over it. ” The information transmit with a hard copy may limit by different geographic regions, or difficultes of seaching, but t he information spread on the internet is no need to think about these limits at all. So, while enjoying the convenience of internet, people need to prevent the corresponding threats. So we choose this topic, because we believe concerning the online privacy is necessary and important.
  • #5 For the above problem, we know privacy is more about control than about secrecy. But it is only one side of networking security. For the following problem, secrecy becomes the most important part of concern. That is: Facebook sends user’s email address and login password in clear text to the developer's server! After we have finished this course, we all know: sending passwords in clear text is a horrible idea.
  • #6 Information protection at the time of data collection The first level of data protection shall begin at the point of data collection. When the data is transmitted, hash functions such as message digest, MD5 algorithm [10] shall be utilized to protect the data for additional security. For transmitting, Secured protocol such as Secured Socket Layer (SSL) [10] shall be implemented in order to protect the data entered at the client's browser. So the hashed data transmitted over SSL would be the first level of protection for personal data. However, the MD5 is not one hundred percentages protective, because of its nature, where MD5 makes only one pass over the data. It is possible to create a rainbow table for the MD5 encrypted data and potentially, the password can be cracked. Here, we need to ensure one word: rainbow table A rainbow table: A rainbow table is a lookup table offering a time-memory tradeoff used in recovering the plaintext password from a password hash generated by a hash function. A common application is to make attacks against hashed passwords feasible.
  • #7 To overcome this problem, one may wish to add more complexity to the encryption by the way of adding salt to the MD5 data. A salt typically means, in context with MD5 encryption, a secret key added to the password in order to complicate the dictionary attack on the password tables. Each bit of salt added to the original password doubles the amount of computation needed for one to break the passwords.
  • #8 SSL protocol is established between client browser and server to protect subsequent communications, but as we have learnt from our course, a sophisticated phishing scam has already used the valid SSL certificate in Feb 2006. But fortunately, in the end of our 5 module, we learnt a perfect secure protocol. That is: Secure Remote Password (SRP) protocol. It is one of the best password-authenticated key establishment protocol available but have not used today. For its advantages, it can be abstracted into 3 points:
  • #9 When talking about Facebook’s privacy policy, let’s look at two Facebook’s features first. They are
  • #10 When people sign up for a Facebook account, his first option is to enter his third party email address and the password to the facebook site, so that Facebbok can login to this email and search the address book for Facebook users he’s already known. We understand that Facebook are trying to find a way to import user’s contacts who already use Facebook in order to make user’s initial experience more convenient , but this violates the first principle of anti-phishing behaviour … “NEVER enter your passwords ANYWHERE but the specific site they are designed for”. That means, regardless of how many safeguards they put in place, the idea of giving email password to ANYONE else for any reason is a serious breach of security protocol.
  • #11 Early September 2006, Facebook introduced a new feature called "News Feeds" that shows an aggregation of everything members do on the site: For example, on the screen is my profile in Facebook. In the “mini feed” window, every action I have ever done is displayed, like: added and deleted friends, a change in relationship status, Give somebody some gifts, and so on. Then, these changes are all broadcasted to my friends’ home pages automatically. Though Facebook give user some control, like user can delete this kind of report, but they have to delete the items one by one. Moreover, when press the cancel button, the pop up dialog is like this, we can only hide this information, and we do not even have the choice to completely delete it.
  • #12 After discussion the above problems, maybe we will ask: “ Is not there any privacy policy? ” Unfortunately, Facebook can change the rules whenever it wants. Its Privacy Policy is 3700 words long, and ends with a notice that it can change at any time. How many members ever read that policy, let alone read it regularly and check for changes? For these two features, privacy is more about control than about secrecy. So the website should give user the real right to control their privacy.
  • #13 If the third party’s surveillance are gradually improved and standardized, the online network developers will not bring as many threats as nowadays.
  • #14 Facebook’s “advanced search” allows one to query the database of users using any of the fields in a profile. When people hide their profile page, they expect the information on it remain private. For example if some a user set “getting drunk” as an interest and set his profile visible only for his friends, an advanced search for “getting drunk”, will list his name as well. But if some one search for example “getting drunk”, as an interest
  • #17 It is interesting to know that If encryption on WAP (wireless application protocol) is set by default, 96% of users employ it. But 3.4% times the number do that when it is not set by default.
  • #20 WEP uses the RC4 encryption algorithm, which is known as a stream cipher. A stream cipher operates by expanding a short key into an infinite pseudo-random key stream. The sender XORs the key stream with the plaintext to produce ciphertext. The receiver has a copy of the same key, and uses it to generate identical key stream. XORing the key stream with the ciphertext yields the original plaintext. This mode of operation makes stream ciphers vulnerable to several attacks. If an attacker flips a bit in the ciphertext, then upon decryption, the corresponding bit in the plaintext will be flipped. Also, if an eavesdropper intercepts two ciphertexts encrypted with the same key stream, it is possible to obtain the XOR of the two plaintexts. Knowledge of this XOR can enable statistical attacks to recover the plaintexts. The statistical attacks become increasingly practical as more ciphertexts that use the same key stream are known. Once one of the plaintexts becomes known, it is trivial to recover all of the others.
  • #21 After having the introduction, and motivation about social networkes, I am going to discuss about some recent attacks to such social networks and the present the list of some possible security and privacy threats for such kind of highly-used Social Networks (such as Facebook, MySpace, and…)
  • #22 Amplifying : increase in size