What are the security threats that exist in social networks?
A Billion users… a million threats
1.2 billion users on a single site – exchanging information about their lives, their work, and a lot more.
Security is one of the biggest strong points of Facebook, even if privacy isn't.
Privacy Vs Security
Facebook, over the years, has been criticised for several privacy flaws. For example: who sees my photograph?
But a breach of Facebook's own systems is not one of them.
Facebook's focus on security has been a constant endeavour for years.
We look at how Facebook stays safe in the next few slides.
Types of attacks
Some common risk and security issues that social networks are vulnerable to.
Types of attacks
• Phishing Attacks:
– People who visit the site expect to see new things, click on links and open apps, but they often don't know whether what they are clicking on is legitimate. A single click can lead them to a malware site or expose them to spam.
• Facebook apps
– When a user opens an app they grant it some level of access to their information. However, an app is only as secure as the people behind it, so if the app itself is compromised, its users are exposed as well.
• Poor password security
– A fair number of accounts are compromised simply because someone guessed the password.
Types of attacks
• Cross site scripting:
• Photo tagging is a popular feature in FB and also one of the favourites of hackers. 'Self XSS' attacks come in the form of messages that ask 'why are you tagged in this post?' and, on click, trick you into copying and pasting malicious JavaScript into your own browser, where it runs with your logged-in session and can spread itself to your friends or lead to malware installation.
• Facebook security
• In an ironic twist, hackers have also pretended to be the FB security team to hack into users' accounts. FB has a filter that forbids words like 'Facebook Security' in a person's name, but hackers have used look-alike Unicode characters that appear to spell 'Facebook Security' and send a message saying "Last Warning: Your Facebook account will be turned off because someone has reported you. Please do re-confirm your account security by: (link)". The link leads victims to an external site that clones the Facebook look and makes them click on malicious links.
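The name filter described above fails because it compares the bytes of the name rather than what the name looks like. The following is an added example, not code from the original slides or from Facebook: it reduces a display name to a comparison "skeleton" (Unicode compatibility normalisation, removal of accents and invisible format characters, folding of a hand-picked confusables table, then case-folding and stripping punctuation) and compares that against reserved phrases. The reserved phrase list, the confusables subset and the sample names are assumptions constructed for illustration.

```javascript
// Added example, not from the original slides: flag display names that
// visually spell a reserved phrase such as "Facebook Security" even when they
// are assembled from look-alike Unicode characters or hidden characters.
// RESERVED_PHRASES and the confusables table are assumptions for illustration.

const RESERVED_PHRASES = ["Facebook Security", "Facebook Team"];

// A hand-picked subset of look-alike characters mapped to the Latin letter
// they imitate. Production filters use the full Unicode confusables data
// (UTS #39); this subset is enough to show the technique.
const CONFUSABLES = new Map([
  ["\u0430", "a"], ["\u0435", "e"], ["\u043e", "o"], ["\u0440", "p"], // Cyrillic а е о р
  ["\u0441", "c"], ["\u0443", "y"], ["\u0445", "x"], ["\u0455", "s"], // Cyrillic с у х ѕ
  ["\u0456", "i"], ["\u0458", "j"], ["\u043a", "k"],                   // Cyrillic і ј к
  ["\u03bf", "o"], ["\u03c1", "p"], ["\u03c5", "u"],                   // Greek ο ρ υ
  ["\u0131", "i"], ["\u0261", "g"],                                    // dotless i, script g
]);

// Reduce a name to a comparison skeleton: the letters it appears to contain.
function skeleton(name) {
  return Array.from(
    name
      .normalize("NFKD")                // fullwidth/ligature forms -> base letters + marks
      .replace(/[\p{M}\p{Cf}]/gu, ""),  // drop accents and invisible format chars (ZWSP, ZWJ, ...)
    ch => CONFUSABLES.get(ch) ?? ch,    // fold look-alikes onto ASCII
  )
    .join("")
    .toLowerCase()
    .replace(/[^\p{L}\p{N}]/gu, "");    // ignore spaces and punctuation
}

const RESERVED_SKELETONS = RESERVED_PHRASES.map(skeleton);

// The naive check many filters start with: case-insensitive substring match.
function naiveCheck(name) {
  const lower = name.toLowerCase();
  return RESERVED_PHRASES.some(p => lower.includes(p.toLowerCase()));
}

// Skeleton check: catches homoglyphs, fullwidth letters and hidden characters.
function isReservedName(name) {
  const sk = skeleton(name);
  return RESERVED_SKELETONS.some(p => sk.includes(p));
}

// Constructed sample names (not real accounts).
const SAMPLE_NAMES = {
  cyrillic:  "F\u0430cebook Security",           // the 'а' is Cyrillic U+0430
  fullwidth: "\uFF26\uFF41\uFF43\uFF45\uFF42\uFF4F\uFF4F\uFF4B \uFF33\uFF45\uFF43\uFF55\uFF52\uFF49\uFF54\uFF59",
  zeroWidth: "Face\u200Bbook Sec\u200Burity",     // zero-width spaces split the words
  innocent:  "Jane Doe",
};

// Naive vs skeleton verdict for every sample name.
function report() {
  const out = {};
  for (const [label, name] of Object.entries(SAMPLE_NAMES)) {
    out[label] = { naive: naiveCheck(name), skeleton: isReservedName(name) };
  }
  return out;
}
```

Every disguised sample passes the naive check and is caught by the skeleton check; the innocent name passes both. The same skeleton should also be applied to the other places attackers impersonate the platform, such as page titles and message sender names.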
Types of attacks
• Cross Site Request Forgery (CSRF)
• CSRF attacks exploit the trust that a website has in a browser and its requests. Whenever a request arrives from a user's browser with a valid session cookie, the web server accepts and processes it. The server cannot tell whether the user deliberately made the request or whether a hidden script on another website issued it covertly in the background, without the user noticing, unless the request also carries something a third-party page could not have produced, such as an anti-CSRF token or a matching Origin header. Users who stay constantly logged in and never log out of their social networking site are the natural targets of CSRF attacks.
Types of attacks
• Clickjacking
• Clickjacking is where a user is tricked into clicking on things that they do not see or are not aware of. Usually an invisible frame containing the target site is loaded on top of some visible content, such as a simple game. When the user thinks he/she has clicked somewhere in the game multiple times, they are actually clicking on the invisible layer and triggering some action there. For example, a user might unknowingly be coerced into changing his/her privacy settings.
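The attack above only works if the target page lets itself be framed by a foreign site. As an added example that is not code from the original slides or from any browser vendor, the following reproduces the decision a browser makes before rendering a page inside a frame, driven by the two response headers that defend against clickjacking: X-Frame-Options and the CSP frame-ancestors directive (which takes precedence when both are present). It shows the weak configuration (no header at all) beside the corrected one. The page and embedder origins and the header sets are constructed for illustration, and the source-expression parser covers the common forms only.

```javascript
// Added example, not from the original slides: the check a browser performs
// before rendering a page inside a frame, driven by the two response headers
// that defend against clickjacking (X-Frame-Options and CSP frame-ancestors).
// The origins and header sets below are constructed for illustration.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;   // scheme + host (+ port if non-default)
}

// Does one frame-ancestors source expression match the embedding origin?
function sourceMatches(expr, embedderOrigin, selfOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return embedderOrigin === selfOrigin;
  if (expr === "*") return true;
  const e = new URL(embedderOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return e.protocol === expr.toLowerCase(); // e.g. https:
  // host-source: [scheme://][*.]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && e.protocol !== `${scheme.toLowerCase()}:`) return false;
  const eh = e.hostname.toLowerCase(), h = host.toLowerCase();
  if (wildcard ? !eh.endsWith(`.${h}`) : eh !== h) return false;
  const ePort = e.port || (e.protocol === "https:" ? "443" : "80");
  return !port || port === "*" || port === ePort;
}

// True if `pageUrl`, served with `headers`, may be framed by a page at `embedderUrl`.
function framingAllowed(headers, pageUrl, embedderUrl) {
  const self = originOf(pageUrl), embedder = originOf(embedderUrl);
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const csp = h["content-security-policy"] || "";
  const directive = csp.split(";").map(d => d.trim()).find(d => /^frame-ancestors\b/i.test(d));
  if (directive) {
    // When both headers are present, frame-ancestors wins and X-Frame-Options is ignored.
    const sources = directive.split(/\s+/).slice(1);
    return sources.some(src => sourceMatches(src, embedder, self));
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedder === self;
  return true;   // no policy: any site can frame the page and hide it under a game
}

// The weak configuration (nothing) beside the corrected one. Both headers are
// sent because old browsers know only X-Frame-Options while new ones honour CSP.
const WEAK_HEADERS = { "Content-Type": "text/html" };
const HARDENED_HEADERS = {
  "Content-Type": "text/html",
  "X-Frame-Options": "DENY",
  "Content-Security-Policy": "frame-ancestors 'none'",
};

// Verdict for the same page under both configurations.
function compare(pageUrl, embedderUrl) {
  return {
    weak: framingAllowed(WEAK_HEADERS, pageUrl, embedderUrl),
    hardened: framingAllowed(HARDENED_HEADERS, pageUrl, embedderUrl),
  };
}
```

With no headers the privacy-settings page can be framed by the attacker's game page; with the hardened headers it cannot be framed anywhere, and a policy such as `frame-ancestors 'self' https://*.partner.example` lets the site allow framing only from itself and a named partner. Client-side frame-busting scripts are a weaker fallback, since the framing page can disable them.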
Types of Attacks
• Insecure frameworks
• As social networks get more complex, it is not astonishing to find vulnerabilities in their frameworks. In May 2010, Facebook encountered a privacy glitch. The privacy settings tool allowed a user to test modified privacy settings by previewing how his profile looked to another person. This gave read-only access to someone else's account and made it possible to see their private chat conversations or pending friend requests.
• SQL injections
• Another conceivable attack type is SQL injection, where an attacker finds a way to pass his or her own SQL queries, through unsanitised input, to the linked database.
• DDoS attacks
• Distributed denial of service (DDoS) attacks are external attacks that can interfere with a social network's operation. The intention of a DDoS attack is to interrupt or suspend the services of a host connected to the internet: a multitude of compromised systems attack a single host, causing denial of service for the host's legitimate users. Twitter came under a DDoS attack and remained suspended for 2 days in August 2009. DDoS has also been used by the hacker group Anonymous against the Scientology organisation.
Thank You

Security threats in social networks