The document appears to be a syllabus for a course on social media security basics. It includes sections on definition of terms, risks, common attacks, and what can be done to protect yourself. Some common social media attacks mentioned are malware distribution, command and control of malware, compromise of sensitive data, social media worms like KoobFace that spread through messages/posts, targeted attacks, password/account hacking, and spam. The syllabus suggests users should avoid random links, use strong unique passwords, and not trust unsolicited messages. Vendors and enterprises are encouraged to implement better security practices while more research should be done on social media threats.
When it comes to social media, most of us expect that we are in control of what we share about ourselves, and who we share with. In this hands-on workshop, we will dispel common myths and misconceptions about social media privacy as well as discuss step-by-step instructions for securing our social media selves.
How to Like Social Media Network Security - Brian Honan
This is my presentation from Source Dublin 2014 on cyber crime and social media.
Social media networks provide individuals and businesses with exciting opportunities to communicate and collaborate with others throughout the world. But with these opportunities come a number of security challenges and risks. This talk will outline how social media networks can pose various threats to businesses, from information leakage and reputational damage to social engineering profiling and vectors for enabling compromise of corporate systems. Social media networks also enable the rapid dissemination of news, which in the event of an information security breach could either save or destroy an organisation's reputation. Understanding and dealing with these challenges will enable companies to like and favourite social media networks in a secure way.
There is no argument about the popularity of social platforms such as Facebook, YouTube, Twitter, etc. These platforms can be used to stay in touch with your friends, increase sales revenues for organizations and as a collaboration tool to stay connected with the public. However, each of these benefits comes at a cost, putting your private information at risk or exposing it. We aim to discuss the common security risks associated with usage of these platforms, including risk mitigation strategies.
Intro Video : https://www.youtube.com/watch?v=zxpa4dNVd3c
Presentation for Computer Society of Sri Lanka on 24 Feb 2015
Online Social Networks: 5 threats and 5 ways to use them safely - Tom Eston
I spent the last few months doing research on various social networks specifically MySpace, Facebook, LinkedIn. Many of us either use these sites or know others that do. Users of these sites have been increasing at a dramatic rate for several years. For example, MySpace was the most visited website in the US with more than 114 million global visitors in 2007, and Facebook increased its global unique visitor numbers by 270% last year alone. With this massive increase in social network usage, online social networking is now becoming the fastest growing area of privacy concerns and security threats.
A cyber security aware society is the need of the hour. There is a growing need for cyber security awareness: every internet user should know at least the basics of cyber security, and an educated, aware user can help minimise the impact and rate of cyber crimes, particularly those related to online transactions and phishing…
Social Network Privacy, Security and Reputation Management.
What are the threats on social networks?
How can you help your customers manage their online identity?
A presentation given by LIFARS at the MEPA EU Police Academy conference in May 2016. It covers the dangers that the internet and social media pose to children and adolescents. More and more, we're seeing that social media are opening the gates to cyberbullying, cyber extortion, sextortion, cyber stalking and more. Any parts of this presentation can be adopted and reused as long as attribution is given. For inquiries, please contact pr@lifars.com.
Basic tips for staying safe and protecting personal privacy on popular social media sites, including Facebook, Twitter, and Instagram. Designed for casual users of social media.
This is a presentation Bill gave at the May 2009 NAISG meeting on the security dangers of such social networking entities as Facebook, LinkedIn and Twitter.
Humorous discussion presenting some of the kinds of risks that face public-facing Web sites for corporations, ranging from hacking to legal to social media scares. Slides are illustrative in nature and the aim of the talk is more awareness than anything else.
Creating a digital toolkit for users: How to teach our users how to limit the... - Justin Denton
Ever wonder what you should or shouldn’t share on the internet? Do you see users who are posting everything they possibly could on the internet and wonder how to help educate them to protect themselves?
All of this collective sharing creates a data gold mine for hackers to do their evil bidding. In this session we will talk about what to post on the internet and what not to. We will also look into what hackers can use from the information you’ve posted on the internet and how they can use it to gain access to your and your users’ personal lives, accounts, credit cards, and more. During this session, we’ll dive into building a strategy plan to help limit and hopefully eliminate these references from your digital footprint to help ensure you are more secure than you were when you first started this session.
By the end of this webinar, attendees will have a virtual toolkit and strategies to help educate users on protecting themselves while online.
Coverage of the following topics: tech growth, social media, the Internet of Things, how businesses are using social media in HR, how people expose their information online, privacy, the ramifications of your online life, how criminals, terrorists, governments and organizations use your online information, cyberbullying, data breaches, and hacktivism.
Special Topics Day for Engineering Innovation Lecture on Cybersecurity - Michael Rushanan
This particular presentation covers, at a high level, our national cybersecurity initiative. The content targets prospective high school students and delves into areas of computer science, information systems, and policy.
An Introduction To IT Security And Privacy In Libraries & Anywhere - Blake Carver
An hour-long presentation I gave for LYRASIS. It introduces many topics in security and privacy on the internet and computers and any other type of device with an IP address: IoT (Internet of Things), browsers, portable devices and more. In this hour I focused on things to train in libraries, security awareness training and other things relevant to people in libraries, librarians and anyone else in a library. There's a focus on practical ways to secure yourself, browsers and other things. Also some discussion on privacy.
"Know Thy Enemy" - Module 1 of my Cybersecurity Primer Presentations. Who is Trying to Hack You? The Seven Types of Hackers on the Internet, their profiles and motivations.
Reining in the Data ITAG tech360 Penn State Great Valley 2015 Andrew Schwabe
Social impact of the privacy crisis in the post-Snowden era. What we thought was secure has been compromised. We think we want anonymity, but that promotes bad activity.
Cybercrime and the Developer: How to Start Defending Against the Darker Side... - Steve Poole
JavaOne 2016 Talk
In the world of DevOps and the cloud, most developers have to learn new technologies and methodologies. The focus tends to be on adding capabilities such as resilience and scaling to an application. One critical aspect consistently overlooked is security. In this session, learn about a few of the simple actions you can take (and some behaviors you must change) to create a more secure Java application for the cloud. The world of the cybercriminal is closer than you realize. Hear how at risk your application may be, see practical examples of how you can inadvertently leave the doors open, and understand what you can do to make your Java solution more secure.
10. Viral Adoption
Refers to a system architecture that can be adopted incrementally, and gains momentum as it scales.
http://dl.media.mit.edu/viral/viral.pdf - Viral Communications, Media Laboratory Research Draft, May 19th 2003
11. Meme
Acts as a unit for carrying cultural ideas, symbols or practices, which can be transmitted from one mind to another through writing, speech, gestures, rituals or other imitable phenomena.
http://en.wikipedia.org/wiki/Meme
12. Social Media Security Basics
Syllabus
• Definition of Terms
• What is the Risk?
• Common Attacks
• What Can Be Done
14. Social Networking vs Social Malware
Social Networking:
• Decentralized
• Interconnected
• Mobile
• Quick Content Publishing
Social Malware:
• Decentralized
• Interconnected
• Mobile
• Has Access to Data
15. KoobFace
• Social media worm
• Propagation via Facebook messages
• Propagation via Facebook wall posts
• Spams your friend list with an “update for Adobe Flash”
• Installs pay per install malware on target
• Infected computers operate as a botnet
16. Targeted Attack
• Defamation of brand
• What is your follower count?
• Further social engineering efforts
• Leveraging power nodes
• Data disclosure
• What types of data do you have online?
• As a primary point of entry into your organization
17. Matt (Hacker) / Rakesh (Target)
Matt: Hi, What's up?!
Rakesh: Hi Matt. Everything OK?
Matt: Well, I'm really stuck here in London. I had to visit a resort here in London and I got robbed at the hotel I'm staying
Rakesh: Ack that's terrible! Sorry to hear that.
Matt: We need some help flying back home. All our money is stuck in our checking account and we can't get at it!
Rakesh: Is this really you? It doesn't sound legit…
Matt: It sure is! Lauren is here with me and so are the kids. We're really stuck, will you help?
http://rake.sh/blog/2009/01/20/facebook-fraud-a-transcript/
18. Social Media Security Basics
Syllabus
• Definition of Terms
• What is the Risk?
• Common Attacks
• What Can Be Done
19. History of Twitter Hacks
• 4/2007: SMS updates vulnerable
• 8/2008: Trojan download attacks begin
• 2/2009: Clickjacking attacks begin
• 4/2009: XSS worm released
• 4/2009: Internal admin tool hack
• 6/2009: Trending topic abuse begins
• 7/2009: Koobface
• 1/2010: Banned 370 passwords
• 5/2010: Force follow bug
• 9/2010: Mouseover exploits found
• 3/2011: Added option to require SSL
• 9/2011: Of top 10 most followed, only 2 have never been hacked
• 9/2011: script_kiddiez rampage
http://mashable.com/2011/03/23/twitter-malware-history/
http://www.veracode.com/resources/twitter-infographic
20. Abuse of Trending Topics
Observe Twitter's trending topics
Create an account (or use hacked one)
Spam malicious links with trending topic content
Unsuspecting users click link…
They have been hacked!
Variation: Use trending topics to register new malware hosting domains in real-time
21. Passwords and Password Reuse
Passwords STINK!
• Passwords < 6 characters long ~30%
• Passwords from limited alpha-numeric key set ~60%
• Used names, slang words, dictionary words, trivial passwords, consecutive digits, etc. ~50%
• Not only a user problem
• Secret questions – bad idea!
• SQL Injection compromises up 43% year over year
• HBGary, Xfactor, Fox.Com, PBS, FBI, Pron.com, …
• Sony, Sony, Sony… oh.. Yeah.. SONY!
• Password reuse?
http://www.scmagazineus.com/hacker-attacks-against-retailers-up-43-percent/article/214125/
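As an added example (not from the original deck), a checker that turns the weak-password categories listed on this slide (under 6 characters, letters-and-digits only, names/dictionary words, consecutive digits, banned lists) into a policy a sign-up form could enforce. The banned list and dictionary here are small constructed samples, not Twitter's real list of 370 banned passwords.

```python
import re
from typing import List

# Constructed sample data (not Twitter's real banned list): a handful of entries
# standing in for the "most common passwords" lists the slide alludes to.
BANNED_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "letmein",
    "happiness", "iloveyou", "monkey", "twitter", "facebook",
}

# Constructed mini dictionary of names, slang and dictionary words.
DICTIONARY_WORDS = {"happiness", "monkey", "dragon", "summer", "love", "matt", "lauren"}


def _ascending_digit_run(s: str, run: int = 4) -> bool:
    """True if s contains `run` consecutive ascending digits, e.g. '1234'."""
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if chunk.isdigit() and all(
            int(chunk[j + 1]) - int(chunk[j]) == 1 for j in range(run - 1)
        ):
            return True
    return False


def weaknesses(password: str) -> List[str]:
    """Return the slide's weak-password categories that `password` falls into.

    An empty list means none applied; it is not proof the password is strong.
    """
    found: List[str] = []
    lower = password.lower()
    if len(password) < 6:
        found.append("shorter than 6 characters")
    # "limited alpha-numeric key set": nothing but letters and digits
    if re.fullmatch(r"[A-Za-z0-9]*", password):
        found.append("limited alphanumeric key set")
    if lower in BANNED_PASSWORDS:
        found.append("on banned list")
    # a name, slang or dictionary word, possibly decorated with digits/symbols
    core = re.sub(r"[^a-z]", "", lower)
    if core in DICTIONARY_WORDS:
        found.append("dictionary word or name")
    if _ascending_digit_run(password):
        found.append("consecutive digits")
    return found


def acceptable(password: str) -> bool:
    """Policy decision a sign-up or password-change form could enforce."""
    return not weaknesses(password)


if __name__ == "__main__":
    # "Happiness" is the admin password from the next slide; the rest are constructed.
    for candidate in ["Happiness", "abc", "monkey1234!", "c0rrect-H0rse_b@ttery9"]:
        print(f"{candidate!r}: {weaknesses(candidate) or 'no listed weakness'}")
```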
22. Own The Borg, Own The WORLD!
In 2009, Twitter gets COMPLETELY owned… TWICE!
Brute force password attack of targeted user reveals a password of “Happiness” – User is a Twitter admin… OWNED!
A French hacker owns the Yahoo email account of a user on Twitter. He then resets that user's Twitter password and views the email in the Yahoo account. User is a Twitter admin… OWNED!
23. LikeJacking (Click Jacking with a twist)
Your friend “likes” a video
This posts a link to it on his wall
You click the link….
You get redirected to the video
You watch the video
Associated with the video is a like button
You inadvertently post your “like” of this same video
You have been LikeJacked
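LikeJacking works because the page carrying the real “like” button can be loaded inside an attacker's frame. As an added example (not from the deck), this classifies who may frame a response from its headers, applying the rule that a CSP frame-ancestors directive overrides X-Frame-Options. The header sets at the bottom are constructed for a hypothetical like endpoint, not taken from any real site.

```python
from typing import Dict
import urllib.request

FRAMING_NONE, FRAMING_SELF, FRAMING_ALLOWLIST, FRAMING_ANY = "none", "self", "allowlist", "any"


def framing_policy(headers: Dict[str, str]) -> str:
    """Who may put this response in an <iframe>, judged from its headers.

    A CSP frame-ancestors directive takes precedence over X-Frame-Options when
    both are present; with neither header, any site may frame the page.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.strip("'").lower() for p in parts[1:]]
            if not sources or sources == ["none"]:
                return FRAMING_NONE
            if "*" in sources:
                return FRAMING_ANY
            if all(s == "self" for s in sources):
                return FRAMING_SELF
            return FRAMING_ALLOWLIST
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return FRAMING_NONE
    if xfo == "SAMEORIGIN":
        return FRAMING_SELF
    # absent, malformed, or the obsolete ALLOW-FROM form modern browsers ignore
    return FRAMING_ANY


def clickjackable(headers: Dict[str, str]) -> bool:
    """True when an arbitrary third-party page could overlay this response."""
    return framing_policy(headers) == FRAMING_ANY


def framing_policy_of(url: str, timeout: float = 5.0) -> str:
    """Fetch `url` (following redirects) and classify its final response headers."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return framing_policy(dict(resp.headers.items()))


# Constructed header sets for a hypothetical "like" endpoint (not from any real site).
WEAK_HEADERS = {"Content-Type": "text/html"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{name}: framing={framing_policy(hdrs)} clickjackable={clickjackable(hdrs)}")
```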
24. Top 5 categories for Facebook Spam
1) Stalking (Who is looking at your profile?) – 34.7%
2) Free stuff social games (Free Farmville dollars!!) – 16.2%
3) Shocking curiosities (OMG free porn) – 14.1%
4) Features that Facebook doesn't offer (“Who ‘poked’ me the most”) – 12.5%
5) Games not actually offered by Facebook (Super Mario Bros.) – 8.4%
25. Social Media Security Basics
Syllabus
• Definition of Terms
• What is the Risk?
• Common Attacks
• What Can Be Done
26. The Vendor
• Implement better heuristics and anomaly detection
• Better warnings and alerts
• Lock accounts when appropriate
• Explode and analyze shortened links
• Fix passwords and secret questions
Much more public research should be done in this area
https://www.facebook.com/blog.php?post=403200567130 – Blog post from Facebook re: their SPAM prevention practices
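One way a vendor (or an enterprise monitoring outbound traffic) can “explode” a shortened link: walk the redirect chain with HEAD requests, never fetching a body, and flag chains that end at a bare IP, an executable, or a loop. This is an added example, not code from the deck or from Facebook; the risk heuristics are my own choice, and the redirect table is constructed so it runs offline.

```python
import ipaddress
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlparse

REDIRECTS = {301, 302, 303, 307, 308}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".bat", ".apk", ".dmg")

# A "head" function returns (status_code, Location header or None) for one URL.
HeadFn = Callable[[str], Tuple[int, Optional[str]]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # refuse to follow, so every hop is visible to explode_link


def live_head(url: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """HEAD one URL without following its redirect; the body is never fetched."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx (unfollowed), 4xx and 5xx land here
        return err.code, err.headers.get("Location")


def explode_link(url: str, head: HeadFn = live_head, max_hops: int = 10) -> Dict[str, object]:
    """Walk the redirect chain behind a (shortened) link and attach risk flags."""
    chain: List[str] = [url]
    flags: List[str] = []
    seen = {url}
    current = url
    for _ in range(max_hops):
        status, location = head(current)
        if status not in REDIRECTS or not location:
            break
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in seen:
            flags.append("redirect loop")
            break
        seen.add(nxt)
        chain.append(nxt)
        current = nxt
    else:
        flags.append(f"more than {max_hops} hops")

    final = chain[-1]
    parsed = urlparse(final)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        flags.append(f"non-web scheme: {parsed.scheme}")
    elif parsed.scheme != "https":
        flags.append("final URL is not HTTPS")
    try:
        ipaddress.ip_address(host)
        flags.append("final host is a bare IP address")
    except ValueError:
        pass  # a hostname, not an IP literal
    if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
        flags.append("final URL points at an executable")
    if len(chain) > 3:
        flags.append("long redirect chain")
    return {"chain": chain, "hops": len(chain) - 1, "final": final, "flags": flags}


# Constructed redirect table (documentation-range IP, .example hosts) for offline use.
CONSTRUCTED_HOPS: Dict[str, Tuple[int, Optional[str]]] = {
    "http://s.example/x1": (301, "http://t.example/y2"),
    "http://t.example/y2": (302, "http://203.0.113.5/flash_update.exe"),
    "http://203.0.113.5/flash_update.exe": (200, None),
    "http://s.example/loop": (302, "http://s.example/loop2"),
    "http://s.example/loop2": (302, "http://s.example/loop"),
    "http://s.example/ok": (301, "https://www.example.org/news"),
    "https://www.example.org/news": (302, "/news/article"),
    "https://www.example.org/news/article": (200, None),
}


def table_head(url: str) -> Tuple[int, Optional[str]]:
    """Stand-in for live_head that answers from the constructed table."""
    return CONSTRUCTED_HOPS.get(url, (200, None))


if __name__ == "__main__":
    for start in ("http://s.example/x1", "http://s.example/loop", "http://s.example/ok"):
        print(explode_link(start, head=table_head))
```

Pass `head=live_head` (the default) to resolve real links; the HEAD-only walk keeps the analyst from ever downloading the payload.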
27. The Enterprise
• Lock down the big players??
• Monitor and analyze outbound traffic
• EDUCATION
Much more public research should be done in this area
28. How To Protect Yourself
• Don’t click random links
• Passwords STINK! Use a safe.
• Never trust a message as safe
• Be selective about your “friends”
• Keep to the basics (avoid add-ons)
Don’t forget the social networking “Golden Rule”
Good morning everyone. My name is Tyler Shields; I’m a Senior Researcher at Veracode. My day-to-day responsibilities involve keeping up with the latest attacks and defenses and determining how Veracode can enhance its product offerings to match what we are seeing in the wild. I have what I think is a pretty interesting presentation for you today. We’re going to be going over social media security basics. What are some of the real, in the wild, attack scenarios. What has been compromised, how has it been compromised and how can you keep from being the next target.
First let’s start off with a little game. When I was putting this slide together I kept thinking of that song from Sesame Street… “One of these things is not like the other, one of these things is not the same…” Funny enough, they ARE all the same. Facebook’s Twitter feed, Britney’s, USA TODAY’s, and even the Dalai Lama’s own have all had the same issue.
They have all been hacked. That’s right… each of the previous slides’ Twitter accounts has at some point in the past been hacked. Once hacked, they were generally used for practical jokes or to distribute spam or malware. I only put a sample set of the screenshots on here because I couldn’t fit them all in. You can spend hours reading the funny comments and Twitter posts from these hacked accounts with some basic Google searching. However, all that being said… this is supposed to be an instructional lecture… so let’s move on from the fun and get into some real meat.
Since this webinar series is a back-to-security-basics series, I chose a blackboard theme and even have a syllabus for us to review. For today’s syllabus we’re going to first go over some definitions of terms. We’ll touch on a true definition of social media and what the impact of social media is on the security threat landscape. Next we’ll go over the risks of social media. What is there to really be afraid of? What are the risks of compromise and what can be the downside of using (or being abused on) social media sites? Third we’ll look at some of the more common attack scenarios that have happened in the wild and how those scenarios affect the targets. What are the motivations of the attacker and what goals is he trying to achieve? Finally we’ll briefly discuss what can be done to help solve the problem. Sadly there are no silver bullets in these slides, but education is a first step to hopefully making people aware of the issues involved.
First let’s begin with an outline of social networking. What is it, what are the associated terms, and why is it a real problem that needs to be secured?
When I say “Social Networking”, what are the first companies that come to mind? Nearly everyone thinks of Facebook, LinkedIn, Twitter, and possibly MySpace. That’s about it. These are the big guns. These are the guys that have the huge subscriber counts. The owners of these sites are the guys that have the very difficult decision to make: “How many private jets should I buy?” I would argue that these are only a small selection of the “social networks” that exist in reality. I would argue that social networking is much, much larger than just a few web properties. Let’s expand the picture out a bit more and see what it looks like…
So this looks a bit better. We’ve expanded out to include sites such as YouTube, Blogger.com, Apple’s Ping, FourSquare, Vimeo, and even Google. This looks like a much better picture of what the real social networking world entails. Well again, I would argue that it’s much, much more than this. I found one photo online that really depicts what I think the reality of social networking looks like…
THIS picture is much closer to my view of social networking. Social networking really isn’t about web sites. It’s not about mobile apps. Social networking is really a paradigm shift. It’s less about creating individual isolated avenues for people to socialize and is more about adding a social aspect to every piece of technology and modern innovation that we can. The first few pieces of this puzzle have been the social networking sites themselves and more recently followed by the growing adoption of mobile devices. When we take those two components and place them next to cloud based technologies we get a picture of social networking that really is becoming ubiquitous. It’s rapidly approaching a state where social computing is becoming a core component of any successful Internet innovation.
I’m guessing the majority of the folks on this call today are security practitioners of one type or another. I’m sure we have some security managers, consultants, researchers, and even CSO and CISO title holders on the call. So let’s shift the conversation from social networking as a concept to the security impacts of social networking. I’m sure you have heard this before, but I consider it so important a paradigm shift that it bears repeating whenever possible. The perimeter is dead. When I say dead, I mean completely dead. It’s six feet under and won’t be coming back for Halloween kind of dead. The concept of one external perimeter that we have to secure from a horde of inbound attackers is passé. Thanks to a few specific things, the perimeter has shrunk to the point that it sits on each individual device. The specific things that have driven this change are mobility, the cloud, and social networking. Mobility has taken our devices and made them smaller, lighter, and more nimble. Along with that, they have become decentralized. Our devices are all now mobile devices, connecting to a Wi-Fi hot spot at Starbucks one afternoon, an airport Wi-Fi the following morning, our corporate network each work morning, and our home network each night. Next we add in the cloud and we see that the data doesn’t even reside in our networks any longer. Gone are the days when our personal photos resided on our own servers; going away is the time in which we edit documents and store them locally on our machines’ hard drives. We’re moving all this data into the cloud. We have service providers that host all of our photos (Flickr), we have service providers that hold all of our personal documents (DropBox, our online bank, etc.). From a corporate standpoint we are moving more and more of our corporate data into the cloud on a daily basis. It’s lower cost of ownership and less overhead… it just makes sense.
Finally, add to this social networking and all of our personal thoughts, feelings, ideas, etc. are stored externally as well. Security has become, and will continue to be, data centric. We must now look at the location of our sensitive data, and how we can properly secure that data wherever it may reside. This is the reality of today’s interconnected, highly social, Internet world.
Along with the destruction of the perimeter comes the issue of viral adoption. Adoption of concepts occurs faster than ever before thanks to technology and in particular social media sites. Viral adoption is one of the core issues in the socially networked world. Prior to the adoption of social interconnections, proliferation of malware was relatively rate-limited. It was only with the advent of contact lists and address books that the majority of the really big worms sprang to life. The more interconnected we get, the faster the possible viral adoption rates, and the faster propagation of malicious activity may occur. Add to this the fact that the malware will likely appear to come from a trusted source, and we really see that the viral nature of social media is a perfect breeding ground for a new age of malware.
One final term I’d like to identify is the concept of a meme. A meme is basically an idea, concept, symbol, phrase, or story that is passed from one person to another. In the world of social media there are tons of memes. There are even web sites dedicated to knowing what the meme of the day means and where it came from (see knowyourmeme.com). From a security perspective, memes are a great way to transmit malware. If you can package your malware in the meme, trend, or otherwise hot topic of the day, you will likely have a much higher rate of infection. We’ll see more details on this when we get into some of the later slides.
Back to our syllabus. Now that we are all in agreement with what the terms are and what they mean, let’s turn our attention to the risks of social media. Why should we really care at all? Is there really any inherent risk with the adoption of this new paradigm?
The first and most obvious risk with regards to social media is malware. Malware authors continually embrace the technologies that will allow them to propagate their code the most effectively. In the last few years we have seen malware code that uses social networking sites as distribution centers. We’ve seen malware that uses social networking sites as a method of executing command and control of their compromised zombie systems. And we’ve also seen malware directly compromising the sensitive data that is saved specifically within social networking systems in an attempt to directly monetize the attacks. This raises the question: why is social networking such a good platform for malware distribution?
When I began to think about this question… I started to think about what makes the best malware distribution system. If I were writing malware and wanted to attempt to distribute my malware as rapidly and as widely as possible, what exactly would I want in my distribution system? I would want a system that was decentralized; I don’t want to have a central system where, if my malware is discovered, it can easily be shut down. I would have to have a distribution system that is as interconnected as possible. The more links between social nodes, the faster I can distribute my attack. Mobility would allow me to jump network gaps and air boundaries that may exist. And finally I would want a distribution system that would get me as close as possible to sensitive data that I can hopefully eventually make money off of. Social networks do exactly this. Social network designs are decentralized, highly interconnected, and mobile, while allowing super fast content publication and communications. My ideal malware distribution system is decentralized, highly interconnected, mobile, and gets me close to sensitive data. This sounds like a GREAT fit for an attacker.
KoobFace. KoobFace (which is an anagram of FaceBook for those that didn’t catch it) is a great example of a social media worm. KoobFace propagated from target to target by sending FaceBook messages to everyone in your FaceBook friends list. It also would periodically put wall posts on your wall so friends of friends that might see your wall also would have the potential to be infected. These links that were spammed out would contain information on an update for Adobe Flash in an attempt to get the target to “patch” their system. In reality this would infect their system and cause them to FaceBook spam all of their friends. Once infected, pay-per-install malware would be installed on the compromised system and the computer would operate in a larger botnet. What makes this really interesting is that the attackers and botnet operators are estimated to have made over 2 million dollars between June of 2009 and June of 2010 alone. Significant numbers of variants have continued to be released since then, and that monetary estimate is likely low. Social networking malware can be very financially lucrative.
How about targeted attacks? What we have discussed so far has really been mass malware and mass infection style attacks. What if someone really wanted to target your company or your person? What would happen if someone decided to attack my business brand? With the viral nature of social networking, negative messaging travels just as quickly as positive messaging. Because of this, it is imperative for businesses to keep a pulse on the social networking world to determine if something that could be detrimental to their brand or company exists. Let alone if your official Twitter feed or FaceBook page were to be hacked. What is your follower count?
Target has 117K followers
Walmart has 96K followers
It gets even more dangerous when we talk about personal brand:
Tiger Woods has 1.3m followers
Justin Bieber has 13m followers
Barack Obama has 10m followers
When attacks against social networking sites are successful, brand impact can be huge. Additionally we see the issue of follow-on social engineering efforts. If a target account is hacked, a smart attacker will be able to leverage this account to facilitate hacks against other accounts by abusing the trust relationships between these two accounts. If you were to receive a direct message tweet from your wife, chances are you would believe the source of the message. I mean, after all, they have to have a password to be able to send a message. Data disclosure is another major issue. We talked a lot about leveraging the attacks from one account target to the next, but what about the data you have within your account directly? Most people don’t clean out their direct messages box on Twitter or the messages folders on FaceBook. Some of that information can be damaging to your organization or your personal brand as well. Finally, an attacker could attempt to leverage the compromise as a pivot point into the rest of your organization as a whole.
This slide depicts a perfect example of a targeted attack. A blogger by the name of Rakesh posted this a short while ago about a targeted attack that happened to him. Via FaceBook chat he received a message from one of his personal friends, Matt. Matt claimed to be stuck in London after being robbed outside the hotel he was staying at. He no longer had access to his checking account and needed some money to fly back home. This is a pretty common scam. What makes it exceptionally dangerous is the personal information that was available via Matt’s account. Since the hacker had compromised Matt’s FaceBook account, he had access to personal information such as Matt’s wife’s name, potentially his kids’ names, where he went to school, and who most of his friends were. It is much easier to create a feeling of trust and to build a strong backstory for a con when you have significant personal information about the target. The slide, as you see it, isn’t the entire transcript and I have adapted it somewhat for presentation purposes. The link at the bottom of the slide contains the full transcript as Rakesh recorded it.
Back to our syllabus again. Now let’s go over what some of the common attacks are and what we’ve actually seen happen in the wild.
Let’s take a look at a timeline of some of the more notable Twitter hacks over the years. The attacks date back to the start of Twitter, with the first real issues occurring as early as 2007, the year after Twitter was created. By 2008 we began to see the start of Trojan-style downloads hitting Twitter. In 2009, clickjacking and XSS-style attacks were commonplace, and in April of 2009 the first major Twitter internal hack occurred. This pace continues through 2011, when we see the script_kiddiez hacking group appear and begin to hack Twitter accounts at a semi-rapid pace. One interesting point on this slide is the fact that as of September 2011, of the top 10 most followed people on Twitter, only TWO of those haven’t yet been hacked.
So let’s dig into some of the more interesting attacks that Twitter has seen since 2007. One of the more social-networking-based attacks is the abuse of Twitter trends. Twitter keeps track of what the most trending topics are at any given time and presents these to the users. This allows people to keep up with the meme of the day or the latest breaking news in an easy manner. Some attackers have begun to abuse the trending topics feature by spamming out tweets with these trending topics in them. This places them in the search list for these trending topics, causing people who may be tracking or reading the trending topic to click on the link that is embedded in the tweet. As you might guess, this link is a malware delivery site. A variation of this attack model is using the trending topics to create new domain names that are pertinent to the current hot trend. These domains will host the malware and are most likely to be clicked on based on the sheer interest of the user that receives the link spam.
By now, this slide is going to feel a bit old. It’s the same thing that’s been said for a while now regarding passwords and the overall concept of passwords. Namely, passwords STINK! There really isn’t any other way to put it. And these horrible passwords are what is leading to a significant number of compromises in the social media world. In 2009, there was a major online property breached that led to the disclosure of 32 million passwords. The compromised passwords were then analyzed by the security company Imperva and these are the highlights:
30% of all passwords were under 6 characters.
60% of the passwords were basic alphanumeric in nature.
And half of them were what is considered “easily guessed” by brute-force dictionary-style attacks.
This isn’t the only place where these types of user mistakes have occurred. Similar numbers were observed in the LulzSec data dumps of the last 12 months. People don’t choose strong passwords. It’ll never happen. This isn’t only a user problem. Take for example secret questions. Paris Hilton’s phone and Sarah Palin’s email account were both hacked due to easily guessed secret questions. With the ubiquity of social networking, the personal information that is commonly used in these so-called “secret questions” is easily data mined by a determined attacker. Scarlett Johansson’s naked pictures, and Christina Aguilera’s and Mila Kunis’ email accounts, along with up to fifty other celebrities’, were recently hacked. Just yesterday they arrested the man that attacked these accounts. In nearly every case the attacker used what is being termed “open source information” about the celebrities to break in through the password reset feature of the account. Also, in the last year we’ve seen a big uptake in SQL injection style attacks, and in these attacks a number of the companies weren’t storing their users’ passwords with any reasonable form of encryption. Additionally, most people reuse passwords from site to site. This is a huge mistake.
Once a large data breach has occurred, and your password is compromised, it’s trivial for attackers to continue to leverage this data trove for further intrusions.
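As an added example (not from the talk or its slides), here is a small Python audit that classifies a constructed password list the way the Imperva summary above does (under 6 characters, plain alphanumeric, present in a dictionary) and flags the cross-site reuse the slide warns about. The passwords, the word list and the account mapping are all made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample standing in for a breached password dump (made-up values).
SAMPLE_PASSWORDS = [
    "123456", "password", "abc123", "qwerty", "iloveyou",
    "Summer2011", "letmein", "P@ssw0rd", "monkey", "football",
    "x7Kq!9mZ#pL2wR", "correct horse battery staple", "trustno1",
    "jessica", "1234", "Tr0ub4dor&3", "abc", "pass", "Mary1985", "sunshine",
]

# Tiny word list standing in for a brute-force dictionary (constructed).
DICTIONARY = {
    "password", "qwerty", "iloveyou", "letmein", "monkey", "football",
    "jessica", "123456", "1234", "abc123", "trustno1", "sunshine",
}

WEAKNESSES = ("short", "alnum_only", "dictionary")


def classify(password):
    """Return the set of weakness labels that apply to a single password."""
    flags = set()
    if len(password) < 6:
        flags.add("short")            # under 6 characters
    if re.fullmatch(r"[A-Za-z0-9]+", password):
        flags.add("alnum_only")       # letters and digits only, no symbols
    if password.lower() in DICTIONARY:
        flags.add("dictionary")       # a dictionary attack gets it immediately
    return flags


def audit(passwords):
    """Percentage of passwords hit by each weakness, in the style of the
    breach analysis quoted in the talk."""
    counts = Counter()
    for pw in passwords:
        counts.update(classify(pw))   # each label counted once per password
    total = len(passwords)
    return {w: round(100.0 * counts[w] / total, 1) for w in WEAKNESSES}


def find_reuse(accounts):
    """Given {site: password} for one user, return {password: [sites]} for
    every password used on more than one site."""
    by_password = defaultdict(list)
    for site, pw in accounts.items():
        by_password[pw].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    print(audit(SAMPLE_PASSWORDS))
    # Constructed account list for one hypothetical user.
    print(find_reuse({"twitter": "monkey", "facebook": "monkey", "bank": "x7Kq!9mZ#pL2wR"}))
```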
When an attacker gets bored of targeting individual user accounts, they may take a few risks and go straight for the mother lode. Since its inception in 2006, Twitter has been completely compromised, not once, but TWICE. In these compromises, the attacker had the ability to abuse any account on the system, read private messages between users, even hijack any account of his or her choosing. In both of these case studies, the attacker abused password resets and/or social engineering to gain access to the administrative system. In the early 2009 example, an attacker wrote a script and targeted what he thought was just a highly connected user of the system. He noticed that this particular user was connected to a lot of other highly connected people on the site. He wrote a basic brute-force script that used dictionary passwords, let it run overnight, and by morning had gained access to the account. It turns out that this account belonged to one of the Twitter admins, and he was also granted access to the administrative side of Twitter. A similar event happened later that same year. A French hacker used the password reset and secret questions attack to gain control of the Yahoo email account of a particular targeted Twitter user. Once the user’s email was compromised, the attacker simply reset the user’s Twitter password and had the new password sent to his email account. From there the administrative panel was again accessible.
Picture this scenario. Your best friend has “liked” a video on his Facebook wall. Attached to the like message is some text about how funny this video is and how it will make them “LoL”. You naturally want to see the video so you click it. It redirects you to a web site where you click the play button and watch the video. What you don’t see is the iFrame that is created that holds a hidden like button. This iFrame either sits above or behind the play button of the video, or possibly hovers with the mouse as you move it around the screen. As soon as you click the play button, you also inadvertently “like” the video on your Facebook wall. You’ve been LikeJacked.
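An added example, not part of the talk: a Python scan that flags the pattern just described, an iframe that loads a social “like” widget but is made invisible by its inline style (transparent, hidden, or pushed off-screen). The sample page, the widget URL fragments and the opacity threshold are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed: URL fragments of embedded widgets that perform a one-click
# social action when the frame is clicked.
SOCIAL_WIDGET_PATHS = ("facebook.com/plugins/like", "platform.twitter.com/widgets")

_OPACITY = re.compile(r"opacity:([0-9.]+)")


def style_hides(style):
    """True when an inline style renders the element (near-)invisible:
    transparent, hidden, or positioned far off-screen."""
    s = style.lower().replace(" ", "")
    m = _OPACITY.search(s)
    if m and float(m.group(1)) < 0.1:
        return True
    if "visibility:hidden" in s or "display:none" in s:
        return True
    # Off-screen placement such as left:-9999px
    return re.search(r"(top|left):-\d{3,}px", s) is not None


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in the document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def find_hidden_social_iframes(html):
    """Return the src of each iframe that embeds a social widget AND is
    visually hidden, the overlay a LikeJacking page relies on."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        if any(p in src for p in SOCIAL_WIDGET_PATHS) and style_hides(attrs.get("style", "")):
            hits.append(src)
    return hits


# Constructed sample page: a video play button, one transparent like frame
# positioned exactly over that button, one ordinary visible like button,
# and an unrelated hidden frame that should NOT be flagged.
SAMPLE_HTML = """
<html><body>
<div id="player"><button style="position:absolute;top:120px;left:200px">Play</button></div>
<iframe src="https://www.facebook.com/plugins/like.php?href=http://example.test/video"
        style="position:absolute; top:120px; left:200px; opacity:0.0; z-index:10"></iframe>
<iframe src="https://www.facebook.com/plugins/like.php?href=http://example.test/"
        style="border:none; width:100px; height:21px"></iframe>
<iframe src="https://www.youtube.com/embed/constructed" style="opacity:0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src in find_hidden_social_iframes(SAMPLE_HTML):
        print("hidden social widget:", src)
```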
Finally, I wanted to put a little information out there that surrounds what are the most frequently used topics for Facebook Spam. While this certainly isn’t a complete list, it should give you an idea of the types of links and messages that are currently being abused on Facebook. The most frequent attempt at social engineering you into running a spam app or going to a spam site is Stalking – This usually takes the form of “Want to see who is looking at your profile?” The next most common method is free stuff in social games. Many times the spammer will offer you free items in games like FarmVille or CityVille if you click the link. Don’t do it. The third one is very obvious; porn is always a big draw, especially around celebrities. The last two somewhat run together. Spammers often attempt to entice you to click links to get at features or games that aren’t actually offered by Facebook. By leveraging your desire for these additional features, they can spread their spam or malware to your system.
And now we are finally onto the last part of our curriculum. “What can be done?” “How can we protect ourselves?”
First and foremost, what can the vendor do to help secure your data? Right now the major social networking players are actively using data heuristics to attempt to determine if accounts are spamming or otherwise attacking other users of the system. The link at the bottom of the slide is a blog post created by Facebook security that talks, at a high level, about the types of efforts they are putting forth in this area. This is a great start. Let’s do more of it! Another key point on this slide is the concept of short links. Right now there is little being done in the area of analysis of short links. Sites have to consider exploding, analyzing, and securing shortened URLs, as this is a common way for attackers to hide the full URL information from the intended target. Of course we need to fix passwords and secret questions… This is without question the most important thing on the list.
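One way a site could do the “explode and analyze short links” step recommended above, as an added example that is not from the talk or any vendor’s code: follow the redirect chain hop by hop with HEAD requests that are never auto-followed, then judge the chain and its final destination. The default resolver uses the network; the redirect map, host names and blocklist below are constructed so the example also runs offline.

```python
import http.client
from urllib.parse import urljoin, urlparse

MAX_HOPS = 5


def head_location(url, timeout=5):
    """Network resolver: one HEAD request, redirects NOT followed. Returns the
    absolute Location target for a 3xx response, else None."""
    parsed = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parsed.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parsed.netloc, timeout=timeout)
    try:
        path = parsed.path or "/"
        if parsed.query:
            path += "?" + parsed.query
        conn.request("HEAD", path, headers={"User-Agent": "link-expander/0.1"})
        resp = conn.getresponse()
        location = resp.getheader("Location")
        if 300 <= resp.status < 400 and location:
            return urljoin(url, location)
        return None
    finally:
        conn.close()


def expand(url, resolver=head_location, max_hops=MAX_HOPS):
    """Walk the redirect chain one hop at a time.
    Returns (chain, status) with status in {"resolved", "loop", "too_many_hops"}."""
    chain, seen, current = [url], {url}, url
    for _ in range(max_hops):
        nxt = resolver(current)
        if nxt is None:
            return chain, "resolved"
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
        current = nxt
    return chain, "too_many_hops"


def assess(url, blocklist, resolver=head_location):
    """Verdict for an outbound-link filter: block on unresolvable chains,
    nested redirects (a shortener behind a shortener) or a blocklisted final host."""
    chain, status = expand(url, resolver)
    final_host = urlparse(chain[-1]).hostname or ""
    reasons = []
    if status != "resolved":
        reasons.append(status)
    if len(chain) > 2:
        reasons.append("nested_redirects")
    if any(final_host == b or final_host.endswith("." + b) for b in blocklist):
        reasons.append("blocklisted_destination")
    return {"final": chain[-1], "hops": len(chain) - 1,
            "verdict": "block" if reasons else "allow", "reasons": reasons}


# Constructed redirect map standing in for live shortener responses (made-up hosts).
FAKE_REDIRECTS = {
    "https://sho.rt/abc": "https://sho.rt/xyz",
    "https://sho.rt/xyz": "http://flash-update.example/install",
    "https://sho.rt/ok": "https://www.example.org/article",
    "https://sho.rt/loop1": "https://sho.rt/loop2",
    "https://sho.rt/loop2": "https://sho.rt/loop1",
}


def fake_resolver(url):
    """Offline stand-in for head_location, driven by the constructed map."""
    return FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    for link in ("https://sho.rt/abc", "https://sho.rt/ok", "https://sho.rt/loop1"):
        print(link, assess(link, {"flash-update.example"}, fake_resolver))
```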
The sad reality is that we can never fully rely on the provider to implement security on our behalf, and honestly the enterprise side isn’t much better. As an enterprise we can lock down access to the major social networking sites and environments, but that is generally easier said than done. The impact on the business culture could be rough and it doesn’t really solve the problem due to the mobility factor. Nothing stops the same people from accessing those sites while at home or mobile and taking your corporate data with them. We could begin to analyze outbound traffic and look at the problem as a data loss prevention issue, but again this doesn’t really get to the core of the issue. Sadly, right now the best defense from a corporate perspective is education. Users need to be educated and become vigilant to the types of issues and attacks that exist in the socially connected world. This brings me to my final two slides.
How can you protect yourself? At the end of the day, security is still a user problem. This is actually why security as a problem can never be solved. That being said, here are the most important things you can do to protect yourself when using socially connected sites and devices.
Number one, don’t click random links. This should hopefully be obvious to you by now.
The second item is listed here as a problem but does have a real solution. Passwords STINK! Use a password safe; use passwords that are completely random, difficult to guess, and LONG. My passwords are all over 12 characters long, using mixed case and special characters, and I never use a password twice. They are completely randomly generated. As such I don’t use the secret hints any longer. I just turn them off completely or put in garbage and forget it later.
Next, never trust a message as safe. Question everything.
Be very selective with your friends. Only put people you trust into your friends list and go through all of the permissions and tighten them down as much as possible. If there is no need to make something public, then don’t.
If possible, don’t use add-ons. If you MUST use them, try to choose ones from reputable creators and don’t just add any random FaceBook app you can to your profile.
Last but certainly not least… ALWAYS remember what I call the social networking golden rule…
If you wouldn’t yell it from the rooftops, don’t post it on the Internet. The Internet and especially social media is permanent. Anything that hits the Internet can and will be there forever. If you wouldn’t broadcast your comment on the radio or put your photo on the television for the world to see.. it has no place on social media and the Internet. If you live by this golden rule… you should be just fine.
My email address is tshields@veracode.com and my twitter is @txs. Feel free to reach me at either of those places. Any questions?!