Social Networking Security Issues

Posted on 17-Jul-2015

Social Networking Security Issues - Mangesh Gunjal

Social Networking Site…???

Threats Posing Risk to Social Networks

Digital Database Collection

Secondary Data Collection

Face Recognition

Content Based Image Retrieval

Image Data Linkability

Complete Account Deletion

Profile Squatting and Reputation Slander through ID Theft

Continued…

Stalking

Bullying

Corporate Espionage

Spam

Cross Site Scripting

Spear Phishing

Infiltration of Networks

Digital Database Collection

Digital dossier of Personal Data for immoral purposes

Regular Snapshots of entire network

Private Attributes can be accessed directly via search

Miss out on Employment Opportunities

Information for negative use

E.g. Miss New Jersey Case

Secondary Data Collection

Personal Information to the Network Operator

E.g. time and length of connections

IP Address, other users’ profile visited

Messages sent and received

Powerful Data warehouse

Lack of Transparency about Data Collection

Privacy Policies tend to be vague

Transfer of Information to third party through resale

Example of Privacy Statement

“[SNS Provider] also logs non-personally identifiable information including IP address, profile information, aggregate user data, and browser type, from users and visitors to the site. This data is used to manage the website, track usage and improve the website services. This non-personally-identifiable information may be shared with third-parties to provide more

Face Recognition & CBIR

Face Recognition

User Provided Digital Images

They identify the profile holder

Linking of Images Instances across services and websites

Content Based Image Retrieval (CBIR)

Able to match features from Large Databases of Images

No Privacy control over, or accountability for, CBIR

Possibility of deducing User Location

May lead to Stalking, Blackmailing, Unwanted Marketing, etc.

Image Data Linkability

Tag Images with metadata

Name of the person in the photo

Link to their profile

Their e-mail address

No control over images posted by others

Difficulty in Complete Account Deletion

Easy to remove Primary Pages

Secondary Info remains

Ambiguity over Information deletion upon account closure

Facebook Privacy policy Statement:

“Removed information may persist in backup copies for a reasonable period of time but will not be generally available to members of Facebook.”

Manual Deletion is the only solution

Spam

Unsolicited messages

Free Traffic for the Spammers

Use of Specialized Spamming software – FriendBot

Provides links to Pornographic or other product sites

Links to phishing websites

Flood with Comments and Posts

Stealing Member’s Passwords to advertise on others profiles

Traffic Overload

Loss Of Trust

Reduces the value of the SNS as the number of fake profiles increases

Cross Site Scripting

Can post HTML code within profiles

SNSs are vulnerable to XSS attacks

SAMY virus

Denial of Service
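The XSS point on this slide comes down to one rendering decision: whether a profile field that one member typed is interpolated raw into the page another member views. The JavaScript below is an added example, not code from the presentation or from any SNS. It assumes a Node.js server with a hypothetical "About me" field and shows the unsafe interpolation beside two safe treatments: full HTML escaping for plain-text fields, and an allowlist sanitizer for rich-text fields that keeps a handful of formatting tags and only plain http(s) links, which is what keeps scripts and event-handler attributes stored in a profile from running in a viewer's browser.

```javascript
'use strict';

// Added example, not from the presentation or any SNS: hardening a user-
// supplied "About me" profile field before it is rendered to other users.
// Assumes a Node.js server; the field and function names are hypothetical.

// The pattern that turns a profile page into an XSS vector: raw interpolation.
function renderAboutMeUnsafe(aboutMe) {
  return `<div class="about">${aboutMe}</div>`; // runs whatever the member stored
}

// Fix 1 (plain-text fields): escape the five characters that change HTML meaning.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Fix 2 (rich-text fields): rebuild the markup from an allowlist.
// tag -> attributes that may survive; every other tag and attribute is dropped.
const ALLOWED = { b: [], i: [], em: [], strong: [], br: [], a: ['href'] };

// Only plain http(s) URLs survive; javascript:, data:, vbscript: etc. are rejected.
function safeHref(value) {
  const v = value.trim();
  return /^https?:\/\//i.test(v) ? v : null;
}

// One opening or closing tag with optional attributes, anchored at '<'.
const TAG_RE = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/;
const ATTR_RE = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function sanitizeProfileHtml(input) {
  const s = String(input);
  const open = [];          // allowed tags currently open, closed in order at the end
  let out = '';
  let i = 0;
  while (i < s.length) {
    const lt = s.indexOf('<', i);
    if (lt === -1) { out += escapeHtml(s.slice(i)); break; }
    out += escapeHtml(s.slice(i, lt));                 // text between tags is always escaped
    const m = TAG_RE.exec(s.slice(lt));
    if (!m) { out += '&lt;'; i = lt + 1; continue; }   // a bare '<' is just text
    const [whole, slash, rawName, attrText] = m;
    const name = rawName.toLowerCase();
    i = lt + whole.length;
    if (!(name in ALLOWED)) continue;                  // <script>, <img>, <iframe>... removed outright
    if (slash) {
      const idx = open.lastIndexOf(name);              // close only a tag that is really open
      if (idx !== -1) while (open.length > idx) out += `</${open.pop()}>`;
      continue;
    }
    if (name === 'br') { out += '<br>'; continue; }
    let attrs = '';
    for (const am of attrText.matchAll(ATTR_RE)) {
      const attrName = am[1].toLowerCase();
      if (!ALLOWED[name].includes(attrName)) continue; // onclick=, style=, ... dropped
      const value = am[2] ?? am[3] ?? am[4] ?? '';
      if (attrName === 'href') {
        const href = safeHref(value);
        if (href) attrs += ` href="${escapeHtml(href)}"`;
      }
    }
    if (name === 'a') attrs += ' rel="nofollow"';
    out += `<${name}${attrs}>`;
    open.push(name);
  }
  while (open.length) out += `</${open.pop()}>`;       // close anything the member left open
  return out;
}

function renderAboutMeSafe(aboutMe) {
  return `<div class="about">${sanitizeProfileHtml(aboutMe)}</div>`;
}

// Constructed sample input mixing legitimate formatting with script and
// javascript: URL content of the kind a profile-stored XSS worm depends on.
const SAMPLE_ABOUT_ME =
  'Hi <b>there</b>! <script>alert("xss")</script>' +
  ' <a href="javascript:alert(1)" onclick="go()">link</a> 1 < 2';

console.log(renderAboutMeSafe(SAMPLE_ABOUT_ME));
```

The hand-written tokenizer is there so the allowlist logic is visible in one place; in production the same job belongs to a DOM-based sanitizer such as DOMPurify or to a template engine that escapes by default, and either should be paired with a Content-Security-Policy header so that a sanitizer bug does not by itself turn into script execution.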

Spear Phishing

Highly personalized Phishing Attack

The worm JS/Quickspace.A was designed to spread through MySpace pages.

Effective Form of Phishing Attack

Identity Theft

Reputation Damage

Infiltration of Networks

Weak First line of Defense

FriendBot and FriendBlasterPro- commercial software

No implementation of CAPTCHAs

SOPHOS- an Antivirus company Case Study

Polluting SNSs with irrelevant, misleading Profiles

Allows viewing of Private Information

Conducts spamming and marketing campaigns
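The Spam and Infiltration slides describe the same symptom from two sides: accounts driven by tools such as FriendBot send friend requests far faster than a person does, and a site with no CAPTCHA has no first line of defence against them. The JavaScript below is an added example, not from the presentation or from Sophos; it assumes a constructed activity log in a hypothetical "time actor action target" format and flags actors whose friend-request count in any sliding window exceeds a threshold, which is one concrete way to act on the deck's recommendation to maximize the possibilities for detecting abuse.

```javascript
'use strict';

// Added example, not from the presentation: flagging accounts that send
// friend requests at a machine-like rate. The log format (ISO time, actor,
// action, target) and the thresholds are assumptions chosen for the example.

// Constructed sample log: "alice" behaves like a person, "friendbot" like a tool.
const SAMPLE_LOG = [
  '2009-03-01T08:00:00Z alice friend_request bob',
  '2009-03-01T12:30:00Z alice friend_request carol',
  '2009-03-01T18:45:00Z alice comment bob',
  '2009-03-01T09:00:00Z friendbot friend_request u1',
  '2009-03-01T09:00:15Z friendbot friend_request u2',
  '2009-03-01T09:00:30Z friendbot friend_request u3',
  '2009-03-01T09:00:45Z friendbot friend_request u4',
  '2009-03-01T09:01:00Z friendbot friend_request u5',
  '2009-03-01T09:01:15Z friendbot friend_request u6',
  '2009-03-01T09:01:30Z friendbot comment u1',
  '2009-03-01T09:01:45Z friendbot friend_request u7',
  '2009-03-01T09:02:00Z friendbot friend_request u8',
  'malformed line that the parser must skip',
].join('\n');

// One event per line; lines without exactly four fields or with an
// unparseable timestamp are skipped rather than crashing the detector.
function parseLog(text) {
  const events = [];
  for (const line of text.split('\n')) {
    const parts = line.trim().split(/\s+/);
    if (parts.length !== 4) continue;
    const [ts, actor, action, target] = parts;
    const t = Date.parse(ts);
    if (Number.isNaN(t)) continue;
    events.push({ t, actor, action, target });
  }
  return events;
}

// Sliding-window count: for each actor, the largest number of friend requests
// that fall inside any window of `windowSeconds`. Actors above `maxRequests`
// are returned with their peak count and the number of distinct targets hit.
function flagBulkRequesters(events, windowSeconds = 600, maxRequests = 5) {
  const byActor = new Map();
  for (const e of events) {
    if (e.action !== 'friend_request') continue;
    if (!byActor.has(e.actor)) byActor.set(e.actor, { times: [], targets: new Set() });
    const rec = byActor.get(e.actor);
    rec.times.push(e.t);
    rec.targets.add(e.target);
  }
  const flagged = [];
  for (const [actor, rec] of byActor) {
    const times = rec.times.slice().sort((a, b) => a - b);
    let start = 0;
    let peak = 0;
    for (let end = 0; end < times.length; end++) {
      // move the window start forward until [start, end] fits in windowSeconds
      while (times[end] - times[start] > windowSeconds * 1000) start++;
      peak = Math.max(peak, end - start + 1);
    }
    if (peak > maxRequests) flagged.push({ actor, peak, distinctTargets: rec.targets.size });
  }
  return flagged;
}

console.log(flagBulkRequesters(parseLog(SAMPLE_LOG)));
```

A rate check like this is cheap to run on the request path itself, which is where it does most good: an account that trips it can be routed to a CAPTCHA or a cooling-off period before the next request is accepted, and the flagged records feed the abuse-reporting queue rather than a blocklist, since a real member on a friend-adding spree will occasionally cross the same threshold.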

Profile Squatting & Reputation Slander

Fake Profiles

Profiles of Dead Celebrities

Galileo on MySpace (with over 3000 Friends)

Weak Authentication of Registration

Most unlikely to be the actual person

Easy to target the abuse at specific people (e.g. a Class Teacher)

Damage Reputation

Phishing

Marketing under false pretences

Stalking

Involves threatening behaviour

Seeks repeated contacts through any means

SNSs are an easy means for stalking

SNSs emphasize location data

Loss of Privacy

Physical Harm and psychological Damage

Bullying

Repeated and Purposeful acts of harm that are carried out using technology.

The ease of remaining anonymous

The one-stop-shop effect

The generation gap

Forms Of CyberBullying:

Flaming

Harassment

Denigration

Impersonation

Outing

Trickery

Exclusion

Corporate Espionage

It's an Underrated Risk to Corporate Infrastructure

Access Sensitive Enterprise Data; mostly by using Employees themselves

Privacy Settings are neglected

Threshold for gaining information is very low

Lists of employees and connections between them

Stakeholders Information

Publication of information about its infrastructure, network directories.

Loss of Corporate Intellectual Property

Blackmailing

Access Physical assets

Which Social Network do you think poses the biggest Risk to Security…???

Courtesy: SOPHOS Security Threat Report 2010

Social Networks Spam, Phishing and Malware Report for year 2009

Courtesy: SOPHOS Security Threat Report 2010

Malware, the Number One Concern for Firms with Social Networks

Courtesy: SOPHOS Security Threat Report 2010

Permission to Access Basic Information

Recommendations and Suggestions

Encourage Awareness raising and Educational Campaigns

Review and Reinterpret Regulatory Framework

Increase Transparency of Data handling Practices

Discourage Banning of SNSs in Schools

Promote Stronger Authentication and Access control

Implement Countermeasures against Corporate Espionage

Maximize Possibilities for Reporting and Detecting Abuse

Set Appropriate Defaults

Require the Consent of the Data Subject to include Profile Tags or e-mail Address Tags in Images

Social Networking Security Issues - Legal Aspects

Section 66A: Punishment for sending offensive messages through service, etc.

Imprisonment may extend to Three years and with fine

Section 66B: Punishment for dishonestly receiving stolen computer resource or communication device

Imprisonment may extend to Three years and with fine up to Rs. 1 Lakh or Both

Section 66C: Punishment for Identity Theft

Imprisonment of either description for a term up to 3 years and fine up to Rs. 1 Lakh

Section 66D: Punishment for cheating by personation by using computer resource

Imprisonment may extend to Three years and with fine up to Rs. 1 Lakh or with both

Section 66E: Punishment for violation of Privacy

Imprisonment may extend to Three years and with fine up to Rs. 1 Lakh or with both

Continued…

Section 66F: Punishment for Cyber Terrorism

Imprisonment which may extend to imprisonment for life

Section 67: Punishment for publishing or transmitting Obscene material in electronic form

Imprisonment of either description up to three years and fine of up to Rs. 5 Lakh.

Section 67A: Punishment for publishing or transmitting of material containing sexually explicit act, etc., in electronic form.

Imprisonment of either description up to five years and fine of up to Rs. 10 Lakh.

Section 67B: Punishment for publishing or transmitting of material depicting children in sexually explicit act, etc., in electronic form.

Imprisonment of either description up to three years and fine of up to Rs. 5 Lakh.

Conclusion

Used correctly, social networking enhances Data Privacy while providing Interactive User Generated Content to anyone; used carelessly, it provides a dangerously powerful tool in the hands of Spammers, unscrupulous marketers and others who may take criminal advantage of Users.

References

SOPHOS Security Report 2010

European Network and Information Security Agency Report

Questions…???
