Page 1: Social Networking: Risks and realities

Nick Barron, [email protected]

Page 2: Who am I?

• Day job

– Employed by Pennant Plc www.pennantplc.co.uk
– Head of Group IT, Security controller, software developer

• Meanwhile...

– Freelance security consultant/researcher
– SC magazine columnist
– IT advisor to DISA

• Disclaimers

– Views expressed are my own, not those of my employer
– Don’t try this at work without consent
– Check legal aspects

Page 3: What am I talking about?

• What information can be obtained from online social networks?

• How can it be (ab)used?

• What can you do to address the risks?

• Focus on corporate liabilities/risks

• Mainly about risks of online social networks, but many apply equally to old-fashioned ones too!

Page 4: The usual suspects

Page 5: Not just for kids

Source: http://www.penn-olson.com/2010/02/19/the-social-media-age-distribution-stats/ (used with permission)

Page 6: How data leaks: users

• Oversharing

• Short-temper syndrome

• Underestimated automation

[Decision diagram: “Did you post it online?” – yes: probably not private; no: possibly private]

Page 7: How data leaks: hacks

Page 8: How data leaks: loose lips

Page 9: How data leaks: loose lips (2)

http://www.weknowwhatyouredoing.com

Page 10: How data leaks: apps

Page 11: How data leaks: location

Page 12: Facebook never forgets!

Page 13: Feature creep

Page 14: Risks are real…

http://news.bbc.co.uk/1/hi/8134807.stm

Page 15: Risks are real… (2)

https://www.zdnet.com/blog/facebook/chinese-spies-used-fake-facebook-profile-to-friend-nato-officials/10389

Page 16: Risks are real (3)

Page 17: Risks are real (4)

Page 18: Risks are real (5)

• “All Your Contacts Are Belong to Us”, WWW2009
http://www2009.eprints.org/56/

• Automatically create fake profiles and request friends

• Create profiles on other sites

Page 19: Risks are real (6)

http://thecaucus.blogs.nytimes.com/2009/02/09/in-iraq-to-twitter-or-not-to-twitter/

Page 20: Who cares?

Page 21: Using the data (1)

Page 22: Using the data (2)

• Online Privacy Foundation’s “Big 5” experiment
https://www.onlineprivacyfoundation.org/?p=329

– Establish Myers-Briggs characteristics
– Linguistic and post statistics analysis
– Statistically significant link between FB habits and personality test results (but…)
– Twitter: are you a psychopath?!

• “Augmenting password recovery…”
http://www.dfrws.org/2011/proceedings/08-340.pdf

– Use online profiles to help guess passwords
– Early days but other research ongoing
– What about those password reset questions…?
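The defensive side of the point above: if public profile data helps guess passwords, a password policy can refuse passwords built from it. The check below is an added example, not code from the presentation or from the DFRWS paper; the profile fields, the sample passwords and the leet-substitution table are constructed assumptions for the demonstration.

```python
"""Reject passwords that are derived from publicly visible profile data.

Added example (not from the presentation). PUBLIC_PROFILE is constructed
sample data standing in for facts scraped from a social-network profile.
"""
import re
from datetime import date

# Constructed sample profile: the kind of facts a public profile exposes.
PUBLIC_PROFILE = {
    "first_name": "Alice",
    "surname": "Example",
    "birth_date": date(1984, 7, 23),
    "pet": "Rover",
    "home_town": "Bristol",
}

# Reverse map for the most common "leet" substitutions (p@ssw0rd -> password).
# The table is an assumption; extend it to match the guessing tools you expect.
UNLEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def profile_tokens(profile):
    """Expand profile fields into the strings a guesser would try."""
    tokens = set()
    for value in profile.values():
        if isinstance(value, date):
            # Dates turn up as ddmmyyyy, ddmmyy, mmddyyyy, the year, or day+month.
            for fmt in ("%d%m%Y", "%d%m%y", "%m%d%Y", "%Y", "%d%m"):
                tokens.add(value.strftime(fmt))
        else:
            tokens.add(str(value).lower())
    # Very short tokens would match ordinary passwords by accident.
    return {t for t in tokens if len(t) >= 4}


def candidate_forms(password):
    """Normalised variants of the password that undo common mangling."""
    lowered = password.lower()
    unleeted = lowered.translate(UNLEET)
    # Strip leading/trailing digits and symbols (Rover1984! -> rover).
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", unleeted)
    return {lowered, unleeted, stripped} - {""}


def profile_derived(password, profile=PUBLIC_PROFILE):
    """Return the profile token the password is built from, or None if clean.

    When several tokens match, the longest is reported so the user is told
    the most specific fact they reused (the full birth date rather than just
    the year).
    """
    tokens = profile_tokens(profile)
    matches = {t for form in candidate_forms(password) for t in tokens if t in form}
    if not matches:
        return None
    return max(matches, key=lambda t: (len(t), t))


if __name__ == "__main__":
    for candidate in ("R0ver1984", "@l1ce!", "23071984", "Correct-Horse-Battery"):
        verdict = profile_derived(candidate)
        print(f"{candidate!r}: {'reject (' + verdict + ')' if verdict else 'ok'}")
```

The same token list doubles as a sanity check on password-reset questions: if the answer to "name of first pet" is already in `profile_tokens`, the question offers no protection for that account.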

Page 23: Using the data (3)

• Facebook analysis to determine Nigerian scammers
http://preview.tinyurl.com/specops-paper (PDF)
http://preview.tinyurl.com/specops-vid (video)

Page 24: Sanity check

• Your employees will use Facebook etc

– Even if blocked at work
– Use takes place outside corporate network perimeter

• Social network users are not customers, they are product

• It is not in social network vendors’ commercial interests to make your privacy a priority

– Long record of truly awful security
– Commercialisation is an incentive for more intrusion

Page 25: Defences

Page 26: Guidance

http://www.cpni.gov.uk/documents/publications/2010/2010032-gpg_online_social_networking.pdf
http://preview.tinyurl.com/gpg27

Page 27: Guidance (2)

http://preview.tinyurl.com/sophossmt

Page 28: Countermeasures

• Education, education, education

– Most users don’t actually want to breach privacy
– Usually unaware of how much is available
– Better privacy awareness increases personal security as well as business security

Used with kind permission of Scott Hampson, www.agent-x.com.au

Page 29: Countermeasures (2)

• Snoop yourself (Google, NodeXL, Maltego etc)

• Check exposure of key staff

• Include social networks in scope for penetration tests (but check with ethics/legal departments)

Page 30: Countermeasures (3)

• Blur data where possible

– Your friends will already know most of the useful info
– Minimise what goes into profile
– Seed a few bogus “facts”
– Turn off location features
– Check password reset policies

• But….

– Leaving your DOB out of your profile is no help when people say “Happy Birthday” on your Facebook wall!

– May be a breach of terms of service to lie

Page 31: Countermeasures (4)

• Weed old accounts

– FriendsReunited, MySpace etc

• Compartmentation where possible

– Facebook for home stuff
– LinkedIn for business
– Flickr for pictures

• Email

– Avoid the use of corporate mail addresses for social networking sites

– High value targets should consider using different email addresses

Page 32: Countermeasures (5)

• “Placeholder” profiles on unused systems

• Look at ‘privacy’ settings

– KISS, don’t have too many options

– Assume privacy controls will fail, and consider impact

– If in doubt, don’t post

Used with kind permission of Scott Hampson, www.agent-x.com.au

Page 33: Summary

• Online social networks are not going away any time soon

• There are real benefits to their use for many staff

• OSN vendors cannot be trusted to implement strong security

• Education and defensive monitoring are the best protections

• The risks apply to non-electronic social networks as well!

Page 34: Links…

• www.44con.com (Sept 2012, lots of business level info too)

• www.agent-x.com.au for great cartoons!

• www.securityg33k.com

• www.facecrooks.com

• www.onlineprivacyfoundation.org

• harmonyguy.com

• www.social-engineer.org

• nodexl.codeplex.com (free Excel plugin for social network analysis)

• www.paterva.com (industry standard tool for network analysis)

Page 35: Questions?