Security Issues in Social Networking

Based on:
Security Issues in the Future of Social Networking. ENISA Position Paper for the W3C Workshop on the Future of Social Networking. Giles Hogben, ENISA.
Privacy and Social Network Sites: Follow the Money! Martin Pekarek, Ronald Leenes, TILT, Netherlands.
Information Revelation and Privacy in Online Social Networks (The Facebook Case). Ralph Gross, Alessandro Acquisti, CMU, PA.

Presenter: Moinul Zaber, Ph.D. Student, Dept. of CS, Kent State University

WHAT TODAY’S TALK IS ABOUT

- Social Networking (SN) and its benefits
- SN is an Identity Management System
- But very much prone to vulnerabilities

Discussion will be on:
- Some key security issues
- Reasons behind these vulnerabilities
- Attacking the vulnerabilities at the root

SOCIAL NETWORKING: WHAT’S THAT ALL ABOUT?

- One can define his/her profile (interests, skills, etc.)
- Define relations to other profiles (sometimes some access control may exist)
- Interact with “Friends” via IM, wall posts, blogs

SOCIAL NETWORKING IS A GREAT WAY TO SOCIALIZE AND TO STAY CONNECTED

- SN has more privacy than a blog: one can restrict his/her data to one’s own network.
- SN is an IDM tool: it helps to discover like-minded individuals and business partners.
- The biggest repository of personal images on the internet is Facebook (30 billion images; 14 million new images are uploaded every day).
- The largest number of personal profiles is held in SNSs.

SOCIAL NETWORKS: BUSINESS BENEFITS

- Increase interactivity
- Exploit the value of relationships
- Publicise and test results in trusted circles

IDENTITY MANAGEMENT SYSTEM

- Storage of personal data
- Tools for managing how data is viewed
- Access control to personal data based on credentials
- Tools for finding out who has accessed personal data

SOCIAL NETWORKING IS AN IDENTITY MANAGEMENT SYSTEM.

Sensitive personal data can be there. Recognise these?

(a) Racial or ethnic origin
(b) Political opinions
(c) Religious beliefs
(e) Physical or mental health or condition
(f) Sex life

TOOLS FOR ORGANISING THE PERSONAL DATA

TOOLS FOR MANAGING ACCESS BASED ON CREDENTIALS

SOCIAL NETWORKING IS AN IDENTITY MANAGEMENT SYSTEM.

But FULL of Vulnerabilities

INAPPROPRIATE (AND OFTEN IRREVERSIBLE) DISCLOSURE

10 MINUTES’ SURFING OF MYSPACE - EXAMPLE

INAPPROPRIATE DISCLOSURE

We might think it’s OK because only our own network can see our profile data

ACCESS CONTROL BASED ON CREDENTIALS?

LOW FRIENDING THRESHOLDS (POOR AUTHENTICATION)

WHO CAN SEE MY DATA? Do we know the size of our audience?

- Only everyone in the Kent network?
- Only everyone who pays for a LinkedIn Pro account?
- Only everyone in your email address book?
- Only social network employees?
- Only anyone who’s willing to pay for behavioural advertising?
- Only plastic green frogs?
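The two slides above make one point together: a visibility setting is only as meaningful as the graph it is evaluated over, and a low friending threshold lets anyone change that graph. The following script is an added example written for this page (it is not code from the ENISA paper or from any social network) that computes the actual audience of a profile under "friends", "friends of friends", "network" and "everyone" settings on a constructed friend graph, then shows how the audience grows when the owner accepts a single request from a stranger. All names, friendships and the "kent" network membership are made up.

```python
from collections import deque

# Constructed example friend graph (undirected). Every name and edge is
# made up for this illustration, not data from any real social network.
FRIENDS = {
    "alice":   {"bob", "carol"},
    "bob":     {"alice", "dave", "erin"},
    "carol":   {"alice", "frank"},
    "dave":    {"bob"},
    "erin":    {"bob", "grace"},
    "frank":   {"carol"},
    "grace":   {"erin"},
    "mallory": {"xavier", "yara", "zed"},   # a stranger who sends alice a request
    "xavier":  {"mallory"},
    "yara":    {"mallory"},
    "zed":     {"mallory"},
}

# Constructed "regional network" membership, modelled loosely on the Kent
# network mentioned in the slides; the membership is made up.
NETWORKS = {"kent": {"alice", "bob", "dave", "grace", "zed", "mallory"}}


def reach(graph, owner, hops):
    """Everyone within `hops` friend links of `owner` (owner excluded)."""
    seen = {owner}
    frontier = deque([(owner, 0)])
    while frontier:
        node, dist = frontier.popleft()
        if dist == hops:
            continue
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, dist + 1))
    seen.discard(owner)
    return seen


def audience(graph, owner, setting, networks=NETWORKS):
    """Who can read `owner`'s profile under a given visibility setting."""
    if setting == "only_me":
        return set()
    if setting == "friends":
        return reach(graph, owner, 1)
    if setting == "friends_of_friends":
        return reach(graph, owner, 2)
    if setting == "network":
        members = set()
        for group in networks.values():
            if owner in group:
                members |= group
        return members - {owner}
    if setting == "everyone":
        return set(graph) - {owner}
    raise ValueError(f"unknown setting {setting!r}")


def accept_request(graph, owner, requester):
    """Return a copy of the graph with one new (mutual) friendship added."""
    new = {user: set(friends) for user, friends in graph.items()}
    new.setdefault(owner, set()).add(requester)
    new.setdefault(requester, set()).add(owner)
    return new


def audience_growth(graph, owner, requester, setting):
    """Audience size before and after `owner` accepts one friend request."""
    before = len(audience(graph, owner, setting))
    after = len(audience(accept_request(graph, owner, requester), owner, setting))
    return before, after


if __name__ == "__main__":
    for setting in ("friends", "friends_of_friends", "network", "everyone"):
        before, after = audience_growth(FRIENDS, "alice", "mallory", setting)
        print(f"{setting:20s} audience: {before:2d} -> {after:2d} after accepting mallory")
```

On this graph, accepting one stranger grows alice's "friends" audience by one but her "friends of friends" audience from 5 to 9, because every friend of the stranger is now one hop closer. The "network" and "everyone" settings do not move at all, which is the slide's point: under those settings the owner never knew the audience size in the first place.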

Am I safe as I don’t use my real name?

DATA MINING TOOLS

MyFaceID application will automatically process your photos, find all faces, help you tag them and let you search for similar people.

WHICH FORTUNATELY DON’T WORK VERY WELL

Then... I can delete my embarrassing revelations, Can’t I?

“Social Networking is like the Hotel California. You can check out, but you can never leave”

Nipon Das to the New York Times

Lock-in – the Hotel California effect.

- Caches
- Internet archives
- “Deactivation” of the account
- Delete comments from other people’s walls?

Aren’t my privacy settings enough?

THE THREATS

- SN-based spear phishing and corporate espionage
- Profile squatting/theft
- Huge amounts of time wasted on corporate bills: Global Security Systems estimates that SN costs UK corporations 8 billion Euro every year in lost productivity (Infosec 2008)
- SN spam
- XSS, widgets and other bad programming threats
- Extortion and bullying
- SN aggregators: one password unlocks all

WHY DO THEY DO MORE DAMAGE?

The usual suspects (cross-site scripting, spam, social engineering, etc.) do more damage because:
- SN gives away the relationships for free
- SN is highly viral
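The slide says XSS does more damage on a social network because the friend graph is a ready-made propagation path. The following script is an added example for this page, not code from the ENISA paper or from any site: it shows a wall-post renderer that drops user text into the page verbatim beside a hardened one that entity-encodes it, and then runs a small simulation in which every user loads all of their friends' walls once per round and a self-reposting script on any loaded wall infects the viewer. The friend graph, the payload and the function name `postToWall` it references are all made up for the illustration.

```python
import html

# A wall post body that, if rendered unescaped, runs in every viewer's browser
# and re-posts itself to the viewer's own wall. `postToWall` is a made-up
# function name standing in for whatever request the site uses to post;
# no real site API is implied.
WORM_POST = '<script>postToWall(viewer, document.currentScript.outerHTML)</script>'


def render_unsafe(body):
    """Vulnerable: the post body is dropped into the page verbatim."""
    return f'<div class="post">{body}</div>'


def render_safe(body):
    """Hardened: the post body is HTML-entity encoded for an element context."""
    return f'<div class="post">{html.escape(body, quote=True)}</div>'


def executes(rendered):
    """Crude browser model: a live <script> tag in the markup runs."""
    return "<script" in rendered.lower()


# Constructed friend graph (undirected), made up for this illustration.
FRIENDS = {
    "a": {"b", "c"},
    "b": {"a", "d"},
    "c": {"a", "d"},
    "d": {"b", "c", "e"},
    "e": {"d"},
}


def simulate_worm(graph, patient_zero, render, rounds):
    """Each round every user views all friends' walls.

    Returns the number of infected users after each round, starting with the
    initial state, so the list has rounds + 1 entries.
    """
    walls = {user: [] for user in graph}
    walls[patient_zero].append(WORM_POST)
    infected = {patient_zero}
    history = [len(infected)]
    for _ in range(rounds):
        # Work out who is hit from the walls as they stood at the start of the round.
        hit = set()
        for viewer, friends in graph.items():
            for friend in friends:
                if any(executes(render(post)) for post in walls[friend]):
                    hit.add(viewer)
        for victim in hit - infected:
            walls[victim].append(WORM_POST)      # the script re-posts itself
        infected |= hit
        history.append(len(infected))
    return history


if __name__ == "__main__":
    print("unsafe renderer:", simulate_worm(FRIENDS, "a", render_unsafe, 4))
    print("safe renderer:  ", simulate_worm(FRIENDS, "a", render_safe, 4))
```

With the verbatim renderer the infection reaches the whole five-node graph in three rounds, one hop per round, without the attacker sending anything to anyone: the friendships do the distribution. With the encoding renderer the payload is inert text and the count never moves. Entity encoding is the right fix for text inside an element body only; post content placed into attributes, URLs or script needs the encoding for that context, and third-party widgets should additionally be isolated (for example in sandboxed iframes) so that their scripts cannot act as the viewer.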

WHY?

The value of the network (e.g. 15 billion US$ and counting) is:
- Its personal data
- Its ability to profile people for advertising
- Its ability to spread information virally

Economic success is inversely proportional to the strength of privacy settings: speed of spread => economic and social success, at the expense of privacy.

SO WHAT COULD BE THE ALTERNATIVES?

Portable networks (checking out of the Hotel California and going to another one)

Portable access-control and security.

Privacy and anonymity tools for social networks. Including more sophisticated authentication and encryption.

WHAT ELSE?

Clear corporate policies on social network usage inside AND out of the office. E.g.:
- Hours where SN usage is allowed, enforced by firewall.
- Clearly define which corporate data is not permitted on social networks.
- Recommend privacy settings to be used on networks.
- Conduct awareness-raising campaigns.

WHAT ELSE ?

Social networking as a trust infrastructure: we can use the network to
- Authenticate people
- Provide testimonials and recommendations
- Provide a saleable trust architecture

Educating people on the risks is vital.

SUMMARY OF TYPES OF HARM

1. Information-based harm: others could abuse the mobile phone number you listed in your profile.

2. Information inequality: information about purchases and preferences can be used for marketing purposes without SNS user being aware.

3. Information injustice: risqué photographic report of a party!

4. Restriction of moral autonomy: SNS information effectively restricts people from presenting different “faces” in different contexts.

ATTACKER MODEL

1. Other users: can harvest more or less personal information from the profile pages of SNS members.

2. Third Parties: They have only minimal access and can only access publicly available data legitimately.

3. Platform Providers: The owners and operators of SNS itself.

MOTIVATIONS

1. Social: building social capital
2. Monetary: information trade

A few facts:
a. News Corporation’s $580 million cash takeover of MySpace.
b. Microsoft’s $240 million payment for a 1.6 percent stake in Facebook, theoretically valuing the SNS provider at a staggering $15 billion.
c. Individuals disclose more information than they intend to (Norberg, Horne et al. 2007).
d. Any technique limiting the social aspects of SNSs is doomed to fail: users are simply not interested in them (Grimmelmann 2009).

RECOMMENDATIONS:

1. Restraining the monetary incentive to harvest information.

2. A transfer of SNS use to non-commercial platforms.

3. Open source! (such as Elgg)

Problem: SNS users have devoted time and energy to build their current profile on their favourite SNSs, and it will once again take them much effort to build a comparable profile on the new network.

DISCUSSION 1

Is it realistic to dream of portable social networks where the user owns and controls his own data? Are there insurmountable security problems with this idea?

What policies should be applied to mitigate threats from inside SNs?

How do we educate users so that they do not expose themselves to threats on SNs?

DISCUSSION 2

What are the threats from 3rd party applications on SNs, and how can we address them?

What advice should we give to businesses about employee SN usage?

Can we imagine social networks where the social network provider does not see the data?

REFERENCES

Giles Hogben, Security Issues in the Future of Social Networking. ENISA Position Paper for the W3C Workshop on the Future of Social Networking, 2008. http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_social_networks.pdf (contact: giles.hogben [at] enisa.europa.eu)

Giles Hogben, Security at the Digital Cocktail Party: Social Networking Meets IAM. European Network and Information Security Agency, 2008.

Martin Pekarek, Ronald Leenes, Privacy and Social Network Sites: Follow the Money! TILT, Netherlands. Position Paper, W3C Workshop on the Future of Social Networking, January 2009.

Ralph Gross, Alessandro Acquisti, Information Revelation and Privacy in Online Social Networks (The Facebook Case). CMU, PA.