Security Issues in Social Networking Based on: Security issues in the future of social networking ENISA Position Paper for W3C workshop on the future of.

Presentation transcript:

Security Issues in Social Networking
Based on:
- Security issues in the future of social networking, ENISA Position Paper for W3C workshop on the future of social networking. By Giles Hogben, ENISA
- Privacy and social network sites: Follow the money! By Martin Pekarek, Ronald Leenes, TILT, Netherlands
- Information Revelation and Privacy in Online Social Networks (The Facebook case). By Ralph Gross, Alessandro Acquisti, CMU, PA.
Presenter: Moinul Zaber, Ph.D. Student, Dept. of CS, Kent State University

WHAT TODAY’S TALK IS ABOUT
- Social Networking (SN) and its benefits
- SN is an Identity Management System
- But very much prone to vulnerabilities
- Discussion will be on:
  - Some key security issues
  - Reasons behind these vulnerabilities
  - Attacking the vulnerabilities at the root

SOCIAL NETWORKING – WHAT’S THAT ALL ABOUT!
- One can define his/her profile (interests, skills, etc.)
- Define relations to other profiles (sometimes some access control may exist)
- Interact with “Friends” via IM, wall posts, blogs.

SOCIAL NETWORKING IS A GREAT WAY TO SOCIALIZE AND TO STAY CONNECTED
- SN has more privacy than a blog: one can restrict one's data to one's own network.
- SN is an IDM tool.
- Helps to discover like-minded individuals and business partners.
- Biggest repository of personal images on the internet is Facebook (30 billion images; 14 million new images are uploaded every day).
- Largest number of personal profiles is held in SNSs.

SOCIAL NETWORKS BUSINESS BENEFITS
- Increase interactivity
- Exploit the value of relationships
- Publicise and test results in trusted circles

IDENTITY MANAGEMENT SYSTEM
- Storage of personal data
- Tools for managing how data is viewed
- Access control to personal data based on credentials.
- Tools for finding out who has accessed personal data.

SOCIAL NETWORKING IS AN IDENTITY MANAGEMENT SYSTEM.
Sensitive personal data can be there. Recognise these?
(a) Racial or ethnic origin
(b) Political opinions
(c) Religious beliefs
(e) Physical or mental health or condition
(f) Sex life

TOOLS FOR ORGANISING THE PERSONAL DATA

TOOLS FOR MANAGING ACCESS BASED ON CREDENTIALS

SOCIAL NETWORKING IS AN IDENTITY MANAGEMENT SYSTEM. But FULL of Vulnerabilities

INAPPROPRIATE (AND OFTEN IRREVERSIBLE) DISCLOSURE

10 MINUTES’ SURFING OF MYSPACE - EXAMPLE

INAPPROPRIATE DISCLOSURE

We might think it’s OK because only our own network can see our profile data

ACCESS CONTROL BASED ON CREDENTIALS?

LOW FRIENDING THRESHOLDS (POOR AUTHENTICATION)

WHO CAN SEE MY DATA?
Do we know the size of our audience?
- Only everyone in the Kent Network?
- Only everyone who pays for a LinkedIn Pro account?
- Only everyone in your address book?
- Only Social Network employees?
- Only anyone who’s willing to pay for behavioural advertising?
- Only plastic green frogs?

Am I safe as I don’t use my real name?

DATA MINING TOOLS
MyFaceID application will automatically process your photos, find all faces, help you tag them and let you search for similar people.

WHICH FORTUNATELY DON’T WORK VERY WELL

Then... I can delete my embarrassing revelations, Can’t I?

“Social Networking is like the Hotel California. You can check out, but you can never leave”
Nipon Das to the New York Times
Lock-in – the Hotel California effect.

- Caches
- Internet archives
- “Deactivation” of the account
- Delete comments from other people’s walls?

Aren’t my privacy settings enough?

THE THREATS
- SN-based spear phishing and corporate espionage
- Profile-squatting/theft
- Huge amounts of time wasted on corporate bills. Global Security Systems estimates that SN costs UK Corporations 8 billion Euro every year in lost productivity (infosec 2008)

- SN Spam
- XSS, widgets and other bad programming threats.
- Extortion and bullying
- SN Aggregators – one password unlocks all

WHY THEY DO MORE DAMAGE?
The usual suspects (cross-site scripting, spam, social engineering, etc.) do more damage because:
- SN gives away the relationships for free
- SN is highly viral

WHY?
The value of the network (e.g. 15 billion US$ and counting) is:
- Its personal data
- Its ability to profile people for advertising
- Its ability to spread information virally

Economic success is inversely proportional to strength of privacy settings.
Speed of spread => Economic and Social Success
Privacy

SO WHAT COULD BE THE ALTERNATIVES
- Portable networks (checking out of the Hotel California and going to another one)
- Portable access-control and security.
- Privacy and anonymity tools for social networks, including more sophisticated authentication and encryption.

WHAT ELSE?
Clear corporate policies on social network usage inside AND out of the office. E.g.
- Hours where SN usage is allowed, enforced by firewall.
- Clearly define which corporate data is not permitted on social networks.
- Recommend privacy settings to be used on networks
- Conduct awareness-raising campaigns

WHAT ELSE?
Social Networking as a trust infrastructure: we can use the network to
- Authenticate people
- Provide testimonials and recommendations
- Provide a saleable trust architecture
Educating people on the risks is vital.

SUMMARY OF TYPES OF HARM
1. Information-based harm: others could abuse the mobile phone number you listed in your profile.
2. Information inequality: information about purchases and preferences can be used for marketing purposes without the SNS user being aware.
3. Information injustice: risqué photographic report of a party!
4. Restriction of moral autonomy: SNS information effectively restricts people from presenting different “faces” in different contexts.

ATTACKER MODEL
1. Other Users: can harvest more or less personal information from the profile page of SNS members.
2. Third Parties: they have only minimal access and can only access publicly available data legitimately.
3. Platform Providers: the owners and operators of the SNS itself.

MOTIVATIONS
1. Social: building social capital
2. Monetary: information trade.
Few facts:
a. News Corporation’s $580 million cash takeover of Myspace
b. Microsoft’s $240 million payment for 1.6 percent stake in Facebook, theoretically valuing the SNS provider at a staggering $15 billion.
c. Individuals disclose more information than they intend to (Norberg, Horne et al. 2007).
d. Any technique limiting social aspects of SNSs is doomed to fail: users are simply not interested in them (Grimmelmann 2009).

RECOMMENDATIONS:
1. Restraining the monetary incentive to harvest information use
2. A transfer of SNS use to non-commercial platforms.
3. Open source! (such as Elgg)
Problem: SNS users have devoted time and energy to build their current profile on their favorite SNSs, and it will take them once again much effort to build a comparable profile on the new network.

DISCUSSION 1
- Is it realistic to dream of portable social networks where the user owns and controls his own data?
- Are there insurmountable security problems with this idea?
- What policies should be applied to mitigate threats from inside SNs?
- How to educate users to protect them from exposing themselves to threats on SNs?

DISCUSSION 2
- What are the threats from 3rd party applications on SNs and how can we address them?
- What advice should we give to businesses about employee SN usage?
- Can we imagine social networks where the social network provider does not see the data?

REFERENCES
- Giles.hogben [at thingy] enisa.europa.eu
- sa_pp_social_networks.pdf, 2008
- Security at the digital cocktail party: social networking meets IAM, Giles Hogben, European Network and Information Security Agency
- Privacy and Social Network Sites: Follow the Money!, Martin Pekarek, Ronald Leenes, TILT, Netherlands, Position Paper W3C workshop, Jan. 2009.
- Information Revelation and Privacy in Online Social Networks (The Facebook case). Ralph Gross, Alessandro Acquisti, CMU, PA.