Social Networking Security
Milos Stankovic
Social Networking Security
- Secure your social environment.
  - Facebook, MySpace, My Life, Google+
- Privacy and security settings
  - Do not leave settings as default
  - Go through the custom settings
  - 87% of Facebook users have Friends of Friends set.
  - Settings change when Facebook changes; you need to check these, as we all know how often Facebook changes

Social Networking Security
- To whom is your information available?
  - Friends, groups, friends of friends, everyone
  - Applications – privacy policies
- What’s available?
  - Where you are and how long you will be there
    - “Checking in”
    - Vacations – I’m going to be away, so I’m not HOME!
  - Confidential information
- Useful for:
  - ID theft or answers to your secret questions
  - Posing as a friend
Table of Contents
- Definition of social networking sites
- Potential threats
- Real life examples
- Related work
- A proposed model
Fig. 1 Fast growing number of patent applications in social network
- Mimicking in-person interactions
- Storing large amount of personal information
- Violating the principle of least privilege
- Users inclined to reveal private info/activities to someone they know
- Bringing security issues
Social Network Sites/Services (SNS), continued
Security issues from SNS
- Accidental data release
- Intentional use of private data for marketing purposes
- Identity theft
- Worms and viruses
- And many more
A recent famous case:
MI6 chief’s wife blows his cover on Facebook
- Details on where they live and work, their friends’ identities
- Sir John Sawers on the beach in one of the family photos
Another case
US Marines prohibit Twitter, MySpace, Facebook. Effective immediately. (As of Aug 03, 2009)
Will last a year.
A waiver is possible.
Facebook’s new features
- Facebook: change in geography networks and new privacy features.
Facebook Options
- Facebook User
- Facebook Page
- Facebook Group
  - Open: All content is public
  - Closed: Limited public content; members can see all content.
  - Secret: Members and content are private.
Facebook Group Problems
1. Members can add friends
   - Friends could add you to the new group
2. When Facebook group administrators step down, anyone else can take over
   - For small groups, administrators can:
     - edit group name or info
     - moderate discussion
     - message group members
Are there other risks?
- “Checking In” shares your current location on…
  - Foursquare and Facebook Places
- Benefits: Discounts and Offers
- Risks: Confrontations and Break-ins
Cyberbullying vs. Traditional Bullying
- The perpetrator can be anonymous
- The size of the audience is enormous
- The perpetrator has finer access to the target
- There are no non-verbal cues (gestures, tone of voice, etc.) to clarify communication
- The perpetrator does not witness the harm directly – no opportunity for empathy
Why don’t young people report it?
- Adults are incapable with technology
- Young people are digital natives while adults are digital immigrants
- The expected solution: “just don’t use the device or site”
- Misunderstanding the importance of technology to young people
Minimize chances of being a victim
- Set privacy settings carefully
- Do NOT share passwords
- Avoid websites that are designed for malicious
- Be vigilant
- Report abuse on websites when it occurs
- Save “cyber-footprints”
- Block or de-friend offenders.
Facebook – the new background check
- Employers are using social networks to screen job applicants – 91%
- Screening is done early on
- Facebook, Twitter, Flickr, YouTube give employers a personal view of candidates
- Social Intelligence Corp. scours the Internet
Work that is being done
- Matthew M. Lucas - flyByNight
  - Encrypts private information
  - Separates sensitive data from Facebook servers and public access
  - Users must install a JavaScript client
  - The vulnerability of the flyByNight server is unknown
- Andrew Besmer - user-to-application policy, in addition to existing user-to-user policy and default application policy
  - Effectively limits the applications’ access to users’ private information
  - Complex, time-consuming settings for applications may impel users to skip applying proper policies
Work that is being done, cont’d
Facebook Security
Facebook provides easy tools to help you:
- Keep track of your activity
- Keep track of your logins
- Control the information you share
- Prove your identity if you ever lose access to your account
Facebook Security Tips
A User-Server-Agent Model
[Diagram: USER, SERVER and INDEPENDENT INVESTIGATOR (AGENT). Labels: View Audit Log; Report Suspicious Activities; Report Investigation; Investigation]
- Server audits users’ activities
  - Log in time, duration, IP addresses, access information
- Users can view activities related to their own accounts
- Agents can view all activities of specified accounts
A User-Server-Agent Model
[Diagram: USER, SERVER and INDEPENDENT INVESTIGATOR (AGENT)]
SERVER
- Provides log upon request
- Audits all access information
A User-Server-Agent Model
What a user sees:
- Kevin’s visit
- Bella’s visit
- Sara’s visit
- Mike’s visit
- Dave’s visit
- ...
What an agent sees:
- Kevin visits Sara
- Kevin visits Mike
- Kevin visits Dave
- Kevin visits Alice
- ...
INDEPENDENT INVESTIGATOR (AGENT)
- Provides results to user
- Accepts investigation requests
- Analyzes information on server
[Diagram labels: Step I, Step II, Step III]
A User-Server-Agent Model
- Agent receives decrypted request from user
  - Alice sends a request out of concern about Kevin’s activities
  - Agent will see “03tn90a” and “01ad53h” instead of “Alice” and “Kevin” in the request
- Agent connects to server, asks for information on account 01ad53h
  - After decryption, server recognizes account name is Kevin
A User-Server-Agent Model
- What action can an agent perform?
  - Use combined policies to detect unusual activities: IP address, multiple profiles accessed in a short term, inactive socializing activities
- How can an agent help a user?
  - Simplest: suggest revoking the “friend” label of malicious users
  - Suggest the server take action on malicious accounts
  - Report to authorities when necessary
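Added example (not part of the original slides): a sketch of how an agent could apply the combined policies named above (IP address, multiple profiles accessed in a short term, inactive socializing) to the server's audit log while seeing only pseudonymous account IDs. The log records, field layout, thresholds and finding names are assumptions constructed for illustration; only "03tn90a" and "01ad53h" come from the slides.

```python
from datetime import datetime, timedelta

# Constructed audit log as the agent receives it: pseudonymous account IDs only.
# Fields: time, actor, source IP, action, target profile.
AUDIT_LOG = [
    ("2011-05-02 21:00:05", "01ad53h", "198.51.100.7", "view", "03tn90a"),
    ("2011-05-02 21:01:40", "01ad53h", "198.51.100.7", "view", "07kq22m"),
    ("2011-05-02 21:03:12", "01ad53h", "203.0.113.9", "view", "09zx81c"),
    ("2011-05-02 21:04:55", "01ad53h", "192.0.2.44", "view", "05bw64p"),
    ("2011-05-02 20:15:00", "03tn90a", "198.51.100.20", "view", "07kq22m"),
    ("2011-05-02 20:16:30", "03tn90a", "198.51.100.20", "comment", "07kq22m"),
    ("2011-05-02 20:50:00", "03tn90a", "198.51.100.20", "view", "09zx81c"),
]

# Hypothetical thresholds; the slides name the policies but give no values.
WINDOW = timedelta(minutes=10)        # what counts as "a short term"
MAX_PROFILES = 3                      # distinct profiles viewed per window
MAX_IPS = 2                           # distinct source IPs per account
SOCIAL_ACTIONS = {"comment", "message", "post"}

def max_profiles_in_window(views):
    """Largest number of distinct profiles viewed within any WINDOW."""
    views = sorted(views)
    best = 0
    for i, (start, _) in enumerate(views):
        seen = {target for when, target in views[i:] if when - start <= WINDOW}
        best = max(best, len(seen))
    return best

def investigate(log, account):
    """Apply the combined policies to one pseudonymous account."""
    events = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, action, target)
              for ts, actor, ip, action, target in log if actor == account]
    views = [(when, target) for when, _, action, target in events if action == "view"]
    findings = []
    if max_profiles_in_window(views) > MAX_PROFILES:
        findings.append("burst-profile-access")
    if len({ip for _, ip, _, _ in events}) > MAX_IPS:
        findings.append("many-source-ips")
    if views and not any(action in SOCIAL_ACTIONS for _, _, action, _ in events):
        findings.append("views-without-socializing")
    return findings

if __name__ == "__main__":
    for account in ("01ad53h", "03tn90a"):
        print(account, investigate(AUDIT_LOG, account) or "no findings")
```

The agent never needs the real names: findings are reported against the pseudonym, and only the server maps it back to an account.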
A User-Server-Agent Model
Conclusion
- Increasing use of SNS
- Security/privacy is a big issue
- User-Server-Agent model
Future work
- Investigate/watch privacy frequently
- Other functions will be added
Thank you!
Any questions?