Page 1: Security presentation

Outline

1. Introduction
• Overview of Facebook
• Motivation

2. Problems & Solutions
• Cleartext Password Interception
• Privacy Policy
• Database Reverse-Engineering
• Incomplete Access Control

3. New Applications and News
• Facebook Mobile Application
• Most Recent Threats

4. Conclusion

Page 2: Security presentation

Overview of Facebook

• Introduction of Facebook

– A social networking website

– Launched on February 4, 2004

– Allows users to join one or more networks to easily connect with other people in the same network:

• a school
• a place of employment
• a geographic region

[http://en.wikipedia.org/wiki/Facebook#cite_note-jonessoltren-96]

– The website has more than 64 million active users worldwide.

– Main functions of Facebook

Page 3: Security presentation

Motivation

• The exponentially increasing number of social network members leads to many privacy threats for online users.

• "Whenever you put data on a computer, you lose some control over it. And when you put it on the internet, you lose a lot of control over it." [Bruce Schneier]

In social network communities, most people do not realize the importance of protecting their privacy online.

And due to the extreme complexity, it is a big challenge for network security.

Page 4: Security presentation

Problem 1: Cleartext Password Interception

Facebook sends the user's email address and login password in clear text to the developer's server!

http://valleywag.com/tech/great-moments-in-public-relations/facebook-calls-reporters-question-harassing-316488.php

Page 5: Security presentation

Data Collection & Information Transport

Data collection:

M → MD5 algorithm → H(M)

Transmit: a secured protocol such as Secure Sockets Layer (SSL) shall be implemented in order to protect the data entered at the client's browser.

MD5

A rainbow table: a lookup table offering a time-memory trade-off, used in recovering the plaintext password from a password hash generated by a hash function. A common application is to make attacks against hashed passwords feasible.

Page 6: Security presentation

Data Collection & Information Transport

Add salt to the MD5 data

• A salt typically means, in the context of MD5 password hashing, a secret key added to the password in order to complicate the dictionary attack on the password tables.

• Each bit of salt added to the original password doubles the amount of computation needed for one to break the passwords.

The user's password: myfacebook

instead of being stored as:

the hash of "myfacebook"

is stored as:

the hash of (128 characters of random unicode string + "myfacebook")

It is now completely immune to rainbow table attacks.
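The two slides above (unsalted MD5 versus salted MD5, and the rainbow-table idea) can be made concrete with the following added example. It is not code from the presentation: it builds a tiny precomputed hash-to-password table from a constructed five-word dictionary, shows that an unsalted MD5 hash is found in it immediately while a per-user random salt makes the same table useless, and, going one step beyond the slide, shows the slow-hash construction (PBKDF2-HMAC-SHA256, from Python's standard library) that is used today because a salt defeats precomputation but does not make an individual guess any more expensive. The dictionary, the sample password and the 16-byte salt length are assumptions of the example.

```python
import hashlib
import hmac
import os

# Constructed sample dictionary: stands in for the multi-gigabyte tables an attacker
# actually precomputes. Nothing here is from the original presentation.
DICTIONARY = ["123456", "password", "qwerty", "myfacebook", "letmein"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words):
    """The 'memory' half of the time-memory trade-off: hash every candidate once,
    keep hash -> word, and reuse the table against every stored hash ever obtained."""
    return {md5_hex(w.encode()): w for w in words}


def lookup(stored: str, table):
    """What a precomputed table gives an attacker: the word, if the stored hash is in the table."""
    return table.get(stored)


def store_unsalted(password: str) -> str:
    """The weak scheme from the slide: H(password) with nothing else mixed in."""
    return md5_hex(password.encode())


def store_salted(password: str):
    """The slide's fix: a fresh random salt per user, stored beside the hash.
    The salt need not be secret; its job is to make every user's hash unique."""
    salt = os.urandom(16)
    return salt, md5_hex(salt + password.encode())


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    return hmac.compare_digest(md5_hex(salt + password.encode()), stored)


def store_slow(password: str):
    """Beyond the slide: PBKDF2-HMAC-SHA256 with a high iteration count makes each
    guess expensive, which salting alone does not. 600k iterations is an assumption."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


def verify_slow(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    table = build_lookup_table(DICTIONARY)
    print(lookup(store_unsalted("myfacebook"), table))   # myfacebook: found instantly
    salt, h = store_salted("myfacebook")
    print(lookup(h, table))                              # None: table does not cover H(salt||pw)
    print(verify_salted("myfacebook", salt, h))          # True
```

The important design point is that `verify_salted` recomputes the hash with the stored salt rather than comparing against a table, and uses a constant-time comparison; the slow-hash variant keeps exactly the same shape, so switching from MD5 to PBKDF2 changes only the hashing call, not the verification logic.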

Page 7: Security presentation

Data Collection & Information Transport

Secure Sockets Layer (SSL) protocol is not secure any longer.

Secure Remote Password (SRP) protocol

Advantages:

a) SRP will not compromise the secret key even if the communications are intercepted.

b) This protocol uses a password to achieve authenticated key exchange, and is still not vulnerable to dictionary attack.

c) The verifier does not need to store the passwords in clear.

According to the three advantages above, this protocol is one of the best password-authenticated key establishment protocols available.
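To show what the three advantages mean in practice, here is an added SRP-6a exchange written for this page (it is not code from the presentation or from any SRP library). It uses the 1024-bit group from RFC 5054, Appendix A, SHA-256 as the hash, and runs client and server in one process; the message names A, B, M1, M2 follow the SRP papers. The server stores only a salt and a verifier v = g^x (advantage c), the password never crosses the wire (advantage a), and a wrong password simply fails the proof M1 without leaking anything an attacker could test offline (advantage b). The user name, password and 16-byte salt are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Group parameters: the 1024-bit group from RFC 5054, Appendix A (N is a safe prime, g = 2).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8          # 128 bytes


def pad(n: int) -> bytes:
    """Big-endian encoding padded to the length of N, as RFC 5054 requires before hashing."""
    return n.to_bytes(N_LEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))                        # SRP-6a multiplier


def private_x(username: str, password: str, salt: bytes) -> int:
    """x = H(salt || H(username ':' password)); only the client can compute it."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def register(username: str, password: str):
    """Enrolment: the server keeps (salt, v). The password itself is never stored."""
    salt = secrets.token_bytes(16)           # constructed per-user salt
    v = pow(g, private_x(username, password, salt), N)
    return salt, v


def client_start():
    a = secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)                   # (private a, public A)


def server_start(v: int, A: int):
    if A % N == 0:
        raise ValueError("invalid client public value A")
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    return b, B                              # (private b, public B)


def client_finish(username, password, salt, a, A, B):
    if B % N == 0:
        raise ValueError("invalid server public value B")
    u = H(pad(A), pad(B))
    if u == 0:
        raise ValueError("scrambling parameter u is zero")
    x = private_x(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K = hashlib.sha256(pad(S)).digest()
    M1 = hashlib.sha256(pad(A) + pad(B) + K).digest()   # client's proof that it knows K
    return K, M1


def server_finish(v, b, A, B, M1):
    u = H(pad(A), pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)
    K = hashlib.sha256(pad(S)).digest()
    if not hmac.compare_digest(hashlib.sha256(pad(A) + pad(B) + K).digest(), M1):
        return None, None                    # wrong password: reject, reveal nothing
    M2 = hashlib.sha256(pad(A) + M1 + K).digest()       # server's proof back to the client
    return K, M2


def authenticate(username, password, salt, v):
    """Runs both sides in-process; on the wire only the salt, A, B, M1 and M2 would travel."""
    a, A = client_start()
    b, B = server_start(v, A)
    K_client, M1 = client_finish(username, password, salt, a, A, B)
    K_server, M2 = server_finish(v, b, A, B, M1)
    return K_client, K_server, M2 is not None


if __name__ == "__main__":
    salt, v = register("alice", "myfacebook")
    print(authenticate("alice", "myfacebook", salt, v)[2])   # True
    print(authenticate("alice", "guess", salt, v)[2])        # False
```

Both sides end up with the same session key K, derived from a value that depends on the client's secret a and the server's secret b, so an eavesdropper who records A and B cannot reconstruct it; this is the session key the slides later recommend establishing after authentication instead of reusing a long-term secret.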

Page 8: Security presentation

Problem 2: Privacy Policy

Facebook's two features:

• Using the email address book to find friends on Facebook

• News Feed

Page 9: Security presentation

Improper Features: Access to Email address book

http://elronsviewfromtheedge.wordpress.com/2007/04/13/the-modern-facebook-of-security/

The first principle of anti-phishing behaviour:

NEVER enter your passwords ANYWHERE but the specific site they are designed for.

Page 10: Security presentation

Improper Features: News Feed

http://www.schneier.com/blog/archives/2006/09/facebook_and_da.html

Page 11: Security presentation

Facebook’s Privacy Policy

Facebook’s Privacy Policy is 3700 words long, and ends with a notice that it can change at any time.

We reserve the right to change our Privacy Policy and our Terms of Use at any time.

• How many members ever read that policy?

• How many read it regularly and check for changes?

Page 12: Security presentation

Privacy Policy

Bring in a third party to supervise online networking websites:

Online Privacy Alliance

1. More than 30 global corporations and associations have joined.

2. They come together to foster the protection of individuals' privacy online.

Guidelines for Online Privacy Policies

1. Adoption and Implementation of a Privacy Policy

2. Notice and Disclosure

3. Choice/Consent

4. Data Security

5. Data Quality and Access

Page 13: Security presentation

Problem 3: Database Reverse-Engineering

• Facebook's "advanced search" allows one to query the database of users using any of the fields in a profile.

– For example, an advanced search for "getting drunk" as an interest will list all users who have set "getting drunk" in their profile, even if their profile is set to private and visible only to their friends.

Page 14: Security presentation

Reverse-Engineering Problem

• This problem is a security hole in Facebook, reported by many users.

• Further research found a student who employed this strategy at other local schools and was able to systematically build up a database from queries on Facebook's database.

• Solutions:

– When users set their profile to "private", all information saved under their name should be withheld from being searched by "advanced search".

Page 15: Security presentation

Problem 4: Incomplete Access Controls

• In searching for user photos in Facebook, the service uses the following URL:

http://mit.facebook.com/photo_search.php&name=John

• Access controls are not applied to "My Photos", and there is no privacy for user photographs. Anyone can access other users' personal photos by editing the above query URL.

• Solutions:

– Privacy should extend to "My Photos" as well, and

– The search-by-name feature should be disabled.
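Problems 3 and 4 are the same defect seen twice: a read path (interest search, photo search) that never consults the owner's privacy setting. The following added example, written for this page and not taken from the presentation or from Facebook, models a handful of constructed profiles and puts the "private, friends only" rule into one visibility predicate that both the search and the photo lookup must pass through. The vulnerable variants are kept beside the fixed ones so the difference is visible; all names, interests and photo identifiers are made up.

```python
from dataclasses import dataclass, field

# Constructed toy data model; not Facebook's schema.


@dataclass
class Profile:
    name: str
    interests: set
    photos: list
    private: bool = False                  # "visible only to my friends"
    friends: set = field(default_factory=set)


def can_view(viewer: str, profile: Profile) -> bool:
    """The single visibility rule every read path must use: public profiles are
    open; private ones only to the owner and the owner's friends."""
    if not profile.private:
        return True
    return viewer == profile.name or viewer in profile.friends


def advanced_search_vulnerable(db: dict, interest: str) -> list:
    """Problem 3 as described: matches on the field alone, ignoring the privacy flag."""
    return sorted(p.name for p in db.values() if interest in p.interests)


def advanced_search_fixed(db: dict, viewer: str, interest: str) -> list:
    """Solution: a profile the viewer could not open is also not a search hit."""
    return sorted(p.name for p in db.values()
                  if interest in p.interests and can_view(viewer, p))


def photo_search_vulnerable(db: dict, name: str) -> list:
    """Problem 4 as described: the photo list is keyed on the name parameter only."""
    return db[name].photos if name in db else []


def photo_search_fixed(db: dict, viewer: str, name: str) -> list:
    """Solution: same predicate as the profile page. Unknown and forbidden give the
    same empty answer, so the endpoint does not confirm which names exist."""
    profile = db.get(name)
    if profile is None or not can_view(viewer, profile):
        return []
    return profile.photos


def sample_db() -> dict:
    """Constructed sample: one public and one private profile."""
    return {
        "john": Profile("john", {"hiking"}, ["john_1.jpg"]),
        "alice": Profile("alice", {"hiking", "getting drunk"}, ["alice_1.jpg"],
                         private=True, friends={"bob"}),
    }


if __name__ == "__main__":
    db = sample_db()
    print(advanced_search_vulnerable(db, "getting drunk"))      # ['alice'] leaked to anyone
    print(advanced_search_fixed(db, "stranger", "getting drunk"))  # []
    print(photo_search_fixed(db, "bob", "alice"))                  # ['alice_1.jpg']
```

The fix is not a new permission system but the discipline of routing every query that returns profile data through `can_view`; the reverse-engineering attack on the slides works precisely because search was one read path that did not.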

Page 16: Security presentation

Mobile Facebook

• Facebook has launched a mobile version of their website at www.m.facebook.com

• The WAP site allows users to access most features of Facebook from a mobile phone, such as uploading photos and notes to Facebook via SMS and MMS, as well as receiving new messages and wall posts on the mobile device through SMS.

• If encryption on WAP (Wireless Application Protocol) is set by default, 96% of users employ it. But only 3.4% of that number do so when it is not set by default.

Page 17: Security presentation

Security of Mobile Facebook

• Secret-key encryption is one of the best tools for authenticating wireless users; it is used alongside the password for authenticated key establishment.

• This method also adds a layer of privacy by preventing eavesdroppers from easily watching network traffic.

• The most widely employed encryption method on wireless networks is WEP encryption (Wired Equivalent Privacy).

• WEP uses a shared 40- or 104-bit WEP key to encrypt data between the access point and the client.

• The per-packet key is composed of a 24-bit initialization vector (IV) and the WEP key. The IV is changed periodically so packets won't be encrypted with the same cipher stream.

Page 18: Security presentation

Security Challenges of using Facebook from mobile

• The challenges for the mobile application security of Facebook mainly include:

– Interception of data between the access point and the mobile or Wi-Fi device

– Data encryption and authentication for mobile users

Page 19: Security presentation

Problems of WEP

• WEP uses the RC4 encryption algorithm (a stream cipher). The mode of operation makes stream ciphers vulnerable to several attacks.

– Solution: using an Integrity Check (IC) field and an Initialization Vector (IV)

• The per-packet key is composed of a 24-bit initialization vector (IV) and a 40-bit WEP key. The IV, chosen by the sender, is changed periodically so that packets won't be encrypted with the same cipher stream.

• Using the same long-term secret key for confidentiality

– Solution: establishing a new session key after authentication
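The slides on pages 17 and 19 describe the WEP construction (RC4 keyed with IV || WEP key, a CRC-32 integrity check, a 24-bit IV that must change per packet) without showing why the IV size matters. The added example below, written for this page rather than taken from it, implements that frame format over a textbook RC4 and then checks two defender-relevant facts: that two frames sent under the same IV share a keystream, so the XOR of their ciphertexts equals the XOR of their plaintexts (the reason the slide insists the cipher stream must not repeat), and that with randomly chosen 24-bit IVs a repeat is expected after only a few thousand frames, which is why a per-session key rather than a long-term one is the slide's second solution. The 5-byte key and the two plaintexts are constructed sample values.

```python
import random
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key-scheduling then n bytes of the pseudo-random generation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV || RC4_{IV||key}(plaintext || ICV). The ICV is a plain
    CRC-32 (the slide's 'IC field'), not a keyed MAC."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    payload = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + xor(payload, rc4_keystream(iv + wep_key, len(payload)))


def wep_decrypt(wep_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    payload = xor(body, rc4_keystream(iv + wep_key, len(body)))
    plaintext, icv = payload[:-4], payload[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def ciphertext_xor_under_reused_iv(wep_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames under one IV use one keystream, so c1 XOR c2 == p1 XOR p2 over the
    common length: the keystream cancels and an eavesdropper learns the plaintext XOR."""
    c1 = wep_encrypt(wep_key, iv, p1)[3:]
    c2 = wep_encrypt(wep_key, iv, p2)[3:]
    n = min(len(p1), len(p2))
    return xor(c1[:n], c2[:n])


def frames_until_iv_repeat(seed: int = 0) -> int:
    """Simulate a sender drawing IVs uniformly from the 24-bit space and count frames
    until the first repeat; by the birthday bound that is around 2**12, not 2**24."""
    rng = random.Random(seed)
    seen = set()
    count = 0
    while True:
        count += 1
        iv = rng.getrandbits(24)
        if iv in seen:
            return count
        seen.add(iv)


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"        # constructed 40-bit WEP key
    frame = wep_encrypt(key, b"\x00\x00\x01", b"hello")
    print(wep_decrypt(key, frame))       # b'hello'
    print(frames_until_iv_repeat())      # a few thousand, far below 2**24
```

The RC4 routine can be checked against the public test vector (key "Key", plaintext "Plaintext" encrypts to bbf316e8d940af0ad3); the IV simulation is the practical reason the slide's "changed periodically" is not enough on a busy link and a fresh session key is needed.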

Page 20: Security presentation

News on Recent Threats

• Criminal hackers now view social networking sites as their best target for personal attacks (iTnews, 4/03/2008)

• Bugs in the ActiveX controls on popular social networking sites Facebook and MySpace can be used by hackers to snatch control of Windows PCs. ( Computerworld, 01/31/08)

• Unpatched PCs running Internet Explorer could fall victim to extra copies of the browser starting, and ads being served, when visiting the social networking site Facebook. (ZDNet Australia, 17/09/2007)

• No matter what level of privacy you have set on your email address, it is visible on the contacts page (seen on a Windows Mobile device). (ZDNet UK, 12/01/2008)

Page 21: Security presentation

Conclusions

• The highly personal nature of social networks and their amplifying effects make it crucial and urgent that their platforms be very secure against various attacks (such as third-party attacks, password interception…)

• Some privacy policies in social networks need to be reviewed, and some changes may be needed in order to provide more privacy for users.

Page 22: Security presentation

Thank you !