• The website has more than 64 million active users worldwide.
• Main functions of Facebook
Motivation
• The exponential growth in social network membership brings many privacy threats to online users.
• "Whenever you put data on a computer, you lose some control over it. And when you put it on the internet, you lose a lot of control over it." [Bruce Schneier]
In social network communities, most people do not realize the importance of protecting their privacy online.
Because of the extreme complexity of these systems, securing them is a major challenge for network security.
Problem 1: Cleartext Password Interception
Facebook sends the user's email address and login password in clear text to the developer's server!
Transmit: a secure transport such as Secure Sockets Layer (SSL/TLS) should be used so that data entered in the client's browser is protected in transit.
MD5
A rainbow table is a lookup table offering a time-memory trade-off, used to recover a plaintext password from a hash produced by a known hash function. Its common application is to make attacks on hashed passwords feasible: the table is computed once and reused against every hash the attacker ever captures.
Data Collection & Information Transport
Add a salt to the MD5 input
• A salt, in the context of MD5 password hashing, is a random value combined with the password before hashing in order to defeat precomputed dictionary and rainbow tables. (MD5 is a hash, not encryption, and the salt need not be secret: it is stored next to the hash.)
• Each bit of salt doubles the size of the table an attacker would have to precompute, so a few dozen random bytes make precomputation infeasible.
The user's password: myfacebook
instead of being stored as:
the hash of "myfacebook"
is stored as:
the hash of (128 random characters + "myfacebook")
This is now immune to rainbow-table attack. It is not immune to a dictionary or brute-force attack on one user at a time, because MD5 is fast: the practical answer is a salted, deliberately slow password hash (bcrypt or PBKDF2, for example) rather than salted MD5.
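The following is an added example, not code from the slides, showing the three storage schemes side by side: a precomputed lookup table cracks an unsalted MD5 hash instantly, a per-user random salt makes the table useless but a fast hash still falls to a per-user dictionary run, and a salted slow KDF (PBKDF2-HMAC-SHA256 here, chosen as an assumption for the replacement) is what a practitioner deploys. The wordlist is constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the attacker's dictionary / rainbow-table input.
WORDLIST = ["password", "123456", "myfacebook", "letmein", "qwerty"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password once; reusable against every unsalted hash ever captured.
    (A real rainbow table compresses this with hash chains; the effect is the same.)"""
    return {md5_hex(w.encode()): w for w in words}


def store_unsalted(password: str) -> str:
    """The weak scheme: hash of the bare password."""
    return md5_hex(password.encode())


def store_salted(password: str, salt: bytes = None) -> str:
    """Per-user random salt, stored beside the digest as 'salthex$digest'. The salt is not secret."""
    salt = salt or os.urandom(16)
    return salt.hex() + "$" + md5_hex(salt + password.encode())


def crack_with_table(digest: str, table: dict):
    """Table lookup: instant for an unsalted hash, useless once a salt is mixed in."""
    return table.get(digest)


def crack_salted(stored: str, words):
    """With the salt known, the attacker must re-hash the dictionary for this one user.
    The precomputed table is defeated, but fast MD5 still lets a dictionary run succeed."""
    salt_hex, digest = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    for w in words:
        if md5_hex(salt + w.encode()) == digest:
            return w
    return None


def store_kdf(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """What replaces salted MD5 in practice: a salted, deliberately slow KDF."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + str(iterations) + "$" + dk.hex()


def verify_kdf(password: str, stored: str) -> bool:
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison
```

The iteration count is the knob that makes each guess expensive for the attacker as well as for the server; 200,000 is a placeholder and should be tuned to the hardware.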
Data Collection & Information Transport
Secure Sockets Layer (SSL) on its own is not enough: even with SSL the password itself reaches the server (and any TLS-terminating intermediary) in the clear, and SSL does nothing about how it is stored there.
Secure Remote Password (SRP) protocol
Advantages:
a) SRP never sends the password or a password-equivalent over the wire, so an intercepted exchange does not compromise the secret.
b) The password is used to achieve authenticated key exchange, and the captured transcript is not vulnerable to an offline dictionary attack.
c) The server stores only a verifier derived from the password, not the password itself.
Because of these three properties, SRP is one of the best password-authenticated key establishment protocols available.
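The exchange described above, as an added example that is not part of the original slides: both sides of SRP-6a in plain Python, using the 1024-bit group of RFC 5054 (the constant is transcribed here and should be checked against the RFC before any real use) and SHA-256 in place of the RFC's SHA-1, which is an assumption of this example. The mutual proofs M1/M2 are omitted; only the key agreement is shown.

```python
import hashlib
import secrets

# Group parameters: the 1024-bit prime and generator g = 2 of RFC 5054, transcribed here
# (verify the constant against the RFC before relying on it). SHA-256 is the hash.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Left-pad an integer to the byte length of N (the PAD() of RFC 5054)."""
    return x.to_bytes(N_LEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier


def private_x(salt: bytes, identity: str, password: str) -> int:
    """x = H(s | H(I ':' P)); computed only on the client, never transmitted."""
    return H(salt, hashlib.sha256(f"{identity}:{password}".encode()).digest())


def register(identity: str, password: str) -> dict:
    """Enrolment (done once, over a trusted channel): the server keeps (s, v), never P."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "verifier": pow(g, private_x(salt, identity, password), N)}


def client_start():
    a = secrets.randbits(256)
    return a, pow(g, a, N)                      # A = g^a, sent to the server


def server_respond(record: dict, A: int):
    if A % N == 0:                              # reject degenerate A
        raise ValueError("invalid client public value A")
    b = secrets.randbits(256)
    B = (k * record["verifier"] + pow(g, b, N)) % N   # B = kv + g^b, sent to the client
    return b, B


def client_key(identity, password, salt, a, A, B) -> bytes:
    if B % N == 0:                              # reject degenerate B
        raise ValueError("invalid server public value B")
    u = H(pad(A), pad(B))
    if u == 0:
        raise ValueError("u must not be zero")
    x = private_x(salt, identity, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # (B - k g^x)^(a + ux)
    return hashlib.sha256(pad(S)).digest()


def server_key(record, A, b, B) -> bytes:
    u = H(pad(A), pad(B))
    S = pow(A * pow(record["verifier"], u, N), b, N)   # (A v^u)^b
    return hashlib.sha256(pad(S)).digest()


def run_login(identity, password, record):
    """One full exchange. Returns both sides' session keys and what an eavesdropper sees."""
    a, A = client_start()
    b, B = server_respond(record, A)
    K_client = client_key(identity, password, record["salt"], a, A, B)
    K_server = server_key(record, A, b, B)
    return K_client, K_server, {"I": identity, "s": record["salt"], "A": A, "B": B}
```

Everything on the wire is I, s, A and B. None of them can be recomputed from a password guess alone (the guesser would also need a or b), which is why the transcript gives an offline dictionary attack nothing to test against; a real deployment exchanges the proofs M1 and M2 before using the key.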
Problem 2: Privacy Policy
Facebook’s two features
Using email address book to find friends on Facebook
Facebook’s Privacy Policy is 3700 words long, and ends with a notice that it can change at any time.
We reserve the right to change our Privacy Policy and our Terms of Use at any time.
• How many members ever read that policy?
• How many read it regularly and check for changes?
Privacy Policy
Bring in a third party to oversee online social networking websites
Online Privacy Alliance
1. More than 30 global corporations and associations have joined
2. They come together to foster the protection of individuals' privacy online
Guidelines for Online Privacy Policies
1. Adoption and Implementation of a Privacy Policy
2. Notice and Disclosure
3. Choice/Consent
4. Data Security
5. Data Quality and Access
Problem 3: Database Reverse-Engineering
• Facebook's "advanced search" allows one to query the database of users using any of the fields in a profile. For example, an advanced search for "getting drunk" as an interest lists all users who have set "getting drunk" in their profile, even if the profile is set to private and visible only to their friends.
Reverse-Engineering Problem
• This is a security hole in Facebook, reported by many users.
• Further research found a student who employed this strategy to do the same for other local schools; he was able to systematically build up a database from queries against Facebook's database.
• Solution: when a user sets their profile to "private", all information saved under their name should be withheld from "advanced search" results.
Problem 4: Incomplete Access Controls
• When searching for user photos, Facebook uses a URL of the following form:
http://mit.facebook.com/photo_search.php&name = John
• Access controls are not applied to "My Photos", so there is no privacy for user photographs: anyone can access another user's personal photos by editing the name parameter in the URL above.
• Solutions: privacy settings should extend to "My Photos" as well, and the search-by-name feature should be disabled.
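Problems 3 and 4 are the same defect seen on two query paths: the privacy flag is enforced when a profile is rendered but not when the database is searched. The added example below (illustrative code, not Facebook's) models a tiny user store, the leaky search and photo lookup beside their hardened forms, and the harvesting loop the student in the text is described as running. User names, interests and photo names are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    private: bool                  # "visible only to my friends"
    interests: set
    photos: list
    friends: set = field(default_factory=set)


# Constructed sample data: alice and carol are private, bob is public, mallory is a stranger.
USERS = {
    "alice": User("alice", True, {"getting drunk", "chess"}, ["alice_1.jpg"], {"bob"}),
    "bob": User("bob", False, {"chess"}, ["bob_1.jpg"], {"alice"}),
    "carol": User("carol", True, {"getting drunk"}, ["carol_1.jpg"]),
    "mallory": User("mallory", False, set(), []),
}


def can_view(viewer: str, owner: User) -> bool:
    """The one visibility rule, applied on every path that touches profile data."""
    return (not owner.private) or viewer == owner.name or viewer in owner.friends


def advanced_search_leaky(interest: str) -> list:
    """The hole: the query runs over every profile and ignores the privacy flag."""
    return sorted(u.name for u in USERS.values() if interest in u.interests)


def advanced_search(viewer: str, interest: str) -> list:
    """Fix: filter by the requester's visibility before returning matches."""
    return sorted(u.name for u in USERS.values()
                  if interest in u.interests and can_view(viewer, u))


def photo_search_leaky(name: str) -> list:
    """The hole: whoever edits ?name= gets the album."""
    u = USERS.get(name)
    return list(u.photos) if u else []


def photo_search(viewer: str, name: str) -> list:
    """Fix: same check on the photo path; 'no such user' and 'not allowed' look identical,
    so the endpoint cannot be used as an existence oracle either."""
    u = USERS.get(name)
    if u is None or not can_view(viewer, u):
        return []
    return list(u.photos)


def harvest(interest_wordlist) -> dict:
    """What the text describes: sweep the leaky search over a wordlist to enumerate
    profiles, private ones included, then pull their photos through the unprotected URL."""
    found = {}
    for word in interest_wordlist:
        for name in advanced_search_leaky(word):
            found[name] = photo_search_leaky(name)
    return found
```

The hardened functions take the requesting viewer as an argument; in a web application that value comes from the authenticated session, never from the query string.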
Mobile Facebook
• Facebook has launched a mobile version of its website at www.m.facebook.com
• The WAP site lets users access most features of Facebook from a mobile phone, such as uploading photos and notes via SMS and MMS, and receiving new messages and wall posts on the device through SMS.
• When encryption on WAP (Wireless Application Protocol) is enabled by default, 96% of users keep using it; when it is off by default, only about 3.4% as many turn it on. Secure defaults matter more than user choice.
Security of Mobile Facebook
• Shared secret-key encryption is widely used to authenticate wireless users, alongside a password for authenticated key establishment.
• It also adds a layer of privacy by preventing eavesdroppers from easily reading network traffic.
• The most widely deployed encryption method on wireless networks has been WEP (Wired Equivalent Privacy).
• WEP uses a shared 40- or 104-bit key to encrypt data between the access point and the client.
• The per-packet RC4 key is a 24-bit initialization vector (IV) concatenated with the WEP key (64 or 128 bits in total). The IV is sent in the clear and is meant to change on every packet so that two packets are not encrypted with the same cipher stream; with only 24 bits it repeats quickly on a busy network.
Security Challenges of using Facebook from mobile
• The challenges for the mobile application security of Facebook mainly include:
– interception of data between the access point and the mobile or Wi-Fi device
– data encryption and authentication for mobile users
Problems of WEP
• WEP uses the RC4 stream cipher. A stream cipher's XOR mode of operation makes it vulnerable to several attacks: if two packets share a keystream, XORing the ciphertexts yields the XOR of the plaintexts, and because the ciphertext is malleable an attacker can flip plaintext bits without knowing the key.
– WEP's own answer: an Integrity Check (ICV) field and a per-packet Initialization Vector (IV). Both are inadequate: the ICV is a CRC-32, which is linear and can be patched along with the flipped bits, and the 24-bit IV space is exhausted in hours on a busy network.
• The per-packet key is the 24-bit IV chosen by the sender concatenated with the 40-bit WEP key; the IV must change on every packet, not merely periodically, otherwise packets are encrypted with the same cipher stream.
• The same long-term secret key is used for confidentiality of all traffic.
– Solution: establish a fresh session key after authentication (this is what WPA/WPA2 do; WEP itself should not be relied on).
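The two WEP weaknesses named above (keystream reuse under a repeated IV, and a linear CRC-32 integrity check that lets an attacker flip bits and still pass the check) as an added, runnable demonstration. This is illustrative code, not WEP or any vendor's implementation: it reproduces the WEP frame construction (IV || RC4_{IV||key}(plaintext || CRC32)) with a plain-Python RC4, and the key, IV and plaintexts are constructed for the example.

```python
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); WEP seeds it with IV || shared key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_le(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as WEP builds it: IV (3 bytes, in clear) || RC4_{IV||key}(plaintext || ICV)."""
    body = plaintext + crc32_le(plaintext)
    return iv + xor_bytes(body, rc4_keystream(iv + wep_key, len(body)))


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Returns the plaintext, or None when the ICV does not verify."""
    iv, ct = frame[:3], frame[3:]
    body = xor_bytes(ct, rc4_keystream(iv + wep_key, len(ct)))
    plaintext, icv = body[:-4], body[-4:]
    return plaintext if crc32_le(plaintext) == icv else None


def keystream_reuse(frame1: bytes, frame2: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so C1 xor C2 == P1 xor P2.
    An eavesdropper gets this without the key; known plaintext in one frame reveals the other."""
    if frame1[:3] != frame2[:3]:
        raise ValueError("frames do not share an IV")
    return xor_bytes(frame1[3:], frame2[3:])


def forge_bitflip(frame: bytes, offset: int, delta: bytes) -> bytes:
    """Flip plaintext bits through the ciphertext and fix up the encrypted ICV.
    CRC-32 is affine: crc(P xor D) == crc(P) xor crc(D) xor crc(0^n), so the attacker
    can patch the ICV without knowing the key or the plaintext."""
    iv, ct = frame[:3], bytearray(frame[3:])
    n = len(ct) - 4
    d = bytearray(n)
    d[offset:offset + len(delta)] = delta
    for i in range(n):
        ct[i] ^= d[i]
    icv_patch = xor_bytes(crc32_le(bytes(d)), crc32_le(bytes(n)))
    for i in range(4):
        ct[n + i] ^= icv_patch[i]
    return iv + bytes(ct)
```

A 24-bit IV gives only about 16.7 million keystreams per key, so on a busy access point the condition for `keystream_reuse` arises by itself; the bit-flip forgery needs no IV collision at all, only a captured frame. A keyed MAC (as in WPA2's CCMP) rather than a CRC is what closes the second hole.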
News on Recent Threats
• Criminal hackers now view social networking sites as their best target for personal attacks (iTnews, 4/03/2008)
• Bugs in the ActiveX controls on popular social networking sites Facebook and MySpace can be used by hackers to snatch control of Windows PCs. ( Computerworld, 01/31/08)
• Unpatched PCs running Internet Explorer could fall victim to extra copies of the browser being started and ads being served when visiting the social networking site Facebook. (ZDNet Australia, 17/09/2007)
• No matter what level of privacy you have set on your email address, it is visible on the contacts page (seen on a Windows Mobile device). (ZDNet UK, 12/01/2008)
Conclusions
• The highly personal nature of social networks and their amplifying effects make it crucial and urgent that their platforms be secured against attacks such as third-party attacks and password interception.
• Some privacy policies of social networks need to be reviewed, and changes may be needed in order to provide more privacy for users.