Page 1: Social networks security threats
Page 2: Social networks security threats

Users Choice

Page 3: Social networks security threats

Users Problems

Page 4: Social networks security threats

Technical Solutions

Behavioral Solutions

Risks

Page 5: Social networks security threats

Sharing Information Risks

Unsecured links

Viruses

Tools

Third-party applications

Social engineering attacks

Identity assumption

Page 6: Social networks security threats

Sharing Information Risks

Unsecured links

This problem evolved with URL shortening.

Shared unsecured links may contain viruses, malware or just inappropriate content.

Solutions

Stopping spam is not easy. Most sites have a “report spam/abuse” address. Spammers, however, frequently change their address from one throw-away account to another. To fight spam within shortened URLs, most social networks perform checks on their servers and warn the user if the link is spam before directing to it.
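The server-side check described above, sketched as an added example (not code from the presentation or from any social network). The redirect table, host names and blocklist are constructed stand-ins for the HTTP redirects and reputation data a real checker would use.

```python
from urllib.parse import urlsplit

# Constructed data: stands in for the redirects a real checker would follow.
REDIRECTS = {
    "http://sho.rt.example/a1": "http://news.example/story",
    "http://sho.rt.example/b2": "http://tiny.example/zz",
    "http://tiny.example/zz": "http://malware-host.example/fake-av",
    "http://sho.rt.example/c3": "http://sho.rt.example/c4",
    "http://sho.rt.example/c4": "http://sho.rt.example/c3",
}
BLOCKED_HOSTS = {"malware-host.example"}  # constructed blocklist
MAX_HOPS = 5


def expand(url, redirects=REDIRECTS, max_hops=MAX_HOPS):
    """Follow the redirect chain; return (chain, error or None)."""
    chain = [url]
    while chain[-1] in redirects:
        nxt = redirects[chain[-1]]
        if nxt in chain:
            return chain, "redirect loop"
        if len(chain) > max_hops:
            return chain, "too many redirects"
        chain.append(nxt)
    return chain, None


def check_link(url):
    """Decide whether to forward the user or show a warning page first."""
    chain, error = expand(url)
    if error:
        return {"action": "warn", "reason": error, "chain": chain}
    # Check every hop, not only the final one: nested shorteners hide the target.
    for hop in chain:
        host = (urlsplit(hop).hostname or "").lower()
        if host in BLOCKED_HOSTS:
            return {"action": "warn", "reason": f"blocked host {host}", "chain": chain}
    return {"action": "allow", "reason": "no match", "chain": chain}
```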

Page 7: Social networks security threats

Sharing Information Risks

Viruses

Social networks are the ideal targets for attackers who want to have the most impact with the least effort. By creating a virus and embedding it in a website or a third-party application, an attacker can potentially infect millions of computers.

In Jan 2012, Twitter users were tricked into clicking a link and sent to a website designed to download malware called System Security, a fake antivirus product designed to trick the user into buying it by using scare tactics such as fake scanning results.

Example

Solutions

Facebook and Twitter are trying to protect their users by implementing defense mechanisms and shutting down pages, apps and accounts that can be deemed harmful to users' computers. Facebook also teamed up with security firms to offer five anti-virus products that users can download, associated with their accounts, with offers of up to six months of free security coverage. Users are still responsible for keeping their antivirus software up to date.

Page 8: Social networks security threats

Sharing Information Risks

Tools

Attackers may use tools that allow them to take control of a user’s account, pose as that user and post malicious content.

Facebook tools, also known as cheat engines, are used to grant illegal access to the hacker so that they can act on the user's behalf.

Example

Solutions

Proactive defense mechanisms should be set on computers and file servers to detect and block suspicious activity caused by emerging malware. No high security level is achieved, as more tools are developed every day.

Page 9: Social networks security threats

Sharing Information Risks

Third-party applications

Some social networking services may allow adding third-party applications. Even if an application does not contain malicious code, it might access information in profiles without permission. This information could then be used in a variety of ways, such as tailoring advertisements, performing market research, sending spam email, or accessing user contacts.

Solutions

Most social networks manage third-party application permissions or ask the user to permit the application to access their information on their own responsibility. For example, unofficial Twitter and Facebook mobile applications need to authenticate before they can deal with user accounts, connecting through a middle interface that delivers a unique key for each username and password. The third-party application sees only a key generated by the social network itself rather than the actual username and password, keeping them safe.
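The "middle interface" idea above, as an added example (not Facebook's or Twitter's actual code). The Broker class, app ids and scope names are hypothetical; the point is that the application only ever holds a random, scope-limited, revocable key.

```python
import hashlib
import hmac
import secrets


class Broker:
    """Toy stand-in for the social network's authorization interface."""

    def __init__(self):
        self._users = {}   # username -> (salt, password hash)
        self._grants = {}  # sha256(token) -> (username, app_id, scopes)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def authorize(self, username, password, app_id, scopes):
        """Runs on the network's own login page; the app never sees the password."""
        salt, stored = self._users.get(username, (b"", b""))
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)  # the generated key handed to the app
        key = hashlib.sha256(token.encode()).hexdigest()
        self._grants[key] = (username, app_id, frozenset(scopes))
        return token

    def check(self, token, app_id, scope):
        """Return the username if this app's key permits `scope`, else None."""
        grant = self._grants.get(hashlib.sha256(token.encode()).hexdigest())
        if grant and grant[1] == app_id and scope in grant[2]:
            return grant[0]
        return None

    def revoke(self, token):
        """User withdraws the app's access without changing the password."""
        self._grants.pop(hashlib.sha256(token.encode()).hexdigest(), None)
```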

Page 10: Social networks security threats

Sharing Information Risks

Social engineering attacks

Attackers may send an email or post a comment that appears to originate from a trusted social networking service or user. The message may contain a malicious URL or a request for personal information.

For example, a page that looks exactly like the Facebook or Twitter settings page, asking the user to confirm a setting by providing secure information such as passwords.

Example

SEA

Recommendation Demographic Visitor Tracking

Page 11: Social networks security threats

Strong Ties: Show a potential connection between two users only if there is a strong connection between them, such as the fact that the users already have some friends in common.

Monitor new accounts: Closely monitor newly established friendships. For example, a benign user may be contacted by people and also actively search for and add friends on the network. In contrast, the attacker only receives friend requests from other users, so it may be possible to identify the attackers automatically.

CAPTCHA: CAPTCHA usage also needs to be extended to incoming friend requests. Requiring the user to solve a CAPTCHA challenge before being able to accept a suspicious incoming friend request or message raises the difficulty bar for attackers.
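The "Strong Ties" and "Monitor new accounts" checks above, as an added example (not from the presentation). The friendship graph, account ages, request log and thresholds are all constructed for illustration.

```python
from collections import Counter

# Constructed sample data, not taken from any real network.
FRIENDS = {
    "alice": {"bob", "carol", "dave"},
    "bob": {"alice", "carol"},
    "carol": {"alice", "bob"},
    "dave": {"alice"},
    "mallory": set(),
}
ACCOUNT_AGE_DAYS = {"alice": 900, "bob": 400, "carol": 30, "dave": 5, "mallory": 3}
# (sender, recipient) friend requests seen in the monitoring window
REQUESTS = [
    ("bob", "mallory"), ("carol", "mallory"), ("dave", "mallory"),
    ("alice", "mallory"), ("dave", "bob"), ("carol", "dave"), ("dave", "carol"),
]


def may_suggest(a, b, min_mutual=1):
    """Strong ties: recommend a <-> b only if they share enough friends."""
    return len(FRIENDS[a] & FRIENDS[b]) >= min_mutual


def suspicious_new_accounts(max_age_days=14, min_incoming=3):
    """Flag new accounts that attract requests but never send any.

    A benign newcomer (dave) both sends and receives; an account that only
    receives (mallory) matches the pattern described in the text.
    """
    sent = Counter(sender for sender, _ in REQUESTS)
    received = Counter(recipient for _, recipient in REQUESTS)
    return sorted(
        user
        for user, age in ACCOUNT_AGE_DAYS.items()
        if age <= max_age_days
        and received[user] >= min_incoming
        and sent[user] == 0
    )
```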

Social engineering attacks

Page 12: Social networks security threats

Sharing Information Risks

Identity assumption

Attackers may be able to gather enough personal information from social networking services to assume a user's identity and guess password reminder questions for email, credit card, or bank accounts.

These types of threats are the responsibility of the user more than the social network service provider (Behavioral Solutions). For example, the social network may require a password with a certain number of characters, but in the end the social network cannot control user behavior and the permissions granted by the user, and consequently cannot fight identity assumption or abuse of public data. It's recommended that users implement security measures and take general security precautions to reduce the risk of compromise.

Solutions

Page 13: Social networks security threats

• Use strong passwords, and use a unique password for each service.
• Keep anti-virus software up to date.
• Install software updates in a timely manner, particularly updates that affect web browsers.
• Use strong privacy and security settings and remember that these services may change their options periodically, so regularly evaluate your security and privacy settings, looking for changes and ensuring that your selections are still appropriate.
• Avoid suspicious third-party applications.
• Treat everything as public. This recommendation applies not only to information in your user profile, but also to any comments or photos you post.

Solutions cont’d

Identity assumption

Page 14: Social networks security threats

Public figures' identity theft is very serious, as it may influence their audience in a bad way.

Facebook focused on unique names; for example, it doesn’t allow a user to have the exact name of a public figure (i.e. mahmod darwesh).

Twitter began offering verified accounts back in 2009, guaranteeing the authenticity of its well-known users. 2012: Facebook will soon provide verified celebrity accounts.

However, public figures are not safe on social networks from others posting on their behalf and spreading rumors.

Identity theft

Page 15: Social networks security threats
Page 16: Social networks security threats
Page 17: Social networks security threats

Business data: Posting sensitive information intended only for internal company use on a social networking service can have serious consequences.

Professional reputation: Inappropriate photos or content on a social networking service may threaten a user’s educational and career prospects.

Personal relationships: According to a survey conducted by Retrevo, 32 percent of people who post on a social networking site regret they shared information so openly.

Personal safety: You may compromise your personal security and safety by posting certain types of information on social networking services. For example, revealing that you will be away from home.

Take Care

Page 18: Social networks security threats

Enable SSL Encryption

In the past, Facebook used HTTPS (Hypertext Transfer Protocol Secure) only when you entered your password. Facebook now applies Secure Sockets Layer encryption, and it is strongly recommended if you use public computers or access points, such as at coffee shops, airports or libraries.

Take Care


Page 19: Social networks security threats

Take Care

Be Wary of Information You Share

It's recommended to opt out of the feature that lets you, and your friends, check you into places. Here's how to find this setting. Hackers use your location data not just for physical-world attacks such as stalking and robbery, but for social-engineering attacks, too. One example of this: messaging you to say, "Hey, I met you at XYZ conference last week," in order to obtain more information or promote a malicious link.

Page 20: Social networks security threats

Take Care

Use Applications and Games Sparingly

Facebook has since put a number of safety protocols, such as App Passwords, in place to better vet their apps and ensure security. also recommends carefully reviewing the permissions granted to Facebook apps before you install and use them.

Page 21: Social networks security threats

Take Care

Log Out of Facebook When You're Done

When you're finished browsing Facebook, be sure you log out, to prevent threats, such as "likejacking," that leverage logged-in sessions to Facebook. Likejacking is a form of clickjacking, or the malicious technique of tricking users into posting a status update for a site they did not intentionally mean to "like."

If you have forgotten to log out of Facebook from a computer or mobile device, you can do so remotely. From your Account Settings page, click the "Security" tab on the left. Select "Edit" next to Active Sessions.

Page 22: Social networks security threats

1. Choose a Strong password

2. Know where you’re typing your password

3. Use Twitter’s HTTPS option

Take Care

Page 23: Social networks security threats

Thank you