The Impact of Social Networking On Security Threats David Melnick, Principal Charlie Blanchard, Manager Deloitte & Touche LLP

Apr 21, 2020


The Impact of Social Networking On Security Threats

David Melnick, Principal

Charlie Blanchard, Manager Deloitte & Touche LLP


Today’s agenda

• Definitions and terminology

• Security Threats

• Responding

• What is next in the world of social networking

• Q&A


Definitions and terminology


Social Networking

• As defined in Wikipedia

– A social network is a social structure made of nodes (which are generally individuals or organizations) that are tied by one or more specific types of interdependency, such as values, visions, ideas, financial exchange, friendship, kinship, dislike, conflict, or trade. The resulting structures are often very complex.

• As defined in Webmaster

– Social networking is a phenomenon defined by linking people to each other in some way. Users work together to rate news and are linked by rating choices or explicit identification of other members. Generally, social networks are used to allow or encourage various types of activity whether commercial, social, or some combination of the two.


What makes a Social Network so powerful?

• Metcalfe’s law

– The value of a telecommunications network is proportional to the square of the number of connected users of the system (n²)

• Related to the fact that the number of unique connections in a network of a number of nodes (n) can be expressed mathematically as the triangular number n(n–1)/2, which is proportional to n² asymptotically

http://en.wikipedia.org/wiki/Metcalfe’s_Law

• Applying this to Social Networking — Consider LinkedIn — it took 16 months to reach the first one million users. The latest million users were added in just 11 days.


What makes a Social Network so powerful? (cont.)

• Web 2.0

– “Web 2.0” was first coined in 1999, and, by 2004, had become used to describe the next evolution of the Web.

– It’s based on the notion that people who consume media, access the Internet, and use the Web shouldn’t passively absorb the flow of content from provider to viewer; rather, they should be active contributors, helping customize media and technology for their own purposes.

– Social network sites, blogs, wikis, and other collaborative technologies are the result.

Web 1.0 (Yesterday)

Power lies with: institutions, platforms, and technology

• Structured

• Siloed

• One size fits all

• Passive audience

• Unilateral

Web 2.0 (Today)

Power lies with: users, communities, and experiences

• Flexible

• Collaborative

• Communities

• Engaged users

• Multilateral


Social network — More terminology

Blogs

• Web sites where entries are made (such as in a journal or diary), displayed in a reverse chronological order; often provide commentary or news on a particular subject

• Some function as personal online diaries or logbooks

• Combine text, images, and links to other blogs and Web sites

• Typically provide archives in calendar form, local search, syndication feeds, reader comment posting, trackback links from other blogs, blogroll links to other recommended blogs, and categories of entries tagged for retrieval by topic


Social network — More terminology (cont.)

Microblogging

• Short, frequent posts with questions, information, or current status

• Twitter (public) and Yammer (private) are two examples

• Social software (including Facebook, LinkedIn, etc.) now prompts for “what’s on your mind?” or similar status or mood lines


Social network — More terminology (cont.)

Microblogging (cont.)

• The changing face of microblogging…

• 2009 Twitter Trend Categories

– Entertainment 38%

– Sports 14%

– Holidays 11%

– Business / Tech 11%

– Hashtags 9%

• 2010 Twitter Trend Categories

– Hashtags 40%

– Entertainment 28%

– Sports 10%

– Holidays 6%

– Business / Tech 3%

Source = http://whatthetrend.com/ - the trend-tracking company that monitors the rank and duration of every single topic that pops up on Twitter's global Trending Topics chart throughout the year.


Social network — More terminology (cont.)

Wikis

• Web sites which allow users to easily add, remove, edit, and change most available content

• Effective for collaborative writing and self-service Web site creation and maintenance


Social network — More terminology (cont.)

Wikis (cont.)

• Wikipedia – perhaps the best known Wiki

– First edit on 16 January 2000, followed by 1,000 articles in the first month *

– Now has 17 million articles in 270 languages, all written by volunteers *

– Billionth edit took place on 16 April 2010 *

– Used by 400 million people every month *

– Claims to have 80,000 editors, although reports suggest that it has recently lost thousands; something Wikipedia disputes *

– Aims to grow to one billion users by 2015 with a focus on women and people in the developing world *

– Critics maintain that many entries are untrustworthy

– But a disputed study has shown that for subjects such as science it comes as close as traditional encyclopedias

* Statistics taken from http://www.bbc.co.uk/news/technology-12171977


Social network — More terminology (cont.)

Social networking software

• A range of tools which facilitate social networking

• Personal Web pages, including bios, photos, interests, audio and video, links to friends, messages from friends, and personal networks


Social network — More terminology (cont.)

Social networking software (cont.)

• Facebook – the biggest of them all

– Over 500 million registered users *

– 50% of our active users log on to Facebook in any given day *

– About 70% of Facebook users are outside the U.S. *

– More than 30 billion pieces of content (web links, news stories, blog posts, notes, photo albums, etc.) shared each month *

– People spend over 700 billion minutes per month on Facebook *

* Statistics taken from http://www.facebook.com/press/info.php?statistics (Sept 2010)

• As of March 13, 2010 Facebook was America’s most popular site according to Experian Hitwise with 7.1%


Social network — More terminology (cont.)

Videos and photos

• Online collections of videos and photos from users

• Users can upload, tag, and rate content


Security Threats


Phishing and Worms

What is phishing?

• Messages that encourage you to leak information about yourself, whether that information is personal or financial data.

Common characteristics of phishing messages

• Often have a tone of urgency

• Look to exploit the emotions of the individual receiving the message

• May play on an individual’s curiosity

Phishing attacks pre-date social networking, which simply presents another avenue of attack.


Phishing and Worms (cont.)

• Example worms / phishing attacks affecting social networking sites

– Boface - convinces users to click on a link pointing to a video resulting in a download. Shortly after the download is complete, the user’s Facebook account will be hijacked and used as a means of spamming (and propagating a worm to) all their friends


Phishing and Worms (cont.)

• Example worms / phishing attacks affecting social networking sites (cont.)

– Koobface – targets Facebook, MySpace, hi5, Bebo, Twitter, and other sites. Users are prompted to click on a URL purporting to be an update from Adobe and a worm is downloaded to the PC which looks for personal data

– http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_real_face_of_koobface_jul2009.pdf

– Fbaction - Facebook phishing attack that encourages users to sign up for fbaction.net using their Facebook credentials. Those credentials are then used to hijack the Facebook account


Phishing & Worms (cont.)

• More on phishing — social networks are a target rich environment

“Dearest One…

Sorry for the nature of this email, please bear with me.

I am Natasha Kone, a 22 year old lady now, i was born on the 1st of January 1986 to the family of Kone. My father’s name is Kamara Cone. He was a very wealthy Gold and Cocoa Merchant based in ACCRA and ABIDJAN respectively. I am their only child. When I was a kid, I attended a private school and things were well for me and my parents. Things changed when I was in High School, my mother died on the 21st October 1994. My father then took me very special and gave me motherly care. As fate had it, my father died last year…………………..”

- See http://www.419legal.org for more details

• The 419 scams have evolved with the technology – now using LinkedIn to target specific individuals


Phishing and Worms (cont.)

• Common element – they all take advantage of the implied trust that social networking users have with each other

• May also take advantage of URL Shortening – bit.ly, tr.im, tinyurl.com etc.


Evil Twin Attack

• Impersonation – the ‘Evil Twin’ refers to imposters pretending to be somebody they are not.

• The reasons for such impersonation include (but are not limited to):

– Financial Gain – attempt to extort money from a person’s friends

– Defamation – able to post comments pretending to come from that person

– Stock churn – post false statements that could potentially impact trading of the stock

– Cyber-bullying – post negative comments to another’s profile with the intent of hurting that individual

• Such impersonation is not limited to celebrities, political officials and executives; it can also affect regular people.


Evil Twin Attack (cont.)

How to create the ‘Evil Twin’

Step 1 – research the target. Will need to find out as much information as necessary to make the profile as believable as possible. Try to establish the following:

– Date of birth

– Employer (current and / or past)

– College and High school names and graduation dates

– Any current hobbies, interests or affiliations

– Home town

– Current city / state they reside in

– Profile photo

– Any other photos of the individual or their family / friends

Where do you get this information? Existing social networking sites both personal and professional


Evil Twin Attack (cont.)

How to create the ‘Evil Twin’ cont.

Step 2 – create an email account for the target. Plethora of free email services out there to create an account.

Step 3 – create the ‘Evil Twin’ account on the social networking sites.

– Sign up using the email account we have just created and validate the account.

– Add the profile picture we have obtained of the individual and all the other information we have been able to obtain to make the profile plausible e.g., home town, high school, employer etc.

– Start inviting friends – how? Join groups. Send request to people who went to the same high school, work at the same company etc.

You have now assumed the individual’s online identity!


Evil Twin Attack (cont.)

Example – created a fictitious profile for ‘Jimbo Jones’


Session hijacking

• Default security settings on Facebook (as of June 2011). HTTPS is not enabled by default. Many applications require you to use HTTP.


Session hijacking (cont.)

• A number of tools out there make it relatively straightforward to hijack a session if the individual is using HTTP for social networking sites. Examples include:

– Firesheep

– FaceNiff

[Screenshot from Firesheep]
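
Added example (not part of the original presentation): a Python check a defender can run over captured response headers to find the conditions that make the session hijacking described above possible, namely pages served over HTTP, session cookies without Secure/HttpOnly, missing HSTS, and HTTPS-to-HTTP redirects. The host names, cookie names, the SESSION_HINTS heuristic and the sample headers are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: cookies whose names contain these fragments carry the login session.
SESSION_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, attributes-dict)."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def hsts_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None


def audit_response(url, headers):
    """Return a list of finding codes for one response.

    url     -- the URL that was requested
    headers -- list of (name, value) pairs as received
    """
    findings = []
    https = urlsplit(url).scheme.lower() == "https"
    lowered = [(name.lower(), value) for name, value in headers]

    if not https:
        # Everything on this page, cookies included, crosses the network in clear text.
        findings.append("plain-http")
    else:
        ages = [hsts_max_age(v) for n, v in lowered if n == "strict-transport-security"]
        if not ages:
            findings.append("no-hsts")
        elif not ages[0]:
            # max-age=0 (or unparsable) switches HSTS off for this host.
            findings.append("hsts-disabled")

    for name, value in lowered:
        if name == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if any(hint in cookie.lower() for hint in SESSION_HINTS):
                if "secure" not in attrs:
                    # Browser will also send this cookie on http:// requests.
                    findings.append(f"cookie-not-secure:{cookie}")
                if "httponly" not in attrs:
                    findings.append(f"cookie-not-httponly:{cookie}")
        elif name == "location" and https and value.lower().startswith("http://"):
            # e.g. an application that forces the user back to HTTP.
            findings.append("redirect-to-http")
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "http-login": ("http://social.example/home", [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "session_id=3f9a; Path=/"),
    ]),
    "https-hardened": ("https://social.example/home", [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "session_id=3f9a; Path=/; Secure; HttpOnly"),
        ("Set-Cookie", "lang=en; Path=/"),
    ]),
    "https-app-downgrade": ("https://social.example/apps/game", [
        ("Set-Cookie", "session_id=3f9a; Path=/; HttpOnly"),
        ("Location", "http://apps.social.example/game"),
    ]),
}


def audit_all(samples=SAMPLES):
    return {label: audit_response(url, hdrs) for label, (url, hdrs) in samples.items()}


if __name__ == "__main__":
    for label, findings in audit_all().items():
        print(f"{label}: {findings or 'ok'}")
```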


Identity Theft

The case of Bryan Rutberg*

• Facebook account was hijacked in January 2009

• His status was updated to read “BRYAN IS IN URGENT NEED OF HELP!!”

• Many of his friends had received an email stating that Bryan had been held up at gun point while on vacation in the UK

• The email stated that he was in need of money

• Bryan realized his account had been compromised and tried to log in, but the perpetrators had already changed his password

• Bryan then tried to use his wife’s account to post a message on his own wall warning people, but the perpetrators had de-friended his wife

• One of Bryan’s friends wired $1,200 to an account in London

• Eventually after 40 hours the account was disabled

* See www.cnn.com/2009/TECH/02/05/facebook.impostors/index.html


Identity Theft (cont.)

Once again Identity Theft is not unique to Social Networking

• Just provides a new attack vector

• In 2008 there were over 10 million people in the US who reported being victims of identity theft, yet only 11% of overall contributors to identity theft were online transactions*

• 42% of victims reporting identity theft actually knew the perpetrator**

* www.javelinstrategy.com/research/2

** www.idtheftcenter.org/artman2/uploads/1/Aftermath_2008_20090520.pdf


Lawsuits

• Reputation — Damage to company brand/reputation through inappropriate comments or remarks from employees

– Even a lack of a response may damage the brand. For example, XYZ Company, Inc. creates a Twitter account called @XYZ_Cares and then fails to use the account.

– Other examples include creating a social media program, but not telling the rest of the company about it, so they may be unaware of any promotions or offers being publicized.

• Liability – should an employee post threatening comments to another person while at work

• Copyright violation — Third-party material, such as essays, articles, and photographs, is used without written consent from the proprietor

• Intellectual Property theft — Harder to prevent inadvertent data leakage through the one-to-many nature of Web 2.0 as a medium


Social Engineering 2.0

Bypassing physical security controls

• Search social networking site for employees from the company you wish to compromise

• Create a group named “Employees of Company X”

• Create a profile of a bogus employee and join the group

• Invite other employees to the group

• Sit back and watch the membership of the group grow

• Select an employee to impersonate and visit their social network profile

• Gather intel – job title, work email address, work phone number

• Create a bogus business card

• Approach target facility and attempt social engineering attack


Physical Security

Threats against your person including (but not limited to):

• Property damage

• Theft

• Kidnapping

• Bodily injury

• Death


Applications

• Control of applications – Some of the top Facebook Applications

There are now more than 500,000 active applications on the Facebook Platform

Name                  Monthly Active Users *
Static FBML           104,764,366
CityVille             86,442,965
FarmVille             38,562,986
Texas HoldEm Poker    35,462,687
Create your Quiz      28,261,475
Daily Horoscope       14,066,572
Mafia Wars            7,617,294

* Source - http://statistics.allfacebook.com/applications/leaderboard/ (June 2011)


Applications (cont.)

• New security concerns and attack vectors — as a result of the shift in technology through Web services that are empowering server-side core technology components as well as Asynchronous JavaScript and XML (“AJAX”) and Rich Internet Application (“RIA”) clients that are enhancing client-end interfaces in the browser itself.

• Top 10 Web 2.0 Attack Vectors — http://net-square.com/whitepapers/Top10_Web2.0_AV.pdf

– Cross-site scripting (“CSS”) in AJAX e.g., “Samy worm that exploited MySpace.com’s CSS flaw”

– XML poisoning — poison XML blocks coming from AJAX client

– Malicious AJAX code execution — replay of cookies for each request

– RSS/Atom injection — inject JavaScript into the RSS feeds to generate an attack on the client browser

– Web Services Definition Language (“WSDL”) scanning and enumeration

– Client-side validation in AJAX routines — fail to perform server-side checks

– Web services routing issues — compromise of intermediate nodes

– Parameter manipulation with SOAP — web services consume information and variables from SOAP

– XPATH injection in SOAP message — bypass authentication mechanisms

– RIA thick client binary manipulation — issues with session management
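
Added example (not from the original presentation or the cited whitepaper): the RSS/Atom injection item above, shown as a feed renderer that trusts item fields beside one that treats every field as text and allows only http/https links. The feed, host names and function names are constructed for illustration.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed feed: the second item carries script in its title, link and description.
FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed feed</title>
<item>
  <title>Quarterly results</title>
  <link>https://news.example/q3</link>
  <description>Revenue up 4% &lt;b&gt;year on year&lt;/b&gt;</description>
</item>
<item>
  <title>Free video &lt;script&gt;alert(1)&lt;/script&gt;</title>
  <link>javascript:alert(1)</link>
  <description>&lt;img src=x onerror=alert(1)&gt;</description>
</item>
</channel></rss>"""


def safe_href(link):
    """Return the link if it is an absolute http(s) URL, else None."""
    link = (link or "").strip()
    try:
        parts = urlsplit(link)
    except ValueError:
        return None
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return link
    return None


def render_item_unsafe(title, link, desc):
    # Vulnerable: feed fields are concatenated into markup unchanged,
    # so whatever the feed publisher (or an injector) wrote runs in the reader's browser.
    return f'<li><a href="{link}">{title}</a><p>{desc}</p></li>'


def render_item_safe(title, link, desc):
    # Hardened: every field is escaped as text and the link must pass a scheme allowlist.
    # Trade-off: legitimate markup in descriptions is shown literally; allowing some
    # tags would need an allowlist-based HTML sanitizer, which is not shown here.
    text = html.escape(title, quote=True)
    href = safe_href(link)
    head = f'<a href="{html.escape(href, quote=True)}">{text}</a>' if href else text
    return f"<li>{head}<p>{html.escape(desc, quote=True)}</p></li>"


def render_feed(xml_text, safe=True):
    """Render every <item> of an RSS document as an HTML list."""
    root = ET.fromstring(xml_text)
    render = render_item_safe if safe else render_item_unsafe
    rows = [
        render(
            item.findtext("title", ""),
            item.findtext("link", ""),
            item.findtext("description", ""),
        )
        for item in root.iter("item")
    ]
    return "<ul>" + "".join(rows) + "</ul>"


if __name__ == "__main__":
    print("unsafe:", render_feed(FEED, safe=False))
    print("safe:  ", render_feed(FEED, safe=True))
```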


Productivity

• Productivity — Users employ social media tools for nonproductive purposes, such as socializing (“Social Notworking”)

BBC News - “Twitter ‘costs businesses £1.4bn’ a year”

http://news.bbc.co.uk/2/hi/business/8325865.stm


A quick word on privacy

“People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time.”

— Mark Zuckerberg, Facebook founder

“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place...”

— Eric Schmidt, CEO Google, Inc.


A quick word on privacy (cont.)

Facebook privacy in the news:

• September 2006 – News Feed introduced

– Display recent Facebook activities of the member's friends on member’s homepage. Resulted in 740,000 members joining a group entitled “Students Against Facebook News Feed”

– Facebook added new privacy features to address users’ concerns.

• November 2007 – Beacon service launched (ended in September 2009)

– Third-party websites could include a script by Facebook on their sites, and use it to send information about the actions of Facebook users on their site to Facebook.

• June 2011 – Automatic facial recognition rolled out - Tag Suggestions

– Automatically tag pictures of individuals based off facial recognition of existing friends.

Currently under investigation by European Data Protection Authorities


A quick word on privacy (cont.)

Default privacy settings on Facebook (as of June 2011)


A quick word on privacy (cont.)

Individual profile as it appears in a search using default privacy settings on Facebook (as of June 2011)


Responding – what can the security professional do?


Responding - what can the security professional do?

• Risk assessment

– Establish what information is most critical to the business

– Understand how information might become vulnerable and how to protect it (data mapping)

• Policies and procedures

– Acceptable use policy

• Details how social networking sites and applications can be used

• Define consequences for failure to comply e.g., “termination of employment and legal action”


Responding - what can the security professional do?

• Monitor consumer feedback

– Establish a team or small group of individuals to monitor consumer feedback 24/7

– Check out sites such as Hootsuite, Socialmention and Brandwatch

– Team should also be responsible for investigating suspicious activity


Responding - what can the security professional do? (cont.)

• Education and awareness

– Inform users of the information security risks involved and how to guard against them

• For example, only install or run applications from trusted sources approved by the corporate IT department


Responding - what can the security professional do? (cont.)

• Vulnerability Assessments

– Identifying, quantifying, and prioritizing the potential vulnerabilities that Social Networking may present to the organization

• Firewalls

– Historically firewalls focused on ports, IP addresses and packets

– But social networking applications operate on Ports 80 & 443

– Next-generation firewall technology that offers granular control of social networking functionality

• Identify applications, regardless of port, protocol, evasive tactic or SSL

• Identify users regardless of IP address

• Scan application content in real-time

• Visibility and policy control over application access


Responding - what can the security professional do? (cont.)

• Report security bugs

– Facebook has set up a ‘Security Bug Bounty’ offering rewards for individuals who ‘Report a bug that could compromise the integrity or privacy of Facebook user data’

– For more info see http://www.facebook.com/whitehat/bounty/


What is next in the world of social networking


Where we are at today

• Enterprise Social Media has crossed the tipping point and is no longer considered an “emerging” technology

“The Hype Cycle”

http://en.wikipedia.org/wiki/Hype_cycle


What’s next in the world of social networking

• Increase in the use of mobile devices to access Social Networks

– Over 600 million people will use their phone to access Social Networks by 2013, an increase of more than 400% over the 2009 figure of 140 million. Source — eMarketer

• Increase in frequency of access

– Facebook mobile users are 50% more active than other users of the site

• Take your social profile with you as you travel the Web

– For example — Facebook Connect

• Social Networks will become more pervasive — broadcasting your location in geo-networking apps

– Interaction between devices. For example, your car’s navigation system will be able to learn your friend’s location and provide directions to them


Some further predictions

• Some quotes on social networks

– “Probably the greatest transformative force in our generation, absent a major war.” — Mark Zuckerberg, Facebook founder

– “(Twitter is)… Something important that has the potential to change the world, though we have a long way to go.” — Biz Stone, Co-founder of Twitter


Q&A

?


Today’s Presenters

David Melnick, Principal, Security & Privacy Services, Deloitte & Touche LLP, +1 213-593-3656

Charlie Blanchard, Manager, Security & Privacy Services, Deloitte & Touche LLP, +1 213-688-3220


Appendix & Further Information

• Phishing attacks – Facebook’s link if you think you have fallen victim to a phishing attack:

– www.facebook.com/help.php?page=797


Appendix & Further Information

• Additional resources

– Gopal, Raj et al. “Web 2.0 reinvents corporate networking.” Deloitte Consulting LLP (2008)

– The Economist — A special report on social networking (January 30, 2010)

– Fraser, Matthew; Dutta, Soumitra (2008). Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World

– “Great Wall of Facebook: The Social Network's Plan to Dominate the Internet — and Keep Google Out” by Fred Vogelstein, Wired Magazine (June 2009) http://www.wired.com/techbiz/it/magazine/17-07/ff_facebookwall

– “The Future is Social, Not Search, Facebook COO Says” by Ryan Singel, Wired Magazine (October 2009) http://www.wired.com/epicenter/2009/10/facebook-social-2/

– British Computer Society Social Media Web site — http://www.bcs.org/socialmedia


This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.