4. A Social Network definition
As defined on Wikipedia:
A social network is a social structure made up of
individuals (or organizations) called "nodes",
which are tied (connected) by one or more
specific types of interdependency, such as
friendship, kinship, common interest, financial
exchange, dislike, or relationships of beliefs,
knowledge or prestige.
5. Examples of Social Networks?
Facebook
LinkedIn
Twitter
Even more media:
RSS Feeds
Blogs
Wikis
Web Chat
Podcasts
Mashups
Photo/Video-sharing
Virtual Worlds
6. Common Web 2.0 Vulnerabilities
Phishing
Spam
Malware
Cross Site Scripting
SQL Injection
Authentication and Authorization Flaws
Information Leakage
Insecure Storage
Insecure Communications
7. Some Web 2.0-Specific Vulnerabilities
On top of that list, there are some vulnerabilities
specific to Web 2.0:
XSS Worms
Feed Injections
Mashup and Widget Hacks
8. Well, first things first: Passwords!!!
Is it a new thing? No, but it is different.
Password sloth. Using the same password on
several sites is like trusting the weakest link in a
chain to carry the same weight.
Using the same password as your email account when the login
username is your email address!!
According to Facebook stats, more than 50% use the
same password.
Avoid using the same password on multiple sites
Do not synchronize account information with
organization login credentials.
11. Phishing (cont’d)
Major phishing attempts
Simple "look at this" message
Users directed to fbstarter.com, fbaction.net
Phished credentials used to automatically log in,
send more mail
Some users report passwords changed
Phishtank reports Facebook 7th most common
target
Behind only banks, PayPal and eBay
"Social Phishing" is far more effective
12. Phishing (cont’d)
72% successful in controlled study
No TLS for login page
No Anti-phishing measures
Frequent genuine emails with login links
Users don't consider social networks'
passwords as valuable
Web 2.0 sites encourage password sharing…
Facebook is doing a good job but still!
17. Cross Site Scripting (XSS)
New to Web 2.0? No
Is this worse in Web 2.0? Yes
XSS flaws occur whenever an application takes
user supplied data and sends it to a web browser
without first validating or encoding that content.
18. XSS Worms
New to Web 2.0? Yes
Self-propagating XSS code injected into a web
application, which spreads when users visit a
page.
The first XSS worm, 4 years ago, spread through
MySpace
1 million+ infections in 24 hours
19. Feed Injections
New to Web 2.0? Yes
Feed aggregators have data coming from various
untrusted sources. The data being received can
be malicious and exploit users.
Remote Zone Risks
Web browsers or web-based readers in this
category
Attacks such as XSS and CSRF possible
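As an added illustration of the defensive side of the XSS (slide 17) and feed injection points above (this is not code from the original slides), the following Python sanitiser reduces untrusted feed HTML to a small allow-list of tags before an aggregator renders it. The allow-list, the link policy and the sample entry are my own assumptions for the demonstration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed rendering policy: only these tags survive (their attributes are dropped).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "ul", "li", "a"}
# Elements whose content is itself dangerous: element and content are both discarded.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}

class FeedSanitizer(HTMLParser):
    """Rebuilds an HTML fragment, keeping allow-listed tags and escaping all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded; we re-escape them
        self.out = []
        self.skip_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # img, form, unknown tags: gone, together with onerror= and friends
        safe_attrs = ""
        if tag == "a":
            href = dict(attrs).get("href") or ""
            # Plain web links only; javascript:, data:, vbscript: and relative URLs are dropped.
            if href.lower().startswith(("http://", "https://")):
                safe_attrs = f' href="{escape(href, quote=True)}" rel="noopener noreferrer"'
        self.out.append(f"<{tag}{safe_attrs}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is re-escaped so it can never become markup

def sanitize_feed_html(fragment):
    parser = FeedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

# Constructed sample entry, as an aggregator might receive it from an untrusted feed.
SAMPLE_ENTRY = ('<p onclick="steal()">Read <b>more</b> <script>alert(1)</script>'
                '<a href="javascript:alert(1)">here</a> or <a href="https://example.com/news/7">here</a></p>')
```

Run `sanitize_feed_html(SAMPLE_ENTRY)` to see the event handler, the script block and the javascript: link all removed while the text and the plain https link survive.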
20. Mashup and Widget
New to Web 2.0? Yes
Mashups and Widgets are core components in
Web 2.0 sites. The rich functionality they
provide can be exploited by attackers through
attacks such as XSS.
21. Mashup and Widget (cont’d)
The mashup site is the middleman, do you trust
it?
Multiple inputs, one output
Mashup communications could leak data
Mashups require cross domain access.
23. Information Leakage
New to Web 2.0? No
Is this worse in Web 2.0? Yes
Applications can unintentionally leak
information about their configuration, internal
workings, or violate privacy through a variety
of application problems.
24. Information Leakage (cont’d)
A simple lack of error handling leaking information
http://www.examplesite.com/home.html?day=Monday
I add a little something onto the URL:
http://www.examplesite.com/home.html?day=Monday AND userscolumn=2
No error handling = information leakage:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server] Invalid column name
/examplesite/login.asp, line 10
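The error above comes from sending the raw driver exception to the browser. As an added example (not from the original slides), here is the same failure in Python with SQLite standing in for the SQL Server database: the first handler builds the query from the URL parameter and echoes the exception, the second uses a parameterised query and returns only a generic message while the detail goes to the server log. The table, its rows and the probe value are constructed for the demonstration.

```python
import logging
import sqlite3

log = logging.getLogger("examplesite")

# Constructed in-memory database standing in for the site's SQL Server backend.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE schedule (day TEXT, event TEXT)")
conn.executemany("INSERT INTO schedule VALUES (?, ?)",
                 [("Monday", "driver briefing"), ("Tuesday", "review")])


def lookup_unsafe(day):
    """Vulnerable handler: query built by string formatting, driver error sent to the client."""
    try:
        rows = conn.execute(f"SELECT event FROM schedule WHERE day = '{day}'")
        return 200, [r[0] for r in rows]
    except sqlite3.Error as exc:
        # The 'no error handling' case from the slide: the engine's own message,
        # naming the unknown column, goes straight into the HTTP response.
        return 500, f"Database error: {exc}"


def lookup_safe(day):
    """Hardened handler: parameterised query; only a generic message reaches the client."""
    try:
        rows = conn.execute("SELECT event FROM schedule WHERE day = ?", (day,))
        return 200, [r[0] for r in rows]
    except sqlite3.Error as exc:
        # Full detail stays server-side for the operators; the user learns nothing about the schema.
        log.error("schedule lookup failed for day=%r: %s", day, exc)
        return 500, "Sorry, something went wrong. Please try again later."


if __name__ == "__main__":
    # The slide's probe, adapted to the quoted string literal the unsafe query uses.
    probe = "Monday' AND userscolumn=2 --"
    print(lookup_unsafe("Monday"), lookup_unsafe(probe))
    print(lookup_safe("Monday"), lookup_safe(probe))
```

With the parameterised query the probe is just a literal that matches no row, so there is no error to leak in the first place.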
25. Information Leakage (cont’d)
What makes this worse in Web 2.0?
Business logic and validation moved to the
client side
Web 2.0 apps do a lot of work on the client
side: validation of data, business logic and sensitive
data
You need to back these up with server side
checks
Never assume sensitive data will be safe on the client
26. Authentication and Authorization Flaws
New to Web 2.0? No
Is this worse in Web 2.0? Yes
These flaws can lead to the hijacking of user
accounts, privilege escalation, undermined
authorization and accountability controls, and
privacy violations.
27. Authentication and Authorization Flaws (cont’d)
Authentication and Authorization Weaknesses
Passwords with no maximum age, reasonable length or
complexity requirements
Lack of brute force protection
Broken CAPTCHA systems
Security through obscurity
Session Management Weaknesses
Lack of sufficient entropy in session IDs
Predictable session IDs
Lack of sufficient timeouts and maximum lifetimes for
IDs
Using one session ID for the whole session
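To make the session management items concrete, here is an added Python example (not from the original slides) of a server-side session store that addresses each of them: IDs drawn from the OS random generator, an idle timeout plus an absolute maximum lifetime, and rotation of the ID at login so that one ID never spans the whole session. The store, the timeout values and the injectable clock are my own assumptions for the demonstration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60      # seconds without activity before a session dies (assumed policy)
MAX_LIFETIME = 8 * 60 * 60  # absolute cap measured from creation, however active the user is

def new_session_id():
    # 256 bits from the OS CSPRNG: not a counter, a timestamp or a hash of the username.
    return secrets.token_urlsafe(32)

class SessionStore:
    """Server-side session table. The clock is injectable so expiry can be tested offline."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def create(self):
        # Anonymous session for a visitor who has not logged in yet.
        now = self._clock()
        sid = new_session_id()
        self._sessions[sid] = {"user": None, "created": now, "last_seen": now}
        return sid

    def get(self, sid):
        """Session data for a valid ID, or None if unknown, idle too long or past its lifetime."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > MAX_LIFETIME:
            self.destroy(sid)
            return None
        s["last_seen"] = now
        return s

    def login(self, sid, user):
        """Bind the user and rotate the ID so the pre-login ID never becomes an authenticated one.
        The creation time is kept, so the absolute lifetime still counts from first issue."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        s["user"] = user
        new_sid = new_session_id()
        self._sessions[new_sid] = s
        return new_sid

    def destroy(self, sid):
        """Logout: drop the record so the old ID cannot be replayed."""
        self._sessions.pop(sid, None)
```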
28. Authentication and Authorization Flaws (cont’d)
What makes this worse in Web 2.0?
CAPTCHAs are used to provide strong A+A but are
often weak
More access points in Web 2.0 applications
The use of single sign on leads to single point of
failure
Growth in other attacks further undermines A+A
29. Insecure Storage and Communications
New to Web 2.0? No
Is this worse in Web 2.0? Yes
These flaws could allow sensitive data to be
stolen if the appropriate strong protections
aren’t in place.
30. Insecure Storage and Communications (cont’d)
Insecure storage of data
Not encrypting sensitive data
Hard coding of keys and/or insecurely storing keys
Using broken protection mechanisms (e.g. DES)
Failing to rotate and manage encryption keys
Insecure communications
Not encrypting sensitive data in transit
Only using SSL/TLS for the initial logon request
Failing to protect keys whilst in transit
Emailing clear text passwords
31. Insecure Storage and Communications (cont’d)
What makes this worse in Web 2.0?
More data in more places, including client side
storage
Mixing secure and insecure content on a page
And now with the Cloud!!!
32. Browsing Habits and Experience have Changed…
Trigger finger (clicking on everything). Inboxes
contain everything from drink requests to
cause requests; do not get into the click habit
unless you are ready to deal with drive-by
downloads and zero-day attacks.
33. A little on Privacy …
3rd Party Apps on Facebook
Anyone can create a Facebook app
Many of the agreements you must accept give
the company the right to monitor your data and
sell it without informing you.
Tracker information can be built into any
application.
Mixing personal with professional; commonly on
Facebook, where one’s friends include business
associates, family members and friends.
Engaging in Tweet (or Facebook/LinkedIn/Myspace)
rage. Imagine you are at a party where everyone is
listening, including your boss, spouse and future
employer.
36. Data = $$$
Steal your money directly
Sell your data
Trick your friends and family into supplying
personal data
Sell your identity
Use your accounts to spread spam, malware and
more data theft scams
Sell your organization's data or sensitive
information
Blackmail individuals and organizations
37. URL Shortener Risks
bit.ly, hex.io, zi.ma, etc.
Where will the URL take you?
Dubious link via email? Hover your mouse over it or
check the HTML
A new way for email phishing scams
DDoS with iframe
Easily escaping spam filters
Even more dangerous! What if the site got
hacked?
“See before you click” functionality or extensions
Example: j.mp
38. Malware example: Koobface
The Koobface worm and its associated botnet have gained notoriety in
security circles for their longevity and history of targeting social networking
sites. First surfacing in 2008 within MySpace and Facebook, the worm
resurfaced in early 2009, this time targeting Twitter users.
Using phishing techniques, the message directs the recipients to a
third-party website, where they are prompted to download what is purported to be
an update of the Adobe Flash player.
11/10/2009 - As part of a new Koobface attack, links to Google Reader
URLs controlled by cyber-criminals are being spammed by Koobface onto
social network sites, including Facebook and MySpace. The hundreds of
Google accounts involved host a page with a fake YouTube video. Attempts
to view this supposed video expose Windows users to infection by
Koobface.
Upon successful infection, Koobface ultimately attempts to gather sensitive
information from the victims, such as credit card numbers.
40. Twitter hacking example:
Select victim group using any one of a number of
Twitter trend tools.
Select malware based on device or location info.
Upload malware to dropbox.com and request a
public link for the uploaded file.
Use a URL shortening service to obfuscate the
URL.
Send tweet to target referencing information or
post with keywords so that all individuals
“tracking” the keywords will be notified of a new
tweet on the subject they are tracking.
41. Scareware Tweets
Scareware is fake anti-virus – instead of
protecting your computer it infects it
Scammers create multiple tweets that direct you
to a scareware page. They then try to frighten
you into believing you have a security problem
and need their software to address it
Other scareware attacks aim to:
Take control of your computer to send spam
Hold your computer to ransom
Result: Malware infection
42. Security analysis difficulties with Web 2.0
More code and complexity in Web 2.0 apps
At least two languages to analyze (client and
server)
User supplied code might never be reviewed
Dynamic nature increases risk of missing flaws
Increased amount of input points
43. Basics of Social Networking Security
Never Post Personal Information Online
Everything you post is public information
If you don’t feel comfortable with everyone seeing it, then don’t put it
online
Configure security settings on all sites
Most websites you log into have security configurations
Set the privacy levels in accordance to what you are posting
Change your Password Regularly
Use Phrases, not words
Do not keep a “Master” password
Never Trust E-mails asking for personal information
An official organization will never ask you to disclose any private
information in order to correct an error
44. Basics of Social Networking Security (cont’d)
Do not friend anyone you do not know and trust
Hackers and spammers are more clever than you think. There is a reason many
online scams are called “social engineering”
Clean out your friend list regularly
Watch For Hacked Friend Accounts
Unusual posts or requests
Posting “Shock Sites”
Beware of Third Party Apps
Many require you to sign an agreement giving them the right to sell your
information
Malicious code can be written into the program
Delete unused Apps
If you are not using them, then why let them potentially mine data about you?
If you are unsure about an app, a post or anything else, then Google is your
best friend
45. Basics of Social Networking Security (cont’d)
Caution about posting your location online
People are watching where you will be and, more importantly, where you will
not be
Check your security settings monthly
Facebook sets all profiles to public with each site redesign
Apps may disable your security settings
Viruses and Malware may disable your security settings
Consider using Private Browsing
Private Browsing allows you to view websites without storing your history or
installing cookies
Private Browsing Shortcuts:
Firefox – Ctrl + Shift + P
Internet Explorer 8 – Ctrl + Shift + P
Opera – Ctrl + Shift + N
Google Chrome – Ctrl+Shift+N
Don’t stay logged on
46. Basics of Social Networking Security (cont’d)
Set your settings to high privacy and/or enable
security settings on the sites you use.
Review a given website’s privacy policy; you
may be surprised at what you are actually
agreeing to.
Log off when you leave.
Install and update antivirus software.
Keep system software AND applications up to
date.
Make sure the connection you use is secure.