1. Threats / attacks in social media?
Basically two different approaches:
1. Manipulating computer code to gain access or install unwanted software on a computer or a mobile device.
2. Manipulating people through social interactions (in person, over the phone, or in writing), known as "social engineering".
Manipulating code
Click-jacking
Concealing hyperlinks beneath legitimate clickable content which, when clicked, causes a user to unknowingly perform unwanted actions.
Can be used to trigger e.g. "Like" and "Share" buttons on social networking sites without the user noticing.
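The standard defence against click-jacking is to tell the browser that the page may not be embedded in a frame on another site. The following is an added example, not part of the original slides: a helper that builds the two relevant response headers (the CSP frame-ancestors directive and the older X-Frame-Options), and an audit function that inspects a response's headers and reports which mechanism, if any, actually prevents framing by an untrusted origin. The header values and the sample inputs are constructed for the example.

```javascript
// Added example (not from the original slides). Browsers that understand the
// CSP "frame-ancestors" directive ignore X-Frame-Options when both are present,
// so a server should send both: CSP for modern browsers, X-Frame-Options as a
// fallback for older ones.

// Headers to attach to pages that contain sensitive click targets.
// allowSelf = true permits framing by the same origin only; false forbids all framing.
function antiFramingHeaders(allowSelf = false) {
  return {
    'content-security-policy': `frame-ancestors ${allowSelf ? "'self'" : "'none'"}`,
    'x-frame-options': allowSelf ? 'SAMEORIGIN' : 'DENY',
  };
}

// Audit helper: given a response's headers (names are case-insensitive), report
// which mechanism protects the page: 'csp', 'xfo' or 'none'.
function framingProtection(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // CSP wins when it carries a frame-ancestors directive.
  const csp = h['content-security-policy'] || '';
  const directive = csp
    .split(';')
    .map(d => d.trim())
    .find(d => d.toLowerCase().startsWith('frame-ancestors'));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1).map(s => s.toLowerCase());
    // "*" or a bare scheme such as "https:" lets any origin frame the page.
    const permissive = sources.some(s => s === '*' || s === 'http:' || s === 'https:');
    return permissive ? 'none' : 'csp';
  }

  // Fall back to X-Frame-Options. Only DENY and SAMEORIGIN are meaningful;
  // ALLOW-FROM is obsolete and ALLOWALL was never a valid value.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return 'xfo';
  return 'none';
}

// Constructed sample responses, as a scanner might collect them.
const SAMPLE_RESPONSES = {
  hardened: antiFramingHeaders(),
  legacyOnly: { 'X-Frame-Options': 'deny' },
  openCsp: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors *" },
  unprotected: { 'Content-Type': 'text/html' },
};

function auditAll(responses) {
  const report = {};
  for (const [name, headers] of Object.entries(responses)) report[name] = framingProtection(headers);
  return report;
}
```

Run `auditAll(SAMPLE_RESPONSES)` to see one result per sample; any page that comes back as 'none' and contains buttons with side effects (Like, Share, Pay) is a click-jacking candidate.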
Cross-Site Scripting (XSS)
Malicious code is injected into a trusted website. People can be directed to a site carrying an XSS attack by sharing a link through a hijacked or fake profile.
A stored XSS attack is one where the malicious code is permanently stored on the server and served to everyone who views the page.
A reflected XSS attack is one where a person is tricked into clicking a malicious link that carries the code, which the site echoes back into the page.
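Both forms are prevented the same way on the server: untrusted data is encoded for the context it is inserted into, and link destinations are validated separately because escaping alone does not neutralise a javascript: URL. The following is an added example, not part of the original slides; the comment record and the search query are constructed inputs, and the rendering functions are illustrative, not any particular framework's API.

```javascript
// Added example (not from the original slides): rendering user-supplied content
// so that a stored payload (from the database) or a reflected one (from the
// request) ends up as inert text instead of executable markup.

// Encode for HTML body and quoted attribute-value context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// A link destination is a different context: only absolute http(s) URLs are
// allowed; javascript:, data: and unparsable values fall back to "#".
function safeHref(url) {
  let u;
  try { u = new URL(String(url)); } catch { return '#'; }
  return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
}

// Stored case: render one comment record of constructed shape { author, text, website }.
function renderComment(c) {
  return `<li><a href="${escapeHtml(safeHref(c.website))}">${escapeHtml(c.author)}</a>: ` +
         `${escapeHtml(c.text)}</li>`;
}

// Reflected case: a search term from the request echoed back into the page.
function renderSearchResult(query) {
  return `<p>No results for "${escapeHtml(query)}"</p>`;
}

// Constructed sample record with the classic harmless test payload in each field.
const STORED_COMMENT = {
  author: 'mallory',
  text: '<script>alert("xss")</script>',
  website: 'javascript:alert("xss")',
};
```

With these two functions every interpolation point has exactly one encoder matched to its context; a template engine with auto-escaping gives the same guarantee, but the href rule still has to be applied explicitly because engines do not know which attributes take URLs.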
Social engineering
Elicitation
Using conversation to extract information from people without giving them the feeling they are being interrogated. E.g. in Facebook chat.
Scams
Fake deals that trick people into providing money, information, or service in exchange for the deal.
E.g. fake competitions or giveaways, where the participant is directed to a malicious website in order to be able to participate.
Doxing
Retrieving personal information from e.g. social networking site profiles and either releasing it publicly or blackmailing the person with threats to release it.
Manipulating code +
Social engineering
Phishing
Impersonating a legitimate organization or person.
In social media this often takes the form of sharing a link that looks legitimate but leads to a file containing malware or to a fraudulent website (e.g. a fake bank site). Phishing attacks are typically aimed at random victims.
Spear phishing attacks target a specific person or organization as their intended victim.
Abusing social sign-in
"Sign in with Facebook", "Connect to Facebook" etc. can be used to direct the user to a fake sign-in page, through which the login details can be extracted and the user account hijacked. Especially noteworthy in mobile apps, where the address of the sign-in page is harder to see.
3. Possibilities and drawbacks of Web 2.0 technology
Based on Top 8 Web 2.0 Security Threats, by Sarah Perez
WEB 2.0 POSSIBILITIES
- Allows use of the Web beyond static pages.
- Makes it possible to have interactive apps online.
- Allows people to communicate and share information with one another effectively through e.g. social media sites.
WEB 2.0 DRAWBACKS
1. Insufficient Authentication Controls
"In many Web 2.0 applications, content is trusted in the hands of many users, not just a select number of authorized personnel."
If users are allowed to access or modify data that they are not supposed to, it can affect the whole system negatively, especially if the users' credentials are leaked or stolen.
2. Cross Site Scripting (XSS)
Services based on social sharing (e.g. wikis) are easier targets for XSS attacks.
3. Cross Site Request Forgery (CSRF)
A lot of applications use AJAX, where the user cannot easily see what data is being transferred. Therefore, Web 2.0 applications are potentially more vulnerable to this type of attack.
4. Phishing
"[T]he multitude of dissimilar client software in use makes it harder for consumers to distinguish between the genuine and the fake web sites."
5. Information Leakage
Web 2.0, social media and a "work-from-anywhere" lifestyle combined can blur the line between work and private life, which can lead to "slips" of sensitive information.
6. Injection Flaws
Web 2.0 made several new technologies popular (XML, XPath, JavaScript and JSON), each of which is prone to its own type of injection attack.
7. Information Integrity
Social data sharing and editing (e.g. in Wikipedia) can lead to the spread of false information.
8. Insufficient Anti-automation
The lack of anti-automation can help hackers to automate their attacks or help them to acquire a lot of information fast.
Anti-automation mechanisms (like CAPTCHAs) can be used to slow these attacks down or stop them.
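The cheapest anti-automation control is a rate limit per client key, which throttles a script long before a human would notice the limit. The following is an added example, not part of the original slides: a sliding-window limiter run over a constructed request log in which one scripted client enumerates profile pages while a second client browses at human pace. The request records, addresses and limits are constructed for the example.

```javascript
// Added example (not from the original slides): a sliding-window rate limiter
// as a first anti-automation control, keyed here by client IP (a session or
// account id works the same way and is harder to rotate).

class SlidingWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;        // max requests per key inside the window
    this.windowMs = windowMs;  // window length in milliseconds
    this.hits = new Map();     // key -> timestamps (ms) of allowed requests
  }

  // Returns true if the request at time `now` is allowed, false if it should be
  // throttled (e.g. answered with 429 or routed to a CAPTCHA).
  allow(key, now) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter(t => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);   // throttled requests do not extend the window
      return false;
    }
    recent.push(now);
    this.hits.set(key, recent);
    return true;
  }
}

// Constructed log: a script fetching 20 profile pages 50 ms apart, and a person
// loading three pages over roughly a second.
const SCRAPER_IP = '203.0.113.5';
const HUMAN_IP = '198.51.100.7';
const SAMPLE_REQUESTS = [
  ...Array.from({ length: 20 }, (_, i) => ({ t: i * 50, ip: SCRAPER_IP, path: `/profile/${i + 1}` })),
  { t: 0, ip: HUMAN_IP, path: '/profile/42' },
  { t: 400, ip: HUMAN_IP, path: '/profile/42/photos' },
  { t: 900, ip: HUMAN_IP, path: '/profile/17' },
].sort((a, b) => a.t - b.t);

// Replay the log through the limiter and count throttled requests per key.
function simulate(requests, limit = 5, windowMs = 1000) {
  const limiter = new SlidingWindowLimiter(limit, windowMs);
  const throttled = {};
  for (const r of requests) {
    if (!limiter.allow(r.ip, r.t)) throttled[r.ip] = (throttled[r.ip] || 0) + 1;
  }
  return throttled;
}
```

With a limit of 5 requests per second the scripted client gets its first five pages and is throttled on the remaining fifteen, while the human client is never affected; in production the limit is tuned per endpoint and the throttled path is the natural place to present a CAPTCHA.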