WUSTL CSE 571S - Social Network Security: A Brief Overview of Risks and Solutions

This preview shows page 1-2-3-4-5 out of 14 pages.

Unformatted text preview:

Social Network Security: A Brief Overview of Risks and Solutions
http://www.cse.wustl.edu/~jain/cse571-09/ftp/social/index.html

Edward Wang, [email protected] (A project report written under the guidance of Prof. Raj Jain)

Abstract

In this study, we present the various aspects of social, network and physical security related to the use of social networks, by introducing the mechanisms behind each and summarizing relevant security studies and events related to each topic. It has long been understood that the widespread use of social networking sites can provide attackers with new and devastating attack vectors. In this study we attempt to dive deeper into each mode of security threat, as well as confirm the security risk associated with each topic by providing real world financial / social consequences. We recognize that while organizations and individuals may have legitimate business / personal uses for social networks, we recommend specific actions be taken to bolster stronger user awareness, more secure software designs as well as better organizational accountability.

Keywords

Social network security, social engineering, XSS, CSRF, DoS, stalking, OpenID, Facebook, Twitter, LinkedIn, phishing, information theft, identity, identity hijacking, malware, worms, firewall, corporate security

Contents

1 Abstract
2 Keywords
3 Contents
4 Introduction
5 Social Engineering
  5.1 Information Leakage & Theft
    5.1.1 Mechanism
    5.1.2 Consequences
    5.1.3 Possible Remedy
  5.2 Phishing
    5.2.1 Mechanism
    5.2.2 Consequences
    5.2.3 Possible Remedy
  5.3 Identity Hijacking
    5.3.1 Mechanism
    5.3.2 Consequences
    5.3.3 Possible Remedy
6 Physical Security
  6.1 Stalking
    6.1.1 Mechanism
    6.1.2 Consequences
    6.1.3 Possible Remedy
7 Malware
  7.1 Cross-Site Reference Forgery (CSRF) & Cross-Site Scripting (XSS)
    7.1.1 Mechanism
    7.1.2 Consequences
    7.1.3 Possible Remedy
8 Conclusion and Advice
9 Bibliography
10 List of Acronyms
11 Last Date Modified

Introduction

For a newcomer to the internet arena, social networking sites are an ever more popular way for people to stay connected. Some might even venture to say business opportunities are formed and lost online, as our web presence becomes an integral part of our personal lives. In an era where our online identity not only overshadows our actual identity, but other key financial and personal systems as well, the potential security risks associated with these social networks cannot be stressed enough.

Over the years, researchers and hackers alike have identified a handful of security risks ranging from people, process to application. The purpose of this study is to give a sweeping overview of the major security topics surrounding social networks today, and introduce the underlying mechanisms behind each. We follow up with some tangible consequences that each risk might have, and finally provide a direction to look at in terms of solutions.

Social Engineering

Information Leakage & Theft

Mechanism

Scope of Visibility

Most people when asked will agree that not everyone they know is their best friend; there are the mere acquaintances all the way to those with whom we share our deepest secrets, along with many shades in between. However, the widespread phenomenon of social networking sites has added new meaning to friends: two people are often "friends or not" (D, 2004). While social networks may not necessarily increase strong ties, they certainly do very little for weak ties. One may have a couple of close friends and thousands of distant friends, and a social network may simply categorize them all as "friends."

More contacts aren't necessarily a bad thing; the problem is who has access to our information. Social networking sites provide a certain level of access control, but most people do not take the effort to configure these properly. As a result, everyone ends up with equal access rights. To make matters worse, oftentimes information travels through several hops of "friends," and by the idea of six degrees of separation it seems unreasonable to assume we are far from the bad guys.

Use of Real Names and Personal Information

As an added bonus, social networking sites contain information that is either mostly real or easily identified as fake. For the sole purpose of keeping up with friends in a seemingly trustworthy domain, people have very little incentive to falsify information on Facebook. The same idea goes for sites like MySpace and LinkedIn. See figure 1 for a recent study at Carnegie Mellon University (Gross & Acquisti, 2005).

Similar results exist for other sensitive information, such as birthdates, education history and hometown. In fact, a group of Taiwanese researchers have gone on to propose automated identification systems for name, age and education record inference on a different social network with good results (Lam, Chen, & Chen, 2008).

Breadth of Available Information

In the same CMU study, Gross and Acquisti go on to show the sheer amount of information available simply within the CMU Facebook realm (Gross & Acquisti, 2005). Again, most users make very little effort to subdivide access privileges to different parts of their profile. By the same line of logic as names and birthdates, we have very little reason to doubt the validity of this information.

Promiscuous Trust Relationships

Without taking into account the registration requirement relaxation for Facebook in the last year, users used to need a valid academic e-mail address in order to enroll. The bulk of Facebook users still operate under this assumption (as far as I can tell, the open Facebook doesn't bother the newcomers either), and we automatically trust whoever is in our network. Most campus networks are open and gaining a mail address is not difficult. Moreover, many users will gladly accept friend requests from people that aren't even in their network. (Jump, 2005)

As soon as a stranger connects with someone in a new network, he more or less inherits his friend's credentials when it comes to dealing with others in the same realm, giving him easy access to other users. As a bonus, this may allow a malicious user to circumvent realm-based privacy settings.

Data Protection Circumvention

Those who are more privacy

