
Can we be friends? A Social Networking Experiment


Presentation Transcript


  1. Can we be friends? A Social Networking Experiment By Ben McGee, CISSP

  2. Agenda • Social Networking Basics • Profile • Experiments - User Vulnerability, Data Mining • Scams & Investigations • Recommendations

  3. whoami Specialties • Systems Engineering – SAIC Contractor for Army • Digital certificates, PKI, Encryption, biometrics, smart cards, and identity management • Software Engineering • .NET, Web Services, XML/XSLT, LDAP, VB 6.0, VBSCRIPT, .ASP, HTML, SQL, DTS, Shell Scripting, and some JAVA Experience • Government, healthcare, financial, & auditing Employers • SAIC for NASA at the Marshall Space Flight Center, Raymond James Financial, CDXperts, BenefitOne of America, Geonex and TEKSystems

  4. Who is this guy? • Vice President of the NAISSA • Teach Information Security & Assurance courses at the University of Alabama in Huntsville for the Continuing Education Division. • CISSP Boot camp • Information Assurance Associate Certificate • Information Assurance Professional Certificate • Security + • MOSS 2007 Administration and Development • University of Florida • Certified Information Systems Security Professional (CISSP) designation.

  5. Focuses on building online communities • share interests and/or activities about yourself • exploring the interests and activities of others • Encourages new ways to communicate and share information • A great way to reconnect What is Social Networking?

  6. Don’t you TRUST me? • SNS built on TRUST. • Create relationships with: • Family and friends • Former classmates • Groups of similar interest • Co-workers

  7. Social Networking Sites • I stopped counting at 200 • Facebook most widely used worldwide • Facebook, MySpace, Twitter and LinkedIn most widely used in North America • Are you a follower?

  8. And the winner is? Facebook 10 Largest Countries • United States 94,748,820 • United Kingdom 22,261,080 • Turkey 14,215,880 • France 13,396,760 • Canada 13,228,380 • Italy 12,581,060 • Indonesia 11,759,980 • Spain 7,313,160 • Australia 7,176,640 • Philippines 6,991,040 Source: www.Checkfacebook.com

  9. What is Facebook? Users create a profile typically tied to email

  10. What is your Facebook “Profile”?

  11. Profile is Who you are on Facebook

  12. Who am I on Facebook?

  13. Benjamin McGee Married Three Kids

  14. Male

  15. Joined Facebook for Networking

  16. My political affiliation

  17. My religion

  18. ben.c.mcgee@gmail.com

  19. My cell phone number

  20. My home phone number

  21. My home address(Street, City, State, Zip)

  22. My birthday

  23. Where I live

  24. Where I work

  25. Where I shop

  26. Favorite TV Shows

  27. Profile is what you let people know about you on Facebook

  28. Using Facebook • Request “friends” & accept “friend” requests • Update your “wall” & comment on others’ status (“I like this”) • Create and/or join groups that share common interests • Upload photos or videos • Play games • Chat with people and hold discussions in forums

  29. Who is using it? Everyone who is anyone • Employers • Government • Business • Dating Services • Universities • Medical • Media

  30. Big Business Right Now • Facebook has 300,000,000 users • Users constantly check • Advertisers Pay Per Hit • Targeted Advertising • Monster revealed 351 jobs right now for Facebook Developers

  31. Privacy Info • Share profile with Everyone, Friends of Friends, Friends Only, or No one • “Facebook may also collect information about you from other sources, such as newspapers, blogs, instant messaging services, and other users of the Facebook service through the operation of the service (e.g., photo tags) in order to provide you with more useful information and a more personalized experience.” • “By using Facebook, you are consenting to have your personal data transferred to and processed in the United States.”

  32. The Good • Websites are beginning to tap into the power of the social networking model • Highly successful for connecting small organizations with few resources • Users benefit by interacting with people who share their interests Reference: Wikipedia

  33. The Bad…..and the Ugly • Cyberstalking • Identity Theft and/or Impersonation • Phishing • Viruses through Facebook Applications • Bunch of Scams

  34. Experiment #1- User Vulnerability • Created Experimental User • Filled out profile with high school • Received two friend requests within first 24 hours • Sent out about 50 friend requests • 60% of people accepted friend request • Now has over 30 friends in 3 week period

  35. Experiment #1 - Conclusions • If you don’t recognize the person, don’t accept the friend request • Send them an email or message via Facebook and ask “Do I know you?” • Even friends whom you do know could potentially be a threat • If you haven’t talked to someone in 15 years, are they really a “friend”? • Do you really want to see what a “friend” is up to every day? Vice versa? • Use caution in accepting “friends” and consider removing unknown or unwanted friends

  36. Experiment #2 – Data Mining Using the Facebook Platform • Facebook Markup Language • it is used to customize the "look and feel" of applications that developers create. • Using the Platform, Facebook launched several new applications and extended the API to developers • Gifts - allowing users to send virtual gifts to each other • Marketplace - allowing users to post free classified ads • Events - giving users a method of informing their friends about upcoming events • Video - letting users share homemade videos with one another • Anyone playing Mafia Wars or Farmville lately?

  37. Experiment #2 – Data Mining Facebook API • Very Rich API • Reference developer.facebook.com • Easy to create a Facebook App • Screenshots of the GUI used to set up the app • You need Webspace • Pick a programming language and include the Facebook Libraries (I used C#) • Took me about three hours to figure out

  38. Experiment #2 – Data Mining Hidden Agenda • Because of the nature of Facebook, users may feel a sense of security and not realize that the information they release could be used against them. • The danger in being able to so easily access this data is that it can fall into criminal hands.

  39. Allow Access??

  40. Experiment #2 – Data Mining • Created Facebook Application to Collect Data • Asked friends to take simple survey • Who should win the Heisman? • What is the best ISSA chapter in the U.S. ?

  41. Experiment #2 Facebook API • Users.getInfo • Returns a wide array of user-specific information for each user identifier passed, limited by the view of the current user • Friends.getLists • Returns the names and identifiers of any friend lists that the user has created • Status.get • Returns the user's current and most recent statuses

  42. Experiment #2 Users.getInfo Decomposition • uid • Firstname • lastname • activities • affiliations • College • high school • work • region • birthday • birthday_date • Books • current_location • City • State • Country • zip • education_history • Degree • email_hashes • hometown_location • Interests • Looking For • Movies • Music • name • Username • wall_count • work_history • company_name • pictures • political • Quotes • relationship_status • religion • Sex • significant_other_id • Status • Timezone

  43. Experiment #2 - Results • Collected data over the experimental period • Once users clicked the “Allow” button, I could see their user data even if they were not my friends • About half of the profiles had enhanced privacy settings turned on, such as field-level privacy settings • About a quarter of the profiles had filled out most of the information, exposing enough fields for data mining or targeted advertising • A handful filled out all profile information and shared everything with everyone
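The three slides above describe the sharing levels (slide 31), the fields an application receives from Users.getInfo (slide 42) and the observation that an app a user has clicked “Allow” on sees that data whether or not its author is a friend (slide 43). The following Python script is an added example, not code from the presentation or from Facebook: it models a profile and its privacy settings, computes which fields each kind of viewer would see, and flags combinations of fields that are worth more to an identity thief or stalker together than apart. The field groupings, the viewer thresholds, the sample profile and the rule that an allowed app is treated like a friend-level viewer are all assumptions made for the example.

```python
from enum import IntEnum


class Audience(IntEnum):
    """Sharing levels from slide 31, ordered from most to least restricted."""
    NO_ONE = 0
    FRIENDS_ONLY = 1
    FRIENDS_OF_FRIENDS = 2
    EVERYONE = 3


# Minimum audience a field must be shared with for a given viewer to see it.
# An application the user has clicked "Allow" on is modelled as a friend-level
# viewer even when its author is a stranger (the behaviour slide 43 reports).
# That is an assumption for this example, not a documented platform rule.
VIEWER_THRESHOLD = {
    "stranger": Audience.EVERYONE,
    "friend_of_friend": Audience.FRIENDS_OF_FRIENDS,
    "friend": Audience.FRIENDS_ONLY,
    "allowed_app": Audience.FRIENDS_ONLY,
}

# Users.getInfo fields (slide 42) that become risky in combination. The
# groupings and labels are ours; zip + birth date + sex is the widely cited
# re-identification triple, email + birth date + hometown is typical
# account-recovery material, home + workplace supports physical locating.
RISKY_COMBINATIONS = {
    "re-identification (zip + birthday + sex)": {"zip", "birthday_date", "sex"},
    "account recovery material (email + birthday + hometown)":
        {"email_hashes", "birthday_date", "hometown_location"},
    "physical locating (home + workplace)": {"current_location", "work_history"},
}

# Constructed sample profile mirroring the fields the speaker says he filled
# out on slides 13-26. Values are placeholders, not real data.
SAMPLE_PROFILE = {
    "first_name": "Sample",
    "last_name": "User",
    "sex": "male",
    "relationship_status": "married",
    "political": "placeholder",
    "religion": "placeholder",
    "email_hashes": "placeholder-hash",
    "birthday_date": "01/01/1970",
    "current_location": "Huntsville, AL",
    "zip": "00000",
    "hometown_location": "Sample Town",
    "work_history": "Sample Employer",
    "status": "",  # empty: never counts as exposed
}

# "*" is the default audience for any field without its own setting.
OPEN_SETTINGS = {"*": Audience.EVERYONE}          # "shared everything to everyone"
CAREFUL_SETTINGS = {                                # field-level privacy in use
    "*": Audience.FRIENDS_ONLY,
    "first_name": Audience.EVERYONE,
    "last_name": Audience.EVERYONE,
    "birthday_date": Audience.NO_ONE,
}


def visible_fields(profile, settings, viewer):
    """Names of non-empty fields whose audience setting admits this viewer."""
    threshold = VIEWER_THRESHOLD[viewer]
    default = settings.get("*", Audience.FRIENDS_ONLY)
    return {
        name for name, value in profile.items()
        if value not in (None, "") and settings.get(name, default) >= threshold
    }


def exposure_report(profile, settings, viewer):
    """Fields the viewer sees plus every risky combination that is complete."""
    seen = visible_fields(profile, settings, viewer)
    flags = [label for label, needed in RISKY_COMBINATIONS.items() if needed <= seen]
    return {"viewer": viewer, "fields": sorted(seen), "flags": flags}


def best_single_fix(profile, settings, viewer):
    """The one field whose hiding (set to NO_ONE) clears the most flags."""
    base = len(exposure_report(profile, settings, viewer)["flags"])
    best, best_removed = None, 0
    for name in sorted(visible_fields(profile, settings, viewer)):
        trial = dict(settings, **{name: Audience.NO_ONE})
        removed = base - len(exposure_report(profile, trial, viewer)["flags"])
        if removed > best_removed:
            best, best_removed = name, removed
    return best, best_removed


if __name__ == "__main__":
    for label, settings in (("open", OPEN_SETTINGS), ("careful", CAREFUL_SETTINGS)):
        for viewer in VIEWER_THRESHOLD:
            report = exposure_report(SAMPLE_PROFILE, settings, viewer)
            print(label, viewer, len(report["fields"]), "fields;", report["flags"])
        print(label, "best single fix for an allowed app:",
              best_single_fix(SAMPLE_PROFILE, settings, "allowed_app"))
```

Running it shows the point of slide 43: with everything shared to everyone, even a stranger completes all three risky combinations, and hiding a single field (the birth date) clears two of them; with field-level privacy turned on, a stranger sees only the name, and an allowed app still sees eleven fields, which is why the “Allow” click deserves as much thought as a friend request.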

  44. Beware of the scams • Nigerian 419 • Widget warrior • Koobface • Phishing • Contrived community Source: “Scams on Social Networks” by JR Raphael, PC World

  45. Nigerian 419 Scam: Dates back decades and is now entering social networks. Example • Victim received alarming messages from a friend who was in the U.K., had been robbed, and needed $600 to fly back to Seattle • The messages came both in Facebook-based IMs and in e-mail • They included details such as family members' names • Two hours and $600 later, the victim realized what had happened Recommendation: Contact the friend outside of the social network, either by phone or by external e-mail

  46. Widget warrior Scam: Widgets are the third-party applications that you can add onto your account. Example • “Check out who has a Secret Crush on you” • Installed spyware onto the computer and sent messages to all of your friends Recommendation: Remember that if you “Allow” the app access, your information is theirs.

  47. Koobface Scam: Tries to dupe users into clicking on a link that's included in a message from a friend. Examples: "Paris Hilton Tosses Dwarf On The Street", "My friend catched you on hidden cam", "My home video :)" • Redirects to a third-party website where the user is prompted to download an update of the Adobe Flash player • Installs a DNS filter program that blocks access to well-known security websites and a proxy tool that enables the attackers to abuse the infected PC Recommendation: Updated antivirus should catch it. Be careful when clicking

  48. Phishing Scam: Tricks users into following links that open official-looking Facebook login prompts. Example • A pastor fell for it and someone gained access to his account • Started sending out messages persuading others to click Recommendation: Be careful using third-party apps. If prompts for a user id and password appear, don’t enter them

  49. Contrived community Scam: Facebook groups can be marketing scams. Example • Friend clicks on a group to join • Group sends out email to all friends in his profile • When you click the join link, you join Recommendation: Be careful when deciding what groups you join. Don't accept the request without doing research
