IEMS5710 Electronic Communication and Online Social Networks Security - PowerPoint PPT Presentation (71 slides)

IEMS5710 Electronic Communication and Online Social Networks Security. 26 March 2013. Prof. CHAN Yuen-Yan, Rosanna, Department of Information Engineering, The Chinese University of Hong Kong. Email Security and Privacy.

Presentation Transcript
IEMS5710 Electronic Communication and Online Social Networks Security

26 March 2013

Prof. CHAN Yuen-Yan, Rosanna

Department of Information Engineering

The Chinese University of Hong Kong

Email Security and Privacy
  • Email is one of the earliest forms of electronic communication.
  • Governments and organizations have adopted policies that make email the preferred and official means of communication, giving it the same standing as written (paper) communication in all respects.
  • Its security requirements (should) include:
    • Confidentiality: protection from disclosure
    • Authentication: of the sender and receiver(s) of a message
    • Message integrity: protection from modification
    • Non-repudiation of origin: protection against denial by the sender (and by receivers?)
  • SMTP (Simple Mail Transfer Protocol) has no security by default, so email message contents are not protected; they
    • may be inspected in transit, or
    • read by suitably privileged users on the destination system

IEMS5710 - Lecture 10

Early Solution – Pretty Good Privacy (PGP)
  • Developed by Phil Zimmermann in 1991
  • Used for email and file encryption
  • Has since developed into the OpenPGP standard (RFC 4880)

PGP Encryption and Decryption

(Figure: PGP encryption and decryption; image from Wikipedia)

PGP Message Format

(Figure: PGP message format)
  • ¥ denotes the corresponding plaintexts
  • R64 = Radix-64 conversion (encodes the binary message as printable ASCII characters so it survives text-only mail transport)
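The Radix-64 step of the message format is the one part of the PGP pipeline that needs no key material, so it can be shown end to end. The block below is an added example, not code from the lecture or from any OpenPGP implementation: it implements ASCII armor as RFC 4880 section 6 specifies it (base64 of the binary packet data, wrapped at 76 columns, followed by a 24-bit CRC so that damage in transit is detected before decryption is attempted) and a compress-then-armor stand-in for the send path. The signing and session-key encryption stages of the slide are omitted because they need a crypto library; the payload bytes are constructed samples.

```python
"""Radix-64 (ASCII armor) conversion as used by PGP/OpenPGP (RFC 4880, section 6).

Added example for the lecture's PGP message format slide; not the lecture's code.
"""
import base64
import binascii
import zlib

CRC24_INIT = 0xB704CE   # initial value and polynomial from RFC 4880 section 6.1
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (bitwise algorithm from RFC 4880 6.1)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, block_type: str = "PGP MESSAGE") -> str:
    """Wrap binary packet data in an armor block: base64 body at 76 columns plus '=' + CRC-24."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + 76] for i in range(0, len(body), 76)]
    crc_b64 = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {block_type}-----", ""] + lines
                     + [f"={crc_b64}", f"-----END {block_type}-----"])


def dearmor(text: str) -> bytes:
    """Recover the binary data from an armor block, rejecting a block whose CRC-24 fails."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("not an armor block")
    inner = lines[1:-1]
    if "" in inner:                        # skip armor headers (everything up to the blank line)
        inner = inner[inner.index("") + 1:]
    if not inner or not inner[-1].startswith("="):
        raise ValueError("missing CRC line")
    crc_line, data_lines = inner[-1], inner[:-1]
    try:
        data = base64.b64decode("".join(data_lines), validate=True)
        expected = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
    except binascii.Error as exc:
        raise ValueError("malformed Radix-64 data") from exc
    if crc24(data) != expected:
        raise ValueError("CRC-24 mismatch: armor block was damaged in transit")
    return data


def pgp_style_pack(plaintext: bytes) -> str:
    """Constructed stand-in for the PGP send path: compress, then Radix-64.
    The signing and session-key encryption stages are omitted here."""
    return armor(zlib.compress(plaintext))


def pgp_style_unpack(text: str) -> bytes:
    """Receive path for the stand-in above: de-armor (CRC checked), then decompress."""
    return zlib.decompress(dearmor(text))


if __name__ == "__main__":
    print(armor(b"hello world"))
```

The CRC-24 is a transmission check only; it is not a security control, since anyone who modifies the block can recompute it. Integrity in PGP comes from the signature inside the armored data.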

PGP Key Management
  • Rather than relying on certificate authorities, in PGP every user is their own CA
    • can sign keys for users they know directly
  • This forms a “web of trust”
    • trust the keys you have signed yourself
    • can trust keys others have signed if there is a chain of signatures to them
  • The key ring includes trust indicators
  • Users can also revoke their keys

PGP Trust Model Example

(Figure: PGP trust model example)
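The trust model slide works through how a key becomes valid from the signatures and trust indicators held in the key ring. The block below is an added example, not the lecture's code or any PGP implementation: it computes key validity from a constructed key ring by propagating along signature chains until a fixed point, using the classic PGP thresholds (one signature from a completely trusted introducer, or two from marginally trusted ones) as its assumed defaults; GnuPG's defaults differ and are exercised by changing the parameters.

```python
"""Key validity computation in the PGP web of trust.

Added example for the lecture's PGP key management slides; not the lecture's code.
A key is valid when it is the user's own key, or when enough *valid* keys whose
owners are trusted as introducers carry signatures on it. Signatures from keys
that are not themselves valid count for nothing, which is what turns individual
signatures into chains of trust. The thresholds and the key ring are assumptions.
"""
from dataclasses import dataclass, field

COMPLETE, MARGINAL, UNTRUSTED = "complete", "marginal", "untrusted"


@dataclass
class KeyEntry:
    owner: str
    owner_trust: str = UNTRUSTED                 # trust indicator: how far this owner may introduce others
    signed_by: set = field(default_factory=set)  # owners whose keys have signed this key
    revoked: bool = False


def compute_valid_keys(ring: dict, me: str, need_complete: int = 1, need_marginal: int = 2) -> set:
    """Return the owners whose keys `me` considers valid, given `me`'s key ring."""
    valid = {me} if me in ring and not ring[me].revoked else set()
    changed = True
    while changed:   # iterate to a fixed point so validity flows along signature chains
        changed = False
        for owner, entry in ring.items():
            if owner in valid or entry.revoked:
                continue
            complete = marginal = 0
            for signer in entry.signed_by:
                if signer not in ring or signer not in valid:
                    continue                      # unknown or not-yet-valid signer: ignore
                trust = ring[signer].owner_trust
                if signer == me or trust == COMPLETE:
                    complete += 1
                elif trust == MARGINAL:
                    marginal += 1
            if complete >= need_complete or marginal >= need_marginal:
                valid.add(owner)
                changed = True
    return valid


def sample_ring() -> dict:
    """Constructed key ring as seen from Alice's point of view."""
    return {
        "alice": KeyEntry("alice", COMPLETE),
        "bob": KeyEntry("bob", COMPLETE, signed_by={"alice"}),         # Alice signed Bob's key herself
        "carol": KeyEntry("carol", MARGINAL, signed_by={"bob"}),       # fully trusted Bob vouches for Carol
        "dave": KeyEntry("dave", MARGINAL, signed_by={"alice"}),
        "erin": KeyEntry("erin", UNTRUSTED, signed_by={"carol", "dave"}),  # two marginal introducers
        "frank": KeyEntry("frank", UNTRUSTED, signed_by={"carol"}),        # only one marginal introducer
        "grace": KeyEntry("grace", UNTRUSTED, signed_by={"erin"}),         # Erin's key is valid, but she is not trusted to introduce
        "heidi": KeyEntry("heidi", COMPLETE, signed_by={"alice"}, revoked=True),
    }


if __name__ == "__main__":
    print(sorted(compute_valid_keys(sample_ring(), "alice")))
```

Note the two separate notions the key ring tracks: whether a key is valid (the binding of user ID to key is believed) and how much its owner is trusted to sign other keys. Erin's key is valid but, being untrusted as an introducer, her signature does nothing for Grace.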

S/MIME (Secure/Multipurpose Internet Mail Extensions)
  • A security enhancement to MIME email
    • the original Internet RFC 822 email was text only
    • MIME added support for varying content types and multi-part messages, with encoding of binary data into textual form
    • S/MIME added security enhancements on top of MIME
  • S/MIME is supported in many mail agents
    • e.g. MS Outlook, Mozilla, Mac Mail etc.

S/MIME

(Figure: S/MIME overview)

S/MIME Functions
  • Enveloped data
    • encrypted content and the associated (encrypted) keys
  • Signed data
    • encoded message + signed digest
  • Clear-signed data
    • cleartext message + encoded signed digest
  • Signed & enveloped data
    • nesting of signed and encrypted entities

S/MIME Cryptographic Algorithms
  • Digital signatures: DSS & RSA
  • Hash functions: SHA-1 & MD5
  • Session key encryption: ElGamal & RSA
  • Message encryption: AES, Triple-DES, RC2 (40-bit) and others
  • MAC: HMAC with SHA-1
  • S/MIME has a process to decide which algorithms to use

S/MIME Certificate Processing
  • S/MIME uses X.509 v3 certificates
  • managed using a hybrid of a strict X.509 CA hierarchy and PGP’s web of trust
  • each client has a list of trusted CAs’ certificates
    • and its own public/private key pairs and certificates
  • certificates must be signed by a trusted CA

Internet Mail Architecture

(Figure: Internet mail architecture)

DomainKeys Identified Mail
  • DomainKeys Identified Mail (DKIM) lets an organization take responsibility for a message while it is in transit
  • a specification for cryptographically signing email messages
    • so the signing domain claims responsibility for the message
    • recipients / agents can verify the signature
  • Internet Standard RFC 4871

DKIM Strategy

(Figure: DKIM strategy)
  • transparent to the user
    • the MSA (mail submission agent) signs
    • the MDA (mail delivery agent) verifies

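
The "MSA signs, MDA verifies" strategy is easiest to see with the actual canonicalization and hashing steps written out. The block below is an added example, not the lecture's code or any mail server's: it implements the relaxed header and body canonicalization of RFC 6376, computes the bh= body hash, builds a DKIM-Signature header with the usual tags, and verifies it at the receiving end. Real DKIM signs with an RSA or Ed25519 key whose public half is published in DNS; to stay dependency-free this example substitutes an HMAC with a constructed key for the signing step (the a=hmac-sha256 tag marks that substitution and is not a real DKIM algorithm value). The message, domain and selector are constructed samples.

```python
"""DKIM-style signing (MSA side) and verification (MDA side) per the RFC 6376 structure.

Added example for the lecture's DKIM slides; not the lecture's or any project's code.
"""
import base64
import binascii
import hashlib
import hmac
import re

# Stand-in for the selector's key pair (assumption of this example): real DKIM keeps an
# RSA/Ed25519 private key at the MSA and publishes the public key in DNS at
# <selector>._domainkey.<domain>.  This HMAC key is a constructed sample.
DOMAIN_KEY = b"constructed-domain-key"
SIGNED_HEADERS = ["from", "to", "subject", "date"]   # the h= list


def relaxed_body(body: str) -> bytes:
    """Relaxed body canonicalization (RFC 6376 3.4.4): collapse WSP runs to one space,
    strip trailing WSP on each line, drop empty lines at the end, terminate with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def relaxed_header(name: str, value: str) -> str:
    """Relaxed header canonicalization (RFC 6376 3.4.2): lowercase name, unfold, collapse WSP."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def parse_message(raw: str):
    """Split a raw message into (ordered header list, body). Sufficient for the constructed
    messages here; a real agent would use the email package."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:            # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers, body


def _signed_data(headers, dkim_value: str) -> bytes:
    """Canonical signed headers followed by the DKIM-Signature header with an empty b= tag."""
    data = ""
    for name in SIGNED_HEADERS:
        for hname, hvalue in reversed(headers):            # RFC 6376: use the bottom-most instance
            if hname.lower() == name:
                data += relaxed_header(hname, hvalue)
                break
    data += relaxed_header("DKIM-Signature", dkim_value).rstrip("\r\n")
    return data.encode()


def _body_hash(body: str) -> str:
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def sign(raw: str, domain: str = "example.com", selector: str = "s1") -> str:
    """MSA side: return the DKIM-Signature header value for the message."""
    headers, body = parse_message(raw)
    value = (f"v=1; a=hmac-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
             f"h={':'.join(SIGNED_HEADERS)}; bh={_body_hash(body)}; b=")
    sig = hmac.new(DOMAIN_KEY, _signed_data(headers, value), hashlib.sha256).digest()
    return value + base64.b64encode(sig).decode()


def add_signature(raw: str) -> str:
    """Prepend the DKIM-Signature header, as the MSA does before relaying the message."""
    return "DKIM-Signature: " + sign(raw) + "\r\n" + raw


def verify(raw: str) -> bool:
    """MDA side: recompute the body hash, then check the signature over the headers."""
    headers, body = parse_message(raw)
    dkim = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if dkim is None:
        return False
    try:
        parts = [p.strip() for p in dkim.replace("\r\n", "").split(";") if p.strip()]
        tags = dict(p.split("=", 1) for p in parts)
        if tags.get("bh") != _body_hash(body):
            return False                                    # body altered in transit
        unsigned = "; ".join("b=" if p.startswith("b=") else p for p in parts)
        expected = hmac.new(DOMAIN_KEY, _signed_data(headers, unsigned), hashlib.sha256).digest()
        given = base64.b64decode(re.sub(r"\s", "", tags.get("b", "")))
    except (ValueError, binascii.Error):
        return False
    return hmac.compare_digest(expected, given)


# Constructed sample message. The doubled spaces and trailing blank lines are exactly what
# relaxed canonicalization discards, so harmless rewriting in transit does not break the signature.
SAMPLE = ("From: Alice <alice@example.com>\r\n"
          "To: Bob <bob@example.org>\r\n"
          "Subject: Lecture 10  notes\r\n"
          "Date: Tue, 26 Mar 2013 10:00:00 +0800\r\n"
          "\r\n"
          "Meeting at  noon.   \r\n"
          "\r\n\r\n")
```

Two points the code makes concrete: the body hash is checked before the signature, so a tampered body is rejected cheaply, and only the headers listed in h= are covered, so an attacker can still add headers the signer did not list.
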
Security and Privacy in Social Network
  • (Ahn, Shehab, & Squicciarini, 2010) IEEE Internet Computing: Special Issue on Security & Privacy in Social Networks
  • Most social networking sites offer the basic features of online interaction, communication, and interest sharing; individuals create online profiles that other users can view.
  • Special challenges to security & privacy
    • social networks involve user-centric concerns and allow multiple users to specify security policies on shared data
    • the increased risk to personal data processed by online social networking applications
    • the user population’s lack of awareness

Security and Privacy in Social Network
  • The privacy issue in social networking is coupled with the identifiability and linkability of the information available in this social setting
    • This also includes its possible recipients and its potential uses
  • Social network sites enable users to create a limited profile and select which other users map to it
    • Such primitive security mechanisms have only limited expressiveness for controlling user-to-user interactions
  • Possible recipients of such personally identifiable information still include
    • the hosting servers of the social networking sites
    • the network itself, and
    • third parties that might abuse or misuse such critical and sensitive information

Security Objectives on OSNs
  • (Cutillo et al., 2009)
  • OSN levels: three architectural layers of social networking services
    • Social network, application services, and communication and transport services

Security Objectives on OSNs
  • Three main security objectives are identified in the context of OSNs
    • Privacy
    • Integrity
    • Availability

Privacy
  • Privacy in OSNs encompasses the following
    • (user profile privacy) protection of the personal information that users publish on their profiles, presumably accessible by their contacts only
    • (communication privacy) none but directly addressed or explicitly trusted parties may be able to trace which parties are communicating
    • (message confidentiality) details of messages have to be hidden, so only the requesting and responding parties should know one another’s identity and the content of the request
    • (information disclosure) disclosure of information about a member to parties that are not explicitly trusted, without the consent of the member, has to be prevented

Privacy
  • In principle, privacy calls for the possibility to hide any information about any user, even to the extent of hiding their participation in the OSN in the first place
  • Moreover, privacy has to be met by default
    • all information on all users and their actions has to be hidden from any other party internal or external to the system, unless explicitly disclosed by the users themselves
  • Requiring explicit disclosure leads to the need for access control.
    • Access to information on a user may only be granted by the user directly
    • the access control has to be as fine-grained as the profile, and each attribute has to be separately manageable

Integrity
  • As part of integrity, the user’s identity and data must be protected against unauthorized modification and tampering
  • In addition to conventional modification detection and message authentication, integrity in the context of OSNs has to be extended:
    • e.g. parties in an OSN are not arbitrary devices, but real, unambiguously identifiable persons
    • However, the creation of personae (bogus accounts, cloned accounts, or other types of impersonation) in traditional social networks is easy to achieve
    • Therefore, authentication has to ensure the existence of real persons behind registered OSN members

Availability
  • Since some social network services are used as professional tools to aid their members’ business or careers, data published by users has to be continuously available
  • Availability of user profiles is consequently required as a basic feature, even when considering recreational use
  • In OSNs, this availability specifically has to include robustness against censorship, and against the seizure or hijacking of names and other keywords
  • Apart from availability of data access, availability has to be ensured along with message exchange among members

Security Model of OSNs
  • Social Network Services (SNS) can be divided into three different levels (Cutillo et al., 2009, p.5):
    • A social network (SN) level: the digital representation of members and their relationships; provides each member with a set of functions corresponding to social interactions in real life
    • An application services (AS) level: the application infrastructure, managed by the SNS provider
    • A communication and transport (CT) level: communication and transport services as provided by the network

Security Model of OSNs
  • Two kinds of attackers in OSNs: inside attackers and external attackers
  • An inside attacker primarily appears to be a legitimate participant in the system, and can be one of the following:
    • A malicious member on the SN level
    • A malicious service provider on the AS level
    • A party that has and misuses access to the infrastructure at the CT level (e.g. an eavesdropper with a local view, or a malicious ISP with possibly even a global view)
  • External attackers, or intruders, can perpetrate attacks at one or more of the SNS levels

Social Network Data (Schneier, 2010)
  • A taxonomy presented by Bruce Schneier (a well-known security researcher) at the OECD (Organisation for Economic Co-operation and Development)
  • Defines user data on social network sites from security & privacy perspectives
  • 6 types of data
    • Service data
    • Disclosed data
    • Entrusted data
    • Incidental data
    • Behavioral data
    • Derived data

Social Network Data (Schneier, 2010)
  • Service data is the data you give to a social networking site in order to use it.
    • Such data might include your legal name, your age, and your credit-card number.
  • Disclosed data is what you post on your own pages
    • e.g. blog entries, photographs, messages, comments, and so on.
  • Entrusted data is what you post on other people’s pages.
    • It’s basically the same stuff as disclosed data, but the difference is that you don’t have control over the data once you post it; another user does.

Social Network Data (Schneier, 2010)
  • Incidental data is what other people post about you: a paragraph about you that someone else writes, a picture of you that someone else takes and posts
    • Again, it’s basically the same stuff as disclosed data, but the difference is that you don’t have control over it, and you didn’t create it in the first place.
  • Behavioral data is data the site collects about your habits by recording what you do and who you do it with.
    • It might include games you play, topics you write about, news articles you access (and what that says about your political leanings), and so on.
  • Derived data is data about you that is derived from all the other data.
    • For example, if 80 percent of your friends self-identify as Christian, you’re likely Christian yourself.

Social Network Data (Schneier, 2010)
  • As a user, you may have the following perspectives about data privacy when you submit your data
    • Some of it you give to a social networking site in confidence, expecting the site to safeguard the data.
    • Some of it you publish openly and others use it to find you.
    • Some of it you share only within a small circle of other users.
  • However, at the receiving end, technically, the social networking sites can monetize all of it: generally by selling targeted advertising.
  • Different social networking sites give users different rights for each data type.
    • Some are always private, some can be made private, and some are always public.
    • Some can be edited or deleted (e.g. some sites allow entrusted data to be edited or deleted within a 24-hour period) and some cannot.
    • Some can be viewed and some cannot.

Social Network Data (Schneier, 2010)
  • Users’ rights over behavioral data are even more controversial
    • It’s frequently a critical part of a social networking site’s business model. Users should have different rights with respect to each data type.
    • We often don’t mind if a site uses it to target advertisements, but are less comfortable when it sells the data to third parties.
  • We should be allowed to export, change, and delete disclosed data
    • even if the social networking sites don’t want us to.
  • But it’s less clear what rights we have over incidental data
    • e.g. if someone posts pictures from a party with you in them, can you demand that he/she remove those pictures, or at least blur out your face?
  • It is still debatable what sorts of fundamental rights people have with respect to their data on social networks
    • more countries may contemplate regulation of social networking sites and user data
  • For security and privacy on social networks, it is important to keep this taxonomy in mind.
    • The sorts of things that would be suitable for one type of data might be completely unworkable and inappropriate for another.

Social Network Connect Service (reviewed by Ko et al., 2010)
  • Social-network connect services (SNCSs)
    • supported by major social-networking sites, such as Facebook Platform, Google Friend Connect, and MySpaceID
    • let third-party sites develop social applications and extend their services without having to host or build their own social network
  • This extension allows third-party sites to leverage the social-networking site’s features
    • e.g. third-party sites can use the authentication services provided by a social-networking site so that users need not create another username and password to access the third-party site

Social Network Connect Service Framework
  • For social-networking sites to be able to share users’ Social Web data with third-party sites, a secure and reliable SNCS framework is required

SNCS Framework: User Data
  • Under the SNCS framework, user data is composed of three types of information
    • Identity data describes who I am in the Social Web, including my identity, profile information, and privacy policy
    • Social-graph data represents who I know in the Social Web, including my friendship connections with descriptions such as family, co-worker, colleague, and so on
    • Content data represents what I have in the Social Web, including my messages, photos, videos, and all other data objects created through various Social Web activities

SNCS Framework
  • Four categories of APIs allow third-party sites to interface with the social-networking site
    • Identity authentication proves users’ identity; users can authenticate using their existing accounts from various identity providers, including the social-networking site
    • Authorization governs access to user data in the Social Web based on pre-defined authorization access rights; the authorization API lets third-party sites create new content and extract existing content from users’ Social Web data
    • Streams let third-party sites publish to users’ activity streams and vice versa
    • Applications let third-party sites develop rich social features in the form of applications and thereby extend the Social Web
  • The implementation of these APIs can vary widely with different protocols and technologies

Example: Facebook Platform
  • Facebook Platform lets third-party sites integrate with Facebook and send information both ways
    • to create more engaging and richer social experiences on the Web
  • Facebook Platform allows users to export their identity, profile, privacy policy, social graph, and content from Facebook to third-party sites
  • Authentication is by far the most used Facebook Platform component. This API enables third-party sites to use Facebook as an identity provider

Facebook Platform
  • Facebook Platform service

Facebook Platform
  • Example: Digg.com doesn’t require new members to register and create a profile. Instead, they can use their existing Facebook profile to authenticate

OAuth 2.0 and Facebook Platform Authentication
  • Facebook Platform uses OAuth 2.0 for authentication and authorization
    • OAuth is an open standard for authorization; OAuth 2.0 evolved from OAuth 1.0 (it is not backwards compatible) and its specification is being developed by the IETF
    • Unlike OAuth 1.0, OAuth 2.0 doesn’t support signatures, encryption, channel binding, or client verification. It relies completely on SSL for some degree of confidentiality and server authentication.
    • Facebook supports OAuth 2.0 and is the largest implementation of the emerging standard
  • First, a user of the third-party site authenticates using Facebook as an identity provider
  • Next, Facebook issues a user access token that lets the third-party site access the user’s basic profile information, including name, picture, gender, and Friend List
    • The third-party site can request extended permissions depending on the specific application requirements
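The two steps on the slide (the user authenticates at the identity provider, the provider issues the third-party site a user access token) are the OAuth 2.0 authorization-code flow. The block below is an added example, not the lecture's code and not Facebook's API: it drives that flow from the third-party site's side against an in-process simulated provider so it runs offline, and includes the two checks the slide's remark about relying on SSL makes necessary on the client side: binding the callback to the login attempt with a random state value, and refusing non-HTTPS endpoints, since without signatures the bearer code and token are only as safe as the transport. Endpoint URLs, client id, secret and scope name are constructed placeholders.

```python
"""OAuth 2.0 authorization-code flow from the third-party site's point of view.

Added example for the lecture's OAuth 2.0 / Facebook Platform slide; not the lecture's
code and not Facebook's API. The provider is simulated in-process (constructed).
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://idp.example.invalid/oauth/authorize"   # placeholder endpoints
TOKEN_URL = "https://idp.example.invalid/oauth/token"
CLIENT_ID = "third-party-site-123"                              # placeholder client registration
CLIENT_SECRET = "constructed-client-secret"
REDIRECT_URI = "https://third-party.example.invalid/callback"


def _require_https(url: str) -> None:
    """OAuth 2.0 has no message-level protection, so the transport must be TLS."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS endpoint: {url}")


def start_login(session: dict, scope: str = "basic_profile") -> str:
    """Step 1: send the user to the provider; remember a random `state` in the user's session."""
    _require_https(AUTHORIZE_URL)
    session["oauth_state"] = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": scope, "state": session["oauth_state"]}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


class SimulatedProvider:
    """In-process stand-in for the identity provider (constructed, not a real service)."""

    def __init__(self):
        self.codes = {}   # authorization code -> (client_id, redirect_uri, scope, user)

    def authorize(self, redirect_url: str, user: str) -> str:
        """The user logs in at the provider, which redirects back with a single-use code."""
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"], q["redirect_uri"], q["scope"], user)
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, code: str, client_id: str, client_secret: str, redirect_uri: str) -> dict:
        """Exchange the code for a user access token; the code is consumed on first use."""
        entry = self.codes.pop(code, None)
        if (entry is None or entry[0] != client_id or entry[1] != redirect_uri
                or not hmac.compare_digest(client_secret, CLIENT_SECRET)):
            return {"error": "invalid_grant"}
        return {"access_token": f"tok-{secrets.token_hex(8)}", "scope": entry[2], "user": entry[3]}


def finish_login(session: dict, callback_url: str, provider: SimulatedProvider) -> dict:
    """Step 2: the callback arrives; verify `state`, then swap the code for a token."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    expected = session.pop("oauth_state", None)      # one attempt per login start
    if expected is None or not hmac.compare_digest(q.get("state", ""), expected):
        return {"error": "state_mismatch"}           # callback not tied to this user's login attempt
    _require_https(TOKEN_URL)
    return provider.token(q.get("code", ""), CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)


if __name__ == "__main__":
    idp, session = SimulatedProvider(), {}
    callback = idp.authorize(start_login(session), "alice")
    print(finish_login(session, callback, idp))
```

The state check is what stops an attacker from completing a login on someone else's browser with a code tied to the attacker's account; the single-use code and the client secret check at the token endpoint are the provider's side of the same bargain.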

Challenges for SNCSs
  • The Social Web is growing exponentially due to SNCSs, but with this growth come several challenges, most pertaining to security and privacy
  • Challenges discussed by Ko et al. (2010) include
    • Identity mapping
    • User data portability
    • Common enhanced privacy policy framework
    • Cascaded authorization
    • Data integrity in social plug-ins
  • Also note that Eran Hammer resigned his role as lead author of the OAuth 2.0 project, withdrew from the IETF working group, and removed his name from the specification. Hammer pointed to a conflict between the web and enterprise cultures
    • hueniverse: OAuth 2.0 and the Road to Hell

Privacy Breach Attacks (Gao et al., 2011)
  • A study of the Facebook users in the Carnegie Mellon University network reveals:
    • 90.8% uploaded their images
    • 87.8% revealed their birth dates
    • 39.9% shared their phone numbers
    • 50.8% listed their current addresses
  • The abundance of readily available personal information makes privacy breach a unique angle of attack in social networks
  • Three primary parties interact with one another in an OSN:
    • the service provider, the users, and third-party applications

Breaches from Service Providers
  • OSNs’ current client–server architecture inherently dictates that users must trust service providers to protect all the personal information they’ve uploaded
  • However, service providers can obviously benefit from examining and sharing this information
    • e.g. for advertising purposes

Breaches from Service Providers
  • e.g. the Facebook “Statement of Rights and Responsibilities” requires that users “not provide any false personal information on Facebook”
    • and “keep [their] contact information accurate and up to date.”
  • Further, it states that users “grant [Facebook] a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP [Intellectual Property] content that [they] post on or in connection with Facebook”
  • Facebook “Statement of Rights and Responsibilities”
    • https://m.facebook.com/legal/terms/?_rdr

Examples of Secured Social Networks (Persona)
  • Persona allows users to apply fine-grained policies over who may view their data
    • puts policy decisions in the hands of the users
    • uses decentralized, persistent storage so that users may choose with whom they store their information
    • supports both public-key cryptography (to share information with any single entity in the network) and attribute-based encryption (ABE) (to share content with entire groups)

Examples of Secured Social Networks (Persona)
  • Attribute-based encryption (ABE):
    • For each friend, the user can generate an ABE secret key (ASK) corresponding to the set of attributes that defines the groups that friend should be part of
    • Each encryption must specify an access structure: a logical expression over attributes.
    • For instance, Alice can choose to encrypt a message with access structure (‘neighbor’ OR ‘football fan’), where ‘neighbor’ and ‘football fan’ are attributes; any of her friends who have an attribute secret key with either attribute will be able to decrypt the message
    • Alice can also encrypt to (‘neighbor’ AND ‘football fan’). In this case, the ABE construction ensures that only friends with both attributes will be able to decrypt the message
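The access structures on the slide are small boolean formulas over attributes, and which friends can decrypt follows entirely from evaluating that formula against the attribute set in each friend's secret key. The block below is an added example, not Persona's code: it parses access structures written in the slide's notation (quoted attributes, AND, OR, parentheses) and works out, for a constructed set of friends and ASK attribute sets, who could decrypt each message. It covers only the policy logic; the ABE construction that makes decryption succeed exactly when the policy is satisfied is not reproduced.

```python
"""Evaluating Persona-style ABE access structures against friends' attribute sets.

Added example for the lecture's Persona/ABE slide; not Persona's code. Friends and
their attribute secret keys (ASKs) are constructed samples.
"""
import re

_TOKEN = re.compile(r"\s*(\(|\)|AND|OR|'[^']*')\s*")


def tokenize(policy: str) -> list:
    tokens, pos = [], 0
    while pos < len(policy):
        m = _TOKEN.match(policy, pos)
        if not m:
            raise ValueError(f"bad access structure near: {policy[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def parse(policy: str):
    """Recursive-descent parser. OR binds loosest, AND tighter, parentheses group.
    Returns a tree such as ('or', ('attr', 'neighbor'), ('attr', 'football fan'))."""
    tokens = tokenize(policy)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of access structure")
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():
        node = parse_and()
        while peek() == "OR":
            take()
            node = ("or", node, parse_and())
        return node

    def parse_and():
        node = parse_atom()
        while peek() == "AND":
            take()
            node = ("and", node, parse_atom())
        return node

    def parse_atom():
        tok = take()
        if tok == "(":
            node = parse_or()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok.startswith("'"):
            return ("attr", tok[1:-1])
        raise ValueError(f"unexpected token {tok!r}")

    tree = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens after access structure")
    return tree


def satisfies(tree, attributes: set) -> bool:
    """True when a key holding `attributes` satisfies the access structure."""
    kind = tree[0]
    if kind == "attr":
        return tree[1] in attributes
    if kind == "and":
        return satisfies(tree[1], attributes) and satisfies(tree[2], attributes)
    return satisfies(tree[1], attributes) or satisfies(tree[2], attributes)


def who_can_decrypt(policy: str, friends: dict) -> set:
    """Names of friends whose ASK attribute set satisfies the message's access structure."""
    tree = parse(policy)
    return {name for name, attrs in friends.items() if satisfies(tree, attrs)}


ALICE_FRIENDS = {   # constructed: the attribute set Alice embedded in each friend's ASK
    "bob": {"neighbor"},
    "carol": {"football fan"},
    "dave": {"neighbor", "football fan"},
    "erin": {"coworker"},
}

if __name__ == "__main__":
    for policy in ("('neighbor' OR 'football fan')", "('neighbor' AND 'football fan')"):
        print(policy, "->", sorted(who_can_decrypt(policy, ALICE_FRIENDS)))
```

Because the policy is fixed at encryption time and the attributes at key-issue time, changing who may read a message means re-encrypting it, and removing an attribute from a friend means reissuing that friend's ASK; the policy evaluator makes both consequences easy to reason about before committing to the cryptography.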

Examples of Secured Social Networks (Lockr)
  • http://research.microsoft.com/en-us/projects/lockr/
  • Lockr separates social network content from social network functionalities.
  • It lets users decide where to store their information without interrupting the social network functionalities
  • In Lockr, the recipient of digitally signed social relationships can present these signed social relationships to the social network service providers as proof in order to fetch social data
    • this also ensures that the social network service providers can’t reuse the signed social relationships for unintended purposes
  • Lockr enables message encryption using a social relationship key.

Examples of Secured Social Networks
  • (Anderson et al., 2009)
  • Researchers have also proposed an OSN architecture consisting of smart clients and an untrusted central server
  • The server stores encrypted data so that it’s available only to those who have been granted access to it

Breaches from Other Users
  • Major OSNs by default let a user’s friends access the personal information the user has uploaded to his or her profile, while blocking others from doing so
  • However, the notion of “friends” here is merely a social link that the two users have agreed to establish, regardless of the actual offline relationship
  • This discrepancy provides a potential channel for stealing personal information by befriending users in OSNs

Breaches from Other Users
  • Same-site profile cloning
    • An attacker duplicates a user’s profile in the same social network and uses the duplicate to send out friend requests to the user’s friends
    • Believing the request has come from a familiar person, the unalerted friends may accept it and thereby expose their personal information to the attacker
  • Cross-site profile cloning
    • The attacker identifies a user from social network A (SN A), along with this user’s friend list
    • The attacker then duplicates the profile to SN B, where the user hasn’t yet registered, and sends out friend requests on SN B to the target’s friends who have also registered on SN B
    • Cross-site profile cloning is potentially more dangerous than same-site cloning because it’s less likely to arouse suspicion

Breaches from Third-Party Applications
  • Many applications reside on the social network platform but were developed by third parties, and are essentially untrusted
    • e.g. Facebook applications and Google’s OpenSocial

Breaches from Third-Party Applications
  • Users must grant an application access to their personal data before they can install it
    • such access is necessary for some applications to perform their functionality (e.g. a horoscope application must know the user’s birthday)
    • Unfortunately, neither the service provider nor the users know exactly which pieces of information are truly necessary for the applications
  • The current approach is to legally bind the third parties using a Terms of Service (TOS) agreement.
    • However, there is no mechanism to monitor how the applications manipulate the personal information collected
    • This leaves the door open for the applications to misuse that information

Viral Marketing
  • Social networks are formed by real people, so they are targets for viral marketing
  • Social networks encompass friends, family, and acquaintances, which makes users tend to trust messages they receive in the networks
  • Information extracted from user profiles also helps spammers exploit social-engineering tricks to enhance viral marketing’s effectiveness

Spam on Online Social Networks
  • Context-aware spamming
    • The spammer achieves a high click-through rate by taking advantage of the shared context among friends on social networks
    • Moreover, OSNs provide search functionality to help locate users with certain properties (location, school, workplace, and so on)
    • this functionality enhances the spammer’s ability to discover a well-defined target set
  • Broadcast spamming
    • doesn’t have specific targets, but rather abuses public interaction mechanisms to disseminate information

Phishing on OSNs
  • A phishing attack targets OSN users’ confidential information (OSN account credentials, email address, online banking details, etc.)
  • Such an attack is usually combined with spamming to complete the viral-marketing process
  • Phishing attacks in OSNs are similar to those traditionally executed through email, but they have higher success rates
  • Experiments show that, aided with information obtained from OSNs, phishing is 4 times more effective than traditional “blind” attempts.

Sybil Attack
  • Originally, Sybil attacks occurred in peer-to-peer (P2P) systems
  • In a Sybil attack, an individual entity masquerades as multiple simultaneous identities so as to fool the reputation scoring mechanism
  • Such attacks are also possible in OSNs
  • e.g., by controlling many identities, the adversary can promote the popularity and reputation of an account in e-commerce settings by voting the target account as “good.”

Sybil Attack: Defenses
  • Defense mechanisms against Sybil attacks
  • Trusted certification
    • Only verified users can enter the network
  • Resource testing
    • Investigates computing ability, storage ability, network structure, network bandwidth, and the number of IP addresses associated with the nodes representing actual users
  • Recurring costs
    • Sybil attacks can’t be launched until a significant number of Sybil nodes have been created
    • Using recurring validation mechanisms (e.g. CAPTCHA) for account creation can significantly increase the cost of creating many Sybil nodes
  • Cracking CAPTCHAs
    • http://www.wausita.com/captcha

Malware Attacks
  • In addition to file sharing and email, attackers are also exploiting OSNs to spread malicious software
  • Attackers can spread worms and establish botnets (zombie networks) more easily because of the rich and frequent interactions in the OSN
  • Malware can propagate over social networks via profiles, interactions, and third-party applications.
  • The Koobface worm is one of the most notorious worms in OSNs, and is the first malware to have had a successful and continuous run propagating through social networks

Malware Attacks: Koobface
  • Koobface attackers post messages on the friends’ walls that contain links to the Koobface loader component
  • e.g. to a video at “YuoTube.com”, which then asks you to update the Flash player

Malware Attacks: Likejacking on Facebook
  • A kind of clickjacking attack
    • Clickjacking is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on (Wikipedia)
  • Likejacking tricks users of a website into posting a Facebook status update for a site they did not intentionally mean to “like”

Malware Attacks: Likejacking on Facebook
  • Affected profiles can be identified by seeing that the Facebook user has apparently “liked” a link
    • “This man takes a picture of himself EVERYDAY for 8 YEARS!!”
  • Clicking on the link takes Facebook users to what appears to be a blank page with just the message “Click here to continue”

Malware Attacks: Likejacking on Facebook
  • However, clicking at any point on the page publishes the same message (via an invisible iFrame) to their own Facebook page
    • The iFrame essentially places an invisible button over the entire web page, so that wherever the user clicks, they end up hitting the button; in this case a hidden Facebook “like” button
  • Sample code (shown on the slide)
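Likejacking works only because the "like" page can be loaded inside an invisible frame on the attacker's site, so the defence belongs to the framed site: it must tell browsers who may embed it. The block below is an added example, not the lecture's code and not Facebook's: it adds the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive to a response, and audits a set of captured response headers to report which pages a third-party origin could still frame. The URLs and header sets are constructed samples, and source matching is simplified to exact origin comparison (real CSP matching also handles host wildcards and scheme-less hosts).

```python
"""Framing protection against clickjacking, and hence likejacking.

Added example for the lecture's likejacking slides; not the lecture's or Facebook's code.
Response headers and URLs are constructed samples.
"""
from urllib.parse import urlparse


def add_framing_protection(headers: dict, allowed_origins=()) -> dict:
    """Return a copy of the response headers with anti-framing headers added. With no
    allowed origins the page may not be framed at all; otherwise only the listed
    sources (e.g. 'self' or a partner origin) may embed it."""
    hardened = dict(headers)
    if allowed_origins:
        hardened["X-Frame-Options"] = "SAMEORIGIN"   # legacy header: same-origin framing only
        hardened["Content-Security-Policy"] = "frame-ancestors " + " ".join(allowed_origins)
    else:
        hardened["X-Frame-Options"] = "DENY"
        hardened["Content-Security-Policy"] = "frame-ancestors 'none'"
    return hardened


def frameable_by(headers: dict, page_origin: str, embedding_origin: str) -> bool:
    """Could a page served with `headers` from `page_origin` be shown inside a frame on
    `embedding_origin`? CSP frame-ancestors takes precedence where present; otherwise
    X-Frame-Options decides; with neither, any site may frame the page."""
    lower = {k.lower(): v for k, v in headers.items()}
    embedder = embedding_origin.lower()
    for directive in lower.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if "none" in sources:
                return False
            return ("*" in sources or embedder in sources
                    or ("self" in sources and embedder == page_origin.lower()))
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "":
        return True                                   # no protection at all
    if xfo == "SAMEORIGIN":
        return embedder == page_origin.lower()
    return False                                      # DENY, obsolete ALLOW-FROM, or unrecognized


def audit(pages: list, third_party_origin: str = "https://evil.example.invalid") -> list:
    """Return the URLs among `pages` (list of (url, headers)) that `third_party_origin` could frame."""
    exposed = []
    for url, headers in pages:
        p = urlparse(url)
        if frameable_by(headers, f"{p.scheme}://{p.netloc}", third_party_origin):
            exposed.append(url)
    return exposed


SAMPLE_PAGES = [   # constructed captured responses from a fictional social site
    ("https://social.example.invalid/like?id=1", {"Content-Type": "text/html"}),
    ("https://social.example.invalid/settings", {"X-Frame-Options": "DENY"}),
    ("https://social.example.invalid/widget",
     {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example.invalid"}),
]

if __name__ == "__main__":
    print("frameable by a third party:", audit(SAMPLE_PAGES))
    print("after hardening:", audit([(u, add_framing_protection(h)) for u, h in SAMPLE_PAGES]))
```

Send both headers: frame-ancestors is the current mechanism and supports an allow-list, while X-Frame-Options covers older browsers that ignore CSP. Pages that perform a state-changing action on a click, such as a "like" endpoint, are the ones to check first.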

slide62
XSS
  • Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users (Wikipedia)
  • A lot of malicious actions can be performed, including stealing cookies from the client's browser, which can then be used to impersonate the victim user and gain access to their data and privileges
  • Depending on the nature of the reflection point, XSS can be classified as Non-Persistent and Persistent
  • Social network sites and online forums can be persistent reflection points for XSS (thus persistent XSS is possible)

Reference: http://www.ntobjectives.com/files/PersistentCrossSiteScripting.pdf

Non-persistent XSS
  • Below is a very typical search scenario: suppose the word "foobar" has been entered (which has no matching result) and the following was returned
  • The corresponding HTML code is

Non-persistent XSS
  • By replacing foobar with the following JavaScript (highlighted in blue), an attacker can collect cookies from the client browser and send them to foobar.com
  • But what is displayed in the client's browser is the same as before
  • The client's web browser will be instructed to redirect itself to the hacker's website and pass along the customer's cookies for the search site
  • This is possible because the action is done within a valid session of the search site

Persistent XSS
  • Consider a similar attack on an online forum, e.g. a forum where users can enter book review comments
  • The hacker enters a review comment which contains the malicious script

Persistent XSS
  • Any user visiting the forum will see the following reviews
  • But the user's browser has actually processed HTML that includes the malicious code hidden in the source
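The reflected search page and the stored forum reviews above are the same defect seen from two sides: user-supplied text is written into HTML without escaping. As an added example (not code from the lecture), the block below renders both pages twice, once raw and once with output escaping, and adds a check that a test suite can run over rendered output. The function names, the probe string and the sample reviews are constructed for this example.

```javascript
// Added example, not code from the lecture: the non-persistent search page and
// the persistent review list, each written vulnerable and hardened, plus an
// output check. Function names and inputs are this example's own.

// Escape the five characters that let text break out of element content or a
// quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Reflected (non-persistent) XSS: the search term comes straight from the
// request and is echoed back. VULNERABLE: the query string becomes markup.
function renderSearchPageUnsafe(query) {
  return `<p>No results found for "${query}"</p>`;
}

// Hardened: the same page, with the input escaped where it is written into HTML.
function renderSearchPage(query) {
  return `<p>No results found for "${escapeHtml(query)}"</p>`;
}

// Stored (persistent) XSS: reviews were saved earlier and are replayed to every
// visitor. VULNERABLE: one poisoned review runs in every visitor's browser.
function renderReviewsUnsafe(reviews) {
  return '<ul>' + reviews.map(r => `<li><b>${r.author}</b>: ${r.text}</li>`).join('') + '</ul>';
}

// Hardened: every stored field is escaped on output. Escaping only on input is
// fragile, because the same data may later be rendered in a different context.
function renderReviews(reviews) {
  return '<ul>' + reviews
    .map(r => `<li><b>${escapeHtml(r.author)}</b>: ${escapeHtml(r.text)}</li>`)
    .join('') + '</ul>';
}

// Cheap output check: a literal <script ...> tag in a rendered page built from
// untrusted data means something reached the page unescaped.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed inputs. The probe is the usual inert test string; the lecture's
// real payload forwarded the session cookie to the attacker's site instead.
const PROBE = '<script>alert(1)</script>';
const SAMPLE_REVIEWS = [
  { author: 'alice', text: 'Great book, well worth the price.' },
  { author: 'mallory', text: `Nice read ${PROBE}` },
];

// Usage: the vulnerable paths carry the probe through; the hardened ones do not.
console.log(renderSearchPageUnsafe(PROBE));
console.log(renderSearchPage(PROBE));
console.log(containsScriptTag(renderReviewsUnsafe(SAMPLE_REVIEWS)), containsScriptTag(renderReviews(SAMPLE_REVIEWS)));
```

Output escaping removes the injection; marking the session cookie HttpOnly separately limits what an injected script could read if one did get through, which is the cookie theft the slides describe.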

Malware Attacks: XSS on Facebook
  • It is possible to inject JavaScript through specially crafted Facebook application pages
  • The malicious script will then be executed in the context of Facebook.com, allowing it to perform requests under the user's session
    • In an XSS attack discovered recently, when a user follows such a link, the malicious script shows a fake update procedure for the Adobe Flash Player as a distraction
    • The script then starts issuing hidden AJAX requests to get the user's profile page from Facebook
  • Because the user is logged in and has a valid session, the script can perform a variety of actions, such as submitting a post, searching for any of the user's friends' UIDs and sending them a direct message with a link to an infected application site

Reference: http://www.symantec.com/connect/blogs/persistent-xss-vulnerability-facebook

Malware Attacks: CSRF
  • Cross-site request forgery (CSRF) is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts
  • Unlike XSS, which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser (Wikipedia)
  • The attack works by including a link or script in a page that accesses a site to which the user is supposed to have been authenticated
  • E.g. the following image link is posted by Fred on an online forum; Bob later browses the forum

<img src="http://bank.example.com/withdraw?account=bob&amount=1000000&for=Fred">

Malware Attacks: CSRF
  • Why image tag?
    • CSRF attacks using image tags are often made from Internet forums, where users are allowed to post images but not JavaScript
  • If Bob is also logged in to bank.example.com at the same time, then the attempt by Bob's browser to load the image will actually submit the withdrawal form with his cookie, thus authorizing a transaction without Bob's approval
  • The cross-site request forgery misuses Bob's authority at Fred's direction
  • CSRF vulnerabilities have also been reported on Facebook

Conclusion
  • Electronic communications and social networks are essential to Internet users
  • But there are security and privacy issues of various kinds
  • We have to take precautions and be aware of our own security and privacy
  • Solutions WITHOUT careful implementation of cryptographic primitives (e.g. encryption, digital signatures, one-way hash functions, key exchange, cryptography-based authentication such as challenge-and-response, and zero-knowledge proofs) are still subject to various insider / service provider threats

References
  • Farrell, S. (2009). Why Don't We Encrypt Our Email? IEEE Internet Computing, 13(1), 82-85.
  • Ahn, G.-J., Shehab, M., & Squicciarini, A. (2011). Security and Privacy in Social Networks. IEEE Internet Computing, 15(3), 10-12.
  • Schneier, B. (2010). A Taxonomy of Social Networks Data. IEEE Security & Privacy, 8(4), 88.
  • Gao, H., Hu, J., Huang, T., Wang, J., & Chen, Y. (2011). Security Issues in Online Social Networks. IEEE Internet Computing, 15(4), 56-63.
  • Baden, R. et al. (2009). Persona: An Online Social Network with User-Defined Privacy. Proc. ACM SIGCOMM Conf. Data Comm. (SIGCOMM 09), 135-146.
  • Barth, A., Jackson, C., & Mitchell, J. C. (2008). Robust Defenses for Cross-Site Request Forgery. Paper presented at ACM CCS.
  • Anderson, J. et al. (2009). Privacy-Enabling Social Networking over Untrusted Networks. Proc. 2nd ACM Workshop on Online Social Networks (WOSN 09), ACM Press, 1-6.
  • Jump, K. (2005). A New Kind of Fame. Columbia Missourian, 1 Sept. 2005 (updated 21 July 2008); http://www.columbiamissourian.com/stories/2005/09/01/a-new-kind-of-fame/
  • Cutillo, L. A. et al. (2009). Safebook: A Privacy-Preserving Online Social Network Leveraging on Real-Life Trust. IEEE Communications Magazine, 47(12), 94-101.
  • Ko, M. N. et al. (2010). Social-Network Connect Services. IEEE Computer, 43(8), 37-43.
  • Stallings, W. Cryptography and Network Security: Principles and Practices, 5/e, Pearson
    • Chapter 18
