Era of Online Social Networks
Social networking websites such as Facebook, Twitter, Google+,
LinkedIn, Qzone and MySpace have grown rapidly within the past few years
and now have billions of users [1]. Most social network users publicly share a
large amount of their private information in their social network space
without careful consideration.
[Figure: Percentage of CMU profiles revealing various types of personal information]
Once an attacker has this information, he is free to engage in
phishing, identity hijacking, spamming, malware distribution and many other forms
of social attack. Moreover, social network users tend to have a high level
of trust toward other social network users: they accept friend requests
easily and trust items that friends send to them. To make matters worse,
information often travels through several hops of "friends," and
by the idea of six degrees of separation it seems unreasonable to assume we are
far from the bad guys. Because of social networks' large population and
information base, and their simple accessibility, social networking websites have
become new targets that attract cyber criminals. Users also rarely bother to configure
the privacy settings provided by social network vendors.
Social Phishing
In a phishing attack, attackers provide a fake website (e.g. a bank's)
that looks authentic to lure victims into providing their sensitive information,
such as passwords, financial information or identification numbers, to the
website. Typically, attackers leverage the information available on social
networks to create highly specific and personalized messages. These messages
are then either sent through the network directly or used in network
applications to target their victims.
Possible remedies:
1) Browser plug-ins
- [2] presents a plug-in that identifies many of the known tricks that phishers use to make a page resemble that of a legitimate site.
- Earthlink's Scamblocker [3] toolbar maintains a blacklist and alerts users when they visit known phishing sites; however, this requires an accurate and dynamic blacklist.
- Trustbar [4] by Herzberg and Gbara is a plug-in for Firefox that reserves real estate on the browser to authenticate both the site visited and the certificate authority.
- Dhamija and Tygar [5] propose a method that enables a web server to authenticate itself in a way that is easy for users to verify and hard for attackers to spoof.
2) Services like PhishTank [6] and BlueCoat [7] provide network- and
application-level blacklisting.
3) Use of strong password management systems as described in [8].
Identity Theft
Identity theft is the act of stealing someone's identity or
sensitive information and then pretending to be that person, or using that
identity in a malicious way. Existing Profile Cloning and Cross-Site Profile
Cloning are two common ways of account hijacking. The attack described in [9] provides ample evidence of identity theft.
Solutions like VeriSign's Personal Identity Portal (PIP) [10] and
OpenID [11] can be adopted.
- PIP can be configured to perform two-factor authentication, and OpenID
provides a central location for high-grade security logon
credentials. A malicious user would be forced to obtain not only the
password but also the key fob (often a cell phone). A commercial entity
like VeriSign can provide quick and deterministic actions in the
event of an account theft.
- OpenID would be a great way for users to cut off unauthorized access to all affected accounts.
Spam
In social networks, spam
comes in the form of wall posts, news feed items and messages. These contain ads and
hyperlinks that may lead to phishing or malware sites and may spread to friends'
wall posts. Social networks also support e-mail spam, since attackers can now
retrieve large numbers of valid e-mail addresses thanks to social networking.
Attackers can also create context-aware e-mail spam by using information from
user profiles. For example, if attackers know that A is B's friend, then an
attacker can send a fraudulent e-mail saying that A posted something on B's wall, and
provide a fake link for B to follow to see that post. Another case is that if
attackers also know B's birthday, then they can send a fake online birthday
card to B, claiming that the card was sent by A.
According to [12], 8% of 25
million URLs posted to Twitter point to phishing, malware and scams, while out
of 200 million tweets from the stream, over three million tweets were
identified as spam. Of the spam links that generate any traffic, 50% of the URLs
receive fewer than 10 clicks, while the top 10% of URLs account for
85% of the 1.6 million clicks.
Possible solutions:
- To automatically identify spam, blacklists can be used to flag
known spam URLs and domains. [12] used three blacklists: Google
Safe Browsing, URIBL and Joewein.
- [13] and [14] show the use of machine learning techniques to detect OSN spam.
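The blacklist check described above, as an added example that is not code from [12] or from any of the listed blacklist services: posted URLs are normalized (default scheme, lower-cased host, query and fragment dropped) and matched against a domain list, including parent domains so subdomains of a listed domain are caught, and against an exact-URL list. The blacklist entries and sample URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed blacklists for this example (placeholder names, not real
# indicators): a domain list in the style of URIBL/Joewein, and an
# exact-URL list in the style of Google Safe Browsing.
DOMAIN_BLACKLIST = {"bad-example.test", "scam-example.test"}
URL_BLACKLIST = {"http://host.example/free-gift"}

# Constructed sample of URLs as they might appear in posted messages.
SAMPLE_URLS = [
    "http://www.bad-example.test/login",
    "HTTP://Host.Example/free-gift?ref=1#top",
    "https://safe.example/post/1",
    "login.scam-example.test",
]


def normalize_url(raw):
    """Return (scheme://host/path, host) with a default scheme, lower-cased
    host, and query/fragment dropped so exact-URL entries match reliably."""
    if "://" not in raw:
        raw = "http://" + raw
    p = urlsplit(raw)
    host = (p.hostname or "").rstrip(".")
    return f"{p.scheme.lower()}://{host}{p.path or '/'}", host


def host_is_listed(host):
    """True if the host or any parent domain is on the domain blacklist,
    so that subdomains of a listed domain are caught as well."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in DOMAIN_BLACKLIST
               for i in range(len(labels)))


def classify_urls(urls):
    """Map each flagged URL (exactly as posted) to the reason it was flagged."""
    hits = {}
    for raw in urls:
        url, host = normalize_url(raw)
        if url in URL_BLACKLIST:
            hits[raw] = "url blacklisted"
        elif host_is_listed(host):
            hits[raw] = "domain blacklisted"
    return hits


if __name__ == "__main__":
    for raw, reason in classify_urls(SAMPLE_URLS).items():
        print(f"{reason}: {raw}")
```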
HTTP Session Hijacking
HTTP session hijacking on
social networking sites is a man-in-the-middle attack that can be used to
obtain context information from victims, as well as the victim's friends'
information, which is later used to generate context-aware spam.
First, attackers try
to sniff communication between the victim (A) and the social networking site, especially
where no data encryption is used. Different network attacks can be used in this
case, for example ARP cache poisoning or DNS poisoning. Attackers then capture the
HTTP headers that contain session cookies, since many websites use cookie-based
authentication. After that, attackers can copy the HTTP session and use it
to access the victim's profile and personal information. Furthermore, attackers
can use the victim's profile to retrieve the victim's friends' (B, C, D)
information, such as e-mail addresses, and then use this information to generate
context-aware spam.
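Since the attack above only works when the session cookie travels in the clear and the browser is willing to resend it over plain HTTP, a site can audit its own Set-Cookie headers for that exposure. The checker below is an added example, not code from the original page; the header lines are constructed, and the name hints used to spot authentication cookies are a heuristic chosen here.

```python
# Constructed sample Set-Cookie headers, in the shape a social-network site
# might send them; not captured from any real site.
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/",
    "Set-Cookie: csrftoken=tok; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: auth=xyz; Path=/; Secure",
    "Set-Cookie: lang=en; Path=/",
]

# Substrings that mark a cookie as authentication-related (heuristic).
SESSION_NAME_HINTS = ("sess", "auth", "token", "sid", "login")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (cookie name, {attribute: value});
    attribute names are lower-cased, flags without a value map to ''."""
    body = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in body.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(header, scheme):
    """Return (name, findings): each finding is a way a passive sniffer or
    injected script could obtain or replay this session cookie."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
        return name, findings  # not an authentication cookie
    if scheme != "https":
        findings.append("set over plain HTTP: visible to anyone sniffing the link")
    if "secure" not in attrs:
        findings.append("missing Secure: browser will also send it over HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected script")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("missing SameSite=Lax/Strict")
    return name, findings


def audit_response(headers, scheme):
    """Map each weak session cookie to its findings; an empty dict means clean."""
    results = (audit_cookie(h, scheme) for h in headers)
    return {name: findings for name, findings in results if findings}
```

Run with the response's scheme (`"http"` or `"https"`); any cookie that appears in the result can be replayed by the sniffing attacker the section describes.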
Malware
Malicious links can redirect victims to malicious websites, which
then send malicious code to the victim's computer to steal information or to use
the victim's computer to attack others. The details can be found in [15].
Possible solutions:
- MyPageKeeper [16], which has over 15K subscribed users, continually scans the wall and news feed of every subscribed user to detect malicious posts and socware.
- [17] reviews some anti-virus products for detecting and removing scams on Facebook.
Cryptographic Approach
Different approaches have been proposed for protecting users' privacy in OSNs; they can be
compared based on the following criteria:
1) Protection against breach of
confidentiality by any third parties, i.e. OSN providers and non-friends are not
able to access the user's data.
2) Relational confidentiality, i.e. nobody
except the user is able to know the specifications of the user's
online social relationships defined in her OSN
environment.
3) Fine-grained access control, i.e. the
user is able to define access permissions over her friends.
5) Flexible access control, i.e. the user
is able to define new access policies using combinations of friends and
relations.
6) Dynamic access control, i.e. the user
is able to add a friend to a relation or remove/revoke a friend from a
relation.
In [18], a modified BE
approach has been proposed which consists of three main steps:
1) The privacy settings customization
step, which allows OSN users to have full control over their privacy settings and
customize them freely. This ability does not rely on trusting the OSN
providers.
2) The data sharing step, which facilitates
the sharing of private data between OSN users and their friends. In this step,
the user sets up the cryptographic key and shares encrypted data with the intended
friends.
3) The data accessing step, which is used by the
user's authorized friends to access the user's private shared data.
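The three steps, and the fine-grained and dynamic access-control criteria, can be illustrated with a simplified key-wrapping scheme: each shared item gets a fresh content key, which is wrapped for every friend in the chosen relations using a secret the owner already shares with that friend, so the OSN provider only ever stores ciphertext. This is an added example, not the scheme from [18]; the `Owner`/`access` API and the SHA-256 counter-mode "cipher" are constructions for this illustration only, and a real deployment would use an authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os

def _keystream(key, nonce, length):
    """Toy keystream (SHA-256 in counter mode), illustration only; a real
    deployment would use an authenticated cipher such as AES-GCM."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key, data):
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered data")  # fail closed
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Owner:
    """The user's side: step 1 (relations as policy) and step 2 (sharing)."""
    def __init__(self):
        self.friend_keys = {}  # friend -> secret already shared with that friend
        self.relations = {}    # relation name -> set of friends (the policy)

    def add_friend(self, name, relation):
        self.friend_keys.setdefault(name, os.urandom(32))
        self.relations.setdefault(relation, set()).add(name)

    def revoke(self, name, relation):
        self.relations[relation].discard(name)  # later shares exclude the friend

    def share(self, data, relations):
        """Fresh content key per item, wrapped for every friend in the chosen
        relations; the OSN provider only ever stores this opaque package."""
        members = set().union(*(self.relations.get(r, set()) for r in relations))
        content_key = os.urandom(32)
        wraps = {f: seal(self.friend_keys[f], content_key) for f in members}
        return {"ct": seal(content_key, data), "wraps": wraps}

def access(friend, friend_key, package):
    """Step 3: an authorized friend unwraps the content key, then the data."""
    if friend not in package["wraps"]:
        raise PermissionError(f"{friend} is not authorized for this item")
    return unseal(unseal(friend_key, package["wraps"][friend]), package["ct"])
```

Revocation here only affects items shared afterwards; items already wrapped for a friend stay readable by that friend, which is the usual re-keying caveat for any such scheme.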
Security in Cloud Computing
In a public cloud, all applications and data accessed are
susceptible to malicious attacks, demanding the secure processing and storage of
data via access control, authentication and encryption mechanisms. A private
cloud, on the other hand, is more secure due to its limited internal
exposure.
The various security technologies currently deployed by cloud providers include:
- Platforms like Tonido [19] provide private data sharing features.
- [20] provides an architectural design for a secure cloud computing environment.
References:
2) N. Chou, R. Ledesma, Y. Teraguchi, D. Boneh, and J. Mitchell. Client-side defense against web-based identity theft. Proc. NDSS, 2004.
4) A. Herzberg and A. Gbara. Trustbar: Protecting (even naive) web users from spoofing and phishing attacks. 2004. http://eprint.iacr.org/2004/155.pdf.
5) R. Dhamija and J. D. Tygar. The battle against phishing: Dynamic security skins. Symp. on Usable Privacy and Security, 2005.
9) MarketingVOX. Watershed Ruling in MySpace Suicide Case May Criminalize Fake 'Net Personas'. November 2008. Retrieved from http://www.marketingvox.com/watershed-ruling-in-myspace-suicidecase-may-criminalize-fake-net-personas-042175/
12) C. Grier, K. Thomas, V. Paxson, and M. Zhang. @spam: The underground on 140 characters or less. Proc. ACM Conference on Computer and Communications Security, October 2010.
16) M. S. Rahman, T.-K. Huang, H. V. Madhyastha, and M. Faloutsos. Efficient and scalable socware detection in online social networks. Proc. USENIX Security, 2012.