Can we be friends?

Uploaded by minorbigarm (category: Security), 30 Nov 2013

A Social Networking Experiment

By Ben McGee, CISSP

Agenda

Social Networking Basics
Profile
Experiments: User Vulnerability, Data Mining
Scams & Investigations
Recommendations

whoami

Specialties
  Systems Engineering: SAIC contractor for the Army; digital certificates, PKI, encryption, biometrics, smart cards, and identity management
  Software Engineering: .NET, Web Services, XML/XSLT, LDAP, VB 6.0, VBScript, ASP, HTML, SQL, DTS, shell scripting, and some Java
Experience
  Government, healthcare, financial, and auditing
Employers
  SAIC for NASA at the Marshall Space Flight Center, Raymond James Financial, CDXperts, BenefitOne of America, Geonex and TEKSystems

Who is this guy?

Vice President of the NAISSA
Teach Information Security & Assurance courses at the University of Alabama in Huntsville for the Continuing Education Division:
  CISSP Boot Camp
  Information Assurance Associate Certificate
  Information Assurance Professional Certificate
  Security+
  MOSS 2007 Administration and Development
University of Florida
Certified Information Systems Security Professional (CISSP) designation

What is Social Networking?

Focuses on building online communities
  Share your own interests and/or activities
  Explore the interests and activities of others
Encourages new ways to communicate and share information
A great way to reconnect

Don't you TRUST me?

Social networking sites (SNS) are built on TRUST.
Create relationships with:
  Family and friends
  Former classmates
  Groups of similar interest
  Co-workers

Social Networking Sites

I stopped counting at 200
Facebook is the most widely used worldwide
Facebook, MySpace, Twitter and LinkedIn are the most widely used in North America
Are you a follower?

And the winner is?

Facebook

10 Largest Countries by Facebook users

 1. United States    94,748,820
 2. United Kingdom   22,261,080
 3. Turkey           14,215,880
 4. France           13,396,760
 5. Canada           13,228,380
 6. Italy            12,581,060
 7. Indonesia        11,759,980
 8. Spain             7,313,160
 9. Australia         7,176,640
10. Philippines       6,991,040

Source: www.Checkfacebook.com


What is Facebook?

Users create a profile, typically tied to an email address

What is your Facebook "Profile"?

Your profile is who you are on Facebook

Who am I on Facebook?

Benjamin McGee
Married
Three kids
Male
Joined Facebook for networking
My political affiliation
My religion
ben.c.mcgee@gmail.com
My cell phone number
My home phone number
My home address (street, city, state, zip)
My birthday
Where I live
Where I work
Where I shop
Favorite TV shows

Your profile is what you let people know about you on Facebook

Using Facebook

Request "friends" & accept "friend" requests
Update your "wall" & comment on others' status ("I like this")
Create and/or join groups that share common interests
Upload photos or videos
Play games
Chat with people and hold discussions in forums



Who is using it?

Everyone who is anyone:
  Employers
  Government
  Business
  Dating services
  Universities
  Medical
  Media

Big Business Right Now

Facebook has 300,000,000 users
Users constantly check it
Advertisers pay per hit
Targeted advertising
Monster listed 351 jobs for Facebook developers right now

Privacy Info

Share your profile with Everyone, Friends of Friends, Friends Only, or No one

"Facebook may also collect information about you from other sources, such as newspapers, blogs, instant messaging services, and other users of the Facebook service through the operation of the service (e.g., photo tags) in order to provide you with more useful information and a more personalized experience."

"By using Facebook, you are consenting to have your personal data transferred to and processed in the United States."

The Good

Websites are beginning to tap into the power of the social networking model
Highly successful for connecting small organizations with few resources
Users benefit by interacting with people who share their interests
Reference: Wikipedia

The Bad.....and the Ugly

Cyberstalking
Identity theft and/or impersonation
Phishing
Viruses spread through Facebook applications
A bunch of scams

Experiment #1 - User Vulnerability

Created an experimental user
Filled out the profile with a high school
Received two friend requests within the first 24 hours
Sent out about 50 friend requests
60% of people accepted the friend request
Now has over 30 friends after a 3 week period

Experiment #1 - Conclusions

If you don't recognize the person, don't accept the friend request
  Send them an email or a message via Facebook and ask "Do I know you?"
Even friends who you do know could potentially be a threat (messages that appear to come from a friend are exactly what the scams later in this talk rely on)
  If you haven't talked to someone in 15 years, are they really a "friend"?
  Do you really want to see what a "friend" is up to every day? And vice versa?
Use caution in accepting "friends" and consider removing unknown or unwanted friends

Experiment #2 - Data Mining

Using the Facebook Platform
  Facebook Markup Language (FBML) is used to customize the "look and feel" of applications that developers create
  Using the Platform, Facebook launched several new applications and extended the API to developers:
    Gifts - allows users to send virtual gifts to each other
    Marketplace - allows users to post free classified ads
    Events - gives users a method of informing their friends about upcoming events
    Video - lets users share homemade videos with one another
  Anyone playing Mafia Wars or Farmville lately?

Experiment #2 - Data Mining

Facebook API
  Very rich API (reference: developer.facebook.com)
  Easy to create a Facebook app
    App setup is done through a web GUI (screenshots in the original slides)
    You need web space to host it
    Pick a programming language and include the Facebook libraries (I used C#)
    Took me about three hours to figure out

Experiment #2 - Data Mining

Hidden Agenda
  Because of the nature of Facebook, users may feel a sense of security and not realize that the information they release could be used against them.
  The danger in being able to access this data so easily is that it can fall into criminal hands.

Allow Access??

Experiment #2 - Data Mining

Created a Facebook application to collect data
Asked friends to take a simple survey:
  Who should win the Heisman?
  What is the best ISSA chapter in the U.S.?

Experiment #2 - Facebook API

Users.getInfo
  Returns a wide array of user-specific information for each user identifier passed, limited by the view of the current user
Friends.getLists
  Returns the names and identifiers of any friend lists that the user has created
Status.get
  Returns the user's current and most recent statuses

Experiment #2 - Users.getInfo Decomposition

uid
first_name
last_name
name
username
activities
affiliations (college, high school, work, region)
birthday
birthday_date
books
current_location (city, state, country, zip)
education_history (degree)
email_hashes
hometown_location
interests
Looking For
movies
music
wall_count
work_history (company_name)
pictures
political
quotes
relationship_status
religion
sex
significant_other_id
status
timezone

Experiment #2 - Results

Collected data over the experimental period
Once users clicked the "Allow" button, I could see their user data even if they were not my friends (Users.getInfo is limited to the view of the current user, and after "Allow" the app runs as the user who installed it, so it sees whatever that user can see about himself)
About half of the profiles had enhanced privacy settings turned on, such as field-level privacy settings
About a quarter of the profiles were filled out with most of the information and exposed enough fields for data mining or targeted advertising
A handful filled out all profile information and shared everything with everyone
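The talk's survey app was written in C# against the old Facebook REST API and is not reproduced here. What follows is an added example (not the author's code) of the analysis step that turns Users.getInfo results into the buckets reported above: it assumes each record is a dict keyed by the field names listed in the decomposition slide, with None or an empty value wherever the user's field-level privacy setting hid the field from the app, and it groups those fields into identity, PII and profiling tiers (the grouping and the thresholds are this example's own assumptions). The four profiles are constructed for illustration and are not data from the experiment.

```python
"""Exposure analysis over Users.getInfo-style profile records.

Added example; not the survey application from the talk. Assumes each
record is a dict keyed by Users.getInfo field names, with None or an
empty container where field-level privacy hid the value from the app.
"""
from collections import Counter

# Field tiers (this example's own grouping of the fields the talk lists).
IDENTITY_FIELDS = {"first_name", "last_name", "name", "username", "sex"}
PII_FIELDS = {
    "birthday", "birthday_date", "current_location", "hometown_location",
    "email_hashes", "work_history", "education_history", "significant_other_id",
}
PROFILING_FIELDS = {
    "activities", "affiliations", "books", "interests", "movies", "music",
    "political", "religion", "relationship_status", "quotes", "status", "timezone",
}
ALL_FIELDS = IDENTITY_FIELDS | PII_FIELDS | PROFILING_FIELDS


def exposed(record, field):
    """True when the app actually received a value for this field."""
    value = record.get(field)
    if value is None:
        return False
    if isinstance(value, (str, bytes, list, tuple, set, dict)):
        return len(value) > 0          # "" / [] / {} mean hidden or unset
    return True                        # numbers such as timezone or an id


def exposed_fields(record):
    return {f for f in ALL_FIELDS if exposed(record, f)}


def pii_leak(record):
    """Sorted list of PII fields the app could read for this user."""
    return sorted(exposed_fields(record) & PII_FIELDS)


def classify(record):
    """Bucket a profile the way the experiment results were reported.

    Thresholds are assumptions: three PII fields, or half of the profiling
    fields, is treated as enough for data mining or targeted advertising.
    """
    fields = exposed_fields(record)
    pii = len(fields & PII_FIELDS)
    profiling = len(fields & PROFILING_FIELDS)
    if pii == len(PII_FIELDS) and profiling == len(PROFILING_FIELDS):
        return "shares_everything"
    if pii >= 3 or profiling >= len(PROFILING_FIELDS) // 2:
        return "mineable"
    if pii == 0 and profiling < 3:
        return "enhanced_privacy"
    return "basic"


def summarize(records):
    """Fraction of profiles in each bucket (0.0 for empty buckets)."""
    if not records:
        return {}
    counts = Counter(classify(r) for r in records)
    return {b: counts[b] / len(records)
            for b in ("enhanced_privacy", "basic", "mineable", "shares_everything")}


# Constructed sample records (not experiment data).
SAMPLE_RECORDS = [
    # Field-level privacy hides everything but the name.
    {"uid": 1001, "first_name": "Alice", "last_name": "Example", "name": "Alice Example",
     "sex": "female", "birthday": None, "birthday_date": None, "current_location": {},
     "hometown_location": {}, "work_history": [], "interests": "", "political": None,
     "religion": None, "status": {}},
    # Typical profile: location and employer filled in.
    {"uid": 1002, "first_name": "Bob", "last_name": "Example", "name": "Bob Example",
     "sex": "male", "birthday_date": "07/04",
     "current_location": {"city": "Huntsville", "state": "AL", "country": "US", "zip": ""},
     "work_history": [{"company_name": "Example Corp"}],
     "interests": "college football", "music": "jazz", "movies": "", "political": None},
    # Every field filled in and shared with everyone.
    {"uid": 1003, "first_name": "Carol", "last_name": "Example", "name": "Carol Example",
     "username": "carol.example", "sex": "female",
     "birthday": "July 4, 1980", "birthday_date": "07/04/1980",
     "current_location": {"city": "Huntsville", "state": "AL", "country": "US", "zip": "35801"},
     "hometown_location": {"city": "Gainesville", "state": "FL", "country": "US"},
     "email_hashes": ["1234567890_0123456789abcdef"],
     "work_history": [{"company_name": "Example Corp"}],
     "education_history": [{"name": "University of Florida", "degree": "BS"}],
     "significant_other_id": 1004, "activities": "running",
     "affiliations": [{"type": "work", "name": "Example Corp"}], "books": "1984",
     "interests": "security", "movies": "Sneakers", "music": "jazz",
     "political": "Independent", "religion": "Methodist", "relationship_status": "Married",
     "quotes": "Trust, but verify", "status": {"message": "at the lake"}, "timezone": -6},
    # Hobbies only, no PII.
    {"uid": 1004, "first_name": "Dan", "last_name": "Example", "name": "Dan Example",
     "interests": "chess", "movies": "WarGames", "music": "blues", "books": "Cryptonomicon"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["name"], classify(rec), pii_leak(rec))
    print(summarize(SAMPLE_RECORDS))
```

Note that friendship with the app owner is not an input anywhere: once the user clicks "Allow" the call runs as that user, which is exactly why the experiment could read profiles of people who were not the author's friends.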


Beware of the scams

Nigerian 419
Widget warrior
Koobface
Phishing
Contrived community

Source: "Scams on Social Networks" by JR Raphael, PC World


Nigerian 419

Scam: Dates back decades and is now entering social networks.
Example:
  The victim received alarming messages from a friend
  The friend was supposedly in the U.K., had been robbed, and needed $600 to fly back to Seattle
  The messages came both in Facebook-based IMs and in e-mail
  They included convincing details such as family members' names
  Two hours and $600 later, the victim realized what had happened
Recommendation: Contact the friend outside of the social network, either by phone or by external e-mail

Widget warrior

Scam: Widgets are the third-party applications that you can add onto your account.
Example:
  "Check out who has a Secret Crush on you"
  Installed spyware onto the computer and sent messages to all of your friends
Recommendation: Remember that if you "Allow" the app access, your information is theirs.

Koobface

Scam: Tries to dupe users into clicking on a link that's included in a message from a friend.
Examples:
  "Paris Hilton Tosses Dwarf On The Street"
  "My friend catched you on hidden cam"
  "My home video :)"
The link redirects to a third-party website, where the user is prompted to download an update of the Adobe Flash player
The "update" installs a DNS filter program that blocks access to well-known security websites and a proxy tool that enables the attackers to abuse the infected PC
Recommendation: Updated antivirus should catch it. Be careful when clicking: a "Flash update" offered by a third-party site you reached through a friend's video link is the tell.

Phishing

Scam: Trick users into following links that open official-looking Facebook login prompts
Example:
  A pastor fell for it and someone gained access to his account
  The attacker then started sending out messages persuading others to click
Recommendation:
  Be careful using third-party apps
  If prompts for a user ID and password appear, don't enter them
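The "official-looking login prompt" works because users check what the page looks like rather than where it is. As an added example (not from the talk), the check below looks only at the URL of the prompt. It assumes, for the sake of the example, that facebook.com and its subdomains are the only legitimate login hosts, and it handles the tricks that defeat a naive substring match: extra labels after the real name, a fake host placed before an @, look-alike characters, bare IP addresses and plain http. The sample links are constructed.

```python
"""Decide whether a login prompt's URL actually belongs to the site it imitates.

Added example; not from the talk. LEGIT_DOMAINS is an assumption made
for this example.
"""
import ipaddress
from urllib.parse import urlsplit

LEGIT_DOMAINS = ("facebook.com",)   # assumption: only these hosts may ask for a password


def login_url_verdict(url):
    """Return (ok, reason). ok is True only for an https URL whose host is a
    legitimate domain or a subdomain of one."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "unparseable url"
    if parts.scheme.lower() != "https":
        return False, "not https"
    host = parts.hostname            # lowercased; userinfo and port stripped
    if not host:
        return False, "no host"
    # "https://www.facebook.com@evil.example/" puts the real name in the
    # userinfo part; the browser connects to evil.example.
    if parts.username is not None or "@" in parts.netloc:
        return False, "userinfo trick (text before @)"
    try:
        ipaddress.ip_address(host)
        return False, "bare ip address"
    except ValueError:
        pass
    if not host.isascii():
        return False, "non-ascii host (possible homograph)"
    for domain in LEGIT_DOMAINS:
        # Exact match or a real subdomain; "facebook.com.evil.example" fails
        # because the legitimate name must be the suffix.
        if host == domain or host.endswith("." + domain):
            return True, "host is " + domain + " or a subdomain"
    return False, "host %r is not a legitimate login domain" % host


# Constructed sample links of the kinds seen in phishing messages.
SAMPLE_LINKS = [
    "https://www.facebook.com/login.php",
    "http://www.facebook.com/login.php",
    "https://www.facebook.com.evil.example/login.php",
    "https://www.facebook.com@evil.example/login",
    "https://faceb00k.com/login",
    "https://evilfacebook.com/login",
    "https://192.0.2.5/facebook/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, reason = login_url_verdict(link)
        print("OK  " if ok else "BAD ", link, "-", reason)
```

Only the first sample link passes. The userinfo and suffix cases are the ones worth remembering: both contain the literal string "facebook.com", so a check that merely searches for it would accept them.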

Contrived community

Scam: Facebook groups can be marketing scams
Example:
  A friend clicks on a group to join
  The group sends out an invitation to all the friends in his profile
  When you click the join link, you join too
Recommendation:
  Be careful when deciding what groups you join
  Don't accept the request without doing research

Investigations

Fugitive caught after updating his status on Facebook
  Maxi Sopo - fugitive
  Charged with bank fraud in Seattle
  Made the error of adding a former Justice Department official to his list of friends
  He told his Facebook friends, including that former Justice Department official, that he was living in paradise in Mexico
  They got him
Source: www.guardian.co.uk

Recommendation: Block it at the office

Err on the side of caution
In November 2007, Dark Reading reported that half of companies block social networking sites.
Some people post at work about work (think of DILBERT).
Barracuda Networks' poll gauged the top two reasons businesses had for enforcing employee Web surfing restrictions overall:
  virus or spyware prevention (70 percent) and
  employee productivity drain (52 percent).
Companies cite bandwidth concerns (36 percent) and liability issues (28 percent) as further justification for restricting employee Internet access.

Recommendations for how you protect yourself

Learn and use the privacy settings offered by Facebook
Limit the amount of personal information you post
Remember that the internet is a public resource
Be wary of strangers
Be skeptical
Use strong passwords
Check privacy policies
Use and maintain anti-virus software

Source: www.us-cert.gov, National Cyber Alert System, Cyber Security Tip ST06-003, "Staying Safe on Social Network Sites"


Recommendations for keeping kids safe online

Be friends on Facebook
Keep your computer in an open area
Set rules and warn about dangers
Monitor computer activity
Keep lines of communication open
Consider implementing parental controls

Source: National Cyber Alert System, Cyber Security Tip ST05-002, "Keeping Children Safe Online"


Summary

Social Networking Basics
Profile
Experiments
Scams & Investigations
Recommendations

Questions?