Security in social media


SECURITY IN SOCIAL MEDIA
Juha Siivikko
7.11.2013
WHAT IS A) SOCIAL MEDIA AND B) SECURITY
• Social media is the online content published by people who use easily accessible and very scalable publishing platforms [1]
• E.g. Twitter, Facebook, LinkedIn, MySpace, YouTube, wikis
• Social media sub-categories include networking, blogging etc.
• Security is of course the barrier between the asset and the threat, but it is also a feeling
TOP 5 SOCIAL MEDIA SECURITY RISKS FOR ENTERPRISES [2] 1/2
• Mobile apps
  • Employees download apps to their company-issued mobile devices
  • Mobile apps have huge security risks, and some apps are just plain malicious software that reveals and sends the user’s private information to a third party, destroys personal data, impersonates the device owner etc.
• Social engineering
  • Nowadays people are more willing than ever to share personal information about themselves online [2]
  • Social media platforms encourage a dangerous level of assumed trust
TOP 5 SOCIAL MEDIA SECURITY RISKS FOR ENTERPRISES 2/2
• The sites themselves
  • Malicious code injections, e.g. shortened URL injections
  • For example Twitter is really vulnerable because of the retweet function: the malicious code can be forwarded to hundreds of thousands of people in a short time
• Employees
  • Employees have lapses in judgement, they make mistakes and they behave emotionally
• Lack of social media policy
  • Without a social media policy employees don’t know the goals and parameters of social media, which brings on chaos and problems
THE RISKS IN SOCIAL MEDIA FOR ANY USER
• The amount of risks is vast, and the risks concern not only major enterprises but everyone using social media
• The attacks can, for example, cause
  • Mild annoyance
  • Loss of personal data
  • Loss of money
  • Loss of a job
  • And of course that’s not all
SOCIAL ENGINEERING
• Rather than using technical hacking, social engineering is gaining access to buildings, systems, data, etc. by manipulating or exploiting human psychology [3]
  • For example, instead of using a software vulnerability, one might call an employee posing as an IT support person trying to get the employee’s password
  • Another popular tactic is to hack into someone’s Facebook account and send a message through the hacked account asking for money, claiming to be stuck in a foreign city
  • Once a social engineer has access to a person’s account, it is easy to gain information that can be used to make a credible scam attempt
• The most effective countermeasure for social engineering is awareness
PHISHING
• Phishing is like social engineering: it’s about getting personal information by means of fake emails, login sites etc.
• An example of a phishing email: http://www.banksafeonline.org.uk/node/112
• Countermeasures:
  • Awareness: knowledge about phishing is vital; you can spot phishing attempts from bad grammar, questions about your password etc.
  • Of course sometimes the phishing attempt is carefully crafted, so you must also remember to [5]:
    • Not click links in your email, but use the real sites, log in and continue from there
    • If you feel like you are on a phishing site, try to log in with invalid credentials; if it directs you to a logon failed page, you might be on a legitimate website
CROSS-SITE SCRIPTING
• Cross-site scripting, or XSS, is a security vulnerability in web applications
• It enables an attacker to inject a script into a web page
• Here is an example that I made: http://users.jyu.fi/~jusasiiv/TIES326/xssexample/
  • The example, especially the login form, has a combination of features from phishing, XSS, social engineering and code injection
RISKS IN WEB 2.0 [7] 1/2
• Authentication controls are spread amongst many users
  • In Web 2.0 content is trusted to many users, which means there will be less experienced users creating security issues, but also more holes for hackers, e.g. brute force, more accounts which may have simpler passwords etc.
• Cross-Site Request Forgery or CSRF
  • An innocent-looking site that has malicious code which makes requests to a different site; because of the heavy use of AJAX, Web 2.0 applications are potentially more vulnerable
• Phishing in Web 2.0
  • Because of the multitude of dissimilar client software, it is harder to distinguish between genuine and fake web sites
RISKS IN WEB 2.0 2/2
• Information leakage
  • Web 2.0 has brought the work-from-anywhere mentality, which blurs the line between work and private life, and because of that people may inadvertently share sensitive information
• Injection flaws
  • Web 2.0 has brought new kinds of injection attacks to daylight, e.g. XML injection, XPath injection, JS injection and JSON injection, and because of the heavy client-side code use it brings risks to the end users
• Insufficient anti-automation
  • Web 2.0 lets hackers automate attacks more easily; attacks like brute force, CSRF, large-scale data retrieval and automated opening of accounts can be used more effectively
WEB 2.0 COUNTERMEASURES
• While Web 2.0 presents different types of challenges, those are not necessarily worse than the risks in legacy applications
• In dealing with the risks in Web 2.0 it again comes down to having a good understanding of the risks
  • E.g. in the previous example, the HTML XSS blocking with htmlspecialchars()
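The htmlspecialchars() countermeasure named above is output encoding: every character that can change HTML structure is replaced by its entity before the untrusted value is written into the page. The following JavaScript block is an added example, not the author's demo site or PHP code; it reimplements the same escape table (the one htmlspecialchars() uses with ENT_QUOTES) and shows the vulnerable rendering of a comment beside the hardened one. The template strings, function names and the sample comment are constructed for the demonstration.

```javascript
// Added example (not from the slides or the author's demo site): output encoding that
// mirrors PHP's htmlspecialchars() with ENT_QUOTES, beside the vulnerable rendering.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;',
};

// Escape every character that can change HTML structure. Do this at output time,
// in the context (HTML text or quoted attribute) the value is placed into.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the user-supplied comment is concatenated raw into the page,
// so markup inside the comment becomes part of the document.
function renderCommentVulnerable(comment) {
  return '<p class="comment">' + comment + '</p>';
}

// Hardened: the same template, with the value escaped first.
function renderCommentSafe(comment) {
  return '<p class="comment">' + escapeHtml(comment) + '</p>';
}

// Attribute context: escaping alone is not enough, the attribute must also be quoted,
// otherwise a space in the value would end the attribute.
function renderSearchBoxSafe(query) {
  return '<input type="text" name="q" value="' + escapeHtml(query) + '">';
}

// Constructed input of the kind the XSS slide describes: script markup in a comment field.
const SAMPLE_COMMENT = 'Nice post <script>alert(1)</script>';

function xssDemo() {
  const vulnerable = renderCommentVulnerable(SAMPLE_COMMENT);
  const safe = renderCommentSafe(SAMPLE_COMMENT);
  return {
    vulnerable,
    safe,
    scriptSurvives: vulnerable.includes('<script>'),   // true: the browser would run it
    scriptNeutralised: !safe.includes('<script>'),      // true: rendered as visible text
  };
}

console.log(xssDemo());
```

The escape table only covers HTML text and quoted attribute values; a value placed inside a script block, a URL or a CSS property needs the encoding for that context, which is why understanding where the data ends up matters more than any single function.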
REFERENCES
[1] http://socialmediasecurity.com/
[2] http://www.networkworld.com/news/2011/053111-social-media-security.html?page=1
[3] http://www.csoonline.com/article/514063/social-engineering-the-basics#1
[4] https://sites.google.com/a/pccare.vn/it/security-pages/social-engineering-attacks-andcountermeasures
[5] http://web.archive.org/web/20080320035409/http://www.hexview.com/sdp/node/24
[6] http://www.acunetix.com/websitesecurity/cross-site-scripting/
[7] http://readwrite.com/2009/02/16/top-8-web-20-securitythreats#awesm=~omBK194D1667qg