
Saturday, November 24, 2007

Online Social Networks: Tubing, Phishing Targets - What next?

Online Social Networks (OSNs) have been immensely popular in recent years. They have ridden high on the basic nature of human beings: to socialize. For example, as of June 2007, MySpace had 114 million visitors [1].

With the proliferation of social networks on the internet and the need to get as many users as possible in the shortest period of time, security has taken a back seat. The result: phishing, identity theft, cyber stalking and attacks such as Tubing. This is what happens when security is not taken into consideration during the conception/design phase.

Just as the Windows world faces constant threats from viruses, Trojans, etc., any popular idea that does not try to be secure by design will attract harmful glances from the cyber trash.

It is highly encouraging to see a position paper from ENISA on ensuring security in Online Social Networks.

Some of the notable points from the paper [1] are:
- Discourage banning of OSNs from schools.
- Cyber stalking is increasing due to OSNs.
- OSNs are encouraging users to divulge as much private information as possible (which in turn can be mined and misused for marketing/financial gains). This has been validated by a survey in the UK [3]:

Out of the 10.8 million in the UK signed up for social sites, one in four have posted confidential or personal information, according to "Get Safe Online."

This issue has manifested further in developing economies such as India [4] [5], where people's lives have started revolving around their daily interactions with Online Social Networks such as Orkut.

Ragini got on last year and already boasts of over 3,200 'friends' — a blend of a few real buddies, many passing acquaintances, strangers, and even people she hates in the real world.

Having the largest number of friends has become crucial for Ragini. On days that she gets less than 10 new be-my-friend requests or no messages (scraps) on her page, she gets depressed, claim her parents.

Competition for friends can be so fierce that some have even resorted to faking friend lists. Sixteen-year-old Mohit Kapoor, for example, has put up 20 benami (fake) profiles and keeps scrapping himself daily. "This not only pads the number of scraps I receive, but I can also brag about things indirectly," grins Mohit.

The BBC [6] has an article on why an Internet watchdog is warning young people to be careful with OSNs.

The ICO also said young people could be putting themselves at risk of identity fraud because of the material they post on social networks such as Facebook and MySpace.

Many enterprises have jumped into Web 2.0 without giving any special thought to security. An article in InformationWeek [2] sheds light on this scary aspect.

The problem is that malicious hackers are increasingly focusing their attention on using Web 2.0 technologies as entries into unsecured companies. Hackers and spammers, for instance, can create their own pages on social networking sites and riddle them with malicious code to infect their social networking peers. One worm planted in a MySpace page infected more than 1 million users. And malware writers are beginning to target vulnerabilities in Ajax-based applications, which help make the Web 2.0 sites so dynamic.

Privacy Concerns
Many social networking sites like Facebook want your date of birth during registration. This piece of information is mandatory for you to use their service. I am unsure as to why this sensitive and risky information is needed rather than a check box that asks whether you are older than 18 years. Additionally, what is the guarantee that the company will keep this information safe from prying employees and potential sale to marketing companies? A good indicator of this is that employees of social networking companies are able to peek at your usage history on their sites, for example, what profiles you have been viewing lately [7].

[1] ENISA Position Paper No.1 Security Issues and Recommendations for Online Social Networks

[2] Study: Companies Dive Into Web 2.0 Without Securing Risks

[3] UK Survey Finds Social Networking Sites Raise Security Risks

[4] Social networking can be real pain

[5] Adults also prone to faking having online friends

[6] Young warned over social websites

[7] Facebook employees know what profiles you look at

Be safe when you use and/or adopt Web 2.0 Applications.

Scott Wright is a 20-year veteran in the computer world and is currently a Security Management Consultant in Ottawa. He has pointed me to a poll that he has created. Please check it out and vote anonymously.

Does your organization allow you to access social networking sites (eg. Facebook) from its network?

Additionally, you should be aware that the more personally identifiable information is available on these social networking sites, the more spam you are going to receive, as per a new report: Spam gets dirty in 2008



Admin said...

This is an interesting article. It is unsettling to see more evidence that companies are ignoring the security risks around Social Networking sites. I have a poll on my site at: asking people to indicate (anonymously) how their organizations are dealing with the issue.

Abhishek Asthana said...

Very valid point made here... I think whether it is Orkut or Facebook, they have left out the very basic essence of networking: "Credibility". We should be sure that we are interacting with people we can feel safe with. We should not allow anyone who wants to use the OSN for foul purposes. It's very subjective what's foul and fair!! But yes, it's high time we looked for alternatives where we can PREVENT people from taking advantage of the anonymity of the online system and playing with others, because it can harm anyone to a great extent.