Vote for Inherent Dangers of Real-Time Social Networking panel at #SXSW

SXSW2010_logo_squareWe were happy to see that one of the panels up for selection at the South by Southwest (SXSW) Interactive Festival next year (March 12-16, 2010) is a panel about the security of social networks called “Inherent Dangers of Real-Time Social Networking”.  The way panel selections work st SXSW is that they are up for open voting which ends on September 4th.  Basically the voting works like this (from the SXSW site):

“SXSW is a community-driven event. So, knowing what kinds of topics you want to hear at the event next March is extremely important to us. Your voting accounts for about 30% of the decision-making process for any given programming slot.

Also important is the input of the SXSW Advisory Board, which is a group of industry professionals from across the US and around the world. The final part of the panel decision-making equation is the input of the SXSW staff.”

So yes, you have a big part in the selection process!  This panel includes the following participants:

Jennifer Leggio (@mediaphyter), ZDNet
John Adams (@netik), Twitter operations and security incident response team
Damon Cortesi (@dacort), security consultant at Sevicron, founder of TweetStats, Twitter app developer
Mike Murray (@mmurray), CISO of Foreground Security

Awesome, awesome group for this panel.  Here is the description of the panel (from the SXSW PanelPicker site):

“There’s plenty of chatter about social media and security issues, from social engineering to the naïveté of users. This panel of experts will explore how cyber criminals are taking advantage of socnets flaws and lack of user awareness, and what both individuals and companies can do to help protect themselves.”

Since this is one of the biggest media conferences of the year, we highly encourage you to vote for this panel.  This will be one not to miss if selected!  What are you waiting for?  Go vote now!

Sex Offenders in IL Banned from Social Networking Sites

There was an interesting post on Mashable today about a new law that was just passed in Illinois by the governor Pat Quinn.  Basically, it bans sex offenders from using social networking sites.  The problem is that social networking is so loosely defined that this could mean any news site or blog.  Think about Facebook Connect or anything that shows a profile picture with media links and/or text.  In addition, how would this stop a sex offender from using an alias and/or fake name on these sites (if you can even define what these sites are)?

There is some interesting conversation brewing around this one especially around the fact that just by peeing in public you are considered a sex offender in 13 states!

Read the entire article on Mashable here.

View proposed changes to the Facebook SRR/ToS

fb_governanceYou can view and comment on changes to the Facebook SRR (Statement of Rights and Responsibilities or better known as “Terms of Service”) located on the Facebook Governance Page.  You can download and review the redlined proposed changes here.  The deadline for comment is 12pm PST August 18th.  It is important for Facebook users to review these new terms as there are significant changes to the SRR and the wording that is used.  Most of the SRR will affect your privacy as a Facebook user.

For example, make sure you note the following:

1. For content that is covered by intellectual property rights, like photos and videos (“IP content”), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non‐exclusive, transferable, sub‐licensable, royalty free, worldwide license to use any IP content that you post on or in connection with Facebook (“IP License”).  This IP License ends when you delete your IP content or your account (unless your content has been shared with others, and they have not deleted it).

3. When you add an application and use Platform, your content and information is shared with the application.  We require applications to respect your privacy settings, but your agreement with that application will control how the application can use the content and information you share.

4. When you publish content or information using the “everyone” setting, it means that everyone, including people off of Facebook, will have access to that information and we may not have control over what they do with it.

You should already know these things though, right?  :-) Remember: Anything you post to Facebook private or not…consider it public information.  You can leave your comments on the Facebook Governance Page or feel free to comment here.  We would love to hear your opinion of these upcoming changes.

Staying Safe & Secure on Twitter

We recently added a presentation that Tom Eston did at the Cool Twitter Conference in Cleveland last week to the presentations section.  You can also find it on SlideShare.  This presentation should give you some good tips on how to use Twitter safely.  Stay tuned for a printable guide and video similar to the Facebook Privacy & Security Guide.

Tom was also interviewed by Dan Hanson from the Great Lakes Geek Show about his presentation as well as other social media security issues.

Twitter and Facebook DDoS was Targeted at One User

The following article was just posted over at CNET News regarding the massive DD0S (Distributed Denial of Service) that targeted Twitter, Facebook, LiveJournal and more.

Via CNET News:

A pro-Georgian blogger with accounts on Twitter, Facebook, LiveJournal and Google’s Blogger and YouTube was targeted in a denial of service attack that led to the site-wide outage at Twitter and problems at the other sites on Thursday, according to a Facebook executive.

Read the entire article here.

Security and Privacy in Social Networks Bibliography

We just added a fantastic link to 70+ academic papers about security and privacy issues in social networks. It is maintained by Joseph Bonneau from the University of Cambridge.  You will see a page titled “Research” at the top of the page where you can get links to this and other academic papers and research papers.

Thanks to Joe for the submission!

Attacking Password Resets w/ Social Networks

Posted originally on Neohaxor.org, re-posted with permission:


Password Reset: Your passport to a fuxored account.

Password Reset Methods Vulnerable? Really? Get out of here, you mean that many password reset methods are vulnerable to attack? You have to be kidding. The fact that people think vulnerable password reset is newsworthy have got to be crazy. This is something that many of us have been talking about for years. Now Sarah Palin’s email gets attacked and it is big deal. It amazes me why we always wait to get screwed by something before we fix it.

Why does everything in the security world have to be a response to something. Ok, not the security world but the business security world. They are definitely two different entities. I am truly tired of reactive security. Just think if other professions followed this reactive model, like a cop asking for a bullet proof vest after they have already been shot. Nobody can say they didn’t see this coming either. People make more of their life known through social networks, photo sharing, and blogs than ever before. The simple password reset questions just don’t hold up.

There is a lot of unnecessary fear about data from social networks being used to steal someone’s identity. Although this is mostly FUD, social networks can be a great source for password recovery data. A while back we recovered a password (with his permission of course) from my friend Brian’s Sprint account using data from his MySpace page. This is when we were first starting our research for the social network hacking project.

Let’s take a step back from social networks for a sec, would your friends, co-workers, significant other, etc. be able to recover your password with the information they know about you? If the answer to that question is yes, then you need to change something. Passwords should be something that you know, not you and a couple of other people.

What Types of Data are on Social Networks?

The information that people put on their social network pages range from minimal to wildly over the top. Some people even go above and beyond by posting survey questions that tell a lot about their personalities. Although they want to show off the depth of their personality, all it really does is show off the shallowness of their brain.

Social networks by their default nature basically allow you to “friend” the world. The information on people’s social network page typically contains information that was previously only known to traditional friends and acquaintances. This can be a huge problem for the password reset mechanism, not to mention a person’s privacy. If it’s deep and kinda scary from a privacy standpoint then it is probably on a social network. Remember when I mentioned if your friends knew enough about you to reset your password then you are in trouble, well you just friended the world with the information from your social network profile. Beyond standard profile information there are a users actions taken on a social network site and possibly social network applications that are being used as well. All of this information can be leveraged when attacking a password reset mechanisms.

You can use an email address to look up people’s accounts on social networking sites. On the flip side, someone social network profile might directly tell you a person’s email address or you can use the search features of the social network to query owner’s of certain email addresses. There are no secrets in social networking ;)

Email Accounts are Gold

With password resets an email account is really the jackpot. Many password reset mechanisms, including the ones from social networks, rely on sending either the password or a temporary password to the email address of the account owner. Someone who gets their email account compromised might just find that they have every other account tied to that email account compromised as well. I mean, it wouldn’t be a far stretch to figure that out once someone had access to the email account. Just think of all the crap that sites like Amazon, eBay, MySpace, Facebook, etc. send to your email account.

Typical Password Questions

Typical password recovery questions really vary in complexity from site to site. What is the problem with password recovery questions in general? Well, they are not typically made up of data that is private. Unlike a password which is supposed to be something that only you know, recovery questions may be known to many people around you.

Here are some questions from Yahoo:

  • Where did you meet your spouse?
  • What was the name of your first school?
  • Who was your childhood hero?
  • What is your favorite pastime?
  • What is your favorite sports team?
  • What is your father’s middle name?
  • What was your hight school mascot?
  • What make was your first car or bike?
  • What is your pets name?

Some of these questions look like questions that social networks ask when you are filling out a profile, don’t they? If not questions they ask, certainly data that people put on their social network profiles or divulge through other means on a social network.

The Obvious

Take a glance at someone’s profile or maybe your profile on a social network. From just this page without further probing there may be an enormous amount of information. Depending on the mechanism that is being attacked, it may be all that is needed. Here is an example of some of the things that may be found just on the profile page:

  • Name
  • Date of Birth
  • Hometown
  • Current town
  • Favorite movies, artists, music, people, TV, sports teams, etc
  • High School
  • College
  • Personal description
  • Personality traits
  • Networks and Groups
  • Relationship information
  • Family information
  • Employer

The list really goes on and on. Remember that many people are on multiple social networks. Checking out other social networks may fill in the blanks. It is easy to see why this information could be a problem and I don’t think it needs any further explanation.

The Not So Obvious

Some data is not so obvious and might not be directly spelled out. This may be information that has to be aggregated or inferred from the profile data, friends list, blog, group, network, etc.

  • Photos and photo tags
  • Comments on other profiles
  • Photo data (cloths, background, other individuals, etc)
  • Pets
  • Children
  • Siblings
  • Relatives (potentially ones with your mother’s maiden name?)
  • Potential usernames
  • Instant messenger data
  • Blogs and comments in friends’ blogs
  • Favorite teachers
  • Sexual preference
  • Religious views
  • Political views

The data is really limitless, but after all isn’t that what a nice web 2.0 application is supposed to provide? On the surface some of this data may seem silly for password resets but it is really not. This not so obvious information can be really helpful when when non-standard questions are used in the password reset process. This typically happens when people are left to their own devices when creating security questions. They typically create questions that are common and familiar to them. Stupid things like pet’s names, favorite teams, favorite TV shows, etc.

Just think for a moment about tagging. People may tag photos themselves with useful information. Also, friends may tag people in photos helping better define a person’s relationships with people and activities they are involved in. The URL of the social network may lead you to potential usernames / IM information such as www.myspace.com/(username). Maybe the data is completely visual like photo data. A lot of information can be obtained by looking at pictures. Favorite places, sports teams, cars, and countless other possibilities. You name it, people like pictures with their favorite things.

The actions people take on social networks helps better define relationships, networks, group affiliations, and activities. The person may place comments on other people’s photos, profiles, walls, blogs, etc. You may see comments like “That is why you are my BFF”. You may also see that someone is a member of a political party or religious group. People may discuss on boards or blogs about certain things happening in their life. Sharing is caring right?

So what you get in the end is a clear picture of who these people are. You get their likes, dislikes, friends, and affiliations are all in a nice clean package. You may have never even met this person but you have all of the information a traditional friend may have, possibly more.

Need a bit more?

If you almost have the nail in the coffin then you can turn to other sites to complete the task. You could look for name / username collisions on other sites to gain more data. You could take their high school and age information and find out who they went to school with. The possibilities are endless.

The User’s Choice

When people are given the option to choose their own security it has historically been bad. There is nothing that seems to suggest that allowing user’s to choose their security will get any better, so some of this may be wasted breath.

When looking at sites like Google, it seems they have slightly better security questions. Questions such as your library card number, frequent flyer number, etc. I think sites like these with better security questions probably have a high amount of people that end up just choosing their own questions when this option is available. People don’t seem to understand that this isn’t a function that you are going to use everyday. It is ok and preferable to use data that you may not be able to recall without looking up.

So What Can We Do?

The problem of personal data leakage isn’t going to stop until people realize the potential impacts of their data being strung out for the whole world to see. I personally don’t think this will change, in fact, I think with time it will get a lot worse. We live in this voyeuristic, virtual world where people create digital representations of how they see themselves. I think that has an appeal to many people, especially those who don’t particularly find their lives that exciting.

Don’t play by the rules when dealing with a sites password reset questions. Put blatantly wrong, hard to guess, or nonsensical information in to the answer blocks. This will make any information gathered on you useless when attempting to recover your password.

It seems that many sites want you to log in. You shouldn’t use the same password on every site. Use a trusted password safe such as KeePass to store your login credentials. KeePass is open source and multi-platform. Using a mechanism like this allows you to be in control of your password recovery along with allowing you to use different passwords for different sites. It would also be a good idea to back up the database of whatever password safe you choose to use as well. Just a thought ;)

The biggest mistake someone can make is thinking that there is nobody out there that gives enough of a crap about them to attack their accounts. People do weird things. Anybody is capable of just about anything. This isn’t being paranoid, it’s being safe. Think of it as locking the door on your house when you leave, only instead of your valuables you are protecting your data.

1 2 3