Essay Word Count: 4000 .

Bilkent Laboratory International School Umut Baris AKKAYA

000894-002

EXTENDED ESSAY – COMPUTER SCIENCE Facebook Security: How Much the Updates Made in Facebook, Improved its Security

December, 2012

Page 1 of 16 Umut Baris AKKAYA 000894-002

Abstract This essay is about the security gaps that social network systems (SNSs), especially Facebook, have and how the updates SNSs make doesn’t make those websites more secure. In an age, when people spend most of their time on those Social Networks, security is an important issue, thus the aim of the essay is to increase awareness and acquaint people. The article proves these by using the real life events, such as the PlayStation Network and LinkedIn crisis. Essay also includes theories such as super user, and explain the risks such a privilege can create. Essay concludes that Facebook is not secure as it is now, and the updates it made didn’t improve its security yet. Thus essay suggests new ways of improving the security of Facebook in the conclusion part. 130 Words

List of Figures Figure 1. Notification given by Facebook to users about access grants .............................................. 5 Figure 2.Recent Activities that are shown on Facebook’s website ...................................................... 8 Figure 3. Information about Access Tokens, taken from Facebook’s website..................................... 9

December, 2012

Page 2 of 16 Umut Baris AKKAYA 000894-002

Contents Abstract ................................................................................................................................................. 1 List of Figures ....................................................................................................................................... 1 1. Facebook ........................................................................................................................................... 3 2. Security ............................................................................................................................................. 4 3. Security Updates ............................................................................................................................... 7 4. User Privileges ................................................................................................................................ 10 5. Problems ......................................................................................................................................... 11 6. Conclusion ...................................................................................................................................... 13 References .......................................................................................................................................... 14

December, 2012

Page 3 of 16 Umut Baris AKKAYA 000894-002

1. Facebook Invention of internet made people contact each other more often and with ease. The venture resulted in a demand of a medium where people can share their ideas and contact with friends, families at the same time which led to creation of a market for social media where the competition is very high. Today, social media is mostly a group of internet-based applications that built on the ideological and technological foundations of Web 2.0, and that allows the creation and exchange of user-generated content. With this market, hundreds of websites were created. Popular social network services throughout the history are: Linkedin (May 5, 2003) MySpace (August 2003), Facebook (February 4, 2004), Digg (December 5, 2004), YouTube (February 14, 2005), Twitter (July 15, 2006). All of these websites offered the same thing to the users, or as in economic description, to the consumers, communication. However, all of them have a different point of view. Such as, Twitter describes itself as a platform where people can write what they are doing at the moment, where Facebook specializes itself on instant messaging and its ability to run applications and games on itself. Today, Facebook can be defined as the most widely-used social networking site, which supports a number of interactive features to build relationships with individuals and social communities. In recent years, many social networking sites (SNSs), including those accounted for in the beginning of the essay, have become very popular around the world, because of their ability to promote relationships, to help individuals to share their ideas, messages, events, and interests with friends. Facebook, having the highest number of active accounts, owes its expansion to its ability to provide more resources to users than other social network sites, such as MySpace and Twitter. Same service also allows developers to add applications to those, with the use of relatively simple application programming interfaces. According to data on the official Facebook website (Facebook, 2011), there are more than 800 million active users, with an average user being connected to 80 community pages, groups, and events. At first, Facebook was originally created in February 2004 as a Harvard only online social networking site, but since had opened its network site to the public in 2006. In December 2006, it had more than 12 million users, and by the end of December 2009, the number of active users reached 350 million. Nowadays, it has more than 800 million… (Facebook, 2011) It is a marvelous increase which made its founder, Zuckerberg, probably more than happy by providing him extra revenue. However, are the users who create new accounts aware of the fact that, each account they create leaks more information about themselves than they allow to the internet? To explain how creating a single Facebook account could give their all information to a place where thousands can see, this essay will explain the deep research made about the security gaps, and explain how Facebook updates don’t make this social network service more secure.

December, 2012

Page 4 of 16 Umut Baris AKKAYA 000894-002

2. Security Facebook updates don’t make the social network service more secure. Security, according to Engineering Principles for Information Technology (Dinerman, 2011), means:

‘Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, inspection, or destruction.’

For our good, and our friends’ good, security is a must to have. A small information loss can create enormous problems that can ruin our days or even lives. In an era, where all of our business is made by using electronic transactions, (Such as sending credit card applications, using e-mails for university admissions etc.) people can lose all of their information, if their e-mail addresses get in the hands of other people with malicious intentions. Therefore a cautious e-mail user should keep his e-mail passwords and other sensitive credentials as secretive as possible. Facebook, however, is not with the same opinion with those cautious people. It immediately asks for your e-mail address, in the process of signing up. In other words, regarding the malicious intent ‘he shoots, he scores’. What even worse is, it makes your e-mail address available to be seen by millions of other Facebook users, which makes the user a ‘sitting duck’. After signing up, say you wanted to try one of hundreds of various applications that Facebook has. You will face a notification such as:

December, 2012

Page 5 of 16 Umut Baris AKKAYA 000894-002

Figure 1. Notification given by Facebook to users about access grants

This notification implies that it will have the permission to access any information about the

user, any time it wants. Once you grant access, control of your personal information is out of Facebook’s hands. The application creator or the 'developer' may misuse your information, or creator can give your personal information to the companies, which advertise products on Facebook, which will, in turn be explained in more detail in personal habit and purchasing sections. Not only developers, but hackers also can access to your information using elementary tools of hacking. First of all, the misconception between a hacker and a cracker should be explained (Anonymous, 2011):

'A hacker is a person intensely interested in the arcane and recondite workings of any computer operating system.'

Hackers are programmers, who has advanced knowledge on operating systems such as

Windows, iOS, or Linux and their programming languages. They may know the security gaps within the systems and the reasons for those. “They seek for knowledge, and freely share what they have discovered, and never intentionally damage data” says an anonymous writer in his book ‘A Hackers Guide to Protecting Your Internet Site and Network’. (Anonymous, 2011) Crackers, on the other hand, are people who break into or otherwise violate the system integrity of remote machines, with malicious intention. Crackers may destroy vital data, deny legitimate users service, or basically cause problems for their targets. Usually, a cracker is more dangerous than a hacker; while a hacker seeks information, a cracker seeks trouble, but when the issue is knowledge, it doesn’t really matter. Because in both cases (doesn’t matter where the attack comes form), users will lose their information or get them shared in the internet. Both are crucial for the security of the users’ privacy. To get protected by hacker or cracker attacks, and prevent the violation of security, one first must learn their hacking techniques. There are 5 elementary methods that hackers use while ‘stealing’ information (Moore, 2006): Vulnerability scanner, for example, is a tool used to check computer networks and seek for weaknesses.

Hackers also use port scanners, to check the availability of ports in a computer in order to access them. Password cracking, a common method used by crackers, is a process of recovering passwords from data that has been stored in a computer system. A common approach would be repeatedly trying guesses for the password until one is accepted by the system. Dan Brown refers to this in his ‘Digital Fortress’ book as “Brute Forcing”. Packet sniffer, which is a legal application, is commonly used by hackers. It is an application that captures data packets, which can be used to capture users’ information such as their passwords, user names, and personal information. Packet sniffers also are used by websites to determine whether the password and user name entered by the user match or not, therefore it is completely legal. Frankly, the software mentioned helps hackers to do their ‘jobs’ easier and therefore gives hackers opportunity to steal information legally. In his presentation, Chung describes spoofing attacks as gaining users’ trust:

December, 2012

Page 6 of 16 Umut Baris AKKAYA 000894-002

“Spoofing attack, known as phishing, involves one program, system, or website successfully masquerading as another by falsifying data, which makes is treated as a trusted system by a user or another program. In other words, it fools program to gain root privileges” (Chung, 2012)

Finally social engineering, or data mining, is a method, in which the hacker or cracker collects the user information and uses them against the users. An average person is very likely to set the name of his pet as his password.

What a hacker or cracker does is: he looks at the profile of a user, and from the information published in the profile he tries to guess what the real password is. Even a birth-date can decrease the possibilities that a password can be. This method can also be used in marketing. People can steal information about users’ likes and hobbies, and sell this information to the companies, which design their ads according to these stolen data. Marketing online is a new concept. In recent years social media applications, which enable consumers to contribute to the world of online content, have grown in popularity, which made it even more attractive for hackers to steal information. There are some conspiracy theories that information is not getting stolen only by hackers but by government agencies as well. Before talking about how updates affected the Facebook security, security gaps should be explained. A gap or hole is any feature of hardware or software that allows unauthorized users to gain access or increase their level of access without authorization. This is a broad definition, but it is accurate. A hole could be virtually anything. The biggest security gap is the Facebook itself. People share information about their locations, about their jobs and where do they go in their summer vocations, online. One of the most common examples about Facebook being a security gap itself is the thief example. The example is about a couple going to vocation. A thief subscribes this couple’s Facebook account, or becomes friends with them and sees when they leave their houses. Stealing everything, robber leaves the place before the couple comes back. Another security gap that Facebook has is using IPv4. When an electronic device connects to internet, it is given a code expressed with 32-bit integer value. That value is the temporary name of the device; however, there are billions of devices out there. Which means numbers are going to start repeating themselves, therefore different devices will have the same name. Which means a device will be able to see your browser history as well as your e-mail address from miles away. Facebook declared that it started to use IPv6, which is an improved version of IPv4; however, it didn’t update its entire server according to the IPv6. (Facebook, 2012) Another move that Facebook did, which invaded the privacy of users, was updating the tagging system. With the new update, Facebook tags people automatically, without asking. People became easily findable, and everyone, even the government can see what people do anytime with the new update.

December, 2012

Page 7 of 16 Umut Baris AKKAYA 000894-002

3. Security Updates Facebook updates don’t make the social network service more secure All these new features of Facebook bring the user closer to the concept of Big Brother as described by George Orwell in his book 1984 (Orwell, 1949). The updates are far from improving the security of Facebook, au contraire they bring more information to any application developer who have access to the super wall via the Facebook development process regardless of their status. Third party application developers can access all the personal information of any user who accepts the terms and conditions, i.e. a sort of disclaimer. Such an approach is asymmetrical in nature; by which users give permission and privileges over the users’ sensible information, which is their political views, their pets’ names, their location etc. The topic will be briefly explained in the super user section. Tagging and IPv4 are only two updates, which demonstrated how “trustful” Facebook is. However there are lots of other updates: Aside from the obvious factors that are mentioned in sections security and user privileges, the security concerns on Facebook started from 2007 with the creation of Facebook Beacon. For tracking user activity, Facebook started offering a free tool, Beacon, to online partners. Beacon recorded members’ activities and proactively broadcast such off-Facebook activities to designated Facebook friends. A case report written by Kristen E. Martin (2010), explains how Nate Weiner, a Facebook user, reacted to Beacon and what his ideas were. Martin also explains Beacon in his article. The main purpose of the Beacon was to make advertisements; however, system was doing it without permission of the users. This brought up arguments whether it was true or not, and later on Facebook updated Beacon so that it had to ask to the users before posting anything on Facebook. This feature, however, was not easily identified. The information box, where users click on ‘I give permission’ option appeared in a small window and disappeared without users taking any action. Unless the user opted out quickly, the notification window would close quickly and the user activity data would be sent to Facebook user’s friends through an existing service called News Feed. “Residing on a partner’s website, the Beacon program would track the user’s activities and ask Facebook if the user was a Facebook member.” Facebook would ask to its users whether if they want to share their activities with others with a pop-up or not, yet, the time pop-up stay was limited with only couple of seconds. If users were quick enough to deny, Facebook would stop broadcasting the activities. Otherwise, Facebook would take the user activity data and send it to other users. With the security breach, online community MoveOn.org (2007) started a Facebook group “Petition: Facebook stop invading my privacy!” 200 members signed the petition within 24 hours and eventually the group grew up to over 80,000 members. The controversial service, which became the target of a class action lawsuit, was shut down in September 2009. Mark Zuckerberg, CEO of Facebook, said on the Facebook Blog in November 2011 that Beacon was a "mistake". (Zuckerberg, 2011) After the failure of beacon,

December, 2012

Page 8 of 16 Umut Baris AKKAYA 000894-002

Facebook continued to update its security features to make Facebook more trusted. Facebook updated itself again so that every action its users did started to be collected in its history database. With this security feature, one became able to see his actions that he did before. Another advantage that this feature gave to the users is the ability to see where your account is logged in. One can see if he is still logged in on other devices and immediately log out on those devices from one central control in his account as seen in Figure 2.

Figure 2.Recent Activities that are shown on Facebook’s website

You can see all of your active sessions along with information about each one. That information includes the login time, device name if you’ve previously named it through our login notifications feature, the approximate location of the login based on IP address, and browser and operating system. In the unlikely case that someone accesses your account without your permission, you can shut down the unauthorized login before resetting your password and taking other steps to secure your account and computer. Unlike beacon the latest update made Facebook more reliable. People were now able to see from which computer they logged in the last time, and where was the location of the computer. However this feature might have a negative effect too. In case of an account being hacked, hacker can learn all the information about where does this person live and what kind of computer does he use; this can lead to more serious consequences. The third Facebook security update mentioned brought up lots of questions about whether it improved Facebook’s security, or did it just harm the users. Third update brought the feature of picture identifying. When a suspicious user -meaning someone logging in to your account from a new device- logs into your account, Facebook will ask them to identify your friends. If they can't answer, they'll get booted off. However this new system brought up concerns; (Sarno, 2011) at Los Angeles Times explains his concerns as: “Couldn’t a hacker or intruder just Google all six names and hope that one of them would turn up a photo of the anonymous person in the security challenge? Not everyone has photos posted online these days, but almost everyone on Facebook does.”

December, 2012

Page 9 of 16 Umut Baris AKKAYA 000894-002

All the updates mentioned above, were proofs of why security gaps weren’t closed, or security holes weren’t filled by the updates. However, one should talk about events that happened in the real life, if he wants to prove his point, therefore in the next paragraphs, examples from real lives will be given: The first example is the scandal of Linked in, a famous social network, revealing millions of people’s information. On the 19/06/2012, Linked in it was announced that it was hacked and over 6.5 million Linked in passwords were posted online. (Ubergizmo, 2012) A similar event happened to the PlayStation network. PlayStation network got hacked and more than 77 million customers were affected from this scandal. NSW police fraud squad warned Australian PlayStation users may have to cancel their credit card after hackers obtain personal information from millions of users. (2012) Those examples are real life events that happened to other SNSs, however, these could have happened to Facebook as well. Therefore, people reading such news should het paranoid and worry about their privacy. You might think, this won’t happen to you. Learning the permissions you give might change your decision. The information about access tokens taken from Facebook might express more to the reader:

Figure 3. Information about Access Tokens, taken from Facebook’s website

December, 2012

Page 10 of 16 Umut Baris AKKAYA 000894-002

4. User Privileges All these permission issues bring the topic in to one single idea: ‘super user’. In theory, super user is an administrator for the Facebook, someone who has all the permissions. It is morally wrong; since there is someone that you don’t know, who can reach into your account anytime he wants, and posts anything by using your name. Considering users can give permissions to 3rd party app developers, the idea is realistic. On the other hand, there should be a super user in case something in the Facebook goes wrong, such as in the LinkedIn example. In case of such an event, there should be a user, who can stop the hacker before information gets stolen. While people having questions on their minds about the super user, 3rd party developers started to introduce super wall to the Facebook. The problem with the super wall is that it is an application which has the root access to users’ profiles. In case of this application being hacked, the hacker/cracker can destroy or get even the tiniest bit of information.

December, 2012

Page 11 of 16 Umut Baris AKKAYA 000894-002

5. Problems Considering super walls, super users, updates that bring dissatisfactions, security gaps and holes; it is a serious risk to broadcast your personal information on the internet; since you can’t control who is going to see it, use it and abuse it, and how much one can care for your information. As mentioned before in the ‘updates’ section, updates bring quite disdain and many dissatisfactions. Facebook crew doesn’t fix its gaps or bugs by doing an update, but they procrastinate by temporarily shutting down the portion of the device or software which creates problem. However Facebook crew can solve these problems if they desire so, of course that may be a tradeoff between different features and being fun. Every system has its own downsides and software and firmware bugs; there is no platform or website which is completely secure. Any computational entity will be insecure limited to its connectivity. Yet Facebook crew can strengthen the internet based social service’s security, according to the author’s humble opinion, provided they might follow some of the routes explained below: Some of the most dangerous, common, and frequent type of attacks are grouped under DoS (Denial of Service) class of attacks. Denial of Service class of attacks are based on the servers’ capacity to respond to unprocessed or illegal requests from the user terminals, i.e. any device that connect to the physical network used by Facebook Service. Every server has its own capacity and number of users it can serve. If a server has a user limit of 100, after the 101st user, the mentioned server will eventually overload. If this number increases to a level such as 10 or 20 times the capacity, server goes down. The websites become unavailable to users the website, and in that case they may well be rerouted to fake websites. This happened before to bank websites, e-mail service providers, and to counterparts of the social networking service in question and to even the social service itself. Similarly, Facebook went down before and according to mon-tools website (2012), Facebook was down for 1 day and 13 hours in total, only this year. Thomas Robert Malthus’, the renowned philosopher’s, theory about the management of resources evaluated under economical sciences, states that population of human kind increases geometrically, while the resources that are available to them increase arithmetically (Wood, 1994). Malthus claimed that curve of resources and curve of human population in a graph will meet in a point and after that point, resources will become scarce. Same theory can be applied to computer science. If a server gets overloaded, it means the number of people using the website is more than the bandwidth dedicated to the server and its capacity. Thus the internet traffic limit of the hardware is increasing less, compared to the users’ ever increasing demands. Eventually the backbone used by the social networking service may collapse. To decrease the downtime, and to protect millions’ information, DoS attacks should be taken care of. Facebook crew and executives can eliminate this threat by increasing the bandwidth available to them in contingencies. DoS class attack vulnerability is only one type of threat which

December, 2012

Page 12 of 16 Umut Baris AKKAYA 000894-002

the social networking service faces, but there are many other gaps and cracks Facebook crew has to fill. Usage of Internet Protocol version 4 is seemingly another security gap. As mentioned before in the article, Facebook is still using IPv4 even though it announced that its website was running on IPv6. With IPv6 each computer will have a different IP address and therefore probability of another computer or user mimicking you and tracking your actions without your consent will presumably be minimal.

December, 2012

Page 13 of 16 Umut Baris AKKAYA 000894-002

6. Conclusion Facebook has to choose between two options: it can either discard security and focus on how much the website is entertaining, or it can put the entertainment aside and improve its security. If it chooses the ‘right’ one, to improve its security, it can put multilayered password protection, such as one can have two different passwords for chat and Facebook itself, or it can close applications such as games and video viewing programs to close potential gaps. This type of a precaution can decrease the number of Facebook users, however is essential. Facebook is so careless about its security that it even contains a system such as super wall. Having a root privileged person, creates an enormous security gap, therefore it should be removed. Third option can be creating a new OS. Facebook is vulnerable to attacks and a single problem can lead to loss of personal data. Google+ which is also a social network service handled the same problem by turning each tab into a single virtual machine. Therefore in an attempt of leakage, virtual machines and therefore tabs will be safe. It also created a new device with its own operating system, Chromebook. Chromebook has only Google’s own applications, and there is nothing installed on it other than a browser and java. It has a small memory for temporary information, also known as cookies and therefore, this device reduces the risk of leakage. Facebook can create its own device as well, which has only Facebook OS installed on it. Another Google fix is categorizing friends. As explained in the security topic, Facebook is a security gap itself. Having hundreds of people as friends, and sharing all your information with them is risky. Google solves this problem by categorizing people and giving them limited privileges. For example, a friend from high school that you added years ago and you don’t have any relation now, can’t see your personal information. You can put your friends into groups and decide on how much information they can view about you. If Facebook designers, developers and management come to their senses, and care more about its security than its entertainment, it can be a safer service. However, for now, it is easy to say that it is insecure, and updates that Facebook made didn’t make it more secure.

December, 2012

Page 14 of 16 Umut Baris AKKAYA 000894-002

References Bloxham, Andy . "Most burglars using Facebook and Twitter to target victims, survey suggests." .

http://www.telegraph.co.uk/technology/news/8789538/Most-burglars-using-Facebook-and-Twitter-to-target-victims-survey-suggests.html (accessed 2012)

Briones, Gene Ryan . "LinkedIn gets sued over recent hacking scandal." Ubergizmo, 06 19, 2012. http://www.ubergizmo.com/2012/06/linkedin-gets-sued-over-recent-hacking-scandal/ (accessed 2012).

Dinerman, Brad. Social Networking and Security Risks. GFI White Paper, 1749, 2011

Dinerman, Brad. Social Networking and Security Risks. GFI White Paper, 2348-2350, 2011

Facebook , "Permissions." Last modified 2012. Accessed 2012. http://developers.facebook.com/docs/reference/login/

Hew, Khe Foon. "Computers in Human Behavior."Students’ and teachers’ use of Facebook. : 662-677. www.elsevier.com/locate/comphumbeh

Hsu, Chia-Cheng, Hsin-Chin Chen, Kuo-Kuang Huang, and Yueh-Min Huang. "Computers and Mathematics with Applications." A personalized auxiliary material recommendation system based on learning style on Facebook applying an artificial bee colony algorithm. : 1506-1513. www.elsevier.com/locate/camwa

Martin, Kristen E. Business Roundtable Institute for Corporate Ethics, "Facebook(B): Beacon and Privacy." Last modified 2010. http://www.corporate-ethics.org/pdf/Facebook _B_business-ethics_case_bri-1006b.pdf.

Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network. Indianapolis: Angel722 Computer Publishing,

McCarthy, Caroline . "MoveOn to Facebook: We caught you red-handed." . http://news.cnet.com/8301-13577_3-9823063-36.html (accessed 2012).

montools.com, . http://montools.com/stats/www.facebook.com (accessed).

Moore, Robert (2005). Cybercrime: Investigating High Technology Computer Crime. Matthew Bender & Company.

Moses, Asher. "PlayStation hacking scandal: police chief says contact your bank now." , 2011

December, 2012

Page 15 of 16 Umut Baris AKKAYA 000894-002

Nakashima, Ellen, Feeling Betrayed, Facebook Users Force Site to Honor Their Privacy, Washington Post, 30 November 2007, 2012.

Orwell, George. 1984. London: Secker and Warburg, 1949.

Rescorla, E., and A. Schiffman. The Secure HyperText Transfer Protocol. EIT,

Reynol, Junco. "Computers & Education." The relationship between frequency of Facebook use, participation in Facebook activities, and student engagement. : 162-172. www.elsevier.com/locate/compedu

Rhee, Man Young. Internet security. West Sussex: JohnWiley & Sons Ltd., 2003.

Sarno , David. "Technology." Facebook's new security method: Can you beat it by Googling the names? (blog), 01 26, 2011.

Vauhini, Vara, “Facebook's Tracking of User Activity Riles Privacy Advocates, Members, Wall Street Journal, 21 November 2007

Veer , E. A. Vander. Facebook: The missing manual. Sebastopol: O'Reilly Media Inc., 2010.

Wagner, Richard. Building Facebook Applications For Dummies. Indianapolis: Wiley Publishing Inc., 2008.

Wood, John Cunningham. Thomas R Malthus. Taylor & Francis Group, 1994.

Chung, M. J. H. [Web log message]. Retrieved from http://baggins.nottingham.edu.my/~hsooihock/G53CWO/G53CWO-Computer Crimes.pdf

Zuckerberg, M. (2011, 11 29). [Web log message]. Retrieved from https://blog.facebook.com/blog.php?post=10150378701937131