Security threats in social networks

What are the security threats that exist in social networks?

Transcript of Security threats in social networks

Page 1: Security threats in social networks

What are the security threats that exist in social networks?

Page 2: Security threats in social networks

A billion users… a million threats

1.2 billion users on a single site – exchanging information about their lives, their work, and a lot more.

Security is one of Facebook's biggest strong points, even if privacy isn't.

Page 3: Security threats in social networks

Privacy vs Security

Facebook, over the years, has been criticised for a number of privacy flaws (for example: who can see my photograph?), but a compromise of Facebook itself has not been one of them.

Facebook's focus on security has been a constant effort for years.

We look at how Facebook stays safe in the next few slides.

Page 4: Security threats in social networks

Types of attacks

Some common risk and security issues that social networks are vulnerable to.

Page 5: Security threats in social networks

Types of attacks

• Phishing attacks – People who visit the site expect to see new things, click on links and open apps, but they often don't know whether what they are clicking on is legitimate. So a click might lead them to a malware site and expose them to spam.

• Facebook apps – When a user opens an app, they grant the app some level of access to their information. However, an app is only as secure as the people behind it, so if the app itself gets hacked, its users are also exposed to attack.

• Poor password security – A fair number of accounts are compromised simply because someone guessed the password.

Page 6: Security threats in social networks

Types of attacks

• Cross-site scripting – Photo tagging is a popular feature on Facebook and also one of the favourites of attackers. 'Self-XSS' attacks arrive as messages asking 'why are you tagged in this post?' and, on click, trick you into copying and pasting malicious JavaScript into your own browser (address bar or developer console), where it runs with your session and can lead to malware installation.

• Facebook Security – In an ironic twist, attackers have also impersonated the Facebook security team to break into users' accounts. Facebook's name filter blocks strings such as 'Facebook Security' in a person's name, but attackers have used lookalike Unicode characters that render as 'Facebook Security' and then send a message saying "Last Warning: Your Facebook account will be turned off because someone has reported you. Please do re-confirm your account security by: (link)". The link leads to an external site that clones the Facebook look and gets the victim to click on malicious links.

Page 7: Security threats in social networks

Types of attacks

• Cross-site request forgery (CSRF) – CSRF attacks exploit the trust that a website has in a browser and its requests. Whenever a request arrives from a user's browser with a valid session, the web server accepts and processes it. The server has no way of knowing whether the user deliberately made the request or whether a hidden script on another website issued it covertly in the background, without the user noticing. Users who stay constantly logged in and never log out of their social network are the natural targets of CSRF attacks.
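The following added example (not Facebook's or any real site's code) shows the gap the slide describes and the usual fix. The session store, endpoint and request shape are assumptions; the "forged" request models a form auto-submitted by an attacker's page while the victim is logged in, so the session cookie rides along but nothing else does.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session state.
SESSIONS = {}


def login(user: str) -> str:
    """Create a session and mint a per-session CSRF token (assumed design)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "email": user + "@example.com",
                     "csrf": secrets.token_urlsafe(32)}
    return sid


def change_email_vulnerable(request: dict) -> str:
    """Accepts any POST that carries a valid session cookie.

    The browser attaches the cookie to every request to this origin, so a
    hidden form submitted by an attacker's page looks exactly like a request
    the user made deliberately.
    """
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return "401 not logged in"
    session["email"] = request["form"]["email"]
    return "200 email changed"


def change_email_hardened(request: dict,
                          site_origin: str = "https://social.example") -> str:
    """Same action with two independent checks a cross-site page cannot pass."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return "401 not logged in"
    # Check 1: the form must carry the token that only same-origin pages can
    # read; constant-time comparison avoids leaking it byte by byte.
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return "403 csrf token missing or wrong"
    # Check 2: browsers send an Origin header on cross-site POSTs naming the
    # attacker's page; when it is present it must be our own origin.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != site_origin:
        return "403 cross-origin request rejected"
    session["email"] = request["form"]["email"]
    return "200 email changed"


def demo() -> dict:
    """Run both handlers against a legitimate and a forged request."""
    sid = login("alice")
    token = SESSIONS[sid]["csrf"]
    # Legitimate request: the form rendered by the site includes the token.
    legit = {"cookies": {"sid": sid},
             "headers": {"Origin": "https://social.example"},
             "form": {"email": "alice@new.example", "csrf_token": token}}
    # Forged request (constructed): the victim visited https://evil.example
    # while logged in; its page auto-submitted a form to our endpoint.
    forged = {"cookies": {"sid": sid},
              "headers": {"Origin": "https://evil.example"},
              "form": {"email": "attacker@evil.example"}}
    results = {}
    results["vulnerable_forged"] = change_email_vulnerable(forged)
    results["email_after_vulnerable"] = SESSIONS[sid]["email"]
    SESSIONS[sid]["email"] = "alice@example.com"  # reset for the second run
    results["hardened_forged"] = change_email_hardened(forged)
    results["email_after_hardened"] = SESSIONS[sid]["email"]
    results["hardened_legit"] = change_email_hardened(legit)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The token check is what defeats the forged request here; the Origin check is a second line of defence for frameworks that render forms without tokens. Setting the session cookie with `SameSite=Lax` or `Strict` stops the browser from attaching it to cross-site POSTs in the first place, which is the cheapest mitigation for the "always logged in" user the slide mentions.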

Page 8: Security threats in social networks

Types of attacks

• Clickjacking – Clickjacking is where a user is tricked into clicking on things they do not see or are not aware of. Usually an invisible frame is loaded along with some visible content, such as a simple game, and laid over it. When the user thinks he or she has clicked somewhere in the game several times, the clicks actually land on the invisible layer and trigger some action. For example, a user might unknowingly be coerced into changing his or her privacy settings.
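The defence against the invisible overlay is on the framed site, not the game page: the response must tell the browser which sites, if any, may embed it. The added example below (not any real site's code) generates those headers and models how a browser decides whether a page may render inside a given top-level page, including the rule that a `frame-ancestors` directive takes precedence over `X-Frame-Options` when both are present. The origins are assumptions, and the CSP source matching covers only `'none'`, `'self'` and plain host sources, not wildcards.

```python
from urllib.parse import urlsplit


def anti_clickjacking_headers(allowed_parents=()):
    """Headers that stop other sites from framing a page.

    With no allowed parents the page refuses all framing; otherwise it allows
    itself plus the listed origins.
    """
    sources = ["'self'", *allowed_parents] if allowed_parents else ["'none'"]
    return {
        "Content-Security-Policy": "frame-ancestors " + " ".join(sources),
        # Legacy header for browsers without CSP Level 2. It cannot express an
        # allow-list, so the best it can do is SAMEORIGIN.
        "X-Frame-Options": "SAMEORIGIN" if allowed_parents else "DENY",
    }


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def browser_allows_framing(headers, page_url, top_url):
    """Model of a browser deciding whether page_url may render inside top_url."""
    page, top = _origin(page_url), _origin(top_url)
    csp = headers.get("Content-Security-Policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        for src in parts[1:]:
            s = src.lower()
            if s == "'none'":
                return False
            if s == "'self'":
                if top == page:
                    return True
                continue
            if s.startswith("'"):
                continue  # other keyword sources are not modelled here
            if s.startswith(("http://", "https://")):
                if top == s.rstrip("/"):
                    return True
            elif urlsplit(top).netloc == s:
                return True  # scheme-less host source
        # A frame-ancestors directive was present and nothing matched:
        # X-Frame-Options is ignored in this case.
        return False
    xfo = headers.get("X-Frame-Options", "").upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return top == page
    return True  # no protection at all: any site may frame the page


if __name__ == "__main__":
    settings = "https://social.example/settings"
    for hdrs in ({}, anti_clickjacking_headers(), anti_clickjacking_headers(["https://partner.example"])):
        print(hdrs, browser_allows_framing(hdrs, settings, "https://evil.example/game"))
```

A privacy-settings page served with no headers at all is the case the slide describes: the attacker's game page can frame it with `opacity: 0` and route the clicks through. Note that `frame-ancestors 'none'` also refuses framing by the site itself, which is usually what you want for settings and account pages.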

Page 9: Security threats in social networks

Types of Attacks

• Insecure frameworks – As social networks grow more complex, it is not surprising to find vulnerabilities in their frameworks. In May 2010, Facebook encountered a privacy glitch: the privacy settings tool let a user test modified privacy settings by previewing how his profile looked to another person. This preview gave read-only access to that other person's account, which could expose private chat conversations or pending friend requests.

• SQL injection – Another conceivable attack type is SQL injection, where an attacker finds a way to pass his or her own SQL queries to the linked database.

• DDoS attacks – A distributed denial of service (DDoS) attack is an external attack that can interfere with a social network's operations. The intention is to interrupt or suspend the services of a host connected to the internet: a multitude of compromised systems attack a single host, causing denial of service for that host's users. Twitter came under a DDoS attack and remained suspended for two days in August 2009. DDoS attacks have also been used by the hacker group Anonymous against the Scientology organisation.

Page 10: Security threats in social networks

Thank You