The document summarizes security and privacy issues related to the social networking site Facebook. It outlines problems such as cleartext password interception, incomplete access controls allowing unauthorized access to user photos, and vulnerabilities in the mobile Facebook application. Solutions proposed include implementing encrypted protocols for password transmission, restricting unauthorized database searches, and strengthening encryption and access controls for mobile users. The document also notes recent threats targeting social networking sites reported in various news sources.
4. Problem 1: Cleartext Password Interception Facebook sends user’s email address and login password in clear text to the developer's server! http://valleywag.com/tech/great-moments-in-public-relations/facebook-calls-reporters-question-harassing-316488.php
5.
6.
7.
8. Problem 2: Privacy Policy Facebook’s two features Using email address book to find friends on Facebook New feeds
9. Improper Features: Access to Email address book http://elronsviewfromtheedge.wordpress.com/ 2007/04/13/the-modern-facebook-of-security/ The first principle of anti-phishing behaviour: NEVER enter your passwords ANYWHERE but the specific site they are designed for
10. Improper Features: New Feeds http://www.schneier.com/blog/archives/2006/09/facebook_and_da.html
Now, we will begin with the outline. In today’s presentation, there are 3 main sections. In first section, we will give a short introduction of Facebook, and describe our motivation that is why we choose this topic. and then we will talk about the privacy problems and threats Facebook confront now. After analyzing these problems, we proposed our suggestions and solutions .
Then it is the overview of Facebook. Facebook is a social network community which is launched on February 4,2004. And this website allows users to easily connect with their friends by joining into different social graphs, like school, place of employment, or geographic regions. Thanks to this kind of social graphs their users made, the website has more than 64million active users all over the world. For the main functions, I cut the description from Facebook, they list the uses as follows: Keep up with friends, share photos, control privacy (whether can really control is still depends), rests are communications and make plans. We believe most of us are familiar with Facebook, if you have not use it before, I hope after my introduction, you already have a outline of Facebook.
After the introduction of Facebook, I will explain why we choose this topic. Nowadays, people are very likely to ask for privacy in real life, but when they face the online social communities, most of them have not realized that online privacy is the same important as in real life, or even more important. I abstract the reasons into 2 points. First, this kind of internet social graph are different from original face to face interactions, because A user can be easily involved into a extremely large social graph. For example, if you only add one person who already has 500 other friends, and then the 500 persons can easily see your privacy information from the web links. So it brings large numbers of unknown factors and threats in an much more easy and hidden way. The second point is just like a famous computer security specialist Bruce have said: “ Whenever you put data on a computer , you lose some control over it. And when you put it on the internet , you lose a lot of control over it. ” The information transmit with a hard copy may limit by different geographic regions, or difficultes of seaching, but t he information spread on the internet is no need to think about these limits at all. So, while enjoying the convenience of internet, people need to prevent the corresponding threats. So we choose this topic, because we believe concerning the online privacy is necessary and important.
For the above problem, we know privacy is more about control than about secrecy. But it is only one side of networking security. For the following problem, secrecy becomes the most important part of concern. That is: Facebook sends user’s email address and login password in clear text to the developer's server! After we have finished this course, we all know: sending passwords in clear text is a horrible idea.
Information protection at the time of data collection The first level of data protection shall begin at the point of data collection. When the data is transmitted, hash functions such as message digest, MD5 algorithm [10] shall be utilized to protect the data for additional security. For transmitting, Secured protocol such as Secured Socket Layer (SSL) [10] shall be implemented in order to protect the data entered at the client's browser. So the hashed data transmitted over SSL would be the first level of protection for personal data. However, the MD5 is not one hundred percentages protective, because of its nature, where MD5 makes only one pass over the data. It is possible to create a rainbow table for the MD5 encrypted data and potentially, the password can be cracked. Here, we need to ensure one word: rainbow table A rainbow table: A rainbow table is a lookup table offering a time-memory tradeoff used in recovering the plaintext password from a password hash generated by a hash function. A common application is to make attacks against hashed passwords feasible.
To overcome this problem, one may wish to add more complexity to the encryption by the way of adding salt to the MD5 data. A salt typically means, in context with MD5 encryption, a secret key added to the password in order to complicate the dictionary attack on the password tables. Each bit of salt added to the original password doubles the amount of computation needed for one to break the passwords.
SSL protocol is established between client browser and server to protect subsequent communications, but as we have learnt from our course, a sophisticated phishing scam has already used the valid SSL certificate in Feb 2006. But fortunately, in the end of our 5 module, we learnt a perfect secure protocol. That is: Secure Remote Password (SRP) protocol. It is one of the best password-authenticated key establishment protocol available but have not used today. For its advantages, it can be abstracted into 3 points:
When talking about Facebook’s privacy policy, let’s look at two Facebook’s features first. They are
When people sign up for a Facebook account, his first option is to enter his third party email address and the password to the facebook site, so that Facebbok can login to this email and search the address book for Facebook users he’s already known. We understand that Facebook are trying to find a way to import user’s contacts who already use Facebook in order to make user’s initial experience more convenient , but this violates the first principle of anti-phishing behaviour … “NEVER enter your passwords ANYWHERE but the specific site they are designed for”. That means, regardless of how many safeguards they put in place, the idea of giving email password to ANYONE else for any reason is a serious breach of security protocol.
Early September 2006, Facebook introduced a new feature called "News Feeds" that shows an aggregation of everything members do on the site: For example, on the screen is my profile in Facebook. In the “mini feed” window, every action I have ever done is displayed, like: added and deleted friends, a change in relationship status, Give somebody some gifts, and so on. Then, these changes are all broadcasted to my friends’ home pages automatically. Though Facebook give user some control, like user can delete this kind of report, but they have to delete the items one by one. Moreover, when press the cancel button, the pop up dialog is like this, we can only hide this information, and we do not even have the choice to completely delete it.
After discussion the above problems, maybe we will ask: “ Is not there any privacy policy? ” Unfortunately, Facebook can change the rules whenever it wants. Its Privacy Policy is 3700 words long, and ends with a notice that it can change at any time. How many members ever read that policy, let alone read it regularly and check for changes? For these two features, privacy is more about control than about secrecy. So the website should give user the real right to control their privacy.
If the third party’s surveillance are gradually improved and standardized, the online network developers will not bring as many threats as nowadays.
Facebook’s “advanced search” allows one to query the database of users using any of the fields in a profile. When people hide their profile page, they expect the information on it remain private. For example if some a user set “getting drunk” as an interest and set his profile visible only for his friends, an advanced search for “getting drunk”, will list his name as well. But if some one search for example “getting drunk”, as an interest
It is interesting to know that If encryption on WAP (wireless application protocol) is set by default, 96% of users employ it. But 3.4% times the number do that when it is not set by default.
WEP uses the RC4 encryption algorithm, which is known as a stream cipher. A stream cipher operates by expanding a short key into an infinite pseudo-random key stream. The sender XORs the key stream with the plaintext to produce ciphertext. The receiver has a copy of the same key, and uses it to generate identical key stream. XORing the key stream with the ciphertext yields the original plaintext. This mode of operation makes stream ciphers vulnerable to several attacks. If an attacker flips a bit in the ciphertext, then upon decryption, the corresponding bit in the plaintext will be flipped. Also, if an eavesdropper intercepts two ciphertexts encrypted with the same key stream, it is possible to obtain the XOR of the two plaintexts. Knowledge of this XOR can enable statistical attacks to recover the plaintexts. The statistical attacks become increasingly practical as more ciphertexts that use the same key stream are known. Once one of the plaintexts becomes known, it is trivial to recover all of the others.
After having the introduction, and motivation about social networkes, I am going to discuss about some recent attacks to such social networks and the present the list of some possible security and privacy threats for such kind of highly-used Social Networks (such as Facebook, MySpace, and…)