Social Network Engineering for Secure Web Data and Services


Luca Caviglione

National Research Council of Italy, Italy

Mauro Coccoli

University of Genoa, Italy

Alessio Merlo

University of Genoa, Italy & Università Telematica E-Campus, Italy


Managing Director: Lindsay Johnston
Editorial Director: Joel Gamon
Book Production Manager: Jennifer Yoder
Publishing Systems Analyst: Adrienne Freeland
Development Editor: Myla Merkel
Assistant Acquisitions Editor: Kayla Wolfe
Typesetter: Alyson Zerbe
Cover Design: Jason Mull

Library of Congress Cataloging-in-Publication Data

Social network engineering for secure web data and services / Luca Caviglione, Mauro Coccoli, and Alessio Merlo, editors.

pages cm

Includes bibliographical references and index.

Summary: “This book provides empirical research on the engineering of social network infrastructures, the development of novel applications, and the impact of social network-based services over the internet”--Provided by publisher.

ISBN 978-1-4666-3926-3 (hardcover) -- ISBN 978-1-4666-3927-0 (ebook) -- ISBN 978-1-4666-3928-7 (print & perpetual access)

1. Online social networks--Security measures. 2. Data protection. I. Caviglione, Luca II. Coccoli, Mauro, 1980- III. Merlo, Alessio, 1966-

HM742.S6287 2013 302.3--dc23 2012051554

British Cataloguing in Publication Data

A Cataloguing in Publication record for this book is available from the British Library.

All work contributed to this book is new, previously-unpublished material. The views expressed in this book are those of the authors, but not necessarily of the publisher.

Published in the United States of America by

Information Science Reference (an imprint of IGI Global) 701 E. Chocolate Avenue

Hershey PA 17033 Tel: 717-533-8845 Fax: 717-533-8661 E-mail: cust@igi-global.com Web site: http://www.igi-global.com

Copyright © 2013 by IGI Global. All rights reserved. No part of this publication may be reproduced, stored or distributed in any form or by any means, electronic or mechanical, including photocopying, without written permission from the publisher. Product or company names used in this set are for identification purposes only. Inclusion of the names of the products or companies does not indicate a claim of ownership by IGI Global of the trademark or registered trademark.


Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.

Chapter 1

DOI: 10.4018/978-1-4666-3926-3.ch001

Luca Caviglione

National Research Council of Italy, Italy

Mauro Coccoli

University of Genoa, Italy

Alessio Merlo

University of Genoa, Italy & Università Telematica E-Campus, Italy

On Social Network Engineering for Secure Web Data and Services

ABSTRACT

Online Social Network (OSN) applications are used every day by millions of people, and have an impact on society, the economy and lifestyle. They also accelerate the development, or the adoption, of new technologies, for instance to support new mobile paradigms. Besides, OSNs are an important building block of the Web 2.0, thus offering new services, such as product placement, advertising and user profiling. Hence, OSNs are valuable frameworks, contributing to the technological pool of the Internet itself. Their tendency to shift an individual's life into a digital space makes OSNs interesting targets for attacks, to disclose personal details, and to force human securities through digital insecurities. In order to be effective, OSN platforms must be properly engineered, with privacy and security protection as strict design constraints. To this aim, it is crucial to investigate potential new behaviors, Web-based technologies, traffic patterns and innovative security policies. In this perspective, this chapter discusses the state of the art in the engineering of OSN infrastructures, the key issues, and the research actions needed to effectively advance social network engineering for secure Web data and services.


INTRODUCTION

In recent years, Online Social Network (OSN) services (Boyd & Ellison, 2007) have become a consistent part of the Internet and the World Wide Web (WWW). In fact, they are used every day by millions of people, interacting through such platforms according to different flavors. Specifically:

• By using the OSN in a stand-alone manner from a Web browser, for exploiting social duties, such as maintaining or establishing relationships according to common interests, real-life partnerships, or for business development;

• By exploiting the social infrastructure as an integrated communication platform, thus for sharing data, exchanging messages, or for audio/video conferencing;

• By syncing their real-world activities and social knowledge with remote peers, making OSNs the first massive technological enabler for the mobile Internet. We mention, among others, the sharing of physical locations, contacts and events, photos, and reviews or suggestions about commercial activities or trips. In this case, important components are the hardware equipment of handheld devices, the ubiquitous availability of the Internet, and the introduction of ad-hoc client interfaces making the access to, and the control of, digital alter egos simple and effective;

• By considering the OSN as a third party component. For instance, to share comments relying on such a platform as a trusted identity manager, to keep track of visited sites and to declare interests about specific topics or brands;

• By consuming data via the Application Programming Interfaces (APIs) made available by many services to build new applications, or by adopting the OSN as a real development platform.

Consequently, OSNs can be considered one of the most relevant advancements for creating an Internet of People, thus making the individual a central entity. However, focusing on “humans”, rather than devices or services, is not a completely novel concept. In more detail, the World Wide Web Consortium (W3C) put a relevant effort in the creation of a Social Web (W3C, 2010). Notwithstanding, such a vision has not been implemented under its organic guidance; rather, it has been progressively built according to ad-hoc OSN platforms and other services, e.g., those for sharing photos or for audio/video communications. As a result, the social organization, with the acceptation of services, APIs, human-to-machine interactions, and business-to-business logics, constitutes a very split space, resulting in mostly overlapped or closed sets of functionalities.

Needless to say, data stored and managed have great potentialities for the following reasons:

1. Performances of OSNs are tightly coupled with the accuracy of data provided by users. As an example, the more a user offers personal details, the better will be the outcome of algorithms used to suggest friends, potential business partners, reconnect with past classmates, or to find people sharing common interests. On the contrary, this can expose individuals to threats similar to those happening in real life, e.g., bullying (accordingly defined as cyber-bullying);

2. The popularity of social applications, jointly with their ubiquitous integration, e.g., via mash-ups, plug-ins and task-specific code snippets, can lead to massive data volumes describing persons, habits, preferences, and personal details; also, these sets of data may be accessed by malicious applications, thus potentially compromising the privacy of the user;

3. The individual-centric nature of OSNs intrinsically gives a lot of freedom to users. In fact, people are owners of data, and everyone has different needs when constructing his/her alter ego, thus making information management and privacy settings often delegated to users, who may be circumvented or forced to spread their own data to malicious targets.

Points 1-3 can lead to several hazards, and capture the attention of many parties, possibly aiming at performing some undesirable actions. In more detail, (1) could attract single attackers aiming at forcing the digital representation of an individual for small scams or simple curiosity. Then, (2) deals with very appealing data, which can be used for large-scale fraud activities, or sold to industries or companies for business development, employee or competitor profiling purposes, or worse, blackmailing competitors. Lastly, (3) represents an issue per se, since high freedom put in non-skilled hands often leads to dangerous actions. We point out that, even in the presence of conscious users, privacy management policies and options are often incompatible, very mixed and confusing.

To summarize, heterogeneities, the lack of long-term standardization efforts, and the attractiveness of personal data (e.g., both from the industrial world for marketing purposes, and from attackers for bringing attacks to the next level) make privacy and security a critical aspect to evaluate. At the same time, the aforementioned characteristics make the engineering and management of proper security countermeasures an extremely complex task. Thus, engineering secure data and services belonging to social areas requires a multidisciplinary effort, which spans sociology, relationship issues, cognitive processes, scalability issues, human-machine interaction, Web 2.0 technologies, ubiquitous availability and dependability.

Proper engineering and research actions can dramatically reduce (or completely prevent, in the best case) the natural vocation of OSN applications in amplifying the effectiveness of classical attacks, e.g., social engineering, multiple profile fusion, user profiling and identity theft (Caviglione & Coccoli, 2011). Additionally, a thorough investigation process can reveal the major effectiveness in state-of-the-art security solutions, which can quickly become outdated or lose effectiveness due to user-generated flaws, lack of unified privacy/security frameworks, threats rooted in the usage of Web technologies, weak security at the network level and interactions with un-authoritative/un-trusted third parties or machineries.

Therefore, in order to perform an effective social network engineering for secure data and services, it is important to investigate, among others, the following aspects: sociological implications of individuals interacting in a digital environment, and their exploitation through engineering approaches; identity credibility and trust issues; modeling including users’ dynamics, hazardous behaviors, and definition of schemas to represent security issues; evaluation of current development tools, standards and technologies of OSN applications; the design and deployment of social-enabled frameworks; potential contact points between OSNs and networking, e.g., performing traffic analysis and identification of social services, possibly in relation to network security; application of the OSN paradigm to new scenarios, e.g., e-learning, on-line gaming, application development, and A/V conferencing; understanding and optimizing Web-oriented interaction, protocols, and performances; making security an imperative requirement, thus meticulously evaluating general security aspects of OSNs, privacy, authentication, authorization, access control and development of innovative and effective testing tools; implementation of new semantic methodologies and architectural blueprints.

In this vein, efforts both from academics and industrial researchers are needed to fill the gap in the current state-of-the-art literature on data, services and engineering methodologies applied to social networks in a broad sense.


REFERENCES

Boyd, D. M., & Ellison, N. B. (2007). Social network sites: Definition, history, and scholarship. Journal of Computer-Mediated Communication, 13(1), 210–230. doi:10.1111/j.1083-6101.2007.00393.x.

Caviglione, L., & Coccoli, M. (2011). Privacy problems with Web 2.0. Computer Fraud & Security, (10): 16–19. doi:10.1016/S1361-3723(11)70104-X.

W3C (World Wide Web Consortium) - Incubator Group Report (2010). A standards-based, open and privacy-aware social Web. Retrieved September, 2012 from http://www.w3.org/2005/Incubator/socialweb/XGR-socialweb-20101206
