Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
1
Security on Social Networking
Sites
Simplifying
Security.
SAN FRANCISCO — Social networks are "lucrative hot beds" for cyber scams as crooks endeavor to dupe members of online communities,
according to a Microsoft security report released on Thursday.
"Phishing" attacks that use seemingly legitimate messages to trick people into clicking on booby‐trapped links, buying bogus software,
or revealing information rocketed 1,200 percent at social networks last year, it said.
"We continue to see cyber criminals evolve attack methods such as a significant rise in social network phishing," Microsoft malware
protection center manager Vinny Gullotto said in the Security Intelligence Report.
Phishing using social networking as a "lure" represented 84.5 percent of all such trickery in December as compared with 8.3 percent at
the start of 2010, according to the report.
Microsoft analyzed data gathered from more than 600 million computer systems worldwide from July through December of last year for
the semi‐annual study.
"The popularity of social networking sites has created new opportunities for cyber criminals to not only directly impact users, but also
friends, colleagues and family through impersonation," the report said.
Cyber Scams Rife at Social Networks: Microsoft
http://www.physorg.com
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
3
Scenario:
Identity Theft
over Social
Networking Sites
Alice wanted to show her friends how fun her
trip to Bahamas was. She uploaded her
photos of the trip in one of the social
networking sites. She was shocked when one
of her friends showed her a website that
contained her photos in compromised
positions. She realized that the photos from
her Bahamas trip were morphed.
What options has she left unchecked
while uploading the photos?
Module
Objectives
Social Networking Sites
What is a Profile?
Top Social Networking Sites
Security Risks Involved in Social
Networking Sites
Staying Safe on Facebook
Facebook: Security Tips
Staying Safe on MySpace
Security Measures
Social Networking Security
Checklist
Social Networking Security
Checklist for Parents and
Teachers
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
5
Introduction to
Social Networking
Sites
Social Networking
Security Threats
Staying Safe
on Facebook
Staying Safe
on MySpace
Module
Flow
Social Networking Sites
Social networking sites are
web‐based services
that allow users to build on‐line
profiles, share information, pictures, blog entries, music clips, etc.
These sites allow users to
create a list of other users
with whom they can share
information
It allows user to get themselves involved in discussion boards and hobby groups
It allow users to refer other potential users to businesses
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
7
What is a
Profile
?
Profile
Profile is a collection of information that
defines or describes a user’s interests
The main profile page of a user of any social
networking site introduces and describes the
user
The information that a user may post on
his/her profile includes:
Names/nicknames
Email addresses
Phone numbers
Photos, videos
Personal interests
Names of schools, sports teams, and friends
http://www.sophos.comTop
Social Networking Sites
http://www.ebizmba.com
http://www.facebook.com
http://twitter.com
http://www.myspace.com
http://www.linkedin.com
http://www.ning.com
http://www.classmates.com
http://www.tagged.com
http://hi5.com
http://www.myyearbook.com
http://www.bebo.com
http://www.meetup.com
http://www.mylife.com
http://www.friendster.com
http://multiply.com
http://www.myheritage.com
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
9
Introduction to
Social Networking
Sites
Social Networking
Security Threats
Staying Safe
on Facebook
Staying Safe
on MySpace
Module
Flow
Attacks on a Social
Networking Sites
Security Risks
Involved in Social
Networking Sites
Cyberbullying
Identity Theft
Phishing Scams
Malware Attacks
Site Flaws
Objectionable Content
Overexposure
Contact with Predators
Contact Inappropriate
Adults and Businesses
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
11
Cyberbullying refers to the abuse of technology to harass or threaten the
Internet users
The information posted on social networking sites such as pictures, videos, comments,
updates can be used to
spread false rumors
,
threaten to reveal the information
on the
Internet, harass/blackmail the user, stalking the user, etc.
According to a research by the Pew Internet Project,
39%
of social network users had been
cyber‐bullied in some way, compared to
22%
of online teens who do not use social networks
Identity Theft
People often get carried away with
posting
information
onto social networking sites
Left in the hands of cyber criminals, such
information can be used to
hack into an online
services security questions
, leading to identity
theft
Attacker can also use the information to
penetrate into the corporate network
of a
company of his/her target
Alternatively, the attacker may find the
user’s
name
, browse through his/her social profile
He can then write an e‐mail based on the user’s
interests bearing a
malicious link or document
User
Attacker
Malicious email
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
13
Social networking sites contains
user’s information
like the email
addresses, archived messages
This information can be used to
customize email messages or fake
websites
designed such that the
victims disclose usernames,
passwords, credit card numbers,
etc.
Phishing
Scams
If a user clicks on the
Update
button, he/she is
redirected to a Facebook look‐alike
phishing site
Users are then asked to enter a
password
to complete
the Update procedure
Malware
Attacks
Malware attacks are carried out
through social engineering as users
are mostly
misled into clicking on
malicious links
embedded within
personal messages
Malicious software give attackers
access to your profile
and personal
information
Malicious software may also
send
messages automatically to your
"friends" list
, instructing them to
download the new application too
Another method of attack involves
applications
advertised on
social networking sites, which appear genuine
However, some of these applications install
malicious code
or
rogue antivirus software
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
15
Site
Flaws
There have been instances when site flaws in the social networking sites allow the
information of the users to be
accessed
, even though the
privacy settings
are set
Such information can include mother’s maiden name, often used as a
security question
in online
and real‐life security checks
Social
Networking
Sites Flaws
Server‐side flaws
Cross‐site scripting
Cross‐site request forgery
On many social
networking
communities, users post
material that is not
appropriate for children
This can include
obscene, racist or
violent text and images
Many community pages
may contain material
that is not appropriate
for the children
The child may be
involved in posting
pictures of himself or
herself or of friends that
may be misused
Individuals with
intention to exploit
minors may create
community pages
pretending to be teens
themselves
Objectionable Content
Overexposure
Contact with Predators
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
17
Introduction to
Social Networking
Sites
Social Networking
Security Threats
Staying Safe
on Facebook
Staying Safe
on MySpace
Module
Flow
Facebook Privacy Settings
Facebook allows the users to
set the privacy settings for:
Search
Friend requests
Messages
Friend List
Education and Work
Current city and Hometown
Likes, activities and other
connections
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
19
Profile
Settings
Set the profile settings as “
Only my friends
”‐By default, Facebook allows all of your
networks and all of your friends to be able to view your profile
The users reveal personal information to potential identity thieves if they leave this option
to default settings
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
21
Privacy Settings for Applications
Privacy settings for applications controls
what
information shared
with websites
and apps, including search engines
You can view your apps, remove any you
don't want to use, or
turn off platform
completely
Everybody on Facebook can read the user
notes, but it is advisable to
limit visibility
of notes
to just friends
Settings to
Block Users
This settings lets you
block people
from interacting with you or seeing your information
on Facebook
You can also specify friends you want to
ignore app invites
from, and see a list of the
specific apps that you've blocked from accessing your information and contacting you
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
23
Recommended Actions for Facebook
Search Settings
Allow anyone to see my
public search listing
Allow my public search listing to be indexed by external search enginesSee your picture
Send you a message
Poke you
Add you as a friend
View your friend list
Be careful
“No”
Be careful
“No”
“No”
Be careful
“No”
Option
Recommended Action
Reason
The users should select the option “Yes” only if they want
people they are familiar with to know that they are on
The user should not allow people who are not yet their
friends to view their friend list
Be cautious before accepting anyone's friend request
By responding to the poke from an unknown user, the users
will be allowing him/her to view their profile information
for a period of time
If the users respond to a message sent by someone that
they are not friends with, the unknown users will be able
to view the user’s profile
Do not share pictures that may embarrass or that are
personal
If enabled, it allows people using external search engines
like Google, Yahoo and MSN to find the user on Facebook
Facebook: Security Tips
Facebook: Security Tips
1. Adjust Facebook privacy settings to help protect identity
2.
Think carefully about who is allowed to become a friend
3. Show "limited friends" a cut‐down version of the profile
Facebook allows its users to make people 'limited friends' who only have partial
access to the user profile
This is useful if the users have connections who they do not feel comfortable
sharing personal information with
4.
Enable access to information only when necessary
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
25
Introduction to
Social Networking
Sites
Social Networking
Security Threats
Staying Safe
on Facebook
Staying Safe
on MySpace
Module
Flow
Step 1: Go to “Account Settings”
Go to
Account Settings
Privacy
Do not check
Online Now
if you do
not wish others to know when you
log in
Check
Show my birthday to my
friends
only if necessary
Do not check following options
under
applications
:
Do not allow my profile information to
be accessed by games and third party
services I haven’t connected to option
Do not allow communications from
games and third party services I
haven’t connected to
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
27
Step 2: Check Settings for “
Comments
”
and “
”
Go to
Account Settings
Comments
and check
Only
Friends can add comments
to my blog
Go to
Account Settings
and check
only people
I know
to receive emails
from people you know
Step 3: Check Settings for “Friends
Request” and “IM”
Go to
Account Settings
Friends Request
Check
Require CAPTCHA
[?] from users suspected
of spamming
and also
check other options
according to your choice
Go to
Account Settings
IM
Check
Only My IM
friends
to appear only
friends in the IM list
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
29
Step 4: Check Settings for
Stream Settings
Go to
Account Settings
My published activities
and check the proper option
according to your choice
Go to
Account Settings
My Friends' Activities
and check the proper option
according to your choice
Step 5: Settings for
Block Users By Age
Do not check
Allow users under 18 to contact me
Checking this option would allow all the fake users who pretend to be
Under 18
access to the account
To deny any unauthorized access to the profile:
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
31
Module
Summary
Social networking sites allow users to build online profiles, share information, pictures,
blog entries, music clips, etc.
The main profile page of a user of a social networking site introduces and describes the
user
Cyberbullying is the process of using technology to harass or bully someone
Social networking sites contain the user’s information like email addresses, archived
messages that can be used to customize email messages, or fake websites
Malware attacks are carried out through social engineering as users are mostly misled
into clicking malicious links embedded within personal messages
Set appropriate privacy and security defaults and choose a complex/unique password
for the account
Read the
privacy policy
and
terms of service
carefully
Do not post anything
personal
on the social networking site
Set appropriate
privacy and security defaults
to make your profile private
Choose a
complex/unique password
for the account
Be careful about
what is posted
on the Internet
Be careful installing
third‐party applications
Only accept
friend requests
from people you know
Only share limited
personal information
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.