Threats & Vulnerabilities in Online Social Networks

Similar documents
Exploiting Users' Inconsistent Preferences in Online Social Networks to Discover Private Friendship Links

Jason Polakis, Marco Lancini, Georgios Kontaxis, Federico Maggi, So5ris Ioannidis, Angelos Keromy5s, Stefano Zanero.

C1: Define Security Requirements

Trusted Profile Identification and Validation Model

OSN Attack Automated Identity Theft Attacks

Recommendation System for Location-based Social Network CS224W Project Report

SMART DEVICES: DO THEY RESPECT YOUR PRIVACY?

Privacy Based Protection Mechanism for Location Data with an Accurate Service

Web Security Vulnerabilities: Challenges and Solutions

Copyright

CS 161 Computer Security

Online Threats. This include human using them!

Reciprocal Access Direct for Online Social Networks: Model and Mechanisms

I. INTRODUCTION. T H Theepigaa. A Bhuvaneswari

A (sample) computerized system for publishing the daily currency exchange rates

Using Commutative Encryption to Share a Secret

Create strong passwords

Robust Defenses for Cross-Site Request Forgery

HY-457 Information Systems Security

Location Traceability of Users in Location-based Services

Robust Defenses for Cross-Site Request Forgery Review

Web Application Vulnerabilities: OWASP Top 10 Revisited

SOCIAL NETWORKING IN TODAY S BUSINESS WORLD

SOFIA: Social Filtering for Niche Markets

Supplementary file for SybilDefender: A Defense Mechanism for Sybil Attacks in Large Social Networks

7 The system should allow administrator to close a user profile. 8 The system shall make the old events invisible to avoid crowded geo scope.

Usable Security Introduction to User Authentication and Human Interaction Proof Research

All your face are belong to us: Breaking Facebook s Social Authentication

Biomedical Security. Some Security News 10/5/2018. Erwin M. Bakker

GATHERING SENSITIVE HEALTHCARE INFORMATION USING SOCIAL ENGINEERING TECHNIQUES

Facebook Immune System 人人安全中心姚海阔

Sybil defenses via social networks

Software Design Description Report

Threat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017

Evaluating Three Scrutability and Three Privacy User Privileges for a Scrutable User Modelling Infrastructure

You are Who You Know and How You Behave: Attribute Inference Attacks via Users Social Friends and Behaviors

ECE646 Fall Lab 1: Pretty Good Privacy. Instruction

Frequently Asked Questions (FAQ)

Information Security CS 526 Topic 11

Group Name: Team Epsilon Max Hinson Jhon Faghih Nassiri

Research and Design of Crypto Card Virtualization Framework Lei SUN, Ze-wu WANG and Rui-chen SUN

A Remote Biometric Authentication Protocol for Online Banking

Outline Key Management CS 239 Computer Security February 9, 2004

Sanitization Techniques against Personal Information Inference Attack on Social Network

INTERNET SAFETY* GALEN GARRETSON RASCAL MARCH 2-3, * Sources include learnfree.org, PC World, wikpedia.com, techterms.com

Insider Threats. Nathalie Baracaldo. School of Information Sciences. March 26 th, 2015

Security and privacy in the smartphone ecosystem: Final progress report

Main area: Security Additional areas: Digital Access, Information Literacy, Privacy and Reputation

UnLinked: Private Proximity-Based Offline OSN Interaction

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Intruders, Human Identification and Authentication, Web Authentication

It Cannot Get Away: An Approach to Enhance Security of User Account in Online Social Networks

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Computer Security & Privacy

An Overview of Secure Multiparty Computation

A Review Paper on Network Security Attacks and Defences


Privacy preservation in the dissemination of location data

The Honest Advantage

A Rule-Based Intrusion Alert Correlation System for Integrated Security Management *

CIS 6930/4930 Computer and Network Security. Topic 6. Authentication

ITT Technical Institute. CS420 Application Security Onsite Course SYLLABUS

Secure Image Sharing on Shared Web Sites Using Adaptive Privacy Policy Prediction System

EasyCrypt passes an independent security audit

Secure Multiparty Computation

Security at the Digital Cocktail Party. Social Networking meets IAM

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Detection of lost status of mobile devices

Privacy-Enhancing Technologies & Applications to ehealth. Dr. Anja Lehmann IBM Research Zurich

AN IMPROVED PRIVACY POLICY INFERENCE OVER THE SOCIALLY SHARED IMAGES IN SOCIAL WEBSITES

AIT 682: Network and Systems Security

Authentication. Identification. AIT 682: Network and Systems Security

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Network Access Control and VoIP. Ben Hostetler Senior Information Security Advisor

Social Networking Applied

ECE646 Fall Lab 1: Pretty Good Privacy. Instruction

Group Key Establishment Protocols

Configuring Twitter for a More Secure Social Networking Experience

Understanding Online Social Network Usage from a Network Perspective

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Passwords. Secure Software Systems

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

CSE 565 Computer Security Fall 2018

Governance Ideas Exchange

Privacy-Preserving of Check-in Services in MSNS Based on a Bit Matrix

Distributed ID-based Signature Using Tamper-Resistant Module

Relationship-Based Access Control (ReBAC or RAC)

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

CNT4406/5412 Network Security

Oklahoma State University Institute of Technology Face-to-Face Common Syllabus Fall 2017

Objectives of the Security Policy Project for the University of Cyprus

Security Policies and Procedures Principles and Practices

Usable Privacy and Security, Fall 2011 Nov. 10, 2011

Security Awareness. Chapter 2 Personal Security

Offline dictionary attack on TCG TPM weak authorisation data, and solution

A Survey of BGP Security Review

User Control Mechanisms for Privacy Protection Should Go Hand in Hand with Privacy-Consequence Information: The Case of Smartphone Apps

Web Security. Course: EPL 682 Name: Savvas Savva

Transcription:

Threats & Vulnerabilities in Online Social Networks Lei Jin LERSAIS Lab @ School of Information Sciences University of Pittsburgh 03-26-2015 201

Topics Focus is the new vulnerabilities that exist in online social networks Typical online social networks (OSN); E.g., Facebook & LinkedIn Location-based social networks (LBSN); E.g., Foursquare &Yelp Not the traditional problems in online systems Secure Communication Web-based Attacks; E.g., SQL Injection, Cross Site Scripting LERSAIS Lab @ School of Information Sciences 2

Outline Identity & Authentication Problems Email Address, Connections of Identities & Login Social Authentication Identity Validation Privacy Issues Privacy of User Profiles Privacy of Friendships Malicious Resources LERSAIS Lab @ School of Information Sciences Slide 3

Purpose Be aware of these problems & know how to mitigate or avoid the potential attacks Start to know current research topics regarding security & privacy in online social networks LERSAIS Lab @ School of Information Sciences 4

LERSAIS Lab @ School of Information Sciences 5

Background OSN User Profile Messages & Comments Pictures User Friendship Link Friend List Friend List LERSAIS Lab @ School of Information Sciences 6

LBSN User Create venues Explore various places Venue Check in at venues CHECK-IN (user, venue, time, ) Friendship Network VENUE (name, location, category, ) LERSAIS Lab @ School of Information Sciences 7

Entities, Elements & Mechanisms User s Social Network Friends Mutual Friends Recommended Friends User Identity / User Profile Attributes Venue (LBSN) Attributes User s Posts Messages Photos h k i ( ) Mechanisms Check-ins (LBSN) User Authentication Access Control Mechanisms LERSAIS Lab @ School of Information Sciences 8

Outline Identity & Authentication Problems Email Address, Connections of Identities & Login Authentication Privacy Issues Privacy of User Profiles Privacy of Friendships Malicious Resources LERSAIS Lab @ School of Information Sciences Slide 9

Email Address as Identity [1] Most online systems adopt a user ss email address as the user s identity Caused and causing many threats Used to identify various identities of a user in many online systems More vulnerable regarding online password cracking Share the same password Avoid the limits of fail login times Cracking one email address = Cracking related online accounts associated with this email address LERSAIS Lab @ School of Information Sciences 10

Email Address as Identity (cont.) Possible solutions Different email addresses? Different passwords? Password management? LERSAIS Lab @ School of Information Sciences Slide 11

Email Address as Identity (cont.) Email address is private & sensitive Anonymous Email Service Like Craigslist email system leijin@anonymous.com <-> leijin@gmail.com Anonymous.com Accept, extract messages and construct the new email, send No any record Not record leijin@gmail.com as a plaintext Gmail Not disclose leijin@anonymous.com LERSAIS Lab @ School of Information Sciences Slide 12

Outline Identity & Authentication Problems Email Address, Connections of Identities & Login Authentication Privacy Issues Privacy of User Profiles Privacy of Friendships Malicious Resources LERSAIS Lab @ School of Information Sciences Slide 13

Authentication problems in OSNs Authentication between a user and a social network system: facilitating login attempts (Login) Authentication between users: validating a user s identity (Identity Validation) LERSAIS Lab @ School of Information Sciences Slide 14

Login Motivations Difficult to remember text-based passwords Tend to use one simple password for multiple systems Social Authentication: adopting users knowledge in OSNs to authenticate users in order to facilitate their login attempts LERSAIS Lab @ School of Information Sciences Slide 15

Photo-Based Authentication Proposed by Yardi et al. [2] Basic idea: authenticate a user s login using the tagged photos in Facebook based on the assumption that a user can identify their friends from various photos LERSAIS Lab @ School of Information Sciences Slide 16

Photo-Based Authentication (cont.) Facebook Implementation It is triggered when the system detects a suspicious login attempt, according to a set of heuristics the user logs in from a different geographical location uses a new device (e.g., computer or smartphone) for the first time to access his account LERSAIS Lab @ School of Information Sciences Slide 17

Photo-Based Authentication (cont.) A sequence of 7 pages featuring authentication challenges after the password-based authentication Each challenge is comprised of 3 photos of an online friend; the names of 6 people from the user s social circle c are listed and the user has to select ect the one depicted The user is allowed to fail in 2 challenges, or skip them, but must correctly identify the people in at least 5 to pass the social authentication test LERSAIS Lab @ School of Information Sciences Slide 18

Issues in Photo-based Social Authentication Kim et al. [3] Friend information is not private enough People in the photos can be automatic recognized using face recognition ii tools Such a social authentication is vulnerable to statistical guessing attack for the names Polakis et al. [4] conducted the real attacks for the photobased social authentication in Facebook Access to 42% of friends -> solve 22% of Facebook social authentication tests Access to 120 faces of friends - > solve 100% LERSAIS Lab @ School of Information Sciences Slide 19

Improvements Polakis et al. [5] photo selection by using photos that fail software-based face recognition photo transformation where faces are transformed so as to render image matching techniques ineffective remaining recognizable to humans who are familiar with the depicted Results: Attack -> solve 0.4% of the challenges Users are able to identify their friends in over 99% of the photos with faces unrecognizable by software, and can solve over 94% of the challenges with transformed photos LERSAIS Lab @ School of Information Sciences Slide 20

Improvements (cont.) Jain et al. [6]: asks users to verify information about private their social contacts and their interactions Results: not as what they expected, since many users tend to forget their private information and their private activities t LERSAIS Lab @ School of Information Sciences Slide 21

Conclusions - Login Social authentication (e.g., (eg photo-based authentication) still needs many improvements Not each user has enough friends who are tagged in the photos No enough appropriate photos for authentications Theatrical analysis: How secure is it? LERSAIS Lab @ School of Information Sciences Slide 22

Identity Validation Motivations Difficult to identify the authenticity of a user s identityinanosn in Identity Clone Attacks [7] -> Various Security & Privacy Attacks LERSAIS Lab @ School of Information Sciences Slide 23

Cloned Identity LERSAIS Lab @ School of Information Sciences 24

Identity Clone Attack [7] - Design Attributes: name, education, birthday Friend network Friend List (FL): Connected friends of an ID Recommended Friend List (RFL): Generated by OSN systems (function of People You May Know on Facebook) Share same RFs Excluded Friend List (EFL): Social embarrassments Attackers - try to connect these individuals LERSAIS Lab @ School of Information Sciences 25

What are the best targets Not having Account Inactive Account Popular / Authority Account LERSAIS Lab @ School of Information Sciences 26

Attribute As Target Sub Targets: 1. Attribute Values 2. Privacy Settings LERSAIS Lab @ School of Information Sciences 27

Friend Networks As Target FL RFL EFL FL RFL EFL Faked ID LERSAIS Lab @ School of Information Sciences 28

Cloned Identity Detection [7] An Input Identity Profile Set Authentication Schemes Profile Filtering Profile Validation Candidate List Suspicious Identity List Fake Identity List Similarity Computation Thresholds Profile Similarity Schemes LERSAIS Lab @ School of Information Sciences 29

Profile Similarity il it Attribute Similarity S ( P, P) att c v SA cv A A c Friend Network Similarity For Basic Profile Similarity (BPS) v Basic Principle: Similar Attributes in Two Profiles S ( P, P) ( S S S ) Basic Principle: bfn c v ff frf fef Mutual Friends in Friend Networks For Multiple-faked l Identities Profile Similarity il it (MFIPS) S ( P, P) ( S S ) ( S S ) S mfn c v s ff s cf s frf s cfrf s fef Basic Principle: Similar Friends in Friend Networks LERSAIS Lab @ School of Information Sciences 30

Identity Validation Li et al. [8] propose a key exchange protocol that utilizes the secret questions, which work like a "naturally ypre-distributed" secret information between two parties LERSAIS Lab @ School of Information Sciences Slide 31

Identity Validation (cont.) Proposed by Zhao et al. [9] Basic Idea: A user trusts their friends and the trust in a social network system is transitive. A user could find a trusted path, indicating the transmission of the trust, to another in a social graph When two strangers meet in a social network, if they can find a trusted path, then they can rely on this common trusted persons in the path to authenticate each other LERSAIS Lab @ School of Information Sciences Slide 32

Conclusions - Identity Validation Many limitations Li et al: Friends in the physical world Not enough secrets How to select secrets Zhao et al: trust may not be transitive LERSAIS Lab @ School of Information Sciences Slide 33

Conclusions - Identity Validation (cont.) A practical approach h[ [7]: To ask users to provide their IDs in the real world Education LERSAIS Lab @ School of Information Sciences Slide 34

Outline Identity & Authentication Problems Email Address, Connections of Identities & Login Authentication Privacy Issues Privacy of User Profiles & Shared Resources Privacy of Friendships Malicious Resources LERSAIS Lab @ School of Information Sciences Slide 35

Infer User s Profile Information Assumptions: Friends tend to share the same interests Inferring a targeted user s private attribute based on his/her friends public attributes Example [10]: A user hides his education and occupation from the public Many of a user s friends are current students at the University of Pittsburgh Inference: University of Pittsburgh, Student LERSAIS Lab @ School of Information Sciences 36

Issues related to Shared Resources Photos A photo includes multiple individuals One of them posts it in his/her wall Privacy: others in the photos may be upset Check-ins (LBSNs) [11] A user exposes where and when he is A user exposes where his lives A user s friend or other people expose the user s location related information Existing Access Control mechanisms cannot address all of these problems [12] LERSAIS Lab @ School of Information Sciences 37

Outline Identity & Authentication Problems Email Address, Connections of Identities & Login Authentication Privacy Issues Privacy of User Profiles & Shared Resources Privacy of Friendships Malicious Resources LERSAIS Lab @ School of Information Sciences Slide 38

Issues Related to Users Friend Lists Importance of the friend list What a user s friends reveals Family, Work, Income, Reputation, Religion Used for Identity Clone Attacks Used for Inferring Private Attributes LERSAIS Lab @ School of Information Sciences 39

Attacks - Expose a User s s Social Network Mutual-friend based Attack [13] Friendship Identification and Inference Attack [14] LERSAIS Lab @ School of Information Sciences 40

Mutual Friend Feature Show mutual friends between two users Useful feature, e.g. Friend Recommendation, Friend Introduction Lack of the Access Control Mechanism! LERSAIS Lab @ School of Information Sciences 41

Attack Example E D A Alice B Bob C LERSAIS Lab @ School of Information Sciences 42

Defense Approaches Reason no restriction for querying mutual friends Defense approaches Hide user profile Access control to query mutual friends 43

Friendship Identification i & Inference Attack Users Privacy Settings for Friend Lists Private Friends w/o an excluding list Public LERSAIS Lab @ School of Information Sciences 44

Inconsistent Policies A s Friend List C A C C s Friend List A LERSAIS Lab @ School of Information Sciences 45

Inconsistent Preferences Example -1 F A T E B Inference G D C LERSAIS Lab @ School of Information Sciences 46

Inconsistent Preferences Example -2 Inference E A T B Inference D C LERSAIS Lab @ School of Information Sciences 47

Key Issue How to conduct effective inferences to identify the private friendships Guess Similarity-based inferences Random-walk inferences LERSAIS Lab @ School of Information Sciences Slide 48

Attack Schemes One attacker node & one target Adversary chooses a number of users, who are the most likely to be friends of a target, at one time based on the calculations l Multiple attacker nodes & one target Combine the attack knowledge (segments of the network) from different attacker nodes to be a more completed segment of the network Topology of the entire social network (multiple attacker nodes & multiple targets) Attack the most vulnerable targets first 49

Defense Approaches A s Friend List C s Friend List C A C A Squicciarini et al. -> voting algorithm & game theory Hu et al. -> Label Privacy Level, minimize privacy risk & sharing loss LERSAIS Lab @ School of Information Sciences 50

Outline Identity & Authentication Problems Email Address, Connections of Identities & Login Authentication Privacy Issues Privacy of User Profiles Privacy of Friendships Malicious Resources LERSAIS Lab @ School of Information Sciences Slide 51

Venue Attacks in LBSNs [15] Venue Attributes Creator Owner Name Address Geo-location Ct Category Statistical Information - Owner Promotion/Coupon (Set by Owner) LERSAIS Lab @ School of Information Sciences 52

Malicious Venue Creation Attack ANY user can create ANY type of a venue without being subjected to any AUTHENTICATION and the AUTHORIZATION from the actual owner Venue Not Created in a LBSN Does not exist in the real world: deceive and confuse users, destroy users trust tfor LBSNs Exists in the real world but not willing to share; e.g. home, private place Venue Already Created in a LBSN Create a similar venue using a similar/alternative name; e.g., School of Information Sciences - ischool LERSAIS Lab @ School of Information Sciences 53

Venue Ownership Hijacking Attack Bypass the owner authentication process & become the owner of the created venue Owner Authentication in Foursquare, Yelp and Facebook Place Phone number Address Impacts Expose customers visit information: users privacy Manipulate coupons/promotions: financial loss and/or destroy user trust on the venue Change the address of the venue LERSAIS Lab @ School of Information Sciences 54

Venue Location Hijacking Attack Venue s location is associated with its geo-location not the physical address Geo-location is dynamic in terms of possible inaccurate GPS signals Location update: the center of all the honest check-ins marked by a LBSN LERSAIS Lab @ School of Information Sciences 55

Users Honest Check-ins & Marked Users honest Check-ins & Marked as Host Check-ins by System as Dishonest Check-ins by System Users Dishonest Check-ins & Marked as Honest Check-ins by System Actual Location of the Venue Users Dishonest Check-ins & Marked as Dishonest Check-ins by System Manipulated Location of the Venue III IV LERSAIS Lab @ School of Information Sciences 56

The Movements of the Locations of the LERSAIS Lb Lab Correct Location 2013-04-08 2013-03-11 2013-03-07 2013-04-17 2013-05-02 2013-02-25 Targeted Location 2013-05-12 05 12 LERSAIS Lab @ School of Information Sciences 57

Combined Venue Attacks Venue Location Hijacking attack Venue Ownership Hijacking attack Malicious Venue Creation attack LERSAIS Lab @ School of Information Sciences 58

Moved 2 Miles away in May, 2012 Moved 3 Miles New Venue Created away in July, & Its Check-ins in 2012 August, 2012 LERSAIS Lab @ School of Information Sciences 59

References 1) Jin, L., Takabi, H., & Joshi, J. B. (2010, August). Security and privacy risks of using e-mail address as an identity. In Social Computing g( (SocialCom), 2010 IEEE Second International Conference on (pp. 906-913). IEEE. 2) Yardi, S., Feamster, N., & Bruckman, A. (2008). Photo-based authentication using social networks. In Proceedings of the first workshop on Online social networks (pp. 55-60). ACM. 3) Kim, H., Tang, J., & Anderson, R. (2012). Social authentication: harder than it looks. In Financial Cryptography and Data Security (pp. 1-15). Springer Berlin Heidelberg. 4) Polakis, I., Lancini, M., Kontaxis, G., Maggi, F., Ioannidis, S., Keromytis, A. D., & Zanero, S. (2012). All your face are belong to us: breaking Facebook's social authentication. In Proceedings of the 28th Annual Computer Security Applications Conference (pp. 399-408). ACM. 5) Polakis, I., Ilia, P., Maggi, F., Lancini, M., Kontaxis, G., Zanero, S.,... & Keromytis, A. D. (2014, November). Faces in the distorting mirror: Revisiting photo-based social authentication. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (pp. 501-512). ACM. 6) Jain, S., Lang, J., Gong, N. Z., Song, D., Basuroy, S., & Mittal, P. (2015). New Directions in Social Authentication. NDSS Workshop on Usable Security. 7) Jin, L., Takabi, H., & Joshi, J. B. (2011, February). Towards active detection of identity clone attacks on online social networks. In Proceedings of the first ACM conference on Data and application security and privacy (pp. 27-38). ACM. LERSAIS Lab @ School of Information Sciences 60

References 8) Li, L., Zhao, X., & Xue, G. (2012, May). An identity authentication protocol in online social networks. In Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security (pp. 28-29) 29). ACM. 9) Zhao, X., Li, L., & Xue, G. (2011, December). Authenticating strangers in fast mixing online social networks. In Global Telecommunications Conference (GLOBECOM 2011), 2011 IEEE (pp. 1-5). IEEE. 10) Mislove, A., Viswanath, B., Gummadi, K. P., & Druschel, P. (2010, February). You are who you know: inferring user profiles in online social networks. In Proceedings of the third ACM international conference on Web search and data mining (pp. 251-260). ACM. 11) Jin, L., Long, X., & Joshi, J. B. (2012, October). Towards understanding residential privacy by analyzing users' activities in foursquare. In Proceedings of the 2012 ACM Workshop on Building analysis datasets and gathering experience returns for security (pp. 25-32). ACM. 12) Jin, L., Long, X., Joshi, J. B., & Anwar, M. (2012, August). Analysis of access control mechanisms for users' check-ins in Location-Based Social Network Systems. In Information Reuse and Integration (IRI), 2012 IEEE 13th International Conference on (pp. 712-717). IEEE. 13) Jin, L., Joshi, J. B., & Anwar, M. (2013). Mutual-friend based attacks in social network systems. Computers & security, 37, 15-30. 14) Jin, L., Takabi, H., Long, X., & Joshi, J. (2014, November). Exploiting Users' Inconsistent Preferences in Online Social Networks to Discover Private Friendship Links. In Proceedings of the 13th Workshop on Privacy in the Electronic Society (pp. 59-68). ACM. 15) Jin, L., & Takabi, H. (2014, November). Venue attacks in location-based social networks. In Proceedings of the 1st ACM SIGSPATIAL International Workshop on Privacy in Geographic Information Collection and Analysis (p. 1). ACM. LERSAIS Lab @ School of Information Sciences Slide 61

Questions? LERSAIS Lab @ School of Information Sciences 62

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback