Social Networking: Risks and realities
Nick Barron
nick.barron@pennantplc.co.uk

Who am I?
• Day job
  – Employed by Pennant Plc, www.pennantplc.co.uk
  – Head of Group IT, Security controller, software developer
• Meanwhile...
  – Freelance security consultant/researcher
  – SC magazine columnist
  – IT advisor to DISA
• Disclaimers
  – Views expressed are my own, not those of my employer
  – Don’t try this at work without consent
  – Check legal aspects

What am I talking about?
• What information can be obtained from online social networks?
• How can it be (ab)used?
• What can you do to address the risks?
• Focus on corporate liabilities/risks
• Mainly about risks of online social networks, but many apply equally to old-fashioned ones too!

The usual suspects

Not just for kids
Source: http://www.penn-olson.com/2010/02/19/the-social-media-age-distribution-stats/ (used with permission)

How data leaks: users
• Oversharing
• Short-temper syndrome
• Underestimated automation
(Flowchart: Did you post it online? If not, possibly private; if so, probably not private.)

How data leaks: hacks

How data leaks: loose lips

How data leaks: loose lips
http://www.weknowwhatyouredoing.com

How data leaks: apps

How data leaks: location

Facebook never forgets!

Feature creep

Risks are real…
http://news.bbc.co.uk/1/hi/8134807.stm

Risks are real… (2)
https://www.zdnet.com/blog/facebook/chinese-spies-used-fake-facebook-profile-to-friend-nato-officials/10389

Risks are real (3)

Risks are real (4)

Risks are real (5)
• “All Your Contacts Are Belong to Us”, WWW2009, http://www2009.eprints.org/56/
• Automatically create fake profiles and request friends
• Create profiles on other sites

Risks are real (6)
http://thecaucus.blogs.nytimes.com/2009/02/09/in-iraq-to-twitter-or-not-to-twitter/

Who cares?

Using the data (1)

Using the data (2)
• Online Privacy Foundation’s “Big 5” experiment, https://www.onlineprivacyfoundation.org/?p=329
  – Establish Myers-Briggs characteristics
  – Linguistic and post statistics analysis
  – Statistically significant link between FB habits and personality test results (but…)
  – Twitter: are you a psychopath?!
• “Augmenting password recovery…”, http://www.dfrws.org/2011/proceedings/08-340.pdf
  – Use online profiles to help guess passwords
  – Early days, but other research ongoing
  – What about those password reset questions…?

Using the data (3)
• Facebook analysis to identify Nigerian scammers
  http://preview.tinyurl.com/specops-paper (PDF)
  http://preview.tinyurl.com/specops-vid (video)

Sanity check
• Your employees will use Facebook etc.
  – Even if blocked at work
  – Use takes place outside the corporate network perimeter
• Social network users are not customers, they are the product
• It is not in social network vendors’ commercial interests to make your privacy a priority
  – Long record of truly awful security
  – Commercialisation is an incentive for more intrusion

Defences

Guidance
http://www.cpni.gov.uk/documents/publications/2010/2010032-gpg_online_social_networking.pdf
http://preview.tinyurl.com/gpg27

Guidance (2)
http://preview.tinyurl.com/sophossmt

Countermeasures
• Education, education, education
  – Most users don’t actually want to breach privacy
  – Usually unaware of how much is available
  – Better privacy awareness increases personal security as well as business security
Cartoon used with kind permission of Scott Hampson, www.agent-x.com.au

Countermeasures (2)
• Snoop yourself (Google, NodeXL, Maltego etc.)
• Check exposure of key staff
• Include social networks in scope for penetration tests (but check with ethics/legal departments)

Countermeasures (3)
• Blur data where possible
  – Your friends will already know most of the useful info
  – Minimise what goes into your profile
  – Seed a few bogus “facts”
  – Turn off location features
  – Check password reset policies
• But….
  – Leaving your DOB out of your profile is no help when people post “Happy Birthday” on your Facebook wall!
  – Lying may be a breach of the terms of service

Countermeasures (4)
• Weed out old accounts
  – FriendsReunited, MySpace etc.
• Compartmentation where possible
  – Facebook for home stuff
  – LinkedIn for business
  – Flickr for pictures
• Email
  – Avoid using corporate mail addresses for social networking sites
  – High-value targets should consider using different email addresses

Countermeasures (5)
• “Placeholder” profiles on unused systems
• Look at ‘privacy’ settings
  – KISS: don’t have too many options
  – Assume privacy controls will fail, and consider the impact
  – If in doubt, don’t post
Cartoon used with kind permission of Scott Hampson, www.agent-x.com.au

Summary
• Online social networks are not going away any time soon
• There are real benefits to their use for many staff
• OSN vendors cannot be trusted to implement strong security
• Education and defensive monitoring are the best protections
• The risks apply to non-electronic social networks as well!

Links…
• www.44con.com (Sept 2012, lots of business-level info too)
• www.agent-x.com.au for great cartoons!
• www.securityg33k.com
• www.facecrooks.com
• www.onlineprivacyfoundation.org
• harmonyguy.com
• www.social-engineer.org
• nodexl.codeplex.com (free Excel plugin for social network analysis)
• www.paterva.com (industry standard tool for network analysis)

Questions?