Practice Online Social Networking Safely
By Brian Dykstra
Special to Law.com
October 13, 2008
The value of networking for lawyers cannot be overstated. As a marketing tool, networking can be a law firm’s best advertisement for legal services. The message is carried by the actual service providers who have a stake in its delivery. All the same can be true of online social networking, but the online medium can harbor hidden dangers for lawyers that were highlighted at Black Hat 2008.
Many of the best presentations of Black Hat 2008 didn’t involve examples of new hacking exploits, but instead covered more subtle examples of how personal information and trust could be exploited. The presentation “Satan Is On My Friends List: Attacking Social Networks” by Nathan Hamiel (Idea Information Security) and Shawn Moyer (FishNet Security) provided a harrowing, yet entertaining, look at a number of ways that social networking sites and their users can be exploited.
For those of you that have avoided these sites on the Internet, or don’t have teenage children, social networking sites or social networking services (some are for-pay services) are Web sites that allow people with a common interest to form an “online community.” Typically this entails allowing users to easily create their own Web pages on the larger social networking site’s Web server, where they can post digital media such as pictures, video and music. The social aspect of these sites comes in when other like-minded individuals can post comments to users’ pages, send e-mails, participate in online chats and generally be social. Some of the best known of these social networking sites include MySpace, Facebook, Bebo, Orkut, Friendster and Cyworld. Most of these social networking sites allow users to search for and connect with other users that share similar interests and become their “virtual friend.” The virtual friend is then added to a “friends list,” which in turn helps him or her connect with others; this extends the social network by connecting more and more users to each other.
While many social networking sites such as MySpace and Facebook are free to users, many other social networking and dating sites (just another form of social networking) such as Classmates.com, E-Harmony.com, Match.com and others charge for their services. In many cases the individual user is the publisher of his or her own content on the social networking space. However, in the past few years, social networking has gone professional. Musicians, actors and movie producers all have found ways to use social networking to promote themselves and their services. Corporate human resources departments use social network sites to post job listings as well as to check the “online persona” of potential hires. There are also a number of well-intentioned social sites such as PatientsLikeMe, SoberCircle, SixDegrees.org and the Network for Good, which use the power of social networks to connect people with health and charity interests. One of the largest corporate social networks is the professional networking site LinkedIn, which boasts over 25 million users in 150 industries. If you aren’t already involved in social networking chances are someone sitting next to you is.
As with all things that draw the attention of millions of Internet users and advertising dollars, hackers, spammers and other criminals aren’t far behind. In their Black Hat presentation, Hamiel and Moyer (Internet security “good guys”) outlined a series of attacks based upon what they called “featureabilities.” Featureabilities are insecure features in the architecture of social networking sites that are necessary for users to get the media-rich experience and interaction that they expect from social networks. The security weaknesses of these featureabilities have been well understood by both the computer security and hacking communities for a number of years. Examples of some of these dangerous featureabilities include:
Cross-Site Request Forgery (CSRF): This attack works by exploiting the trust that a Web site has in a specific user. Web sites commonly perform tasks linked to specific URLs that allow specific user-requested actions to be performed (for example, to buy 1,000 shares of Amazon.com stock, the URL might look like http://investment.com/stocks?buy=1000&symbol=AMZN). If a legitimate user is logged into a social networking site, and a hacker tricks that person’s browser into making a request to a task URL, then the task is performed and logged as the legitimate user without his/her knowledge. Typically a hacker performs this attack by embedding malicious HTML or JavaScript code into an e-mail, forum posting or Web site link to request that a specific task be performed without the legitimate user’s knowledge. In their Black Hat example, Hamiel and Moyer used a very funny demonstration involving Alice Cooper, Bob Saget and Eva Longoria to show how they could use CSRF in an image embedded in an e-mail to force their way onto a user’s MySpace Friends List without permission.
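The mechanism above, and the server-side fix for it, as an added example (this is not code from the article or from the Black Hat presenters; the site origin `socialnet.example`, the `/friends/add` task URL and the handler names are hypothetical). The “before” handler performs the friend-add for any request that carries the session cookie, which is exactly why an image tag in an e-mail is enough. The “after” handler requires a POST, a same-site Origin/Referer, and a per-session synchronizer token that a page on another site cannot read and therefore cannot supply:

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store (hypothetical): session id -> user, CSRF token, friends.
SESSIONS: dict = {}
SITE_ORIGIN = "https://socialnet.example"  # placeholder origin of the site being protected


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the server sees it."""
    method: str
    path: str
    cookies: dict
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def create_session(user: str) -> str:
    """Logs a user in: issues a session cookie value and a per-session CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16), "friends": set()}
    return sid


def vulnerable_add_friend(req: Request) -> int:
    """'Before': any request carrying the session cookie performs the action.
    Browsers attach cookies automatically, so an <img> on a foreign page triggers it."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return 401
    session["friends"].add(req.params["friend"])
    return 200


def hardened_add_friend(req: Request) -> int:
    """'After': state changes need POST, a same-site source and a synchronizer token."""
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return 401
    if req.method != "POST":
        return 405  # GET must be side-effect free; a task URL inside <img> never reaches the action
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not source.startswith(SITE_ORIGIN):
        return 403  # request was initiated from another site
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return 403  # a foreign page cannot read the victim's token, so it cannot supply it
    session["friends"].add(req.params["friend"])
    return 200


def simulate() -> dict:
    """Replays three constructed requests against both handlers and reports the outcome."""
    sid = create_session("alice")
    results = {}

    # 1. The victim's mail client loads an image whose src is the task URL.
    img_fetch = Request("GET", "/friends/add", {"sid": sid},
                        {"friend": "mallory"}, {"Referer": "https://webmail.example/inbox"})
    results["vulnerable_img"] = vulnerable_add_friend(img_fetch)
    results["hardened_img"] = hardened_add_friend(img_fetch)

    # 2. A page on another site submits a form at the task URL; still no token.
    foreign_post = Request("POST", "/friends/add", {"sid": sid},
                           {"friend": "mallory"}, {"Origin": "https://other-site.example"})
    results["hardened_foreign_post"] = hardened_add_friend(foreign_post)

    # 3. The user clicks "Add friend" on the site's own page, which carried the session's token.
    legit = Request("POST", "/friends/add", {"sid": sid},
                    {"friend": "bob", "csrf_token": SESSIONS[sid]["csrf"]},
                    {"Origin": SITE_ORIGIN})
    results["hardened_legit"] = hardened_add_friend(legit)

    # "mallory" appears only because the vulnerable handler accepted request 1.
    results["friends"] = sorted(SESSIONS[sid]["friends"])
    return results


if __name__ == "__main__":
    print(simulate())
```

The token check uses `hmac.compare_digest` so that a wrong token is rejected in constant time, and the Origin/Referer check is kept as a second layer rather than the only one, because some browsers and proxies strip the Referer header.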
Cross-Site Scripting (XSS): This type of attack is commonly used by hackers to get an unsuspecting user’s Web browser to run malicious HTML or JavaScript code unknowingly. There are several different methods of XSS, but in general they target a vulnerability in Web applications that exploits the automatic execution of scripts by a user’s Web browser. In social networking, a hacker normally attacks a user by embedding an XSS link in an e-mail or by using a stored XSS on a Web page.
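The stored-XSS case in a comment section, as an added example that is not part of the article: a “before” renderer that interpolates user text straight into markup beside an “after” renderer that HTML-encodes it, a link builder for the attribute context (where encoding alone is not enough, because a `javascript:` URL contains no special characters to encode), and a restrictive Content-Security-Policy header as a second layer. The sample comments are constructed; the function names and `socialnet.example` are hypothetical.

```python
import html
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample of stored comments as a site would read them back from its database.
# The third one is the kind of input a stored-XSS attempt leaves behind.
SAMPLE_COMMENTS: List[Tuple[str, str]] = [
    ("bob", "Great photos from the conference!"),
    ("carol", 'Links to the "Satan Is On My Friends List" slides, anyone?'),
    ("unknown", "<script>alert('xss')</script>"),
]


def render_comment_unsafe(author: str, body: str) -> str:
    """'Before': user text goes straight into markup, so any tags in it become part of the page."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_safe(author: str, body: str) -> str:
    """'After': HTML-encode user text for the element-body context so the browser
    displays the characters instead of executing them."""
    return (f'<div class="comment"><b>{html.escape(author, quote=True)}</b>: '
            f'{html.escape(body, quote=True)}</div>')


def safe_profile_link(url: str) -> Optional[str]:
    """Attribute context: allow only absolute http(s) URLs, then encode for the attribute.
    Returns None for anything else (javascript:, data:, relative paths)."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None
    encoded = html.escape(url.strip(), quote=True)
    return f'<a href="{encoded}" rel="noopener noreferrer">{encoded}</a>'


def build_page(comments: List[Tuple[str, str]]) -> Tuple[Dict[str, str], str]:
    """Assembles the comment section; the CSP header means that even if one
    encoding step were missed, inline scripts would not run in modern browsers."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    }
    body = "\n".join(render_comment_safe(author, text) for author, text in comments)
    return headers, body


def script_tag_survives(rendered: str) -> bool:
    """Review helper: does a raw <script> tag remain in the rendered output?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for author, text in SAMPLE_COMMENTS:
        print("unsafe:", render_comment_unsafe(author, text))
        print("safe:  ", render_comment_safe(author, text))
    print(safe_profile_link("javascript:alert(1)"))
    print(safe_profile_link("https://socialnet.example/profile/bob"))
```

Encoding must match the context the data lands in: `html.escape` is right for element bodies and quoted attributes, but a URL in `href` additionally needs the scheme allow-list above, and data placed inside a `<script>` block or an event handler would need a different encoder again.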
Custom Social Net Apps: This last type of attack goes straight to one of the core problems in social networks: lack of verification. As with many software applications that we commonly download and run from the Internet, there are thousands of plug-and-play applications that users can run on social networking sites. The social networking sites themselves don’t verify or validate user-provided applications and take no responsibility for any damage. In a worst-case scenario a user could unwittingly download and use a plug-and-play social networking application on their site that maliciously attacks visitors to their social site.
When asked what the single biggest threat facing social networking users is, most security professionals actually seem to agree that lack of verification is No. 1. “The lack of an ability to verify anyone’s identity on socialnet sites is the biggest problem,” said Hamiel. He went on to say, “Someone could create a fake corporate ‘socialnet’ complete with fake employees to draw unsuspecting social users in and put out whatever negative information they wanted with no verification.” As a demonstration of this capability Hamiel and Moyer created a fake LinkedIn account for computer security luminary Marcus J. Ranum.
With Ranum’s permission for the project, the pair spent about three hours collecting press releases, bios and articles from Marcus to provide all the necessary background materials to establish what was dubbed “The Marcus Experiment.” With their fake Marcus Ranum LinkedIn social network site established, the duo identified likely dupes for their experiment by searching Google for computer security professionals heavily involved in social networking and linking to their social networks. “In socialnets, friends are currency,” says Moyer. “By linking to these other security professionals we established legitimacy for our fake Marcus.”
In a period of less than 24 hours, the pair was able to establish connections to 50-plus chief security officers, corporate executives, certified information system security professionals, federal employees and Information Systems Security Association members. “We went into this knowing that there is a default trust culture in social networks with little verification, even among security professionals,” said Hamiel, commenting on the success and scary outcome of the experiment.
“Socialnet abuse is not really a problem of identity theft,” says Hamiel. “But social engineering of individuals can be very targeted through social networking.” Rohyt Belani of Intrepidus Security Group and spear phishing awareness training site PhishMe.com explained that “For spear phishers, social networking sites are the best source of information about their targets. Social networking sites allow a phisher to craft legitimate looking e-mails discussing relevant subjects to target victims with.” Belani also said they had recently observed a lot of “major issues” with individuals providing in-depth, overly private personal information on publicly accessible resumes and job posting sites. “Many resume gathering and job posting sites function very much like social networking sites. Phishers visit them to gather information they can use against unsuspecting users,” said Belani.
Being consummate security professionals, Hamiel and Moyer provided a list of things that social network sites could do to improve security for their users:
• remove links to external content;
• drastically reduce the functionality of plug-in Application Programming Interfaces;
• look for ways that hackers might attack users (threat model the social networking site);
• establish a default “no trust” security model;
• establish a user account lifetime counter to identify recently created fake accounts;
• require a separate e-mail verification for corporate social networks; and
• encourage users to create their own online profiles before someone creates one for them.
If you are solicited by an individual whom you may or may not know to join their social network, one of the simplest security precautions you can take is to pick up the phone and verify the invitation. For those of you involved in, or considering becoming involved in, a social networking site, before you post personal information online ask yourself this question: “If someone I didn’t know called me on the phone and asked me for all this information, would I give it to them?” Enjoy the Internet all you want, but remember to practice safe social networking.
Brian Dykstra is a senior partner at Jones Dykstra & Associates, a Maryland-based consulting firm. Jones Dykstra & Associates specializes in e-discovery, computer forensics, expert witness testimony and computer intrusion response services.