Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences...


Transcript of Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences...

Page 1: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

7/31/2019 Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

http://slidepdf.com/reader/full/preventing-fraud-and-managing-risks-in-social-media-by-michalis-mavis-during 1/90

Preventing fraud and managing risks in Social Media

by Michalis Mavis, MSc, MSc

f. Chairman of Hellenic Fraud Forum

Security Countermeasures

Page 2

Our Approach

• Social Networking should be seen as a positive social phenomenon.

• We will look at the security threats & fraud cases in Social Networking.

• We will make recommendations on how to address these, to gain the full benefits offered by SNs.

Page 3

Agenda

• Understanding the opportunities and the risks of social networks (SNs) to corporate security and personal privacy.

• Discussing methods to protect you and your business.

• Identify the dangers for the industry.

• Legal and illegal methods used to get confidential information from SNs.

• Conclusions and Recommendations

Page 4

The Impact of potential hacking FB

• If the ‘Anonymous’ hacking operation on 5th Nov. is successful (we will know in a few days' time), the impact of the Facebook hack could be to raise additional awareness of SNs security issues & risks.

• Despite all of the previous attacks getting some news coverage, now 750 million users of FB will be painfully aware of security risks, threats and holes of the SNs.

Page 5

It is not only Facebook (FB) that needs security measures ...

Page 6

security issues

LinkedIn reports more than 100 million registered users, spanning more than 200 countries worldwide, as of March 2011.

 

Page 7

Linkedin Safer than other SNs

• LinkedIn is generally safer than MySpace and Facebook, mainly because it's less feature-rich and thus opens fewer potential attack vectors, experts say.

• Linkedin supports also SSL technology (Secure Sockets Layer) for logins and other sensitive pages such as member settings. SSL ensures that the information between your computer and LinkedIn servers is encrypted so it cannot be snooped on. But…

Page 8

LinkedIn site security vulnerabilities

• According to Rishi Narang, an independent Internet security researcher, a serious problem of Linkedin was found in May 2011. LinkedIn's professional networking website has security flaws that make users' accounts vulnerable to attack by hackers who could break in without ever needing passwords.

• The problems are related to the way LinkedIn manages cookies, that serve as a key to gain access to the account. One of them is that the cookie does not expire for a full year from the date it is created!

• Most commercial websites would typically design their access token cookies to expire in 24 hours, or even earlier if a user were to first log off the account.

• The long life of the LinkedIn cookie means that anybody who gets hold of that file can load it on to a PC and easily gain access to the original user's account for as much as a year.

May 2011

Page 9

The ‘leo_auth_token’ cookie

• Among other cookies, the main authentication cookie known as ‘leo_auth_token’ tells the server that the user is already authenticated, and that there is no need for a password re-submission.

• “Once the attacker gets this cookie, he can import it in his browser and, he may login in your Linkedin profile as owner, change it and do whatever he wants…

Page 10

The cookie risk

• The user’s password in Linkedin is securely sent over an encrypted channel, but cookies, although encrypted, are sent over a plain text channel, allowing hackers to “sniff the traffic” and get hold of these cookies.

• Although they cannot decrypt the cookie files, they can import them onto their browser and authenticate themselves as the real account owner without the need of any password.
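
The two cookie weaknesses described on the last three slides (an authentication cookie that also travels over plain HTTP, and a lifetime of a year instead of about 24 hours) can be checked from the defender's side by auditing the `Set-Cookie` header a site issues. The following is an added example, not part of the original presentation and not LinkedIn's code; the header values, the issue time and the function names are constructed for illustration, and the 24-hour threshold is the figure the slide gives for typical commercial sites.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Threshold taken from the slide's "24 hours" figure (an assumption, tune per policy).
MAX_LIFETIME = timedelta(hours=24)

# Constructed sample data: the time the cookie was issued and two Set-Cookie values.
ISSUED = datetime(2011, 5, 10, 10, 0, 0, tzinfo=timezone.utc)
WEAK = "leo_auth_token=CONSTRUCTED-VALUE; Path=/; Expires=Wed, 09 May 2012 10:00:00 GMT"
HARDENED = "leo_auth_token=CONSTRUCTED-VALUE; Path=/; Max-Age=86400; Secure"


def cookie_lifetime(morsel, issued_at):
    """Return how long the browser keeps the cookie, or None for a session cookie.

    Max-Age takes precedence over Expires when both are present (RFC 6265).
    """
    max_age = morsel["max-age"]
    if max_age:
        try:
            return timedelta(seconds=int(max_age))
        except ValueError:
            pass  # malformed Max-Age: fall back to Expires
    if morsel["expires"]:
        try:
            expires = parsedate_to_datetime(morsel["expires"])
        except (TypeError, ValueError):
            return None
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - issued_at
    return None


def audit_set_cookie(header_value, issued_at, max_lifetime=MAX_LIFETIME):
    """Return a list of (cookie name, finding code, detail) for one Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        # Without the Secure attribute the browser attaches the cookie to plain
        # HTTP requests too, which is what makes it visible to a sniffer.
        if not morsel["secure"]:
            findings.append((name, "no-secure", "sent over unencrypted HTTP as well"))
        lifetime = cookie_lifetime(morsel, issued_at)
        if lifetime is not None and lifetime > max_lifetime:
            findings.append((name, "long-lived", f"valid for {lifetime.days} days"))
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_set_cookie(header, ISSUED))
```
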

Page 11

Recommendations by LinkedIn

• Choose wired or trusted and strongly encrypted wireless networks (Wi-Fi) or Virtual Private Networks (VPNs) whenever possible.

• If you ever suspect your account has been compromised, you should change your password right away by following these steps:

 –  Go online using a trusted wired or encrypted wireless network

 –  Login to Linkedin.com using computer, protected with anti-virus software

 –  Go to Settings -> Change Password and change your password

• Some experts said an attacker could keep accessing an account despite a password reset because cookies were still valid after the change !!!

• FORTUNATELY THIS IS NOT CORRECT…

Page 12

REAL SCENARIO

• You are connected in a network at office or home and someone captures the cookies in traffic, e.g. by using Firesheep, and your account is hijacked.

• You as a user will not know that the cookie is stolen or that there has been any parallel login by the attacker.

• LinkedIn doesn’t maintain any list of IP addresses (for the user to view at his account) as e.g. Gmail or Facebook does.

Page 13

LinkedIn housekeeping security measures ...

Pls Help! My SN profile has been hacked !!

Page 14

How to backup your Linkedin Profile

• Save your full profile to a pdf document, by pressing the pdf icon under your photo.

• Save your connections, by following the link: http://www.linkedin.com/addressBookExport

• Restore the connections in case of problem from the relevant file. Linkedin Connections => Add Connections => Contacts File ...

Page 15

Export Linkedin Connections

Page 16

Quick tips on Security and Privacy

• Always have at least one other email address assigned to your account should you lose access to the primary email address.

• Log-out your Linkedin Account when finished.

• Ensure your computer’s security software is up to date.

• Don’t click on a link you don’t trust.

• Set your Profile settings.

Page 17

Public Profile ?

• By default, visitors have access to your entire profile—your picture, summary, current positions, education, website, groups and more.

• If your intent is transparency, then full view is recommended.

• However if you're not looking to disclose all of your information, go to the Profiles Settings section and update by un-checking the profile features, that you don't want to be displayed publicly.

 

Page 18

Linkedin Settings

Page 19

Two important settings

• Prevent your connections from seeing who you are directly connected to. This will make sure key vendors contacts and clients connected through LinkedIn remain confidential.

• Profile Views – What others see when you visit their profile.

Page 20

When you visit a Profile in Linkedin

Page 21

Recent Security Events connected with LinkedIn

Page 22

Recent malware attack

Page 23

Spam Emails to Linkedin users

• Spam emails looking like LinkedIn message notifications.

• The email included embedded links which, when clicked, would redirect the user to a page that stated “PLEASE WAITING…. 4 SECONDS,” before again redirecting to Google’s home page.

• During those four seconds, the victim’s PC is infected with the ZeuS data-theft malware via a drive-by download.

• After embedding itself within the user’s web browser, ZeuS focuses on capturing login credentials and passwords, which in turn can be used to access the user’s personal accounts (financial or otherwise).

Page 24

More SNs risks

• With a variety of easy tricks, attackers can hijack a person's SN account and use it as a launching platform for additional attacks against other users.

• The trusted relationships that make up a person's network will then be used for future attacks.

• Those attacks may be incorporated into micro botnets and produce high impact results.

• For example by searching through a page of messages on Twitter, a motivated attacker can find the cell phone numbers of VIP people.

Page 25

Recommendations

• Never provide your Linkedin credentials (email + password) when clicking on a link. Always use https://www.linkedin.com to login.

• Log-out immediately when finished.

• Set your browser to delete all cookies at the end of the session (when browser is closed).

Page 26

SNs, the ideal area for intelligence gathering and attacks ...

SNs are the ideal environment for easy, massive, up to date information gathering (intelligence).

Information about personnel (people), companies, new projects, military issues, comments on important decisions, political beliefs etc.

It is done anonymously, legally and with very limited danger.

Open APIs included in Twitter and FaceBook, provide the opportunity to attackers, to prepare and run malicious code of any kind.

Page 27

Specialized Search Engines

Deep web vs. Surface web.

Only 1/500 of information available on the Internet is freely available for the users.

The remaining 499/500 is in closed Data Bases (?), messages of users and various repositories that constitute the deep web.

You need specialized search tools that may search the deep web and provide info about information relationships.

You also need better visualization tools, so that we may highlight those relationships.

Page 28

About WhosTalkin

• WhosTalkin.com is a social media search tool that allows users to search for conversations surrounding the topics, that they care about most.

• Whether it be your favorite sport, favorite food, celebrity, or your company's brand name.

• The search and sorting algorithms combine data taken from over 60 of the internet's most popular social media gateways.

Page 29

Yahoo pipes

Visual Tool that allows to prepare and run specialized queries.

Content Search Engines // pipes.yahoo.com/

Page 30

Snitch.name

Designed to search from a central point various sites for specific persons' names.

Very famous in United States

Returns results from:

• Social Networks (FB, MySpace, Twitter…)

• Business Networks (Linkedin)

• Academic Networks (Google Scholar, MIT…)

• Blogs (Wordpress…)

• General Nature web (Google, AnyWho…)

• US gov (CriminalSearch…) & Regional Data Bases

Page 31

Maltego

• Maltego highlights the relationships and connection between network and resource based units.

• It helps to discover weak points in our infrastructure caused by people and machine interaction.

• It uses a very user friendly GUI

• Highlights links between:

 –  Specific persons and groups (Social networks)

 –  Organization and Companies

 –  Web sites

 –  Infrastructures (Domains, DNS names, Netblocks, IP’s)

 –  Sentences, documents, files.

Page 32

Id-Theft in SNs

• Identity theft in SNs is one of the most important threats as it may affect the reputation and privacy of the user. It may take place in different ways.

• In case the attacker is able to take full control of the user’s account, he may publish comments in the name of the legitimate user, change the current password and e-mail address. Then use the compromised account to spread malicious s/w.

• Id-theft may have very serious impact to user’s personal life and reputation at work.

Page 33

Hijacking Social networks’ sessions

Blacksheep

What is Blacksheep ?

What is FireSheep ?

Page 34

Firesheep characteristics

• Firesheep targets 26 online services, and includes many popular online services such as Amazon, Facebook, Foursquare, Google, The New York Times, Twitter, Windows Live, Wordpress and Yahoo.

• The extension is also customizable allowing a hacker to target other Websites not listed by Firesheep.

• It works over WiFi connections.

Page 35

Firesheep steals SNs session cookies

• Firesheep uses a packet sniffer to intercept unencrypted cookies from certain websites (such as SNs Facebook and Twitter) as the cookies are transmitted over networks, exploiting session hijacking vulnerabilities.

• It shows the discovered identities on a sidebar displayed in the browser, and allows the user to instantly take on the log-in credentials of the user by double-clicking on the victim's name.

Page 36

Stealing the cookie info

• As your browser swaps cookie information back and forth with the Website a third party can hijack that communication and capture information including your user name and session ID. Typically, the cookie will not contain your password.

• But even without your password, the fact that Firesheep has got your session cookie means that a hacker can access your account and gain virtually unrestricted access. If the hacker got your Yahoo Mail cookie they could read and send e-mails.

Page 37

BlackSheep countermeasure

• Black Sheep is a Firefox plugin designed to combat Firesheep.

• BlackSheep drops ‘fake’ session ID information on the wire and then monitors traffic to see if it has been hijacked.
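
The decoy idea behind this countermeasure can be shown as detection logic: a session ID that was only ever planted as bait has no legitimate second user, so seeing it presented from another address is a high-confidence sign that someone on the network is replaying captured cookies. The following is an added example, not BlackSheep's code and not part of the original presentation; the class names, the `session_id` cookie name, the host and the addresses are hypothetical, and the observed requests are constructed in place of live traffic.

```python
import secrets
from dataclasses import dataclass
from http.cookies import SimpleCookie


@dataclass(frozen=True)
class ObservedRequest:
    """One HTTP request as seen on the monitored network segment."""
    src_ip: str
    host: str
    cookie_header: str


class DecoySessionMonitor:
    """Plants random decoy session IDs and flags anyone else who presents them."""

    def __init__(self, own_ip):
        self.own_ip = own_ip
        self.planted = {}  # decoy session id -> host it was planted for

    def plant(self, host):
        """Create a decoy request; a real monitor would also send it in clear text."""
        decoy_id = secrets.token_hex(16)
        self.planted[decoy_id] = host
        return ObservedRequest(self.own_ip, host, f"session_id={decoy_id}")

    def inspect(self, request):
        """Return an alert dict if the request replays a decoy from another address."""
        if request.src_ip == self.own_ip:
            return None  # our own bait going out
        jar = SimpleCookie()
        jar.load(request.cookie_header)
        for morsel in jar.values():
            if morsel.value in self.planted:
                return {
                    "src_ip": request.src_ip,
                    "host": request.host,
                    "decoy_for": self.planted[morsel.value],
                    "reason": "decoy session ID replayed from another address",
                }
        return None


def scan(monitor, requests):
    """Run every observed request through the monitor and collect the alerts."""
    return [alert for r in requests if (alert := monitor.inspect(r)) is not None]


if __name__ == "__main__":
    monitor = DecoySessionMonitor(own_ip="192.0.2.10")
    bait = monitor.plant("sn.example")
    # Constructed traffic: the bait itself, an unrelated user, and a replay of the bait.
    traffic = [
        bait,
        ObservedRequest("192.0.2.20", "sn.example", "session_id=constructed-real-session"),
        ObservedRequest("192.0.2.77", "sn.example", bait.cookie_header),
    ]
    for alert in scan(monitor, traffic):
        print(alert)
```
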

Page 38

Faceniff mobile phone sniffer

A similar tool called Faceniff was released for Android mobile phones.

See relevant video

Page 39

Instant upload to

• If you access Google Plus using your Android phone, photos and videos you take are automatically uploaded to Google’s cloud via a new tool called Instant Upload.

• Photos aren't shared by default, but are stored on a private Picasa Web folder for future sharing.

Page 40

The SN is a tree.

Two users have a max distance of 6 persons.

The whole world is very small after all.

Not difficult to become a friend with the target

The tree

Page 41

Then initiate an attack...

Social Network on your Iphone !

Page 42

Social Network on your Iphone !

What is Geo Tagging ?

Page 43: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

What is Geo Tagging?

Geo Tagging is the process of adding geographical identification metadata to various media such as photos, videos, websites, SMS messages, etc.

Page 44: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

Any use of geo tagging?

• Geotagging can help users find a wide variety of location-specific information.

• For instance, one can find images taken near a given location by entering latitude and longitude coordinates into a suitable image search engine.

Page 45: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

Geo Tagging concerns

• Smart phones may allow someone with the necessary technical knowledge to find where you are at every moment, with a few simple clicks?

Page 46: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

How to Disable Photos Geotagging on Your iPhone

• Click on settings

• Go to the general section

• Location services

• Turn them off

Page 47: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

Location Based Services (LBS)

• Update the location privacy settings on your phone, SNs and the applications you use.

• Social Networks with the geotagging facility ON may allow some intruders to link information about you more easily.

• If needed, limit the people who are able to use and see network location services in your SN profile.

• Do you really need LBS? Someone may connect the pieces of information related to your activities, and this may lead to problems.

Page 48: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

Limit your privacy risks

• Don't geo-tag your residence, your friends' houses or photos of children.

• Never include GPS coordinates in your tweets, blogs or SN accounts.
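To make the geotagging advice above checkable, the following added example (not part of the original slides) reads the GPS position stored in a photo's EXIF metadata and removes the EXIF block before the photo is shared. The sample image, its coordinates and all function names are constructed for this example.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825      # IFD0 tag holding the offset of the GPS directory

def iter_segments(jpeg):
    """Yield (marker, start, end) for each header segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:        # start of scan: compressed pixels follow
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def read_ifd(tiff, offset, endian):
    """Return {tag: raw 4-byte value field} for one TIFF directory."""
    (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        start = offset + 2 + 12 * i
        (tag,) = struct.unpack(endian + "H", tiff[start:start + 2])
        entries[tag] = tiff[start + 8:start + 12]
    return entries

def to_degrees(tiff, value_field, endian):
    """Decode three rationals (degrees, minutes, seconds) into decimal degrees."""
    (offset,) = struct.unpack(endian + "I", value_field)
    n = struct.unpack(endian + "6I", tiff[offset:offset + 24])
    d, m, s = (n[i] / (n[i + 1] or 1) for i in (0, 2, 4))
    return d + m / 60 + s / 3600

def gps_coordinates(jpeg):
    """Return (latitude, longitude) found in the EXIF block, or None."""
    for marker, start, end in iter_segments(jpeg):
        body = jpeg[start + 4:end]
        if marker != 0xE1 or not body.startswith(EXIF_HEADER):
            continue
        tiff = body[len(EXIF_HEADER):]
        endian = "<" if tiff[:2] == b"II" else ">"
        (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
        pointer = read_ifd(tiff, ifd0, endian).get(GPS_IFD_POINTER)
        if pointer is None:
            continue
        gps = read_ifd(tiff, struct.unpack(endian + "I", pointer)[0], endian)
        if not all(tag in gps for tag in (1, 2, 3, 4)):
            continue
        lat = to_degrees(tiff, gps[2], endian)
        lon = to_degrees(tiff, gps[4], endian)
        # Tags 1 and 3 hold the hemisphere letters N/S and E/W
        return (-lat if gps[1][:1] == b"S" else lat,
                -lon if gps[3][:1] == b"W" else lon)
    return None

def strip_exif(jpeg):
    """Return a copy of the JPEG with every EXIF (APP1) segment removed."""
    out, last = bytearray(), 0
    for marker, start, end in iter_segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:end].startswith(EXIF_HEADER):
            out += jpeg[last:start]
            last = end
    return bytes(out + jpeg[last:])

def build_sample_jpeg():
    """Constructed sample: a minimal JPEG whose EXIF block carries a GPS position."""
    # TIFF layout: header 0-7, IFD0 8-25, GPS IFD 26-79, latitude 80-103, longitude 104-127
    ifd0 = struct.pack("<HHHIII", 1, GPS_IFD_POINTER, 4, 1, 26, 0)
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI4s", 1, 2, 2, b"N")        # GPSLatitudeRef
    gps += struct.pack("<HHII", 2, 5, 3, 80)           # GPSLatitude
    gps += struct.pack("<HHI4s", 3, 2, 2, b"E")        # GPSLongitudeRef
    gps += struct.pack("<HHII", 4, 5, 3, 104)          # GPSLongitude
    gps += struct.pack("<I", 0)
    lat = struct.pack("<6I", 10, 1, 30, 1, 0, 1)       # 10 deg 30 min 0 sec
    lon = struct.pack("<6I", 20, 1, 15, 1, 0, 1)       # 20 deg 15 min 0 sec
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps + lat + lon
    app1 = EXIF_HEADER + tiff
    exif_segment = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    # SOI + EXIF segment + empty scan header + EOI (no real pixel data)
    return b"\xff\xd8" + exif_segment + b"\xff\xda\x00\x02\xff\xd9"

if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("before sharing:", gps_coordinates(photo))
    print("after strip:   ", gps_coordinates(strip_exif(photo)))
```

Removing the whole EXIF block also drops camera model, timestamps and orientation, which is usually what you want before posting a photo publicly.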


Page 49: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation


Interesting video from CNET

Page 50: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

Facebook security and privacy issues

Part of Facebook profile data

Page 51: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

is visible to everyone !!!

• Facebook discloses information that it sets as visible to everyone and that you cannot make private.

• This information may include information that is sensitive for you, like your name, profile picture, gender and networks.

• So think twice before you publish.

Page 52: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

Privacy issues

• You also don't want to reveal the city or town where you live, what your daily routine is, or anything that will make it easy for anyone reading your profile to find you in the real world.

• You also don't want to reveal your date of birth or information about your family.

Page 53: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

One of FaceBook’s basic problems

• Facebook relies on third-party Java applications, so that the user is not only entrusting Facebook with her/his login and password but also must trust the third-party applications that provide tools for Facebook users.

• There is a potential danger that the code you're running on the site is malicious or points you to a site that contains malicious code.

Page 54: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

FaceBook Applications

• Facebook granted programmers free access to the Facebook platform in May 2007, meaning that anybody with the necessary skills could create an application, so that the number of Facebook applications has grown impressively.

• Facebook lets you add applications and tiny programs that run inside Facebook itself.

• Facebook applications are small programs that work inside Facebook. They're similar to Web browser plug-ins (like video players) in that they let you do something you couldn't do before you installed them.

• They're easy to install and appear on your Facebook Applications menu.

Page 55: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

Id-theft and Bad reputation

• You also need to be aware if someone has made a profile using your name and contact information without your knowledge.

• This individual can go on to post messages and make statements in your "name" that will be attributed to you.

• Make a Google search typing your own name on a regular basis, or run automatic monitoring tools to be informed if such an event happens.

• Review each one to ensure that they are pages you registered for.

Page 56: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation


Best Practices

Page 57: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

Best Practices

• Think carefully about who you allow to become your friend. Friends may see most if not all of your profile data.

• Assign ‘full friend privileges’ (being able to access all your full profile data) to a few people only. To the rest assign ‘limited friend access’.

• Activate security features in your profile.

Page 58: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation


Check what you allow to be visible 

Page 59: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation


How to connect in a secure way ?

Page 60: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

• When you connect to your Facebook profile, someone may hack your credentials (email – password). A hacked profile may completely damage your image/reputation or even your company brand name ... !!!

• So you need to find how to make your profile more secure.

• First step: Connect in a more secure way. Use https. How can you activate this feature of Facebook ?

Page 61: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation


Click on security TAB

Page 62: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation


Page 63: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

Select Secure Browsing and check

Browse Facebook on a secure connection (https) when possible

Page 64: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

Click and ... you may now connect in secure https mode

But are you really secure ?

Page 65: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

• While you can log in via SSL, once in, the session is unencrypted and session-stealing a Facebook connection is pretty easy (check Nick Barron articles).

• Several people have reported security vulnerabilities in the past, and in most cases they failed to get sensible action.

• Facebook's security model has a lot of holes.

• Recent errors have temporarily revealed private chat sessions to the public, and it is almost impossible to truly delete data from a Facebook account.

Controlling your Facebook logins

Page 66: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation


Receive notifications for logins via SMS

Page 67: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation


Page 68: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation


Page 69: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation


Can you remove the tags ?

Page 70: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

• You control who can see photos-videos you are tagged in, that appear on your Profile.

• But, the owner of the photo can still share that photo with people you’re not friends with.

• If you don’t want your tag to appear, remove it from the photo-video. This will also prevent it from appearing on your Profile.

Page 71: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation


Page 72: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

Make a back up of your FB profile

Page 73: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

• What if your Facebook account was suddenly disabled? This has happened to hundreds of users for various reasons. E.g. the Facebook password was forgotten and the password of the email used was hacked.

• Or when opening a second FaceBook Account using the same Email address…

• To avoid this unpleasant situation download and backup your Facebook data.

• A simple way to backup and archive your information is by using the Archive Facebook Firefox extension.

Someone has hacked your FB profile and

Page 74: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

changed your email

• You can also get to know the new email id by asking any of your Facebook friends to go to your profile and look for your email id. (In case the hacker forgot to hide it from profile).

• Use your security question to reset your password.

• In case you didn’t set up any security question on your account previously, you can ask your friends to verify your account.

Page 75: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

More security features

Hackers are waiting in the corner...

Log in at www.facebook.com

• Sometimes scammers will set up a fake page to look

Page 76: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

like a Facebook login page, hoping to get you to enter your email address and password.

• Make sure you check the page's URL (web address) before you enter your login information.

• When in doubt, you can always type "facebook.com" into your browser to get back to the real Facebook site.

• Remember: if you have logged in once from your browser, there is no need to log in again (cookies do the rest).

What is the Active Sessions page?

Page 77: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

• It shows you a list of the recent times you've accessed your Facebook account.

• Each entry includes the date and time you signed into Facebook, your approximate location when signing in, and the type of device you were using to access your account. You will also see the option to end any active session on the right side of each entry.

• Note: The location you see is based on the IP address used to access your account. If you want to know the specific IP information of a login, simply hover your mouse over that session’s location data.

Page 78: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation


Compare people

Page 79: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

not so innocent Facebook application

Votes on yourself... from other people,

Page 80: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

you may not even know...

Joining a Facebook group

Page 81: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

• In similar fashion, joining a Facebook group may get you more than you bargained for, granting other members access to your data.

• Be extremely careful before you join the group. Check its reputation beforehand.

Some methods to attack FB accounts

Page 82: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

• Keylogging.

• Facebook phishing.

• Virus.

• Social engineering.

• Primary email address hack.

Page 83: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation


Facebook phishing (an example)

Page 84: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

An attacker uploads a fake version of facebook onto a server and sends you a link to that site. Once you try to log on, it will email your username and password to the attacker.

An example : http://fb12.t35.com/login.html.
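The advice to check the page's URL before entering login information, and the phishing example above, can be turned into an explicit check. This is an added example, not part of the original slides; the function name and problem codes are this example's own, and every URL other than the slide's `fb12.t35.com` address is constructed.

```python
from urllib.parse import urlsplit

# Problem codes returned by the check, with a plain-language explanation
EXPLANATIONS = {
    "not-https": "the page is not served over https",
    "userinfo": "text before '@' is only a user name; the real host comes after it",
    "no-host": "the URL has no host name",
    "idn-host": "internationalised host name that may imitate Latin letters",
    "lookalike-host": "the expected domain appears in the host but does not end it",
    "foreign-host": "the host has nothing to do with the expected domain",
}

def login_url_problems(url, expected_domain="facebook.com"):
    """Return the problem codes for a URL that claims to be the login page.

    An empty list means the URL is an https page on the expected domain
    or one of its subdomains.
    """
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")   # hostname is already lower-cased
        username = parts.username
    except ValueError:
        return ["no-host"]
    problems = []
    if parts.scheme != "https":
        problems.append("not-https")
    if username is not None:
        problems.append("userinfo")
    if not host:
        problems.append("no-host")
    elif not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        problems.append("idn-host")
    elif host != expected_domain and not host.endswith("." + expected_domain):
        # "facebook.com.login.example" contains the name but belongs to login.example
        problems.append("lookalike-host" if expected_domain in host else "foreign-host")
    return problems

if __name__ == "__main__":
    samples = [
        "https://www.facebook.com/login.php",          # constructed, genuine shape
        "http://fb12.t35.com/login.html",              # the example from the slide
        "https://facebook.com.login.example/",         # constructed lookalike
        "https://facebook.com@login.example/",         # constructed userinfo trick
    ]
    for url in samples:
        codes = login_url_problems(url)
        print(url, "->", "ok" if not codes else [EXPLANATIONS[c] for c in codes])
```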

Social engineering

Page 85: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

• If the attacker knows your email address he tries to figure out your security question.

• He may ask the question and try to determine the answer to the security question, especially if it’s something as simple as mother's maiden name.

• Once he has the answer to the security question he will try to reset your password.

Primary email address hack

Page 86: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

• All they have to do is gain access to your email.

• Then they will easily be able to hack the facebook password.

• They just go to facebook and enter ‘forgot password.’ It will email instructions on how to reset the password to the primary facebook email.

To Hack Any Account In Seconds

Page 87: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

• FireSheep hijacks other people's sessions. In order to break into someone's account just open up FireSheep, click ‘Start Capturing’ and it will list all the users in your network that are currently logged on.

• Sites like GMail, Yahoo and Facebook will most likely appear.

• It steals session cookies. From there you can do whatever you want.

• Post on the wall, message someone, or if you wanted even change the password. All this without me ever knowing what the old password was and without leaving a trace.
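Session cookies can be captured this way because, as the earlier slide notes, only the login goes over SSL while later requests are unencrypted. The added example below (not part of the original slides) models which cookies a browser would send in cleartext after an https login, and shows that the `Secure` attribute closes the gap. The site `social.example`, its cookies and the request list are constructed, and path matching is left out because every sample cookie uses `Path=/`.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header_value, origin_host):
    """Parse one Set-Cookie value into the fields that decide where it is sent."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "domain": origin_host.lower(),
              "host_only": True, "secure": False, "httponly": False}
    for attribute in parts[1:]:
        key, _, val = attribute.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "domain" and val.strip():
            # A Domain attribute widens the cookie to all subdomains
            cookie["domain"] = val.strip().lstrip(".").lower()
            cookie["host_only"] = False
    return cookie

def domain_matches(cookie, host):
    """True if a browser would attach this cookie to a request for host."""
    host = host.lower()
    if cookie["host_only"]:
        return host == cookie["domain"]
    return host == cookie["domain"] or host.endswith("." + cookie["domain"])

def cleartext_exposure(set_cookie_headers, origin_host, request_urls):
    """Return {url: [cookie names]} for requests that carry cookies unencrypted."""
    jar = [parse_set_cookie(h, origin_host) for h in set_cookie_headers]
    exposed = {}
    for url in request_urls:
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue                  # https requests are encrypted in transit
        names = [c["name"] for c in jar
                 if not c["secure"] and domain_matches(c, parts.hostname or "")]
        if names:
            exposed[url] = names
    return exposed

# Constructed sample data: cookies set by the https login page of www.social.example
LOGIN_HOST = "www.social.example"
WEAK_COOKIES = [
    "session=constructed-token; Path=/; Domain=.social.example; HttpOnly",
    "csrf=constructed-value; Path=/; Secure",
]
HARDENED_COOKIES = [
    "session=constructed-token; Path=/; Domain=.social.example; HttpOnly; Secure",
    "csrf=constructed-value; Path=/; Secure",
]
# Constructed requests the browser makes after the login
PAGE_REQUESTS = [
    "https://www.social.example/home",
    "http://www.social.example/photo?id=1",
    "http://static.social.example/app.js",
    "http://other.example/",
]

if __name__ == "__main__":
    print("weak:    ", cleartext_exposure(WEAK_COOKIES, LOGIN_HOST, PAGE_REQUESTS))
    print("hardened:", cleartext_exposure(HARDENED_COOKIES, LOGIN_HOST, PAGE_REQUESTS))
```

With the weak settings the session cookie travels in the clear on both http requests to the site, so anyone on the same network segment can read it; with `Secure` set the browser withholds it from every http request.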

Page 88: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

Recommendations

Page 89: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation

• Be careful when clicking on links that you receive unexpectedly from your friends.

• Only download software from websites you know and trust. Always check and verify the URL before opening the link, e.g. by using the WOT (Web of Trust) Firefox Extension.

• Enable a firewall on your computer.

• Make sure you have an up-to-date web browser equipped with an anti-phishing blacklist.

• Use up-to-date Antivirus s/w and get the latest O/S updates.

• Make sure you’ve set up a security question on all of your online accounts. This will come in handy if you ever lose access and need to prove who you are.

Page 90: Preventing Fraud and Managing Risks in Social Media, by Michalis Mavis, during iCompetences SMIConference.com Marrakech 2011 Speaker Presentation
