Security in Social Networks
Content
FACULTY OF COMPUTER SCIENCE AND INFORMATION TECHNOLOGY
IAD2313 FUNDAMENTAL OF COMPUTER NETWORK
Cyber Security Security in Social Networks
INTRODUCTION Social network sites (SNSs) such as MySpace, Facebook, Twitter, and Tagged have attracted millions of users, many of whom have integrated these sites into their daily practices. As of this writing, there are hundreds of SNSs, with various technological affordances, supporting a wide range of interests and practices. While their key technological features are fairly consistent, the cultures that emerge around SNSs are varied. Most sites support the maintenance of pre-existing social networks, but others help strangers connect based on shared interests, political views, or activities. Some sites cater to diverse audiences, while others attract people based on common language or shared racial, sexual, religious, or nationality-based identities. Sites also vary in the extent to which they incorporate new information and communication tools, such as mobile connectivity, blogging, and photo/video-sharing. Scholars from disparate fields have examined SNSs in order to understand the practices, implications, culture, and meaning of the sites, as well as users' engagement with them. This special theme section of the Journal of Computer-Mediated Communication brings together a unique collection of articles that analyze a wide spectrum of social network sites using various methodological techniques, traditions, analytic approaches.scholarship By collecting these articles in this issue, our goaltheoretical is to showcase someand of the interdisciplinary around these sites. The purpose of this introduction is to provide a conceptual, historical, and scholarly context for the articles in this collection. We begin by defining what constitutes a social network site and then present one perspective on the historical development of SNSs, drawing from personal interviews and public accounts of sites and their changes over time. Following this, we review recent scholarship on SNSs and attempt to contextualize and highlight key works. We conclude with a description of the articles included in this special section and suggestions for future research.
Definition of social networking We define social network sites as web-based services that allow individuals to (1) construct a public or semi-public profile within a bounded system, (2) articulate a list of other users with whom they share a connection, and (3) view and traverse their list of connections and those made by others within the system. The nature and nomenclature of these connections may vary from site to site. While we use the term "social network site" to describe this phenomenon, the term "social networking sites" also appears in public discourse, and the two terms are often used interchangeably. We chose not to employ the term "networking" for two reasons: emphasis and scope. "Networking" emphasizes relationship initiation, often between strangers. While networking is possible on these sites, it is not the primary practice on many of them, nor is it what differentiates them from other forms of computer-mediated communication (CMC). What makes social network sites unique is not that they allow individuals to meet strangers, but rather that they enable users to articulate and make visible their social networks. This can result in connections between individuals that would not otherwise be made, but that is often not the goal, and these meetings are frequently between "latent ties" (Haythornthwaite, 2005) who share some offline connection. On many of the large SNSs, participants are not necessarily "networking" or looking to meet new people; instead, they are primarily communicating with people who are already a part of their extended social network. To emphasize this articulated social network as a critical organizing feature of these sites, we label them "social network sites." While SNSs have implemented a wide variety of technical features, their backbone consists of 1 visible profiles that display an articulated list of Friends who are also users of the system. Profiles are unique pages where one can "type oneself into being" (Sundén, 2003, p. 3). After joining an an SNS, an individual individual is asked asked to fill out out forms containing containing a series of questions. questions. The profile is generated using the answers to these questions, which typically include descriptors such as age, location, interests, and an "about me" section. Most sites also encourage users to upload a profile photo. Some sites allow users to enhance their profiles by adding multimedia content modifying theirthat profile's looktheir and profile. feel. Others, such as Facebook, allow users to add modulesor("Applications") enhance The visibility of a profile varies by site and according to user discretion. By default, profiles on Friendster and Tribe.net are crawled by search engines, making them visible to anyone, regardless of whether or not the viewer has an account. Alternatively, LinkedIn controls what a viewer may see based on whether she or he has a paid account. Sites like MySpace allow users to choose whether they want their profile to be public or "Friends only." Facebook takes a different approach — by by default, users who are part of the same "network" can view each other's profiles, unless a profile owner has decided to deny permission to those in their network. Structural variations around visibility and access are one of the primary ways that SNSs differentiate themselves from each other. After joining a social network site, users are prompted to identify others in the system with whom they have a relationship. The label for these relationships differs depending on the site —
popular terms include "Friends," "Contacts," and "Fans." Most SNSs require bi-directional confirmation for Friendship, but some do not. These one-directional ties are sometimes labeled as "Fans" or "Followers," but many sites call these Friends as well. The term "Friends" can be misleading, because the connection does not necessarily mean friendship in the everyday vernacular sense, and the reasons people connect are varied (boyd, 2006a). The public display of connections is a crucial component of SNSs. The Friends list contains links to each Friend's profile, enabling viewers to traverse the network graph by clicking through the Friends lists. On most sites, the list of Friends is visible to anyone who is permitted to view the profile, although there are exceptions. For instance, some MySpace users have hacked their profiles to hide the Friends display, and LinkedIn allows users to opt out of displaying their network. Most SNSs also provide a mechanism for users to leave messages on their Friends' profiles. This feature typically involves leaving "comments," although sites employ various labels for this feature. In addition, SNSs often have a private messaging feature similar to webmail. While both private messages and comments are popular on most of the major SNSs, they are not universally available. Not all social network sites began as such. QQ started as a Chinese instant messaging service, LunarStorm as a community site, Cyworld as a Korean discussion forum tool, and Skyrock (formerly Skyblog) was a French blogging service before adding SNS features. Classmates.com, a directory of school affiliates launched in 1995, began supporting articulated lists of Friends after SNSs became popular. AsianAvenue, MiGente, and BlackPlanet were early popular ethnic community sites with limited Friends functionality before re-launching in 2005-2006 with SNS features and structure. Beyond profiles, Friends, comments, and private messaging, SNSs vary greatly in their features and user base. Some have photo-sharing or video-sharing capabilities; others have built-in blogging and instant messaging technology. There are mobile-specific SNSs (e.g., Dodgeball), but some web-based SNSs also support limited mobile interactions (e.g., Facebook, MySpace, and Cyworld). Many SNSs target people from specific geographical regions or linguistic groups, although this does not always determine the site's constituency. Orkut, for example, was launched in the United States with an English-only interface, but Portuguese-speaking Brazilians quickly became the dominant user group (Kopytoff, 2004). Some sites are designed with specific ethnic, religious, sexual orientation, political, or other identity-driven categories in mind. There are even SNSs for dogs (Dogster) and cats (Catster), although their owners must manage their profiles. While SNSs are often designed to be widely accessible, many attract homogeneous populations initially, so it is not uncommon to find groups using sites to segregate themselves by nationality, age, educational level, or other factors that typically segment society (Hargittai, this issue), even if that was not the intention of the designers.
A History of Social Network Sites Sites According to the definition above, the first recognizable social network site launched in 1997. SixDegrees.com allowed users to create profiles, list their Friends and, beginning in 1998, surf the Friends lists. Each of these features existed in some form before Six Degrees, of course. Profiles existed on most major dating sites and many community sites. AIM and ICQ buddy lists supported lists of Friends, although those Friends were not visible to others. Classmates.com allowed people to affiliate with their high school or college and surf the network for others who were also affiliated, but users could not create profiles or list Friends until years later. Six Degrees was the first to combine these features. Six Degrees promoted itself as a tool to help people connect with and send messages to others. While Six Degrees attracted millions of users, it failed to become a sustainable business and, in 2000, the service closed. Looking back, its founder believes that Six Degrees was simply ahead of its time (A. Weinreich, personal communication, July 11, 2007). While people were already flocking to the Internet, most did not have extended networks of friends who were online. Early adopters complained that there was little to do after accepting Friend requests, and most users were not interested in meeting strangers. From 1997 to 2001, a number of community tools began supporting various combinations of profiles and publicly articulated Friends. AsianAvenue, BlackPlanet, and MiGente allowed users to create personal, professional, and dating profiles — users users could identify Friends on their personal profiles without seeking approval for those connections (O. Wasow, personal communication, August 16, 2007). Likewise, shortly after its launch in 1999, LiveJournal listed one-directional connections on user pages. LiveJournal's creator suspects that he fashioned these Friends after instant messaging buddy lists (B. Fitzpatrick, personal communication, June 15, 2007) — — o on n LiveJournal, people mark others as Friends to follow their journals and manage privacy settings. The Korean virtual worlds site Cyworld was started in 1999 and added SNS features in 2001, independent of these other sites (see Kim & Yun, this issue). Likewise, when the Swedish web community LunarStorm refashioned itself as an SNS in 2000, it contained Friends lists, guest books, and diary pages (D. Skog, personal communication, September 24, 2007). The next wave of SNSs began when Ryze.com was launched in 2001 to help people leverage their business networks. Ryze's founder reports that he first introduced the site to his friends — primarily members of the San Francisco business and technology community, including the entrepreneurs and investors behind many future SNSs (A. Scott, personal communication, June 14, 2007). In particular, the people behind Ryze, Tribe.net, LinkedIn, and Friendster were tightly entwined personally and professionally. They believed that they could support each other without competing (Festa, 2003). In the end, Ryze never acquired mass popularity, Tribe.net grew to attract a passionate niche user base, LinkedIn became a powerful business service, and Friendster became the most significant, if only as "one of the biggest disappointments in Internet history" (Chafkin, 2007, p. 1).
Figure 1. Timeline of the launch dates of many major SNSs and dates when community sites relaunched with SNS features
Like any brief history of a major phenomenon, ours is necessarily incomplete. In the following section we discuss Friendster, MySpace, and Facebook, three key SNSs that shaped the business, cultural, and research landscape.
Fraud on Social Networks Criminals may use social networks to connect with potential victims. This section discusses some of the typical scams and devices used to defraud consumers on social networks. Fraud may involve more than one of the techniques described below. Some types of fraud may not be described here. To learn more more about how to protect yourself, see Tips to Stay Safe, Private and Secure. Secure.
Identity Theft Identity thieves use an individual’s personal information to pretend to be them – often – often for financial gain. The information users post about themselves on social networks may make it possible for an identity thief to gather enough information to steal an identity. In 2009, researchers at Carnegie University Mellon published a study showing that it is possible to predict most and sometimes all of an individual’s 9-digit 9 -digit Social Security number using information gleaned from social networks and online databases. (See Predicting Social Security Numbers from Public Data by Acquisti and Gross) Information often targeted by identity thieves includes:
Passwords Bank account information Credit card numbers Information stored on a user’s user’s computer such as contacts contacts Access to the user’s computer without his or her consent (for example, through malware) malware) Social Security numbers. Remember that the key to identity theft is the Social Security number. Never provide a Social Security number through a social networking service.
Some fraud techniques to watch out for include:
Illegitimate third-party applications. These rogue applications may appear similar to other third-party applications but are designed specifically to gather information. This information may be sold to marketers but could also be useful in committing identity theft. These applications may appear as games, quizzes or questionnaires in the format of ―What Kind of Famous Person Are You?‖ You? ‖ (See ABC's ABC's Online Games Can Lead to Identity Theft) Theft)
False connection requests. Scammers may create fake accounts on social networks and then solicit others to connect with them. These fake accounts may use the names of real people, including acquaintances, or may may be entirely imaginary. Once the connection request is accepted, a scammer may be able to see restricted and private information on a user’s profile. (See ReadWriteWeb's Fake Social Networking Profiles: a New Form of Identity Theft in 2009) 2009)
Hijacking Accounts (see Hijacked accounts) accounts)
For advice on avoiding identity theft on social networks, see Tips to Stay Safe, Private and Secure. Learn more about protecting yourself from identity theft in general by reading PRC Fact Sheet 17: Coping with Identity Theft: Reducing the Risk of Fraud. If you believe you may be the victim of identity theft, read PRC Fact Sheet 17a: Identity Theft: What to Do if It Happens to You. You.
Malware Malware (malicious software) is a term that describes a wide range of programs that install on a user’s computer often through the use of trickery. Malware can spread quickly qu ickly on a social network, infecting the computer of a user and then spreading to his or her contacts. This is because the malware may appear to come from a trusted contact, and thus users are more likely to click on links and/or download malicious programs. (See Hijacked Accounts) Accounts) Some common techniques used in spreading malware include:
Shortened URLs, particularly on status update networks or newsfeeds. These may lead the user to download a virus or visit a website that will attempt to load malware on a user’s computer. computer. Messages that appear to be from trusted contacts that encourage a user to click on a link, view a video or download a file. An email appearing to be from the social network itself, asking for information or requesting a user click on a link. Third-party applications that infect computers with malicious software and spread it to contacts. (See Third-Party Applications) Applications) Fake security alerts – alerts – applications applications that pose as virus protection software and inform the user that his or her security software is out-of-date or a threat has been detected.
Social Engineering There are a variety of social engineering scamming techniques which trick users into entering sensitive information. This section describes a few of the well-known techniques.
Phishing attacks are when emails, instant messages or other messages claiming to be from a trusted source ask for information. For example, an email may appear to be from a bank and could direct a user to enter a password at a fake login page, or tell a user to call a phone number or risk having their account closed. For tips on how to spot and avoid phishing attacks, see FTC Alert How Not to Get Hooked by a 'Phishing' Scam and OnGuardOnline's Phishing page. Some Internet browsers, such as recent versions of
Mozilla Firefox and Internet Explorer, have taken steps to help identify fake websites. (See GetSafe Online's Avoid Criminal Websites for these and other tips.)
Spear phishing is a type of phishing attack that appears to be from a colleague, employer or friend and includes a link or something to download. (This is often the result of account hijacking.) These links or downloads can be malicious, such as viruses or fake websites that solicit personal information.
Misleading solicitations. A social network might use social engineering to make people feel obligated to join. This often occurs when one person joins and (often inadvertently) provides the social network with access to his or her contact list. The social network then sends out emails to all of his or her contacts, often implying they are from the individual who joined. For example, it has been reported that Tagged.com solicits contacts of users with emails claiming the recipient has been ―tagged.‖ These emails emails state: ―Is <user name> your friend? Please respond or <user name> may think you said no ::(( ‖ or ―<user name> sent you photos on Tagged.‖ The recipient may believe this is a personal invitation from the user and feel obligated to join the network, giving out his or her information and perhaps perpetuating the solicitations. See Time's Tagged: The World's Most Annoying Website for more information.
Hijacked accounts. A legitimate account may be taken over by an identity thief or malware for the purpose of fraud such as posting spam, sending out malware, stealing the private data of contacts or even soliciting contacts to send money. One typical scenario is when a hijacked account sends out messages stating that the account owner is overseas and in desperate straits. Contacts are urged to immediately wire money. A user may not realize his or her account has been hijacked for quite some time. An attack could also be in the form of a chat conversation.
Tips to Stay Safe, Private and Secure There are many ways that information on social networks can be used for purposes other than what the user intended. Below are some practical tips to help users minimize the privacy risks when using social networks. Be aware that these tips are not 100% effective. Any time you you choose to engage with social networking sites, you are taking certain risks. Common sense, caution and skepticism are some of the strongest tools you have to protect yourself. Registering an Account 1. Use a strong password different from the passwords you use to access other sites. See PRC’s 10 Rules for Creating a Hacker-Resistant Password PRC’s 2. If you are asked to provide security questions, use information that others would not know about you. 3. Never provide a work-associated email to a social network, especially when signing up. Consider creating a new email email address strictly to connect with your social networking profile(s). 4. Consider not using your real name, especially your last name. Be aware that this may violate the terms of service of some social networks. See Anonymity on Social Networks 5. Review the privacy policy and terms of service before signing up for an account. See Reading a Privacy Policy. Policy. 6. Be sure to keep strong antivirus and spyware protection on your computer. See How to Secure Windows and Your Privacy -- with Free Software. Software. 7. Provide only information that is necessary or that you you feel comfortable providing. When in doubt, err on the side of providing less information. Remember, you can always provide more information to a social network, but you can’t always remove remove information once it’s been posted. posted.
General Tips for Using Social Networks 1. Become familiar with the privacy settings available on any social network you use . 2. Do Don’t n’t share your birthday, age, or place of birth. This information could be useful to identity thieves and to data mining companies. A research study by Carnegie Mellon University found that Social Security numbers can be predicted based on publiclyavailable information, including your birthday, age and place of birth. The Social Security Administration will begin assigning randomized number series as of June 25, 2011. Unfortunately, the more predictable Social Security numbers will remain in effect for individuals born before June 25, 2011. If you do consider posting your birthday, age or place of birth, restrict who has access to t o this information using the site’s privacy settings. Also, some social networking sites allow you to show your birth month and day, but hide the year. 3. Stay aware of changes to a social network’s terms of service and privacy policy. You may be able to keep track of this by connecting to an official site profile, for example Facebook’s Site Governance. Consider subscribing to an RSS feed for Tosback, a project Facebook’s of the Electronic Frontier Foundation to track changes in website policies (covers some but not all social networks). 4. Be careful when you you click on shortened links. Consider using a URL expander (as an application added to your browser or a website you visit) to examine short URLs before clicking on them. Example of URL expanders include LongURL, Clybs URL Expander and Long URL Please (Privacy Rights Clearinghouse does not endorse one URL expander over another.) 5. Be very cautious of pop-up windows, especially any that state your security software is out of date or that security threats and/or viruses have been detected on your computer. Use your task manager to navigate away from these without clicking on them, then run your spyware and virus protection software. 6. Delete cookies, including flash cookies, every time you leave a social networking site. See PRC Fact Sheet 18: Privacy and the Internet 7. Don’t publicize vacation plans, especially the dates you’ll be traveling. Burglars can use this information to rob your house while you are out of town.
Facebook, Twitter Twitter and LinkedIn spam hoaxes Whether you use Facebook, Twitter, LinkedIn or any online site for social networking, online banking or day-to-day purchases, be aware of emails that claim to be from these sites but are actually hoaxes and may contain malicious content. I have received numerous emails that allege to be from my bank, yet are actually sent by a spammer in the hopes of obtaining my online username and password. Similarly, emails claiming to be Twitter and Facebook invitations are now commonplace. (See Figure 4.) The messages may even contain an attached ZIP file that recipients are asked to open to see who invited them. The attachment actually contains a mass-mailing worm, which can cause damage to both your computer and your reputation.
How is it possible to identify the legitimate messages from the hoaxes?
Use an up-to-date email client such as Microsoft Outlook 2007, Outlook Express or Mozilla Thunderbird which have spam filtering enabled and checks for “phishing” messages (phishing messages are falsified emails that use these tactics to obtain your username, password or other personal information) Never open an attachment unless it’s fro m someone you know, and you are expecting to receive it. If you have any doubt, then contact the individual and ask if he/she actually did send it.
Use up-to-date antivirus/anti-malware software on your computer to block any harmful files that you may have accidentally opened. Always use common sense on the web and in email; take an extra moment or two to think about what you have received or are about to do.
Conclusion Social networking sites can be valuable sales and marketing tools, as well as fun diversions. Inherent in these applications are security risks that can put the individual or a company in a compromising position or at serious risk. Aside from not using these sites at all, end-user education, alongside documented policies and procedures, is the most fundamental protection that exists. A well-informed user will not only help to maintain security, but will also educate others on these issues and establish best practices which can be standardized and updated as applications mature or as new applications come along.
References Social Network Sites: Definition, History, and Scholarship http://jcmc.indiana.edu/vol13/issue1/boyd.ellison.html
Social Networking Privacy:How to be Safe, Secure and Social
http://www.privacyrights.org/social-networking-privacy
The Security Risks of Social Networks
http://www.focus.com/fyi/security-risks-social-networks/ http://www.focus.com/fyi/security-risks-social-networks/
Social networking and security risks By risks By Brad Dinerman http://www.gfi.com/whitepapers/Social_Networking_and_Security_Risks.pdf http://www.gfi.com/whitepapers/Social_Networking_and_Security_Risks.pdf
Prepared Prepare d by
Lecturer
:
Muhammad Amirul Bin Talib (3112036181)
:
Muhammad Rais Bin Ibrahim (3112031871)
:
Mohd Noor Rizal Bin Arbain Arbain
