Friday, March 30, 2012

Security and Privacy Issue in Social Networking






It is time to share what I learned from the last three lectures. I will mainly focus on security and privacy issues in social networking. As you know, almost everyone has at least one account on a major social network platform such as Facebook or Twitter. We live in a world where people communicate by sending text messages from their mobile phones and posting comments on their favourite online networks.

Social networking sites provide the following benefits:

  1. People can easily find and reach the audience for their businesses.
  2. They help a business improve its reputation.
  3. They provide low-cost marketing through free advertising.
  4. They increase the personal touch between people.


However, social networking also brings security problems. The two main issues I will cover are XSS attacks/worms and likejacking.

1. XSS Attacks




XSS (cross-site scripting) attacks target the end users of a site rather than the site's own servers. Private information is valuable, and attackers want to steal it. In an XSS attack the attacker's script runs in the victim's browser under the site's origin, so it can read the user's cookies (any not marked HttpOnly, which usually includes the session token), redirect the browser to a different site, or embed a browser exploit in the page: anything that can be done with JavaScript.

Do you know the "Samy worm"? It was an XSS worm written to propagate across the MySpace social-networking site, and it gained significant media attention.

The worm carried a payload that displayed the string "but most of all, Samy is my hero" on a victim's profile. When a user viewed an infected profile, the payload was planted on that viewer's own profile page as well, so the script was stored on the site and spread from viewer to viewer. Within just 20 hours, over one million users had run the payload, and the MySpace XSS worm forced the site to be taken offline for clean-up in October 2005. Luckily, no private information was stolen at that time.


How to prevent XSS attacks?

The following list outlines the general approaches to preventing cross-site scripting attacks:
  • Encode output according to the context into which untrusted data is inserted (HTML body, HTML attribute, URL, JavaScript).
  • Validate input parameters and reject or strip special characters that make no sense for the field.
  • Still encode on output even if the input was filtered, because filters get bypassed and stored data may have entered through another path.
For example, in ASP.NET, use HttpUtility.HtmlEncode and HttpUtility.UrlEncode (or Server.HtmlEncode) to encode data before writing it into the page.

Possible sources of malicious data


While the problem applies to any page that uses input to dynamically generate HTML, the following are some possible sources of malicious data to check for potential security risks:
  • Query string
  • Cookies
  • Posted data
  • URLs and pieces of URLs, such as PATH_INFO
  • Data retrieved from users that is persisted in some fashion, such as in a database (the stored case the Samy worm relied on)
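As an added example (not code from the original post, and not any ASP.NET library call), here is the same output-encoding idea written in JavaScript and applied to one hostile value from each of the sources listed above. The function names, the profile template and the hostile inputs are all constructed for the illustration; only the encoding rules are standard. The vulnerable renderer is kept deliberately unencoded to show the difference.

```javascript
// Added example (not from the original post): context-aware output encoding of
// user-controlled data before it is written into an HTML page.
// Function names and the sample inputs below are hypothetical / constructed.

// Encode for HTML element content and for quoted attribute values.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Encode for a value placed inside a URL query component.
function urlEncode(s) {
  return encodeURIComponent(String(s));
}

// Constructed untrusted input, one item per source listed in the post:
// query string, cookie, posted form data, PATH_INFO, and data read back from storage.
const untrusted = {
  queryString: { q: '"><script>alert(1)</script>' },
  cookie: { theme: "dark' onload='alert(2)" },
  postedData: { status: "but most of all, Samy is my hero<script src=//evil.test/w.js></script>" },
  pathInfo: "/users/<img src=x onerror=alert(3)>",
  storedData: { displayName: 'samy"><svg onload=alert(4)>' },
};

// Vulnerable rendering: raw string concatenation, the pattern a stored-XSS
// worm needs. Kept deliberately unencoded to show the problem.
function renderProfileVulnerable(d) {
  return (
    `<h1>${d.storedData.displayName}</h1>` +
    `<p class="${d.cookie.theme}">${d.postedData.status}</p>` +
    `<p>You are viewing ${d.pathInfo}</p>` +
    `<a href="/search?q=${d.queryString.q}">search again</a>`
  );
}

// Hardened rendering: every untrusted value is encoded for the context it lands in
// (HTML text and quoted attributes via htmlEncode, the query component via urlEncode).
function renderProfileSafe(d) {
  return (
    `<h1>${htmlEncode(d.storedData.displayName)}</h1>` +
    `<p class="${htmlEncode(d.cookie.theme)}">${htmlEncode(d.postedData.status)}</p>` +
    `<p>You are viewing ${htmlEncode(d.pathInfo)}</p>` +
    `<a href="/search?q=${urlEncode(d.queryString.q)}">search again</a>`
  );
}

// Crude indicator used only for this demo: did any attacker-controlled markup
// survive verbatim? (Real testing uses a browser or an HTML parser, not substrings.)
const INJECTED = ["<script", "<svg", "<img", "' onload=", '"><'];
function containsInjectedMarkup(html) {
  return INJECTED.some((needle) => html.includes(needle));
}

console.log(containsInjectedMarkup(renderProfileVulnerable(untrusted))); // true
console.log(containsInjectedMarkup(renderProfileSafe(untrusted)));       // false
```

Note that htmlEncode is only correct for element content and for attribute values that are enclosed in quotes; an unquoted attribute, a JavaScript string literal or a style block each need their own encoder, which is why the rule is "encode for the output context", not "encode once on input".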

2. Likejacking
Likejacking is a Facebook-enabled clickjacking attack: the attacker lays an invisible Facebook "Like" button over something the user actually wants to click, so the click silently marks the attacker's page as one of the user's Facebook "likes". These likes then show up on the user's profile and, of course, in the Facebook News Feed, where friends can see the link and click it, allowing the vicious, viral cycle to continue.



Usually, the content of the likejacking page is a video that looks interesting and attractive, which entices users to click in order to watch it. Victims are then invited to install a Facebook application that asks for their user information and access to their profile. With this permission, the application posts spam and asks users to fill out surveys (a genuine source of commission revenue for the attacker). Our private data and, if we enter it, our credit card information may be stolen in this case.
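The following is an added example, not code from the original post or from Facebook. Clickjacking, and therefore likejacking, depends on the target page being loadable inside a frame on the attacker's page, so the server-side defence is the pair of response headers that forbid framing. The helper below evaluates those headers the way a browser would; the origins, header values and the canBeFramed function are all constructed for the illustration, and the source matching is simplified (host sources ignore scheme and port).

```javascript
// Added example (not from the original post): evaluating the anti-framing
// headers a site can send, which decide whether a decoy page can lay an
// invisible iframe over a button. Origins and header values are constructed.

// Return the frame-ancestors source list from a CSP header, or null if absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === "frame-ancestors") return parts.slice(1);
  }
  return null;
}

// Match one frame-ancestors source expression against the embedding origin.
// Simplified: host sources ignore scheme and port, which real browsers check.
function sourceMatches(source, embedderOrigin, selfOrigin) {
  const s = source.replace(/^'|'$/g, "").toLowerCase();
  if (s === "none") return false;
  if (s === "self") return embedderOrigin === selfOrigin;
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedderOrigin.startsWith(s); // scheme source
  const host = new URL(embedderOrigin).hostname;
  const pattern = s.replace(/^[a-z]+:\/\//, "");
  if (pattern.startsWith("*.")) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

// Would a browser render selfOrigin's page inside a frame on embedderOrigin?
// A frame-ancestors directive, when present, overrides X-Frame-Options.
function canBeFramed(headers, embedderOrigin, selfOrigin) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? undefined : headers[key];
  };
  const ancestors = frameAncestors(get("content-security-policy"));
  if (ancestors) return ancestors.some((src) => sourceMatches(src, embedderOrigin, selfOrigin));
  const xfo = (get("x-frame-options") || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedderOrigin === selfOrigin;
  return true; // no header (or obsolete ALLOW-FROM): anyone may frame the page
}

// Constructed scenario: a decoy "free video" page tries to frame a page on the
// social site so that a click on "Play" lands on the framed button.
const SOCIAL = "https://social.example";
const DECOY = "https://free-videos.example";
const PARTNER = "https://widgets.partner.example";

const responses = {
  unprotected: {},
  deny: { "X-Frame-Options": "DENY" },
  sameOrigin: { "X-Frame-Options": "SAMEORIGIN" },
  allowList: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
  cspWins: { "X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'self'" },
};

// Summarise which of the responses the decoy page could frame.
function framableByDecoy() {
  const out = {};
  for (const [name, headers] of Object.entries(responses)) {
    out[name] = canBeFramed(headers, DECOY, SOCIAL);
  }
  return out;
}

console.log(framableByDecoy()); // { unprotected: true, deny: false, sameOrigin: false, allowList: false, cspWins: false }
```

The caveat that makes likejacking hard to kill is visible here: a Like button is designed to be embedded on third-party pages, so the social site cannot answer with DENY or SAMEORIGIN for that resource. Pages that never need to be framed (login, settings, checkout) should send both X-Frame-Options and frame-ancestors; for an intentionally embeddable widget the remaining defences are a confirmation step for suspicious clicks on the provider's side and careful habits on the user's side.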

How to prevent likejacking?
The following ways can help prevent likejacking:
1) If a link leads you to a page that says "Click here to continue", close the page.

2) Watch out for Facebook content that involves a lot of clicking before you get to the point.
3) Facebook itself is taking steps, such as a pop-up message that warns users before they open a suspected link.
4) Log in to the website only when you need it and log out after use, so that a hidden "Like" button has no active session to act on.

Conclusion
We have got used to social networks, and sometimes we forget to verify the integrity of the content in our friends' posts. We should look carefully before clicking any suspicious link in order to protect our private data. "Please slow down. Think before you act!"


9 comments:

  1. Website and personal security is utterly important. It's good to have a reminder that we need to be aware of what we are clicking on and signing up to.

  2. Um, as a user, I think we have to be careful when using social networks too. I understand parties are developing more and more security measures to secure social networks. Yet, just like antivirus programs, we can never eliminate all the possible dangers. Therefore, maybe we have to adjust our awareness of social networks too; just like we can identify possible trojan programs or websites, we had better develop our ability to identify possible threats in the social community too.

  3. Likejacking, a form of clickjacking, is a malicious technique of tricking users of a website into posting a Facebook status update for a site they did not intentionally mean to "like". A solution to likejacking was developed at one of Facebook's hackathons, and a "Like" bookmarklet is also available that avoids the possibility of likejacking present in the Facebook "like" button.

  4. About the XSS attacks... couldn't agree more!!! I also use similar methods to encrypt output data on the J2EE platform. However, when I share this information with other colleagues they don't see the potential risk behind it. It seems that web application developers often pay no attention to security issues unless something bad happens.

  5. XSS attacks are not a big difficult thing; anyone with a little technique can perform them. So everyone on the internet can be a hacker and hijack your information. Like dvbbs and showerror.asp, anyone can download them and host them on their website. If he/she posts a link on any social network platform, like Facebook, and asks friends to click, tons of information leaks.

  6. I think likejacking is really a difficult thing to prevent from happening. It's done purely by public JavaScript. I would suggest logging out of Facebook in your browser every time you finish surfing. It helps.

  7. To prevent likejacking, my suggestion is the same, but I will use private mode to view these links, so no cookies will be loaded or stored from these websites either.

  8. Haha, interesting. I prefer to create a fake Facebook account to avoid the likejacking issue.

  9. It is good to see some detailed information on protecting our data. Some attacks are widespread today. We had better know something about them.
