![Page 1: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/1.jpg)
Security at the Digital Cocktail Party
Sławomir Górniak, ENISA
![Page 2: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/2.jpg)
What I’m going to talk about
• Social Networking and its benefits
• Social Networking is an Identity Management System (not always a good one)
• Key vulnerabilities
• Attacking the vulnerabilities at the root
• Portable data – social networking sites as Identity Providers
![Page 3: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/3.jpg)
Social Networking – Digital Cocktail Party
• Define my profile (define myself online: interests, skills, etc.)
• Define relations to other profiles (including some access control)
• Interact with my “Friends” via IM, wall posts, blogs.
![Page 4: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/4.jpg)
Social Networking Plus Points
• More privacy than a blog – restrict your data within your network.
• SN is an IDM tool
• Discovery of like-minded individuals and business partners
• “Social Capital” has been shown to reduce crime
![Page 5: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/5.jpg)
Social Networking Plus Points
• Social Networks business benefits
– Increase interactivity
– Exploit the value of relationships
– Publicise and test results in trusted circles
– Develop circles of competence
![Page 6: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/6.jpg)
Identity Management System
• Storage of personal data
• Tools for managing how data is viewed
• Access control to personal data based on credentials.
• Tools for finding out who has accessed personal data.
![Page 7: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/7.jpg)
Identity Management System
• Storage of personal data
• Tools for managing personal data and how it’s viewed
• Access control to personal data based on credentials.
• Tools for finding out who has accessed personal data.
![Page 8: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/8.jpg)
Social Networking is an Identity Management System.
LOTS of Juicy Personal data:
Recognise these from somewhere?
(a) Racial or ethnic origin
(b) Political opinions
(c) Religious beliefs
(e) Physical or mental health or condition
(f) Sex life
(EU Directive 95/46 – definition of sensitive personal data)
![Page 9: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/9.jpg)
Identity Management System
• Storage of Personal Data
• Tools for managing personal data and how it’s viewed
• Access control to personal data based on credentials.
• Tools for finding out who has accessed personal data.
![Page 10: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/10.jpg)
Tools for organising my personal data
![Page 11: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/11.jpg)
Identity Management System
• Storage of Personal Data
• Tools for managing personal data and how it’s viewed
• Access control to personal data based on credentials.
• Tools for finding out who has accessed personal data.
![Page 12: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/12.jpg)
![Page 13: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/13.jpg)
Tools for managing access based on credentials
![Page 14: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/14.jpg)
Identity Management System
• Storage of Personal Data
• Tools for managing personal data and how it’s viewed
• Access control to personal data based on credentials.
• Tools for finding out who has accessed personal data.
![Page 15: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/15.jpg)
![Page 16: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/16.jpg)
Social Networking is an Identity Management System.
But not always a very good one
![Page 17: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/17.jpg)
Inappropriate (and often irreversible) Disclosure
(Face obscured by me)
![Page 18: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/18.jpg)
10 Minutes’ Surfing of Myspace - Example
![Page 19: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/19.jpg)
Inappropriate Disclosure
![Page 20: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/20.jpg)
Digital Cocktail Party
![Page 21: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/21.jpg)
It’s OK because only my network can see my profile data
![Page 22: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/22.jpg)
Access Control Based on Credentials?
![Page 23: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/23.jpg)
Low friending thresholds (poor authentication)
![Page 24: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/24.jpg)
Only my friends can see my data?
Most users don’t realise the size of their audience.
• Only Everyone in the London Network?
• Only Everyone who pays for a LinkedIn Pro account?
• Only Everyone in your email address book?
• Only Social Network employees?
• Only anyone who’s willing to pay for behavioural advertising?
• Only Plastic green frogs?
![Page 25: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/25.jpg)
It’s OK because I don’t use my real name?
![Page 26: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/26.jpg)
Data mining tools
MyFaceID application will automatically process your photos, find all faces, help you tag them and let you search for similar people.
![Page 27: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/27.jpg)
Which fortunately don’t work very well
![Page 28: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/28.jpg)
It’s OK because I can delete my embarrassing revelations?
![Page 29: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/29.jpg)
“Social Networking is like the Hotel California. You can check out, but you can never leave”
Nipon Das to the New York Times
Lock-in – the Hotel California effect.
![Page 30: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/30.jpg)
• Caches
• Internet archives
• “Disactivation” of the account
• Delete comments from other people’s walls?
Why not?
![Page 31: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/31.jpg)
It’s OK because I use the privacy settings?
![Page 32: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/32.jpg)
![Page 33: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/33.jpg)
The usual suspects
• SN Spam
• XSS, widgets and other bad programming threats
• Extortion and bullying
• Profile squatting/theft
• Aggregators – one password unlocks all
..do more damage!
– SN gives away the relationships for free
– SN is highly viral
![Page 34: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/34.jpg)
Why? The root cause
The value of the network (e.g. 15 billion US$ and counting) is:
– Its personal data
– Its ability to profile people for advertising
– Its ability to spread information virally
We need to break the lock-in effect.
![Page 35: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/35.jpg)
Speed of spread => Economic and Social Success
Privacy
Economic success is inversely proportional to strength of privacy settings
![Page 36: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/36.jpg)
Attacking the root cause
• Break data monopolies to improve privacy and security:
– Standardised portable networks (checking out of the Hotel California and going to another one)
– Portable, standardised access-control and security (with a secure briefcase).
– Privacy and anonymity tools for social networks, better authentication and encryption.
![Page 37: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/37.jpg)
Nice idea but where's the business model?
![Page 38: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/38.jpg)
Stop press – some developments
• The big players embrace data portability and portable authentication!
• Social Networking takes another step in the direction of IAM!
![Page 39: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/39.jpg)
Google Friend Connect
• Sign-in with an existing Google, Yahoo, AIM, or OpenID account
• Invite and show activity to existing friends from social networks such as Facebook, Google Talk, hi5, orkut, Plaxo
• Browse member profiles across social networks
• Based on Open IAM compatible standards
![Page 40: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/40.jpg)
![Page 41: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/41.jpg)
![Page 42: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/42.jpg)
![Page 43: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/43.jpg)
Social Networking takes another step in the direction of IAM?
![Page 44: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/44.jpg)
Take home messages
• Social Networking applications are an Identity Management System
• Recommendations: create clear corporate policies on social network usage inside AND out of the office. E.g.
- Clearly define which corporate data is not permitted on social networks.
- Recommend privacy settings to be used on networks
- Conduct awareness-raising campaigns (educating people is vital!)
![Page 45: Security at the Digital Cocktail Party](https://reader036.vdocuments.us/reader036/viewer/2022081603/56814299550346895daecccd/html5/thumbnails/45.jpg)
Thank you!
More information:
http://tinyurl.com/2h7s5e
( http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_social_networks.pdf )