Slashdot Mirror


Identity Theft and Social Networks

scubacuda writes "This Security Focus article looks at the lack of security social network sites have, particularly their lack of SSL logins, which means a user's session ID will be logged on any proxy and possibly sniffed. From the article: '[A]ccording to [Clay] Shirky, one thing is certain: "The value of each site is communally-created. Links and transactions are more important than individuals." In other words, each community creates its own kind of value. Thus, an attacker might hit Tribe to farm social networks for spam victims; and then he might exploit LinkedIn to get the contact information for a VC he wants to meet.'"

16 of 190 comments

  1. it's always been this way by ohzero · · Score: 2, Informative
    the web doesn't change anything. Especially if you're talking about "hackers." SSNs, Credit Card numbers, and many other implements of destruction have been made available to those who would crack systems or sift through garbage cans since I can remember. There are really two points that matter:
    • There are people who participate in identity theft via any means possible, because that's the life they lead.
    • Social security numbers in and of themselves ARE the vulnerable entry point because the information flow to and from them is bidirectional.
    The only possible suggestion here is the same one that's been played over and over on the record entitled "keeping your information safe for dummies," which is "use caution and reason in any transaction you make."
    --
    -- http://www.criticalassets.com
  2. I had to hack phpbb and get an SSL cert... by mellon · · Score: 2, Informative

    ...which cost me >$100, in order to have some password security on the bulletin board I run. phpbb would mail the password out in the clear, and didn't allow you to log in over SSL. It wasn't a big deal to hack it, but I was surprised that it wasn't an option. It may be that more people would use decent security if the software they ran supported it.

    1. Re:I had to hack phpbb and get an SSL cert... by mellon · · Score: 2, Informative

      They don't work with enough browsers. :'(

      They claim that they do, but I tried one (a two-month demo cert), and immediately ran into users that couldn't use the cert. I have a lot of users with really old computers. Sigh.

    2. Re:I had to hack phpbb and get an SSL cert... by Anonymous+Crowhead · · Score: 2, Informative

      We had that problem too. After tweaking the SSLCipherSuite directive in http.conf (and canceling support for Netscape 4.x), we have solved most if not all of the issues.

  3. COPIED POST by Anonymous Coward · · Score: 2, Informative

    Post above is copied from one made months ago by a different poster. Please mod accordingly.

  4. disposable CC numbers by aaandre · · Score: 3, Informative

    Citibank provides disposable CC numbers for one time use only, or for use with only one merchant (i.e. subscription).

    You log on to their web site with your account info and gener... Oh, wait...

  5. Article Slant by bradfitz · · Score: 5, Informative

    I'm Brad Fitzpatrick, from LiveJournal.

    The reporter who talked to me obviously wanted a fun slant for her article: "Look at all this insecure crap out there!"

    Things we talked about that she decided to ignore in her article:

    -- we've been working on challenge/response logins in JavaScript so passwords don't go in the clear. it's like Digest auth but in JS instead. We had this working when we talked to her, and since then it's gone into final user testing on our public test site. it'll probably go live this weekend. (I remember when I talked to her I compared it to HTTP Digest Auth and I had to explain what Digest auth was to her..... this is a _security_ reporter?)

    -- we never said SSL wasn't important or security wasn't a priority. we told her it HAS BEEN a priority, but performance stuff keeps getting in the way. in fact, we have SSL stuff working and it's going live at the same time as the challenge/response logins. we just told her that it's hard to do right when you have a shitload of servers.

    -- we let users bind their login session to their IP, so damage from cookie theft over non-SSL is mitigated

    -- we don't let users do any major action (like, oh, change the account's password) without the original password.

    -- we have many anti-hijacking measures in place to let owners of accounts restore their stolen accounts. and you know what? it's not because of SSL... it's because of people just being plain dumb/trusting/gullible. SSL isn't a magic security wand.

    Anyway, please recognize an article on a security site wants a "security's terrible!" slant. Who wants to read an article saying, "Yup, security's pretty good and improving." The security situation isn't as grim as it's made out to be.

    1. Re:Article Slant by metalpet · · Score: 3, Informative

      yeah, journalists with an agenda are a bit evil, but it's not all bad:
      - LJ gains some exposure from this
      - real security folks reading over this most likely won't feel livejournal is that far behind. Half of the complaints in the article are generic (phishing, impact of social networks on an account compromise), and the other half is mild (there might be XSS there, just like anywhere else), or unreasonable (what? you're sending session cookies over a non-SSL connection? how dare you!)

      Brad, I'd suggest you post a copy of your reply at this url:
      http://securityfocus.com/cgi-bin/sfonline/forms/comment_form.pl?section=news&id=7739
      SecurityFocus happens to have a fairly visible forum system, you might as well use it.

  6. Re:Compare with Europe by HeghmoH · · Score: 3, Informative

    I don't know what the bank example is doing in your list. If I want to store money in some bank under whatever name I want, why shouldn't I be able to do it? A bank account alone doesn't get me very far. Now, if I were to start taking out loans and so on, things get stickier, but if I just want a checking account, I shouldn't have to make an appointment a week in advance, then show up and have to show identity, proof of residency, proof of address, proof of salary, and on and on and on. (This isn't made-up, I actually had to do this.) When I last opened a bank account in the US, which was a while ago, they basically asked for my money. I like this. There isn't really an opportunity for fraud by providing bad information.

    I have no real contention with the rest of your statements, just this one.

    --
    Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  7. Re:Even with SSL by netjeff · · Score: 4, Informative

    SSL connections are vulnerable to MiTM attacks [...] In a dorm or corporate lan environment, all it takes is one trojaned laptop running a sniffer, and all your CC numbers are belong to us.

    A trojaned laptop running a sniffer is not a man-in-the-middle (MiTM) attack. SSL is safe against sniffers. For MiTM, you need to compromise a router/switch. Or else compromise a proxy that the network requires you to use for external web-access.

  8. Re:Happened to someone else? by Anonymous Coward · · Score: 1, Informative

    There's nothing funny about the sheer volume of plagiarised posts made today. Stupid little kiddies are trying to make the site unreadable, and they're getting close to succeeding.

  9. shame really by Anonymous Coward · · Score: 1, Informative

    as they have an SSL certificate, they just 302 you instead of processing the login then 302 you

    but I guess programmers know best, right?

  10. Re:Happened to someone else? by AndroidCat · · Score: 2, Informative
    And what's worse, they only seem to have 13 of my posts on file!

    The posting-bots are only half of it. I'm sure that they keep a large enough stable of minimum use puppet IDs such that some of them always have mod points. (Remember the BBS program Pyroto Mountain? Slashdot reminds me of that sometimes.)

    The other day, I noticed a new article had over 50 posts, and all but 10 had been modded down to -1. This must be a real pain for the slashdot crew.

    --
    One line blog. I hear that they're called Twitters now.
  11. Re:Compare with Europe by Perky_Goth · · Score: 2, Informative

    it sure as hell looks pretty trivial to forge an ID card... but, it does bring some security.
    However... I had to cancel a few cards at the bank, and they asked me for no ID. I had to renew my driver's license, and no ID again. So, all of those who are crying about loss of freedom, it's not a big deal. In Portugal, police can take you in for identification if you can't provide it, but that's it.
    And about mailboxes... they're not that safe... I open mine with an old bicycle lock key...

  12. Re:eCommerce Failure by thogard · · Score: 2, Informative

    use a check card
    How stupid.

    With a check card, you have all the liability while with the credit card it's with the bank (-$50 in both cases according to the law but set at $0 by the CC companies)

    If I take $10,000 out of your account and the bank finds you at fault even if you never had more than $100 in the account, they will take all of your next paycheck. With a CC, you're stuck with a bad credit report. Don't consider the best case for fraud, always consider the worst case when weighing your options.

  13. For the record... by jvaillant · · Score: 2, Informative
    LinkedIn has been using SSL since day one, not just for the login page but for every page of the site. The application is also constantly tested and hardened against XSS and other OWASP vulnerabilities. Security is a real concern to us and is factored in every aspect of our design and implementation.

    Jean-Luc Vaillant, VP Engineering, LinkedIn