Slashdot Mirror


Identity Theft and Social Networks

scubacuda writes "This Security Focus article looks at the lack of security social network sites have, particularly their lack of SSL logins, which means a user's session ID will be logged on any proxy and possibly sniffed. From the article: '[A]ccording to [Clay] Shirky, one thing is certain: "The value of each site is communally-created. Links and transactions are more important than individuals." In other words, each community creates its own kind of value. Thus, an attacker might hit Tribe to farm social networks for spam victims; and then he might exploit LinkedIn to get the contact information for a VC he wants to meet.'"
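The session-ID exposure the summary describes (a login cookie issued over plain HTTP, so every proxy on the path can log it) can be checked mechanically. Below is an added example, not code from the Security Focus article or from any site it names: it audits Set-Cookie headers from constructed login responses and flags session cookies that are set over plain HTTP or lack the Secure and HttpOnly attributes. Hostnames and cookie values are made up.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: (request URL, Set-Cookie values) as a login response
# might return them. Hypothetical hosts and values, not captured data.
SAMPLE_RESPONSES = [
    ("http://journal.example/login", ["ljsession=abc123; Path=/"]),
    ("https://bank.example/login", ["sid=deadbeef; Path=/; Secure; HttpOnly"]),
    ("https://shop.example/login", ["sessionid=xyz; Path=/"]),
]

# Cookie names that usually carry an authenticated session (heuristic).
SESSION_NAME_RE = re.compile(r"(sess|sid|auth|token|login)", re.I)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, set of lowercased attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookie(url, header):
    """Return a list of findings for one Set-Cookie header; empty if it looks fine."""
    name, attrs = parse_set_cookie(header)
    if not SESSION_NAME_RE.search(name):
        return []  # not a session-like cookie, nothing to report
    findings = []
    if urlsplit(url).scheme.lower() != "https":
        findings.append("session cookie issued over plain HTTP: any proxy or sniffer on the path sees it")
    if "secure" not in attrs:
        findings.append("missing Secure attribute: browser will also send it over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly attribute: readable by script running in the page")
    return findings


def audit_responses(responses):
    """Map (url, cookie name) -> findings for every session cookie with a problem."""
    report = {}
    for url, headers in responses:
        for header in headers:
            findings = audit_cookie(url, header)
            if findings:
                report[(url, parse_set_cookie(header)[0])] = findings
    return report


if __name__ == "__main__":
    for (url, name), findings in audit_responses(SAMPLE_RESPONSES).items():
        print(f"{url} cookie {name!r}:")
        for finding in findings:
            print("  -", finding)
```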

18 of 190 comments

  1. As a CISSP... by bc90021 · · Score: 4, Insightful

    ...it is rather scary how little attention people pay to security. The article even states: "...site performance is our highest priority, and SSL is a pain." While it can be costly to set up security (i.e., paying security consultants ;) ), if done right from the start it is less expensive than trying to fit it in after the fact.

    It is certainly less expensive than having your site hacked and/or having users leave when people post their private thoughts publicly!

    1. Re:As a CISSP... by bc90021 · · Score: 4, Insightful

      That is true, however:

      I wasn't scoffing. ;)

      Secondly, it is easy to let security go slack. And that is my point. I have seen way too many places do just that. Everyone starts small. But how many people plan to stay that way?

      How hard is it to use two commands to generate a CSR? If you don't know how to do it, Google for it. GeoTrust has step-by-step instructions, as it's in their interest. Don't know how to run Apache securely? Pay a consultant, or ask a knowledgeable friend. By posting to craigslist or slashdot, they could have found someone willing to trade services for potential profit sharing or even a free account for life.

      I'm not saying that things like memcache or the databases aren't important, and shouldn't have been prioritised. But they ignored security, and their customers have already paid the price in some instances. There comes a point where the diminishing returns of working on everything *but* security will start to directly affect everything else, and that is what has happened here.

  2. what a bunch of idiots... by Anonymous Coward · · Score: 5, Insightful

    One friend feared that she might lose her job when a private entry about problems with her supervisor was made public

    Rule 1:
    If you want to keep something confidential, don't post it on a free website.

    "If they aren't using SSL, they are basically saying they don't value privacy the way you value your privacy."

    Duh. Unless you use encryption, almost anything you send on the internet can be intercepted. Conduct yourself accordingly.

  3. it'll go on like this until somebody pays dear... by demonhold · · Score: 4, Insightful

    It saddens me that nothing will be done until some poor fella pays very dear when someone finds the motivation to sue, gets a good lawyer and wins big.

    It seems that in most things related to security, and not only virtual security, people don't start taking measures until something bad happens and they are made to pay for it...

    What do we expect anyway? Common sense is the least common of the senses...

    --
    ... and God saw that Linux was good... Genesis 99.666

  4. Re:lazy by }InFuZeD{ · · Score: 4, Insightful

    Nothing to do with laziness. SSL adds extra strain on the system. It's cheaper to not use it. And I really don't see the need for SSL on LiveJournal... it's a journal site, not a bank account.

  5. Re:Even with SSL by m0rph3us0 · · Score: 4, Insightful

    SSL is safe for people who read warning messages.

  6. Re:It's an interesting proposition by kfg · · Score: 2, Insightful

    The same is true IRL as well. Put the best lock on your front door that you want, it really doesn't matter. I'm coming in through the window anyway. Boarding up the windows reduces the utility of your house and just forces me to come in through the basement.

    You could build a wall around the house I suppose, which again is a pain for you, not to mention expensive, and doesn't slow me down all that much really, but it makes me nice and invisible from the street once I get in. So now you have to add all the electronic gizmos. . .

    I think Patton had something to say about fortifications.

    Most physical security amounts to efforts to keep slightly dishonest people honest as regards your property. You don't have to outrun the bear, just your buddy.

    The bad guys are going to do a certain amount of winning. It's selfish but the trick is to do your best to make sure it's the other guy who looks like the rube so you get left alone.

    'Cause if they really, really want you, they're going to get you sooner or later.

    Having bodyguards didn't help Indira Gandhi one little bit.

    KFG

  7. Re:Well, duh. by commodoresloat · · Score: 4, Insightful

    Well, yeah, and the idea of real-life face to face social networks is also inherently insecure. The more you interact with other people the greater the chances that one of them (or someone who knows one of them, or happens to eavesdrop on one of them) will take advantage of you. But interacting with other people is not automatically a "bad idea" because of this, and the same is true online. You need to weigh the security risks along with other factors (e.g. the social benefits of networking in this manner, or the amount of critical information that is actually compromised by these risks). I think friendster-style web-based networks are valuable enough that people should see what can be done to make them more secure rather than abandoning them as inherently insecure.

  8. And your alternative idea is... by Saeed+al-Sahaf · · Score: 2, Insightful

    You don't see the need for SSL on a journal / blog site... Then how do YOU propose to manage security and prevent hacks? Will you feel differently when YOUR account is hacked? No, SSL is virtually required (Oh my! I like that!) for this sort of thing, and overhead is highly overstated.

    On the other hand, I tend to think people who live through their on-line journal / blog need to find a real life.

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glenn Beck

  9. eBay's lack of SSL by thedillybar · · Score: 3, Insightful

    To this day, I cannot figure out how to change your eBay password over an SSL connection. Sure, you can login via SSL, but you can't send your new password over SSL.

    This kind of defeats the purpose of using SSL. Once it's sent in plaintext, it's not secure.

  10. Re:How often they get caught by Anonymous Coward · · Score: 1, Insightful

    They need to start castrating identity thieves...

    What's the point? I mean, if they've only got a 1 in 7,000 chance of getting caught, then how good is any deterrent going to be?

    Rather than concentrate on more and more extreme punishments, maybe we should concentrate our resources on more and more effective ways of catching fraudsters? Y'think?

    Apparently I have to wait another couple of minutes before posting this, so on another subject: why oh why oh why are CD players so big? I mean, with the latest codecs, you ought to be able to store much much longer audio streams on those tiny little CDs you can fit in your pocket. So why not start making more portable CDs like that and standardize on a format and codec?

    And what's the deal with all those endings for Lord of the Rings: Return of the King? Some of us had to go for a pee for crying out loud. Did any of them add any value to the film whatsoever? No, so why include them? And is the rumour true that the Special Edition Extended DVD version of Return of the King will be essentially the same film only with another three hours of endings tacked on to the end?

  11. Re:Compare with Europe by Anonymous Coward · · Score: 2, Insightful

    In most European countries (except e.g. the UK) every citizen is required to have a national ID card which you show whenever somebody has to be sure of your ID. (These cards have all kinds of witty security features to make them really hard to counterfeit.)

    Even though this looks like a copy, I'll respond.

    I am a French citizen. I have a CARTE NATIONALE D'IDENTITE, which consists of a photograph attached with 2 rivets to a cheap paper and a bad stamp. With this document I can enter France (and most of the EU), and it's trivial to forge this document.

  12. Re:I am astonished by SiliconJesus101 · · Score: 3, Insightful

    Well, until you get arrested for not producing identification, at which point in time the cop will remove your ID from your wallet so that he can get your identity. Basically, the cop has a suspicion that you may be involved in something and requests that you provide identification.

    This is the same as the morons that are happy about the fact that the police in my area cannot get into a high speed chase unless they are in pursuit of someone who is in the commission of a felony. Well, guess what kiddies; fleeing and eluding is a felony in itself and will thus warrant a high speed chase.

    The bottom line is that it's very easy to talk smack on the internet but I can assure you that if a cop asked for your ID...you damned sure would hand it over.

    --

    "The strong will do what they want, the weak will do what they must."
    -Thucydides

  13. Re:Even with SSL by Kent+Recal · · Score: 2, Insightful

    I think what you say is wrong.
    SSL/TLS is not vulnerable to MiTM when configured properly and used properly.

    The main cause why MiTM on SSL can happen in the wild is that most browsers allow you to override SSL warnings and establish a connection even though the identity of the other end can't be guaranteed.

    Whenever your browser presents you with a warning message (whatever it is) regarding the SSL-connection that it is about to establish then make sure to realize that you could as well switch back to plain http at that point.

  14. SSL vs javascript by moncyb · · Score: 2, Insightful

    Well, there's plenty of practical evidence MiTM attacks for ssh and ssl are real, no matter what books may say about it.

    Funny, both those documents said the user's client would display a big red warning saying: "HEY DUMBASS, THERE IS SOMETHING WRONG WITH THE SERVER'S KEY." It isn't the protocol's problem if the user doesn't understand basic security and will ignore warnings.

    I'm also fairly sure the recent %01 bug in IE could be used advantageously to cheaply pretend to be someone else's SSL server. The URL will look ok, the little lock will be closed, and no warning popup will show up. That's good enough for 99.9% of users.

    So because one crappy browser has a bug which may potentially be exploited, we should forget about using SSL for security? Whatever you say.

    BTW, I check the cert every time I log into an important site, though an IE bug won't affect me because I use that other crappy dragon browser (for HTTPS anyway, I use Dillo for most everything else.)

    I don't know what the AC's problem was (Troll? LJ is just a blog site, and the article even said the main problem was users giving away their passwords), but it is stupid to say some javascript code is as secure as SSL. Especially using windows troll logic--"there is a potential hole in X, so it negates the tonnes of glaring holes in my favorite Y. Y is clearly better." It may be more secure than nothing, but don't just make crap up.

    Maybe you should've pointed out Master Fitzpatrick already said he was working on it and asked the AC troll why it wanted to break into 14-year-old girls' blog accounts anyway. ;-)

  15. social networks = valuable private data by obtuse · · Score: 4, Insightful

    I'm a little wary of some of these social network tools, because social network information is incredibly valuable & sensitive. Putting my info onto Friendster seems like yielding too much of my privacy, and I guess I also don't see the payoff. In direct personal relationships, my liability is limited both in scope and in time. If I meet a vicious sociopath, there's only so much he can do, he can pretty much only get me without a lot more work, and I'm mostly vulnerable to him only when I'm nearby.

    Now let's say some bad guy gets the Friendster data. How hard can that be, considering how poor data protection in general is? The marvelous thing about data security is that once the data is loose, it could go anywhere. After all information wants to be distributed on SPAM CDs.

    The bad guy could be a blackmailer, or perhaps just a law & order type who believes in guilt by association, or a politician and suddenly one of my friends is on an enemies list.

    It was horrifying when we heard that the Colombian cartels were getting telco records, and murdering people based on them. This is similarly sensitive information.

    One friend suggested that I join up anonymously if I was uncomfortable with the privacy issues of Friendster. Unfortunately, I've still compromised the privacy of everyone else on my list, and anyone who was interested could fairly easily interpolate my identity based on all the other data that is valid. That's a side effect of one of the coolest things about Friendster. People can fake accounts, but it has little effect, because the fakes won't go anywhere much.

    Sure, probably nobody will come looking for me, but I lock my doors at night anyway.

    I do know people who wouldn't have gotten certain jobs if their network of friends was known.

    --
    Assembly is the reverse of disassembly.

  16. Re:Even with SSL by stefanb · · Score: 2, Insightful

    [A]nything they transmit over the net is sniffable with a little effort.

    I do realize this is /. but this is just bullshit. SSL/TLS is not vulnerable to man in the middle attacks as long as the trust chain is not violated.

    Are there many people out there that do not understand that just clicking Yes when they're presented with a warning will expose them to all kinds of malicious attacks from some random web site? Yes, sure.

    But any security system is only going to hold up if the people using it understand its limitations. Namely, in the case of SSL/TLS, that the root CAs whose certs are embedded in your browser are doing a proper job of only handing out certs to trustworthy people.

    And how many "security experts" still believe that using your own CA is somehow less secure than one of the commercial ones, when dealing with VPN/Intranet traffic?

  17. Re:Compare with Europe by theCoder · · Score: 2, Insightful

    If I want to store money in some bank under whatever name I want, why shouldn't I be able to do it?

    Well, if it's an interest bearing account, then the IRS may want to know about it, since IIRC, dividends are taxable income (though with current rates, it's not very much).

    Also, the bank wants to know it's you, so that when you come back later for your money, they can still verify it's you :)

    Finally, there's the crime issue. Criminals would love to be able to just store their money under any name, as that would make it much harder for the authorities to find it.

    --
    "Save the whales, feed the hungry, free the mallocs" -- author unknown