Slashdot Mirror


Identity Theft and Social Networks

scubacuda writes "This Security Focus article looks at the lack of security social network sites have, particularly their lack of SSL logins, which means a user's session ID will be logged on any proxy and possibly sniffed. From the article: '[A]ccording to [Clay] Shirky, one thing is certain: "The value of each site is communally-created. Links and transactions are more important than individuals." In other words, each community creates its own kind of value. Thus, an attacker might hit Tribe to farm social networks for spam victims; and then he might exploit LinkedIn to get the contact information for a VC he wants to meet.'"
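The summary's point is that when a site logs users in over plain HTTP, the session identifier travels in the clear, so any forward proxy on the path records it in its access log and anyone sniffing the wire can read it; once the site moves login to HTTPS, a proxy sees only a CONNECT to host:443. The block below is an added example, not code from the Security Focus article or from the sites it names: it parses a small constructed capture of raw HTTP requests the way a logging proxy would, pulls out session-looking tokens that were sent without SSL (from both Cookie headers and query strings), and checks whether a Set-Cookie header marks the session cookie `Secure`, since a cookie set over SSL but lacking that flag is still sent in the clear on the site's plain-HTTP pages. The hostnames (`*.test`), the capture contents and the name heuristic in SESSION_NAMES are assumptions made for the demo.

```python
"""Added example: what a forward proxy or on-path sniffer sees when a site
logs users in over plain HTTP.  Constructed data; not the article's code."""
import re
from urllib.parse import urlsplit, parse_qs

# Heuristic for cookie/query names that usually carry a login session.
# Assumption for the demo; a real audit would use the site's known cookie name.
SESSION_NAMES = re.compile(r"(sess|sid|auth|login|token)", re.IGNORECASE)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, absolute URL, headers)."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Proxy-style requests carry an absolute URL; origin-form ones need Host.
    url = target if target.startswith("http") else "http://" + headers.get("host", "") + target
    return method, url, headers


def cookie_pairs(cookie_header):
    """Parse a request Cookie header ('a=1; b=2') into [(name, value)]."""
    pairs = []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name, value))
    return pairs


def leaked_session_tokens(raw_requests):
    """Return [(host, name, value)] for session-looking tokens sent in the clear.

    CONNECT requests are skipped: with HTTPS the proxy sees only the tunnel
    endpoint, never the cookies or URL inside it.
    """
    leaks = []
    for raw in raw_requests:
        method, url, headers = parse_request(raw)
        if method == "CONNECT":
            continue
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue
        # Session IDs in cookies ...
        for name, value in cookie_pairs(headers.get("cookie", "")):
            if SESSION_NAMES.search(name):
                leaks.append((parts.hostname, name, value))
        # ... and in the query string (PHPSESSID-in-URL style sessions).
        for name, values in parse_qs(parts.query).items():
            if SESSION_NAMES.search(name):
                leaks.append((parts.hostname, name, values[0]))
    return leaks


def cookie_marked_secure(set_cookie_header):
    """True if the Set-Cookie header carries the Secure attribute, i.e. the
    browser will refuse to send this cookie over plain HTTP."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie_header.split(";")[1:]}
    return "secure" in attrs


# Constructed capture: what a logging proxy would record for three requests.
SAMPLE_CAPTURE = [
    # Logged-in browsing over plain HTTP: the session cookie is visible.
    "GET http://www.example-social.test/profile HTTP/1.1\r\n"
    "Host: www.example-social.test\r\n"
    "Cookie: PHPSESSID=8f3a1c9b2d; theme=dark\r\n\r\n",
    # Session carried in the URL, origin-form request with a Host header.
    "GET /friends?page=2&sessionid=Zk7pQ HTTP/1.1\r\n"
    "Host: tribe.example.test\r\n\r\n",
    # Site with SSL login: the proxy logs only the CONNECT, nothing inside.
    "CONNECT mail.example.test:443 HTTP/1.1\r\n"
    "Host: mail.example.test:443\r\n\r\n",
]

if __name__ == "__main__":
    for host, name, value in leaked_session_tokens(SAMPLE_CAPTURE):
        print(f"cleartext session on {host}: {name}={value}")
    for hdr in ("PHPSESSID=8f3a1c9b2d; Path=/",
                "PHPSESSID=8f3a1c9b2d; Path=/; Secure"):
        print(f"{hdr!r}: Secure={'yes' if cookie_marked_secure(hdr) else 'no'}")
```

Run as-is it reports the two plain-HTTP sessions and nothing for the HTTPS site, and shows that only the second Set-Cookie header would keep the session off the wire once login moves to SSL; a site that adds an SSL login page but forgets the Secure attribute gets little benefit, because the very next plain-HTTP link sends the cookie in the clear again.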

8 of 190 comments

  1. As a CISSP... by bc90021 · · Score: 4, Insightful

    ...it is rather scary how little attention people pay to security. The article even states: "...site performance is our highest priority, and SSL is a pain." While it can be costly to set up security (i.e., paying security consultants ;) ), if done right from the start it is less expensive than trying to fit it in after the fact.

    It is certainly less expensive than having your site hacked and/or having users leave when people post their private thoughts publicly!

    1. Re:As a CISSP... by bc90021 · · Score: 4, Insightful

      That is true, however:

      I wasn't scoffing. ;)

      Secondly, it is easy to let security go slack. And that is my point. I have seen way too many places do just that. Everyone starts small. But how many people plan to stay that way?

      How hard is it to use two commands to generate a CSR? If you don't know how to do it, Google for it. GeoTrust has step-by-step instructions, as it's in their interest. Don't know how to run Apache securely? Pay a consultant, or ask a knowledgeable friend. By posting to craigslist or slashdot, they could have found someone willing to trade services for potential profit sharing or even a free account for life.

      I'm not saying that things like memcache or the databases aren't important, and shouldn't have been prioritised. But they ignored security, and their customers have already paid the price in some instances. There comes a point where the diminishing returns of working on everything *but* security will start to directly affect everything else, and that is what has happened here.

  2. what a bunch of idiots... by Anonymous Coward · · Score: 5, Insightful

    One friend feared that she might lose her job when a private entry about problems with her supervisor was made public

    Rule 1:
    If you want to keep something confidential, don't post it on a free website.

    "If they aren't using SSL, they are basically saying they don't value privacy the way you value your privacy."

    Duh. Unless you use encryption, almost anything you send on the internet can be intercepted. Conduct yourself accordingly.

  3. it'll go on like this until somebody pays dear... by demonhold · · Score: 4, Insightful

    It saddens me that nothing will be done until some poor fella pays very dear when someone finds the motivation to sue, gets a good lawyer and wins big.

    It seems that in most things related to security, and not only virtual security, people don't start taking measures until something bad happens and they are made to pay for it...

    What do we expect anyway, common sense is the least common of the senses...

    --
    ... and God saw that Linux was good... Genesis 99.666

  4. Re:lazy by }InFuZeD{ · · Score: 4, Insightful

    Nothing to do with laziness. SSL adds extra strain on the system. It's cheaper to not use it. And I really don't see the need for SSL on LiveJournal... it's a journal site, not a bank account.

  5. Re:Even with SSL by m0rph3us0 · · Score: 4, Insightful

    SSL is safe for people who read warning messages.

  6. Re:Well, duh. by commodoresloat · · Score: 4, Insightful

    Well, yeah, and the idea of real-life face to face social networks is also inherently insecure. The more you interact with other people the greater the chances that one of them (or someone who knows one of them, or happens to eavesdrop on one of them) will take advantage of you. But interacting with other people is not automatically a "bad idea" because of this, and the same is true online. You need to weigh the security risks along with other factors (e.g. the social benefits of networking in this manner, or the amount of critical information that is actually compromised by these risks). I think friendster-style web-based networks are valuable enough that people should see what can be done to make them more secure rather than abandoning them as inherently insecure.

  7. social networks = valuable private data by obtuse · · Score: 4, Insightful

    I'm a little wary of some of these social network tools, because social network information is incredibly valuable & sensitive. Putting my info onto Friendster seems like yielding too much of my privacy, and I guess I also don't see the payoff. In direct personal relationships, my liability is limited both in scope and in time. If I meet a vicious sociopath, there's only so much he can do, he can pretty much only get me without a lot more work, and I'm mostly vulnerable to him only when I'm nearby.

    Now let's say some bad guy gets the Friendster data. How hard can that be, considering how poor data protection in general is? The marvelous thing about data security is that once the data is loose, it could go anywhere. After all information wants to be distributed on SPAM CDs.

    The bad guy could be a blackmailer, or perhaps just a law & order type who believes in guilt by association, or a politician and suddenly one of my friends is on an enemies list.

    It was horrifying when we heard that the Colombian cartels were getting telco records, and murdering people based on them. This is similarly sensitive information.

    One friend suggested that I join up anonymously if I was uncomfortable with the privacy issues of Friendster. Unfortunately, I've still compromised the privacy of everyone else on my list, and anyone who was interested could fairly easily interpolate my identity based on all the other data that is valid. That's a side effect of one of the coolest things about Friendster. People can fake accounts, but it has little effect, because the fakes won't go anywhere much.

    Sure, probably nobody will come looking for me, but I lock my doors at night anyway.

    I do know people who wouldn't have gotten certain jobs if their network of friends was known.

    --
    Assembly is the reverse of disassembly.