Slashdot Mirror

← Back to Stories (view on slashdot.org)

Identity Theft and Social Networks

Posted by michael on from the stealing-whuffie dept.

scubacuda writes "This Security Focus article looks at the lack of security social network sites have, particularly their lack of SSL logins, which means a user's session ID will be logged on any proxy and possibly sniffed. From the article: '[A]ccording to [Clay] Shirky, one thing is certain: "The value of each site is communally-created. Links and transactions are more important than individuals." In other words, each community creates its own kind of value. Thus, an attacker might hit Tribe to farm social networks for spam victims; and then he might exploit LinkedIn to get the contact information for a VC he wants to meet.'"

6 of 190 comments (clear)

  1. Even with SSL by tr0llx0r · · Score: 4, Interesting

    you're far from safe. SSL connections are vulnerable
    to MiTM attacks - we saw this with M$ Passport, hotmail
    etc. The only solution to these problems, is
    for people (ie the average user of /.) to realise
    that anything they transmit over the net is sniffable
    with a little effort.

    In a dorm or corporate lan environment, all it takes
    is one trojaned laptop running a sniffer, and all
    you CC numbers are belong to us.

    GNAA!

  2. eCommerce Failure by pipingguy · · Score: 5, Interesting


    All the more reason to allow "anonymous", one-time use of purchased credits.

    Like phone cards - pay cash and use it online as you wish without easy tracking.

    Believe it or not, there are a lot of people online that don't have credit cards but would like to buy stuff over the internet (or people that *have* credit cards but are afraid to expose their information.

    Yeah, some people are going to bring up the "you are only liable for fifty bucks, anyway" issue.

    1. Re:eCommerce Failure by Detritus · · Score: 4, Interesting

      Check with your bank on their policies for overdrawn accounts before you rely on separate accounts. When a check was presented that was far in excess of my checking account balance (due to MICR data entry error), my ex-bank just took the money from another account that had sufficient funds to cover the check. I didn't find out about it until I got my monthly statement. As far as I can tell, no human was involved in making the decision. The bank runs on autopilot for routine decisions. I eventually got all of my money back and the service charges refunded, but it was a pain in the butt.

      --
      Mea navis aericumbens anguillis abundat
  3. It's an interesting proposition by Fortunato_NC · · Score: 5, Interesting

    In "The Cuckoo's Egg", one of Cliff Stoll's key points was that the more secure a network becomes, the less useful it is to its users, because it becomes more inconvenient to work with. In a network where the entire idea is to exchange "personal" data such as contact info, then restrictions placed to enforce good security have a way of reducing the value of the network.

    But without such security, you have a "tragedy of the commons" type effect where the greedy among us abuse the good nature of others, again, reducing the value of the network.

    Seems like a rather immutable Catch-22 to me...

    --
    Blogging Weight Loss, Distance Education, and more at verlin.com
  4. Re:As a CISSP... by filth+grinder · · Score: 5, Interesting

    As you said, it's cheaper to do it right the first time, design good comprehensive security in from the ground up.

    Now, I'll tell you how it works in the real world. Most of these social network sites are designed small. Some odd project that happens to catch on and spiral out from there. Most sites start out small and then explode. This isn't giant corporations with lots of employees. Hell, most of them aren't even start ups. They are guys in basements who had an idea for a site, it took off. Through donations and subscriptions they gains size and scaled their programs up. Now they need to worry about things like SSL and site performance, and it's too late.

    It should have been done from the ground up, but it wasn't. Things like SSL and good tight security don't get built in when you never intend for projects to get as big as it does.

    Look at a site like Livejournal. It started small, and now it's taken off to being incredibly popular. They had a small team working on the site who had to decide what stuff needed to be done. Once the site got large, you have to go, "well, the site is running slow as it is, do we set up some more databases, work on memcache, or impliment SSL which will bog down performance even more." Obviously in order to stay in business they had to improve the site performance and struggle to keep good service up. It's easy to let security go slack.

    It's even easier to sit back and scoff, "you should have done it in the beginning".

  5. University requirements by thedillybar · · Score: 4, Interesting

    While taking a physics class at the University of Michigan, I was required to sign up for an "online homework" website. It was 30 some dollars, and was considered homework for the class (i.e. you take the class, you sign up and pay).

    Sure enough, their Terms of Service require me to prevent others from obtaining my login/password. It goes on to say that if someone steals it, there is basically no way to reverse their actions.

    Fine. Except for the fact that after signing up, they immediately e-mail me my password in plaintext. There's no SSL whatsoever on the site, and no way whatsoever to change my password.

    After e-mailing the company involved, I was simply informed that the site will not be changed. I complained to both the professor and the University. Apparently no one pays attention to this, or they just don't care enough to do something about it. What else can I do? (besides leave the University, obviously)