Slashdot Mirror
Identity Theft and Social Networks
scubacuda writes "This Security Focus article looks at the lack of security social network sites have, particularly their lack of SSL logins, which means a user's session ID will be logged on any proxy and possibly sniffed. From the article: '[A]ccording to [Clay] Shirky, one thing is certain: "The value of each site is communally-created. Links and transactions are more important than individuals." In other words, each community creates its own kind of value. Thus, an attacker might hit Tribe to farm social networks for spam victims; and then he might exploit LinkedIn to get the contact information for a VC he wants to meet.'"
...it is rather scary how little attention people pay to security. The article even states: "...site performance is our highest priority, and SSL is a pain." While it can be costly to set up security (ie, paying security consultants ;) ), if done right from the start it is less expensive than trying to fit it in after the fact.
It is certainly less expensive than having your site hacked and/or having users leave when people post their private thoughts publicly!
libertarianswag.com
Oh, wait...
I was a victim of identity theft once and made a police complaint, an FTC complaint, etc.. They all said that it was unlikely anyone would ever be caught. Haven't heard anything for 2 years now. They need to start castrating identity thieves... it's getting out of hand.
One friend feared that she might lose her job when a private entry about problems with her supervisor was made public
Rule 1:
If you want to keep something confidential, don't post it on a free website.
If they aren't using SSL, they are basically saying they don't value privacy the way you value your privacy."
Duh. Unless you use encryption, almost anything you send on the internet can be intercepted. Conduct yourself accordingly.
you're far from safe. SSL connections are vulnerable /.) to realise
to MiTM attacks - we saw this with M$ Passport, hotmail
etc. The only solution to these problems, is
for people (ie the average user of
that anything they transmit over the net is sniffable
with a little effort.
In a dorm or corporate lan environment, all it takes
is one trojaned laptop running a sniffer, and all
you CC numbers are belong to us.
GNAA!
All the more reason to allow "anonymous", one-time use of purchased credits.
Like phone cards - pay cash and use it online as you wish without easy tracking.
Believe it or not, there are a lot of people online that don't have credit cards but would like to buy stuff over the internet (or people that *have* credit cards but are afraid to expose their information.
Yeah, some people are going to bring up the "you are only liable for fifty bucks, anyway" issue.
In "The Cuckoo's Egg", one of Cliff Stoll's key points was that the more secure a network becomes, the less useful it is to its users, because it becomes more inconvenient to work with. In a network where the entire idea is to exchange "personal" data such as contact info, then restrictions placed to enforce good security have a way of reducing the value of the network.
But without such security, you have a "tragedy of the commons" type effect where the greedy among us abuse the good nature of others, again, reducing the value of the network.
Seems like a rather immutable Catch-22 to me...
Blogging Weight Loss, Distance Education, and more at verlin.com
It saddens me that nothing will be done until some poor fella pays very dear when someone finds the motivation to sue, gets a good lawyer and wins big.
It seems that in most things related to security, and not only virtual security, people don't start taking measures until something bad happens and they are made to pay for it...
What do we expect anyway, common sense is the less common of senses..
... y Dios vio que Linux era bueno... Genesis 99.666
Nothing to do with laziness. SSL adds extra strain on the system. It's cheaper to not use it. And I really don't see the need for SSL on LiveJournal... it's a journal site, not a bank account.
An insecure network is useless to this user (for purposes that I deem to be in need of security), no matter how "convenient" it is.
Generally speaking, I wonder how the numbers of people who would refuse to use a given network because it is inconveniently secure compare to the numbers of people who would start using it if was no longer inconveniently insecure?
Takahashi Rumiko made beats! DON, taku, DON, taku. . .
Well, yeah, and the idea of real-life face to face social networks is also inherently insecure. The more you interact with other people the greater the chances that one of them (or someone who knows one of them, or happens to eavesdrop on one of them) will take advantage of you. But interacting with other people is not automatically a "bad idea" because of this, and the same is true online. You need to weigh the security risks along with other factors (e.g. the social benefits of networking in this manner, or the amount of critical information that is actually compromised by these risks). I think friendster-style web-based networks are valuable enough that people should see what can be done to make them more secure rather than abandoning them as inherently insecure.
Citibank provides disposable CC numbers for one time use only, or for use with only one merchant (i.e. subscription).
You log on to their web site with your account info and gener... Oh, wait...
I'm Brad Fitzpatrick, from LiveJournal.
The reporter who talked to me obviously wanted a fun slant for her article: "Look at all this insecure crap out there!"
Things we talked about that she decided to ignore in her article:
-- we've been working on challenge/response logins in JavaScript so passwords don't go in the clear. it's like Digest auth but in JS instead. We had this working when we talked to her, and since then it's gone into final user testing on our public test site. it'll probably go live this weekend. (I remember when I talked to her I compared it to HTTP Digest Auth and I had to explain what Digest auth was to her..... this is a _security_ reporter?)
-- we never said SSL wasn't important or security wasn't a priority. we told her it HAS BEEN a priority, but performance stuff keeps getting in the way. in fact, we have SSL stuff working and it's going live at the same time as the challenge/response logins. we just told her that it's hard to do right when you have a shitload of servers.
-- we let users bind their login session to their IP, so damage from cookie theft over non-SSL is mitigated
-- we don't let users do any major action (like, oh, change the account's password) without the original password.
-- we have no many anti-hijacking measures in place to let owners of accounts restore their stolen accounts. and you know what? it's not because of SSL... it's because of people just people plain dumb/trusting/gullible. SSL isn't a magic security wand.
Anyway, please recognize an article on a security site wants a "security's terrible!" slant. Who wants to read an article saying, "Yup, security's pretty good and improving." The security situation isn't as grim as it's made out to be.
To this day, I can not figure out how to change your eBay password over an SSL connection. Sure, you can login via SSL, but you can't send you new password over SSL.
This kind of defeats the purpose of using SSL. Once it's sent in plaintext, it's not secure.
I don't know what the bank example is doing in your list. If I want to store money in some bank under whatever name I want, why shouldn't I be able to do it? A bank account alone doesn't get me very far. Now, if I were to start taking out loans and so on, things get sticker, but if I just want a checking account, I shouldn't have to make an appointment a week in advance, then show up and have to show identity, proof of residency, proof of address, proof of salary, and on and on and on. (This isn't made-up, I actually had to do this.) When I last opened a bank account in the US, which was a while ago, they basically asked for my money. I like this. There isn't really an opportunity for fraud by providing bad information.
I have no real contention with the rest of your statements, just this one.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
While taking a physics class at the University of Michigan, I was required to sign up for an "online homework" website. It was 30 some dollars, and was considered homework for the class (i.e. you take the class, you sign up and pay).
Sure enough, their Terms of Service require me to prevent others from obtaining my login/password. It goes on to say that if someone steals it, there is basically no way to reverse their actions.
Fine. Except for the fact that after signing up, they immediately e-mail me my password in plaintext. There's no SSL whatsoever on the site, and no way whatsoever to change my password.
After e-mailing the company involved, I was simply informed that the site will not be changed. I complained to both the professor and the University. Apparently no one pays attention to this, or they just don't care enough to do something about it. What else can I do? (besides leave the University, obviously)
Oh well... Bruce Schneier's old but well written doc always comes to mind when thinking of this topic: "Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier
Computer security has been victim of the "year of the..." syndrome. First it was firewalls, then intrusion detection systems, then VPNs, and now certification authorities (CAs) and public-key infrastructure (PKI). "If you only buy X," the sales pitch goes, "then you will be secure." But reality is never that simple, and that is especially true with PKI. (source)
Most people like fast content and often overlook security. Hell eBay out of all sites, billions in transactions, and SSL is an option! How sickening is that.
MoFscker
This is the same as the morons that are happy about the fact that the police in my area cannot get into a high speed chase unless they are in pursuit of someone who is in the commission of a felony. Well, guess what kiddies; fleeing and eluding is a felony in itself and will thus warrant a high speed chase.
The bottom line is that it's very easy to talk smack on the internet but I can assure you that if a cop asked for your ID...you damned sure would hand it over.
"The strong will do what they want, the weak will do what they must."
-Thucydides
I'm a little wary of some of these social network tools, because social network information is incredibly valuable & sensitive. Putting my info onto Friendster seems like yielding too much of my privacy, and I guess I also don't see the payoff. In direct personal relationships, my liability is limited both in scope and in time. If I meet a vicious sociopath, there's only so much he can do, he can pretty much only get me without a lot more work, and I'm mostly vulnerable to him only when I'm nearby.
Now let's say some bad guy gets the Friendster data. How hard can that be, considering how poor data protection in general is? The marvelous thing about data security is that once the data is loose, it could go anywhere. After all information wants to be distributed on SPAM CDs.
The bad guy could be a blackmailer, or perhaps just a law & order type who believes in guilt by association, or a politician and suddenly one of my friends is on an enemies list.
It was horrifying when we heard that the Colombian cartels were getting telco records, and murdering people based on them. This is similarly sensitive information.
One friend suggested that I join up anonymously if I was uncomfortable with the privacy issues of Friendster. Unfortunately, I've still compromised the privacy of everyone else on my list, and anyone who was interested could fairly easily interpolate my identity based on all the other data that is valid. That's a side effect of one of the coolest things about Friendster. People can fake accounts, but it has little effect, because the fakes won't go anywhere much.
Sure, probably nobody will come looking for me, but I lock my doors at night anyway.
I do know people who wouldn't have gotten certain jobs if their network of friends was known.
Assembly is the reverse of disassembly.