Identity Theft and Social Networks

scubacuda writes "This Security Focus article looks at the lack of security social network sites have, particularly their lack of SSL logins, which means a user's session ID will be logged on any proxy and possibly sniffed. From the article: '[A]ccording to [Clay] Shirky, one thing is certain: "The value of each site is communally-created. Links and transactions are more important than individuals." In other words, each community creates its own kind of value. Thus, an attacker might hit Tribe to farm social networks for spam victims; and then he might exploit LinkedIn to get the contact information for a VC he wants to meet.'"

It's just common sense

[Waffle+Iron]

Only a total idiot would post a message on a site that doesn't use a secure login procedure.

Oh, wait...

Re:How often they get caught

[Brahmastra]

I was a victim of identity theft once and made a police complaint, an FTC complaint, etc.. They all said that it was unlikely anyone would ever be caught. Haven't heard anything for 2 years now. They need to start castrating identity thieves... it's getting out of hand.

what a bunch of idiots...

One friend feared that she might lose her job when a private entry about problems with her supervisor was made public

Rule 1:
If you want to keep something confidential, don't post it on a free website.

If they aren't using SSL, they are basically saying they don't value privacy the way you value your privacy."

Duh. Unless you use encryption, almost anything you send on the internet can be intercepted. Conduct yourself accordingly.

eCommerce Failure

[pipingguy]

All the more reason to allow "anonymous", one-time use of purchased credits.

Like phone cards - pay cash and use it online as you wish without easy tracking.

Believe it or not, there are a lot of people online that don't have credit cards but would like to buy stuff over the internet (or people that *have* credit cards but are afraid to expose their information.

Yeah, some people are going to bring up the "you are only liable for fifty bucks, anyway" issue.

It's an interesting proposition

[Fortunato_NC]

In "The Cuckoo's Egg", one of Cliff Stoll's key points was that the more secure a network becomes, the less useful it is to its users, because it becomes more inconvenient to work with. In a network where the entire idea is to exchange "personal" data such as contact info, then restrictions placed to enforce good security have a way of reducing the value of the network.

But without such security, you have a "tragedy of the commons" type effect where the greedy among us abuse the good nature of others, again, reducing the value of the network.

Seems like a rather immutable Catch-22 to me...

Re:As a CISSP...

[filth+grinder]

As you said, it's cheaper to do it right the first time, design good comprehensive security in from the ground up.

Now, I'll tell you how it works in the real world. Most of these social network sites are designed small. Some odd project that happens to catch on and spiral out from there. Most sites start out small and then explode. This isn't giant corporations with lots of employees. Hell, most of them aren't even start ups. They are guys in basements who had an idea for a site, it took off. Through donations and subscriptions they gains size and scaled their programs up. Now they need to worry about things like SSL and site performance, and it's too late.

It should have been done from the ground up, but it wasn't. Things like SSL and good tight security don't get built in when you never intend for projects to get as big as it does.

Look at a site like Livejournal. It started small, and now it's taken off to being incredibly popular. They had a small team working on the site who had to decide what stuff needed to be done. Once the site got large, you have to go, "well, the site is running slow as it is, do we set up some more databases, work on memcache, or impliment SSL which will bog down performance even more." Obviously in order to stay in business they had to improve the site performance and struggle to keep good service up. It's easy to let security go slack.

It's even easier to sit back and scoff, "you should have done it in the beginning".

Article Slant

[bradfitz]

I'm Brad Fitzpatrick, from LiveJournal.

The reporter who talked to me obviously wanted a fun slant for her article: "Look at all this insecure crap out there!"

Things we talked about that she decided to ignore in her article:

-- we've been working on challenge/response logins in JavaScript so passwords don't go in the clear. it's like Digest auth but in JS instead. We had this working when we talked to her, and since then it's gone into final user testing on our public test site. it'll probably go live this weekend. (I remember when I talked to her I compared it to HTTP Digest Auth and I had to explain what Digest auth was to her..... this is a _security_ reporter?)

-- we never said SSL wasn't important or security wasn't a priority. we told her it HAS BEEN a priority, but performance stuff keeps getting in the way. in fact, we have SSL stuff working and it's going live at the same time as the challenge/response logins. we just told her that it's hard to do right when you have a shitload of servers.

-- we let users bind their login session to their IP, so damage from cookie theft over non-SSL is mitigated

-- we don't let users do any major action (like, oh, change the account's password) without the original password.

-- we have no many anti-hijacking measures in place to let owners of accounts restore their stolen accounts. and you know what? it's not because of SSL... it's because of people just people plain dumb/trusting/gullible. SSL isn't a magic security wand.

Anyway, please recognize an article on a security site wants a "security's terrible!" slant. Who wants to read an article saying, "Yup, security's pretty good and improving." The security situation isn't as grim as it's made out to be.