[ISN] Defences lacking at social network sites

From: InfoSec News (isn@private)
Date: Mon Jan 05 2004 - 00:28:47 PST


    http://www.theregister.co.uk/content/55/34687.html
    
    By SecurityFocus
    Posted: 02/01/2004
    
    Services like LiveJournal and Tribe are poised to be the next big 
    thing on the Web in 2004, but their security and privacy practices are 
    more like 1997, writes Annalee Newitz. 
    
    Brad Fitzpatrick is president of LiveJournal.com, a social discovery 
    Web site where over 1.5 million users post diary entries they want to 
    share with friends. Although members post extremely sensitive 
    information in their journals -- everything from their plans to commit 
    suicide or sabotage their boss to their latest sexual adventures -- 
    Fitzpatrick admits that security on his site isn't a priority. 
    
    On the initial login page, LiveJournal members send their passwords in 
    the clear. "We're hoping to change that in the next month," 
    Fitzpatrick said. "But site performance is our highest priority, and 
    SSL is a pain." 
    
    Jack (not his real name) is an LJ user whose account was compromised. 
    He isn't sure how it happened, but one day he logged in and discovered 
    a huge portion of his journal entries had been deleted. The attacker 
    didn't stop there -- she or he also plundered his friends' "locked" 
    entries (visible only to other friends) and reposted extremely private 
    exchanges as public entries in Jack's journal. Although he quickly 
    changed his password and fixed the problem, the damage was done. "My 
    friends were really upset and the bad feelings persist," he said. One 
    friend feared that she might lose her job when a private entry about 
    problems with her supervisor was made public on Jack's journal. "It's 
    still cached on Google," he explained, "although it would probably be 
    hard for most people to find unless they knew all the details." 
    
    Security measures are equally weak on social discovery Web site 
    Tribe.net, whose member base has swollen to 65,000 since it launched 
    six months ago. Paul Martino, CTO of Tribe, chuckled at the idea that 
    his site might use SSL for member logins. "We don't need high 
    industrial strength encryption for that," he said. "We use standard 
    security techniques like unique session IDs." 
    
    As security professionals know, there are any number of ways to defeat 
    unique session IDs. Jeff Williams, CEO of Aspect Security, works on 
    Web application security issues for large financial, health and 
    government institutions. He explained that Tribe.net's refusal to use 
    SSL means that "the session ID, which is included in the URL, will be 
    logged on any proxy. Or you can capture it off the wire with dsniff. 
    If they aren't using SSL, they are basically saying they don't value 
    privacy the way you value your privacy." 
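    The exposure Williams describes is easy to confirm from the defender's side: a proxy that relays plaintext HTTP records the full URL, session token included, while HTTPS traffic appears only as a CONNECT to host:port. The following added example (not from the article or either site) scans constructed proxy-log lines and reports every request whose query string carries a session identifier; the parameter names and the log format are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Query-parameter names commonly used to carry session tokens (assumed list).
SESSION_PARAMS = {"sessionid", "session_id", "sid", "jsessionid", "phpsessid"}

# Constructed proxy access-log lines in a squid-like shape; hosts are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jan/2004:00:28:47 -0800] "GET http://tribe.example/home?sid=ab12cd34ef56 HTTP/1.0" 200
10.0.0.7 - - [05/Jan/2004:00:29:01 -0800] "GET http://tribe.example/profile?user=jack HTTP/1.0" 200
10.0.0.9 - - [05/Jan/2004:00:29:15 -0800] "CONNECT tribe.example:443 HTTP/1.0" 200
10.0.0.5 - - [05/Jan/2004:00:30:02 -0800] "GET http://lj.example/login.bml?session_id=9f8e7d6c HTTP/1.0" 302
"""

# client, method, target and status; the request line is quoted in the log.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_exposed_sessions(log_text):
    """Return (client, url, param, token) for plaintext requests whose query
    string carries a session identifier. TLS traffic through a proxy shows up
    only as CONNECT host:port, so its URLs and tokens never reach the log."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, method, target, _status = m.groups()
        if method == "CONNECT":
            continue  # tunnelled TLS: the proxy sees only the host and port
        parsed = urlparse(target)
        if parsed.scheme != "http":
            continue
        for name, values in parse_qs(parsed.query).items():
            if name.lower() in SESSION_PARAMS:
                hits.append((client, target, name, values[0]))
    return hits


if __name__ == "__main__":
    for client, url, param, token in find_exposed_sessions(SAMPLE_LOG):
        # Mask the token when reporting so the report itself does not leak it.
        print(f"{client} sent {param}={token[:4]}... in plaintext URL {url}")
```

Run against a real proxy log, two hits like these mean two sessions that anyone with read access to that log (or to the wire) could replay.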
    
    Cross-site scripting could be another problem. Martino says Tribe does 
    "tag scrubbing" to protect against people embedding hostile scripts on 
    their posts to the site. But security pros say an attacker might be 
    able to target specific members by sending a specially crafted URL 
    that directs them to a form with hidden tags designed to suck up their 
    cookies. Williams explained that "XSS is amazingly widespread. Plus, 
    XSS vulnerabilities are easy to discover and exploit." 
    
    The Open Web Application Security Project, where Williams also works, 
    ranks cross-site scripting number four on its list of the top ten web 
    application vulnerabilities. "We try hard to [protect against XSS 
    attacks], but there's always something new," said Fitzpatrick. "The 
    only solution would be to lose link tags, and that's not a good 
    solution." 
    
    Security consultant and Nmap author Fyodor speculated that social 
    discovery sites are also vulnerable to a class of attack that is 
    familiar to anyone who uses eBay: "You can trick a user into divulging 
    their username/password by sending them to a fake login page you 
    control. For example, you could send an email, forged as coming from 
    Tribe, which says they need to agree to a new ToS or their account 
    will be deactivated. Then you give them a URL that is cloaked to 
    appear authoritative for Tribe but really could be modified to go to 
    the attacker's password capture page." 
    
    What makes these attacks novel in the context of a social discovery 
    site isn't how they are deployed, but why. What does an attacker have 
    to gain by spoofing the identity of a member of Tribe or LinkedIn? 
    What kinds of damage can be done by hacking into a LiveJournal 
    account? The answer has to do with the public's growing dependence on 
    social reputation systems. 
    
    As we come closer to quantifying reputation, the identities we use in 
    online communities begin to have real-world value. A top-ranked member 
    of a network like eBay might be able to sell more items than her 
    peers. A high-karma user on a site devoted to legal issues could have 
    a tremendous influence over public policy. According to social 
    networks analyst Clay Shirky, identity spoofing is possibly the 
    greatest threat to social discovery networks. "When your reputation is 
    valuable, it becomes worth exploiting. It makes a stolen identity a 
    more valuable commodity." 
    
    LiveJournal's abuse manager Mark Ferrell said he receives at least 
    five reports of ID hijacking per day. 
    
    By impersonating a highly reputable person, an attacker might gain 
    access to that person's social network, business contacts and private 
    life. Spammers might launch highly personalized campaigns. And sexual 
    predators could use their victims' friend lists to find more people to 
    harass. 
    
    The Social Defense Model 
    
    But social discovery site owners and users say they have foolproof 
    protection against identity spoofing: the communities themselves. Call 
    it the social defense model. These sites are using the connections 
    between members to defend against technical and social attacks. 
    
    The more articulated a social network gets, the harder it is to 
    pretend to be a member of it for personal gain. Online communities can 
    launch counter-attacks that resemble virtual community policing. When 
    a spammer created a fake profile on Tribe and used it to post junk 
    messages, reports Tribe moderator Liz Warner, "People used social 
    pressure to quash [it]." After seeing the first junk post, Tribe 
    members quickly alerted moderators, who deleted the spammer'
    
    
    
    -
    ISN is currently hosted by Attrition.org
    



    This archive was generated by hypermail 2b30 : Mon Jan 05 2004 - 02:55:53 PST