http://www.theregister.co.uk/content/55/34687.html
By SecurityFocus
Posted: 02/01/2004

Services like LiveJournal and Tribe are poised to be the next big thing on the Web in 2004, but their security and privacy practices are more like 1997, writes Annalee Newitz.

Brad Fitzpatrick is president of LiveJournal.com, a social discovery Web site where over 1.5 million users post diary entries they want to share with friends. Although members post extremely sensitive information in their journals -- everything from their plans to commit suicide or sabotage their boss to their latest sexual adventures -- Fitzpatrick admits that security on his site isn't a priority.

On the initial login page, LiveJournal members send their passwords in the clear. "We're hoping to change that in the next month," Fitzpatrick said. "But site performance is our highest priority, and SSL is a pain."

Jack (not his real name) is an LJ user whose account was compromised. He isn't sure how it happened, but one day he logged in and discovered a huge portion of his journal entries had been deleted. The attacker didn't stop there -- she or he also plundered his friends' "locked" entries (visible only to other friends) and reposted extremely private exchanges as public entries in Jack's journal.

Although he quickly changed his password and fixed the problem, the damage was done. "My friends were really upset and the bad feelings persist," he said. One friend feared that she might lose her job when a private entry about problems with her supervisor was made public on Jack's journal. "It's still cached on Google," he explained, "although it would probably be hard for most people to find unless they knew all the details."

Security measures are equally weak on social discovery Web site Tribe.net, whose member base has swollen to 65,000 since it launched six months ago. Paul Martino, CTO of Tribe, chuckled at the idea that his site might use SSL for member logins.
"We don't need high industrial strength encryption for that," he said. "We use standard security techniques like unique session IDs."

As security professionals know, there are any number of ways to defeat unique session IDs. Jeff Williams, CEO of Aspect Security, works on Web application security issues for large financial, health and government institutions. He explained that Tribe.net's refusal to use SSL means that "the session ID, which is included in the URL, will be logged on any proxy. Or you can capture it off the wire with dsniff. If they aren't using SSL, they are basically saying they don't value privacy the way you value your privacy."

Cross-site scripting could be another problem. Martino says Tribe does "tag scrubbing" to protect against people embedding hostile scripts in their posts to the site. But security pros say an attacker might be able to target specific members by sending a specially crafted URL that directs them to a form with hidden tags designed to suck up their cookies. Williams explained that "XSS is amazingly widespread. Plus, XSS vulnerabilities are easy to discover and exploit." The Open Web Application Security Project, where Williams also works, ranks cross-site scripting number four on its list of the top ten web application vulnerabilities.

"We try hard to [protect against XSS attacks], but there's always something new," said Fitzpatrick. "The only solution would be to lose link tags, and that's not a good solution."

Security consultant and Nmap author Fyodor speculated that social discovery sites are also vulnerable to a class of attack that is familiar to anyone who uses eBay: "You can trick a user into divulging their username/password by sending them to a fake login page you control. For example, you could send an email, forged as coming from Tribe, which says they need to agree to a new ToS or their account will be deactivated.
Then you give them a URL that is cloaked to appear authoritative for Tribe but really could be modified to go to the attacker's password capture page."

What makes these attacks novel in the context of a social discovery site isn't how they are deployed, but why. What does an attacker have to gain by spoofing the identity of a member of Tribe or LinkedIn? What kinds of damage can be done by hacking into a LiveJournal account?

The answer has to do with the public's growing dependence on social reputation systems. As we come closer to quantifying reputation, the identities we use in online communities begin to have real-world value. A top-ranked member of a network like eBay might be able to sell more items than her peers. A high-karma user on a site devoted to legal issues could have a tremendous influence over public policy.

According to social networks analyst Clay Shirky, identity spoofing is possibly the greatest threat to social discovery networks. "When your reputation is valuable, it becomes worth exploiting. It makes a stolen identity a more valuable commodity."

LiveJournal's abuse manager Mark Ferrell said he receives at least five reports of ID hijacking per day. By impersonating a highly reputable person, an attacker might gain access to that person's social network, business contacts and private life. Spammers might launch highly personalized campaigns. And sexual predators could use their victims' friend lists to find more people to harass.

The Social Defense Model

But social discovery site owners and users say they have foolproof protection against identity spoofing: the communities themselves. Call it the social defense model. These sites are using the connections between members to defend against technical and social attacks. The more articulated a social network gets, the harder it is to pretend to be a member of it for personal gain. Online communities can launch counter-attacks that resemble virtual community policing.
When a spammer created a fake profile on Tribe and used it to post junk messages, reports Tribe moderator Liz Warner, "People used social pressure to quash [it]." After seeing the first junk post, Tribe members quickly alerted moderators, who deleted the spammer'

ISN is currently hosted by Attrition.org
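Williams' point above, that a session ID carried in the URL of a non-SSL site ends up in every proxy and server log along the path, can be checked from the defender's side. The script below is an added example (not from the article or either site) that scans constructed Combined-Log-Format lines for session tokens in query strings or ;jsessionid path segments, and redacts them for log retention; the parameter names in SESSION_PARAMS are an assumed starting list.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names that commonly carry session tokens (assumed list, extend as needed).
SESSION_PARAMS = {"sessionid", "session_id", "sid", "jsessionid", "phpsessid", "token"}

# Combined Log Format: client ident user [timestamp] "METHOD URL PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

# Constructed sample proxy log, not real traffic; hostnames are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jan/2004:10:00:01 -0800] "GET http://tribe.example/home?sid=a1b2c3d4e5 HTTP/1.0" 200 5120',
    '10.0.0.7 - - [02/Jan/2004:10:00:02 -0800] "GET http://lj.example/users/jack/ HTTP/1.0" 200 812',
    '10.0.0.9 - - [02/Jan/2004:10:00:03 -0800] "GET http://tribe.example/msg;jsessionid=ZZ99?page=2 HTTP/1.0" 200 300',
]

def session_tokens_in_url(url):
    """Return [(param_name, token)] for every session token carried in the URL."""
    parts = urlsplit(url)
    found = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() in SESSION_PARAMS and v]
    m = re.search(r";jsessionid=([^;?/]+)", parts.path, re.IGNORECASE)  # servlet-style path token
    if m:
        found.append(("jsessionid", m.group(1)))
    return found

def find_leaked_sessions(lines):
    """Return (client, path, param, token) for each log line whose URL carries a session token."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, token in session_tokens_in_url(m.group("url")):
            hits.append((m.group("client"), urlsplit(m.group("url")).path, param, token))
    return hits

def redact_url(url):
    """Return the URL with any session token replaced, so retained logs stop being a token store."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() in SESSION_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    path = re.sub(r"(;jsessionid=)[^;?/]+", r"\1REDACTED", parts.path, flags=re.IGNORECASE)
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), parts.fragment))

if __name__ == "__main__":
    for client, path, param, token in find_leaked_sessions(SAMPLE_LOG):
        print(f"{client} leaked {param}={token} on {path}")
```

A hit in a proxy log is itself the finding: once the token is visible there, the log's readers hold the session, which is why the fix is a cookie-based session over SSL rather than a better log filter.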
This archive was generated by hypermail 2b30 : Mon Jan 05 2004 - 02:55:53 PST