Hamiel and Moyer have apparently presented on the security failures of social networks before. I arrived a little late at their talk on Saturday and barely managed to find a spot to stand.
Their talk resonated with one of the themes of Blaze's keynote: many of the problems they discussed are ones the network implementers and operators should have known better than to introduce. They focused a good deal on MySpace but also examined LinkedIn and Facebook. MySpace may have more problems because it is one of the older social networks. Worse, it institutionalized the inclusion of third party content as a large part of its platform.
OpenSocial apparently has not fared better than the individual efforts of social network developers. Despite the opportunity to leverage broader expertise, the underlying focus of the work remains the same: user convenience in building and communicating with one's network. Security really should be a priority in such standards-focused group efforts, and I think there is an opportunity for truly open alternatives like the work being done by the DataPortability and autonomo.us folks to do better.
The lack of attention to security has increasingly turned each of these networks into what the presenters referred to as "botnet light".
The social aspect also makes these services very attractive targets for entirely non-technological attacks. It makes sense: the providers derive value from the results of the users' social calculus, their participation in and construction of large personal graphs. One of the presenters described these groupings as essentially focus groups, which is what the ad-driven services want but also makes them ripe for very targeted, context-dependent social engineering.
They discussed a couple of experiments they conducted to prove their point. In one, they spoofed Marcus Ranum's profile on one of these sites, with his permission. In another, on a more professionally oriented site, they fabricated a profile for a professional recruiter from whole cloth, including several juicy job openings. In both cases it was astonishing how much personal information they were able to harvest through legitimate means with an illegitimate profile. It really does call for social network providers to do something in the way of authenticating identity. Right now none of them appear to do much of anything.
For their part, the presenters are currently working on a Firefox extension, CSRFblocker, somewhat inspired by AdBlocker. Even in the process of building the extension they have uncovered some telling misunderstandings. Many of the existing content blocking tools only block the rendering of the content: the browser still makes the request for it, so the user is still exposed to most of these attacks (a cross-site request forgery fires when the request is sent, with the user's cookies attached, whether or not the response is ever displayed). Hopefully the new extension from hexsec will be available soon and will help shore up some of these deficiencies.
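To make the render-versus-request distinction concrete, here is an added example (my own illustration, not code from the talk or from the CSRFblocker extension). It models a page load as "extract subresource URLs, ask a policy about each, then fetch and render" and compares two policies: a hide-only content blocker, which still issues every request, and a request-level blocker, which refuses cross-site subresource requests before they leave the browser. The sample profile HTML, the hostnames under `.test`, and the crude "last two labels" registrable-domain check are constructed assumptions for the demonstration; a real extension would hook the browser's request pipeline and need an allowlist for legitimate cross-site resources such as CDNs.

```javascript
// Added example: hiding third-party content is not the same as not requesting it.
// Constructed sample: a profile page on www.example-social.test that embeds
// a same-site avatar, a hidden cross-site "image" that is really a CSRF
// attempt against a bank, and a cross-site tracking script.
const SAMPLE_PROFILE_HTML = `
<html><body>
<h1>Profile</h1>
<img src="https://cdn.example-social.test/avatar/42.png">
<img src="https://bank.example.test/transfer?to=attacker&amount=1000" style="display:none">
<script src="https://analytics.example-ads.test/track.js"></script>
</body></html>`;

const PAGE_URL = 'https://www.example-social.test/profile/42';

// Minimal extraction of src URLs from img/script/iframe tags (demo only).
function extractSubresourceUrls(html) {
  const re = /<(img|script|iframe)\b[^>]*\bsrc\s*=\s*"([^"]+)"/gi;
  const urls = [];
  let m;
  while ((m = re.exec(html)) !== null) urls.push(m[2]);
  return urls;
}

// Assumption: registrable domain = last two labels (no public-suffix list).
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function isCrossSite(pageUrl, resourceUrl) {
  return registrableDomain(new URL(pageUrl).hostname) !==
         registrableDomain(new URL(resourceUrl).hostname);
}

// Simulated page load. `policy` returns 'allow', 'hide' or 'block-request'.
// Only 'block-request' keeps the request (and the user's cookies) off the wire.
function loadPage(pageUrl, html, policy) {
  const requested = [];
  const rendered = [];
  for (const url of extractSubresourceUrls(html)) {
    const decision = policy(pageUrl, url);
    if (decision === 'block-request') continue; // never reaches the network
    requested.push(url);                        // request sent, side effects happen
    if (decision === 'hide') continue;          // fetched, just not displayed
    rendered.push(url);
  }
  return { requested, rendered };
}

// Policy A: a "content blocker" that hides cross-site content after fetching it.
const hideOnlyPolicy = (page, res) => (isCrossSite(page, res) ? 'hide' : 'allow');

// Policy B: a request-level blocker in the spirit of CSRFblocker; cross-site
// subresource requests are refused before they are issued.
const requestBlockPolicy = (page, res) => (isCrossSite(page, res) ? 'block-request' : 'allow');

function compareBlockers() {
  return {
    hideOnly: loadPage(PAGE_URL, SAMPLE_PROFILE_HTML, hideOnlyPolicy),
    requestBlock: loadPage(PAGE_URL, SAMPLE_PROFILE_HTML, requestBlockPolicy),
  };
}
```

With the hide-only policy the bank URL is still requested (the forged transfer goes out with the victim's cookies), even though nothing cross-site is rendered. With the request-level policy only the same-site avatar is requested, which is the behaviour a CSRF blocker actually needs.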