Identity Theft and Social Networks

Posted by michael
from the stealing-whuffie dept.
scubacuda writes "This Security Focus article looks at the lack of security social network sites have, particularly their lack of SSL logins, which means a user's session ID will be logged on any proxy and possibly sniffed. From the article: '[A]ccording to [Clay] Shirky, one thing is certain: "The value of each site is communally-created. Links and transactions are more important than individuals." In other words, each community creates its own kind of value. Thus, an attacker might hit Tribe to farm social networks for spam victims; and then he might exploit LinkedIn to get the contact information for a VC he wants to meet.'"

  • by Anonymous Coward
    Guess it doesn't matter if you just stay anonymous.
    • shame really (Score:1, Informative)

      by Anonymous Coward

as they have an SSL certificate [slashdot.org], they just 302 you instead of processing the login, then 302 you

      But I guess programmers know best, right?
  • As a CISSP... (Score:5, Insightful)

    by bc90021 (43730) * on Friday January 02, 2004 @06:03PM (#7863464) Homepage
    ...it is rather scary how little attention people pay to security. The article even states: "...site performance is our highest priority, and SSL is a pain." While it can be costly to set up security (ie, paying security consultants ;) ), if done right from the start it is less expensive than trying to fit it in after the fact.

    It is certainly less expensive than having your site hacked and/or having users leave when people post their private thoughts publicly!
    • Re:As a CISSP... (Score:5, Interesting)

      by filth grinder (577043) on Friday January 02, 2004 @06:13PM (#7863550)
      As you said, it's cheaper to do it right the first time, design good comprehensive security in from the ground up.

      Now, I'll tell you how it works in the real world. Most of these social network sites are designed small. Some odd project that happens to catch on and spiral out from there. Most sites start out small and then explode. This isn't giant corporations with lots of employees. Hell, most of them aren't even startups. They are guys in basements who had an idea for a site, and it took off. Through donations and subscriptions they gained size and scaled their programs up. Now they need to worry about things like SSL and site performance, and it's too late.

      It should have been done from the ground up, but it wasn't. Things like SSL and good tight security don't get built in when you never intend for projects to get as big as they do.

      Look at a site like Livejournal. It started small, and now it's taken off to being incredibly popular. They had a small team working on the site who had to decide what stuff needed to be done. Once the site got large, you have to go, "well, the site is running slow as it is, do we set up some more databases, work on memcache, or implement SSL which will bog down performance even more." Obviously in order to stay in business they had to improve the site performance and struggle to keep good service up. It's easy to let security go slack.

      It's even easier to sit back and scoff, "you should have done it in the beginning".
      • Re:As a CISSP... (Score:1, Interesting)

        by Anonymous Coward
        Actually, it's easy just to stick Apache in front of an app, buy a certificate, and turn on SSL. These securityfocus guys are engaging in yellow journalism here, trying to make a story where one doesn't really exist.
        • It certainly is easy to set up SSL, more or less the moment you start collecting money (or the moment you're confident enough that money will eventually come that you buy a certificate out of pocket).

          The problem is that SSL (as usually practiced on the web...ie server-side certificates but no user-side ones) is in no sense whatsoever a solution to the security problems that these sites potentially face. Web-style SSL is a fair-to-middlin' solution to the nonexistent problem of man-in-the-middle sniffing of
      • Re:As a CISSP... (Score:5, Insightful)

        by bc90021 (43730) * on Friday January 02, 2004 @06:27PM (#7863648) Homepage
        That is true, however:

        I wasn't scoffing. ;)

        Secondly, it is easy to let security go slack. And that is my point. I have seen way too many places do just that. Everyone starts small. But how many people plan to stay that way?

        How hard is it to use two commands to generate a CSR? If you don't know how to do it, Google for it. GeoTrust has step-by-step instructions, as it's in their interest. Don't know how to run Apache securely? Pay a consultant, or ask a knowledgeable friend. By posting to craigslist or slashdot, they could have found someone willing to trade services for potential profit sharing or even a free account for life.

        I'm not saying that things like memcache or the databases aren't important, and shouldn't have been prioritised. But they ignored security, and their customers have already paid the price in some instances. There comes a point where the diminishing returns of working on everything *but* security will start to directly affect everything else, and that is what has happened here.
      • I work for such a site (wiw.hu). The parent gives a perfect description of our situation.
      • Now they need to worry about things like SSL and site performance, and it's too late.

        It's never too late. Getting a working site under SSL is 2 hours to 2 days of work. I did it a few times and never had any serious performance problems.

        And if performance is still a problem, isn't it reasonable to consider web hosting? If the application is done in anything that a web-hosting company can run (Perl, Java, ASP, even Zope) then both performance and SSL are even less of a problem - most hosting companies provide SSL and hav

      • Look at a site like Livejournal. It started small, and now it's taken off to being incredibly popular. They had a small team working on the site who had to decide what stuff needed to be done. Once the site got large, you have to go, "well, the site is running slow as it is, do we set up some more databases, work on memcache, or impliment SSL which will bog down performance even more." Obviously in order to stay in business they had to improve the site performance and struggle to keep good service up. It's
  • by Waffle Iron (339739) on Friday January 02, 2004 @06:07PM (#7863498)
    Only a total idiot would post a message on a site that doesn't use a secure login procedure.

    Oh, wait...

  • by Anonymous Coward on Friday January 02, 2004 @06:08PM (#7863505)
    One friend feared that she might lose her job when a private entry about problems with her supervisor was made public

    Rule 1:
    If you want to keep something confidential, don't post it on a free website.

    If they aren't using SSL, they are basically saying they don't value privacy the way you value your privacy.

    Duh. Unless you use encryption, almost anything you send on the internet can be intercepted. Conduct yourself accordingly.
  • Even with SSL (Score:4, Interesting)

    by tr0llx0r (730590) on Friday January 02, 2004 @06:08PM (#7863507)
    you're far from safe. SSL connections are vulnerable
    to MiTM attacks - we saw this with M$ Passport, hotmail
    etc. The only solution to these problems, is
    for people (ie the average user of /.) to realise
    that anything they transmit over the net is sniffable
    with a little effort.

    In a dorm or corporate lan environment, all it takes
    is one trojaned laptop running a sniffer, and all
    you CC numbers are belong to us.

    GNAA!
    • Re:Even with SSL (Score:5, Insightful)

      by m0rph3us0 (549631) on Friday January 02, 2004 @06:26PM (#7863643)
      SSL is safe for people who read warning messages.
    • Re:Even with SSL (Score:5, Informative)

      by netjeff (163914) on Friday January 02, 2004 @07:12PM (#7863924) Homepage
      SSL connections are vulnerable to MiTM attacks [...] In a dorm or corporate lan environment, all it takes is one trojaned laptop running a sniffer, and all you CC numbers are belong to us.

      A trojaned laptop running a sniffer is not a man-in-the-middle (MiTM) attack. SSL is safe against sniffers. For MiTM, you need to compromise a router/switch. Or else compromise a proxy that the network requires you to use for external web-access.
    • Re:Even with SSL (Score:2, Insightful)

      by Kent Recal (714863)
      I think what you say is wrong.
      SSL/TLS is not vulnerable to MiTM when configured properly and used properly.

      The main cause why MiTM on SSL can happen in the wild is that most browsers allow you to override SSL warnings and establish a connection even though the identity of the other end can't be guaranteed.

      Whenever your browser presents you with a warning message (whatever it is) regarding the SSL-connection that it is about to establish then make sure to realize that you could as well switch back to plain ht
    • Re:Even with SSL (Score:3, Insightful)

      by stefanb (21140) *

      [A]nything they transmit over the net is sniffable with a little effort.

      I do realize this is /. but this is just bullshit. SSL/TLS is not vulnerable to man in the middle attacks as long as the trust chain is not violated.

      Are there many people out there that do not understand that just clicking Yes when they're presented with a warning will expose them to all kinds of malicious attacks from some random web site? Yes, sure.

      But any security system is only going to hold up if the people using it understand

  • eCommerce Failure (Score:5, Interesting)

    by pipingguy (566974) on Friday January 02, 2004 @06:08PM (#7863509) Homepage

    All the more reason to allow "anonymous", one-time use of purchased credits.

    Like phone cards - pay cash and use it online as you wish without easy tracking.

    Believe it or not, there are a lot of people online that don't have credit cards but would like to buy stuff over the internet (or people that *have* credit cards but are afraid to expose their information).

    Yeah, some people are going to bring up the "you are only liable for fifty bucks, anyway" issue.
    • by aaandre (526056)
      Citibank provides disposable CC numbers for one time use only, or for use with only one merchant (i.e. subscription).

      You log on to their web site with your account info and gener... Oh, wait...
    • Re:eCommerce Failure (Score:3, Interesting)

      by metlin (258108)
      There is another solution to this - use a check card.

      I have an account which has very little money that I use just for online transactions and at clubs.

      Usually, my online purchases don't exceed $100, so I just pay using that account. And when there is a need for me to pay more than that amount, I just transfer the amount to my checking account.

      Not exactly very convenient, but it works just fine for me. And it sure as hell is safe.

      • That's a good idea, but it lacks marketing impact.

        The poor typically don't have multiple bank accounts.
        • True, but just how difficult is it to set up a new account?

          In fact, there are a lot of banks that support small businesses and have no minimum balance requirements (Wachovia [wachovia.com], for one) for checking accounts. And there is almost no fee for maintaining the accounts, either.

          I know that it's not a "cool" idea but the point is that it's simple and it works! I think once people are convinced of the after-effects of identity theft, it would not be too hard.

          It's almost like having multiple slashdot ids ;-)
      • Re:eCommerce Failure (Score:5, Interesting)

        by Detritus (11846) on Friday January 02, 2004 @08:05PM (#7864273) Homepage
        Check with your bank on their policies for overdrawn accounts before you rely on separate accounts. When a check was presented that was far in excess of my checking account balance (due to MICR data entry error), my ex-bank just took the money from another account that had sufficient funds to cover the check. I didn't find out about it until I got my monthly statement. As far as I can tell, no human was involved in making the decision. The bank runs on autopilot for routine decisions. I eventually got all of my money back and the service charges refunded, but it was a pain in the butt.
      • Re:eCommerce Failure (Score:3, Informative)

        by thogard (43403)
        use a check card
        How stupid.

        With a check card, you have all the liability while with the credit card it's with the bank (-$50 in both cases according to the law but set at $0 by the CC companies)

        If I take $10,000 out of your account and the bank finds you at fault even if you never had more than $100 in the account, they will take all of your next paycheck. With a CC, you're stuck with a bad credit report. Don't consider the best case for fraud, always consider the worst case when weighing your options.
    • Yeah, you may only be liable for $50, but the extra bottle of Tums you down after seeing your balance skyrocket plus the fun of playing with your CC company disputing the transactions makes up for the rest of the balance. I'm moving to companies that offer one-use numbers.
      • fun of playing with your CC company disputing the transactions

        In my experience (mostly secondhand), disputing the transactions is ridiculously easy (provided you have a good credit rating and history of paying on time)... the credit card company just eats the charges and goes on its merry way, and doesn't even make a significant effort to find the perps.

        This is not especially comforting, being that if this is happening with any sort of frequency, you know the company's not going to say, "Well, we'll just
  • by ohzero (525786)
    the web doesn't change anything. Especially if you're talking about "hackers." SSNs, Credit Card numbers, and many other implements of destruction have been made available to those who would crack systems or sift through garbage cans since I can remember. There's really two points that matter:
    • There are people who participate in identity theft via any means possible, because that's the life they lead.
    • Social security numbers in and of themselves ARE the vulnerable entry point because the information flow
    by Fortunato_NC (736786) on Friday January 02, 2004 @06:11PM (#7863532) Homepage Journal
    In "The Cuckoo's Egg", one of Cliff Stoll's key points was that the more secure a network becomes, the less useful it is to its users, because it becomes more inconvenient to work with. In a network where the entire idea is to exchange "personal" data such as contact info, then restrictions placed to enforce good security have a way of reducing the value of the network.

    But without such security, you have a "tragedy of the commons" type effect where the greedy among us abuse the good nature of others, again, reducing the value of the network.

    Seems like a rather immutable Catch-22 to me...
    • Define "user" (Score:4, Interesting)

      by czardonic (526710) on Friday January 02, 2004 @06:24PM (#7863626) Homepage
      An insecure network is useless to this user (for purposes that I deem to be in need of security), no matter how "convenient" it is.

      Generally speaking, I wonder how the number of people who would refuse to use a given network because it is inconveniently secure compares to the number of people who would start using it if it was no longer inconveniently insecure?
      • An insecure network is useless to this user (for purposes that I deem to be in need of security), no matter how "convenient" it is.
        And yet you use /. insecurely...
      • An insecure network is useless to this user (for purposes that I deem to be in need of security), no matter how "convenient" it is.
        That's nonsense, I can't imagine a setup that couldn't be made more secure by making it even more useless. Putting information on a computer at all is a concession to security for the sake of convenience. The hardest database to steal is two tons of filing cabinets in a vault.
    • The same is true IRL as well. Put the best lock on your front door that you want, it really doesn't matter. I'm coming in through the window anyway. Boarding up the windows reduces the utility of your house and just forces me to come in through the basement.

      You could build a wall around the house I suppose, which again is a pain for you, not to mention expensive, and doesn't slow me down all that much really, but it makes me nice and invisible from the street once I get in. So now you have to add all the e
    • I was on a Yahoo or Google group for promoting an annual event that didn't require a log-in to post a question. The problem is that it was spammed with nasty political crap and the admins didn't care, they would rather see spam than turn away a person too impatient to log in. OK, that's my slant but I think the point remains.

      The admins thought that registering is too much of a pain so it stays open. The problem that didn't register with their little minds was that if a user weren't going to spend the ti
  • by demonhold (735615) on Friday January 02, 2004 @06:13PM (#7863543) Journal
    It saddens me that nothing will be done until some poor fella pays very dear when someone finds the motivation to sue, gets a good lawyer and wins big.

    It seems that in most things related to security, and not only virtual security, people don't start taking measures until something bad happens and they are made to pay for it...

    What do we expect anyway, common sense is the less common of senses..

  • Most community sites seem to be local run affairs by the kid down the hall in his spare time, not by those with the money to spend on SSL certs. That, and given the value of the Internet is to allow people to connect in new ways unencumbered by worrying how to pay for it suggests that the problem here is not how to provide technically secure transactions.
    The problem here is how to create personal security on the Internet. When you're in the mall, gals keep their bags so the flap is on the inside. Guys don
  • by mellon (7048) * on Friday January 02, 2004 @06:20PM (#7863598) Homepage
    ...which cost me >$100, in order to have some password security on the bulletin board I run. phpbb would mail the password out in the clear, and didn't allow you to log in over SSL. It wasn't a big deal to hack it, but I was surprised that it wasn't an option. It may be that more people would use decent security if the software they ran supported it.
  • Article Slant (Score:5, Informative)

    by bradfitz (23252) * on Friday January 02, 2004 @06:48PM (#7863773) Homepage
    I'm Brad Fitzpatrick, from LiveJournal.

    The reporter who talked to me obviously wanted a fun slant for her article: "Look at all this insecure crap out there!"

    Things we talked about that she decided to ignore in her article:

    -- we've been working on challenge/response logins in JavaScript so passwords don't go in the clear. it's like Digest auth but in JS instead. We had this working when we talked to her, and since then it's gone into final user testing on our public test site. it'll probably go live this weekend. (I remember when I talked to her I compared it to HTTP Digest Auth and I had to explain what Digest auth was to her..... this is a _security_ reporter?)

    -- we never said SSL wasn't important or security wasn't a priority. we told her it HAS BEEN a priority, but performance stuff keeps getting in the way. in fact, we have SSL stuff working and it's going live at the same time as the challenge/response logins. we just told her that it's hard to do right when you have a shitload of servers.

    -- we let users bind their login session to their IP, so damage from cookie theft over non-SSL is mitigated

    -- we don't let users do any major action (like, oh, change the account's password) without the original password.

    -- we have so many anti-hijacking measures in place to let owners of accounts restore their stolen accounts. and you know what? it's not because of SSL... it's because of people just being plain dumb/trusting/gullible. SSL isn't a magic security wand.

    Anyway, please recognize an article on a security site wants a "security's terrible!" slant. Who wants to read an article saying, "Yup, security's pretty good and improving." The security situation isn't as grim as it's made out to be.
    • Re:Article Slant (Score:4, Informative)

      by metalpet (557056) on Friday January 02, 2004 @07:07PM (#7863879) Journal
      yeah, journalists with an agenda are a bit evil, but it's not all bad:
      - LJ gains some exposure from this
      - real security folks reading over this most likely won't feel livejournal is that far behind. Half of the complaints in the article are generic (phishing, impact of social networks on an account compromise), and the other half is mild (there might be XSS there, just like anywhere else), or unreasonable (what? you're sending session cookies over a non-SSL connection? how dare you!)

      Brad, I'd suggest you post a copy of your reply at this url:
      http://securityfocus.com/cgi-bin/sfonline/forms/comment_form.pl?section=news&id=7739
      SecurityFocus happens to have a fairly visible forum system, you might as well use it.
    • Re:Article Slant (Score:3, Interesting)

      by gilgongo (57446)
      Not trying to troll, but how do we know you're the real Brad Fitzpatrick?

      Ha ha, only serious. But your profile is blank, and I can't see your PGP key - which might be construed as ironic under the circumstances ;-)

    • That's strange that your answer at the original article comments has so little of the details you unveiled here.
    • -- we've been working on challenge/response logins in JavaScript so passwords don't go in the clear. it's like Digest auth but in JS instead. We had this working when we talked to her, and since then it's gone into final user testing on our public test site. it'll probably go live this weekend. (I remember when I talked to her I compared it to HTTP Digest Auth and I had to explain what Digest auth was to her..... this is a _security_ reporter?)

      I just have to comment on this. Many people have Javascript sw

  • eBay's lack of SSL (Score:4, Insightful)

    by thedillybar (677116) on Friday January 02, 2004 @06:48PM (#7863776)
    To this day, I cannot figure out how to change your eBay password over an SSL connection. Sure, you can login via SSL, but you can't send your new password over SSL.

    This kind of defeats the purpose of using SSL. Once it's sent in plaintext, it's not secure.
  • by thedillybar (677116) on Friday January 02, 2004 @06:57PM (#7863814)
    While taking a physics class at the University of Michigan, I was required to sign up for an "online homework" website. It was 30 some dollars, and was considered homework for the class (i.e. you take the class, you sign up and pay).

    Sure enough, their Terms of Service require me to prevent others from obtaining my login/password. It goes on to say that if someone steals it, there is basically no way to reverse their actions.

    Fine. Except for the fact that after signing up, they immediately e-mail me my password in plaintext. There's no SSL whatsoever on the site, and no way whatsoever to change my password.

    After e-mailing the company involved, I was simply informed that the site will not be changed. I complained to both the professor and the University. Apparently no one pays attention to this, or they just don't care enough to do something about it. What else can I do? (besides leave the University, obviously)
    • by Anonymous Coward
      While taking a physics class at the University of Michigan, I was required to sign up for an "online homework" website. It was 30 some dollars, and was considered homework for the class (i.e. you take the class, you sign up and pay).

      Sure enough, their Terms of Service require me to prevent others from obtaining my login/password. It goes on to say that if someone steals it, there is basically no way to reverse their actions.

      Fine. Except for the fact that after signing up, they immediately e-mail me my pas
    • by Anonymous Coward
      Publicize it.

      Get an article in the college's paper (I assume you have one there?) complaining about this and explaining how someone could hijack this system.

      Be sure, however, that the article does not use your name. The only problem with this would be if you complained to them in a non-anonymous manner. The sad thing is that whenever you do whistle-blowing like this, you NEED to be anonymous. I did my best to follow my own advice when reporting vulnerabilities to the staff of my college and, thankfully
    • Sure enough, their Terms of Service require me to prevent others from obtaining my login/password. It goes on to say that if someone steals it, there is basically no way to reverse their actions.

      Well, -you- are trying to prevent others from obtaining it while they might not be. If something does happen, point fingers. You kept up your end, and mentioning their problem then might help. And my guess is you'll have an advantage legally?
  • FUD (Score:4, Interesting)

    by segment (695309) on Friday January 02, 2004 @07:04PM (#7863863) Homepage Journal
    For most (l)users who don't understand SSL, most times they'll end up ignoring OpenSSL certs that weren't signed by so-called 'Trusted Signers', often going into a site without using SSL, thinking the cert is not to be trusted. I threw a 4096-bit cert on my FOIA docs [politrix.org], Openwebmail, and some other stuff, and people always ask me about that annoying little 'Trusted Signer' warning.

    Oh well... Bruce Schneier's old but well written doc always comes to mind when thinking of this topic: "Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure" by Carl Ellison and Bruce Schneier:

    Computer security has been victim of the "year of the..." syndrome. First it was firewalls, then intrusion detection systems, then VPNs, and now certification authorities (CAs) and public-key infrastructure (PKI). "If you only buy X," the sales pitch goes, "then you will be secure." But reality is never that simple, and that is especially true with PKI. (source [schneier.com])

    Most people like fast content and often overlook security. Hell, eBay of all sites, billions in transactions, and SSL is an option! How sickening is that.

  • it's copying.

    Ben
    • Re:It's not stealing (Score:1, Interesting)

      by Anonymous Coward
      Kinda. I was going to say that that's certainly a misuse of 'theft'; stealing it isn't, you're right, but what is it? Copying is impersonation fraud in a legal sense.

      I think it's quite unique because the 'victim' can actually play no role whatsoever in the crime.

      The person being attacked is the idiot whose belief (security) is so slack that s/he takes an impersonator to be you. If you lose money as a result of this your real beef should be with that person who failed to apply proper scrutiny.

      Thats one way of
  • YourReputation.com (https://www.yourreputation.com) is another real-world social network type of site that doesn't have such flaws. It uses SSL for its logins, and third-party, commercial-grade identity verification before people can post. We believe this is the type of service all social network sites should switch to, to protect their userbase.
  • Anyone who cares about security should set up their own site for their community and close it down and have it use SSL. This way it's also not such a big strain on CPU as this is only for a few people.

    In addition you set the policy and shouldn't let anyone else in, so your posts can't be leaked. (Though you should be prepared for it, as anything that is on an internet-connected device has to be considered in-danger)

    In addition I'm still not sure why people and businesses still use _unsigned_ and _unencrypt
  • Consider the fact that it's just as easy to get such sensitive information by installing a spy cam or hidden microphone in your home, through your friends, etc., with or without SSL.

    Online or offline, there's always a trade-off between convenience and security and these sites are no exception. SSL tends to be slower because it requires more round trips between the server and client, much more processing power, etc and sites know that performance affects their popularity.

    The rule of thumb should be: get info
  • For the record... (Score:2, Informative)

    by jvaillant (737620)
    LinkedIn has been using SSL since day one, not just for the login page but for every page of the site. The application is also constantly tested and hardened against XSS and other OWASP vulnerabilities. Security is a real concern to us and is factored in every aspect of our design and implementation.

    Jean-Luc Vaillant, VP Engineering, LinkedIn
