Information Security News mailing list archives

Defences lacking at social network sites


From: InfoSec News <isn () c4i org>
Date: Mon, 5 Jan 2004 02:28:47 -0600 (CST)

http://www.theregister.co.uk/content/55/34687.html

By SecurityFocus
Posted: 02/01/2004

Services like LiveJournal and Tribe are poised to be the next big 
thing on the Web in 2004, but their security and privacy practices are 
more like 1997, writes Annalee Newitz. 

Brad Fitzpatrick is president of LiveJournal.com, a social discovery 
Web site where over 1.5 million users post diary entries they want to 
share with friends. Although members post extremely sensitive 
information in their journals -- everything from their plans to commit 
suicide or sabotage their boss to their latest sexual adventures -- 
Fitzpatrick admits that security on his site isn't a priority. 

On the initial login page, LiveJournal members send their passwords in 
the clear. "We're hoping to change that in the next month," 
Fitzpatrick said. "But site performance is our highest priority, and 
SSL is a pain." 

Jack (not his real name) is an LJ user whose account was compromised. 
He isn't sure how it happened, but one day he logged in and discovered 
a huge portion of his journal entries had been deleted. The attacker 
didn't stop there -- she or he also plundered his friends' "locked" 
entries (visible only to other friends) and reposted extremely private 
exchanges as public entries in Jack's journal. Although he quickly 
changed his password and fixed the problem, the damage was done. "My 
friends were really upset and the bad feelings persist," he said. One 
friend feared that she might lose her job when a private entry about 
problems with her supervisor was made public on Jack's journal. "It's 
still cached on Google," he explained, "although it would probably be 
hard for most people to find unless they knew all the details." 

Security measures are equally weak on social discovery Web site 
Tribe.net, whose member base has swollen to 65,000 since it launched 
six months ago. Paul Martino, CTO of Tribe, chuckled at the idea that 
his site might use SSL for member logins. "We don't need high 
industrial strength encryption for that," he said. "We use standard 
security techniques like unique session IDs." 

As security professionals know, there are any number of ways to defeat 
unique session IDs. Jeff Williams, CEO of Aspect Security, works on 
Web applications security issues for large financial, health and 
government institutions. He explained that Tribe.net's refusal to use 
SSL means that "the session ID, which is included in the URL, will be 
logged on any proxy. Or you can capture it off the wire with dsniff. 
If they aren't using SSL, they are basically saying they don't value 
privacy the way you value your privacy." 
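The exposure Williams describes, a session identifier carried in the URL, is something a defender can both check for in proxy logs and design out. The following Python is an added example, not code from the article or from either site: it flags session tokens in logged request URLs and builds the cookie attributes that keep the token out of URLs in the first place. The log lines and host names are constructed, and the parameter-name list is an assumption to be extended for the application under review.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query-parameter names that commonly carry a session identifier. Assumption:
# extend this list for the application actually under review.
SESSION_PARAM_NAMES = {"sessionid", "session_id", "sid", "jsessionid", "phpsessid", "token"}
# Any 16+ character opaque-looking value is treated as a token even under another name.
TOKEN_VALUE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")
# Servlet-style path parameter (";jsessionid=...") lands in logs just like a query string.
PATH_SESSION = re.compile(r";jsessionid=([^;?#]+)", re.IGNORECASE)


def url_session_leaks(url):
    """Return [(name, value), ...] for every part of `url` that looks like a session token."""
    parts = urlsplit(url)
    leaks = [
        (name, value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
        if name.lower() in SESSION_PARAM_NAMES or TOKEN_VALUE.match(value)
    ]
    m = PATH_SESSION.search(parts.path)
    if m:
        leaks.append(("jsessionid", m.group(1)))
    return leaks


def scan_proxy_log(lines):
    """Scan Squid-native-format access log lines and return (client, url, leaks)
    for each request whose URL carried a session token, i.e. whose session is now
    readable by anyone with access to this log."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # not a request line in the expected format
        client, url = fields[2], fields[6]
        leaks = url_session_leaks(url)
        if leaks:
            findings.append((client, url, leaks))
    return findings


def session_cookie_header(token, max_age=3600):
    """Value of a Set-Cookie header that keeps the session id out of URLs and logs:
    Secure (sent over TLS only), HttpOnly (not readable by page script, which blunts
    the cookie-harvesting XSS the article describes), SameSite=Lax."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{16,}", token):
        raise ValueError("session token must be an opaque, URL-safe string")
    return f"sid={token}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


# Constructed Squid-style log lines (not real traffic); hostnames are examples.
SAMPLE_PROXY_LOG = [
    "1073275727.123 215 10.0.0.5 TCP_MISS/200 3120 GET http://social.example/home?sid=9f3a1c77e0b24d5a - DIRECT/203.0.113.9 text/html",
    "1073275731.456 180 10.0.0.7 TCP_MISS/200 2048 GET http://social.example/profile?page=2 - DIRECT/203.0.113.9 text/html",
    "1073275740.789 201 10.0.0.5 TCP_MISS/200 4096 GET http://social.example/app;jsessionid=ABC123DEF456GHI7?x=1 - DIRECT/203.0.113.9 text/html",
]

if __name__ == "__main__":
    for client, url, leaks in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} leaked {leaks} via {url}")
    print("Set-Cookie:", session_cookie_header("9f3a1c77e0b24d5a"))
```

The scan is a one-off audit over whatever proxy or web-server logs the operator already keeps; a single hit means the session design, not the log retention, is the problem. The cookie attributes are the current best practice rather than what was available in 2004, and they only help once the login itself is served over TLS.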

Cross-site scripting could be another problem. Martino says Tribe does 
"tag scrubbing" to protect against people embedding hostile scripts on 
their posts to the site. But security pros say an attacker might be 
able to target specific members by sending a specially crafted URL 
that directs them to a form with hidden tags designed to suck up their 
cookies. Williams explained that "XSS is amazingly widespread. Plus, 
XSS vulnerabilities are easy to discover and exploit." 

The Open Web Application Security Project, where Williams also works, 
ranks cross-site scripting number four on its list of the top ten web 
application vulnerabilities. "We try hard to [protect against XSS 
attacks], but there's always something new," said Fitzpatrick. "The 
only solution would be to lose link tags, and that's not a good 
solution." 
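Fitzpatrick's dilemma, keeping link tags while blocking hostile scripts, is usually resolved with an allowlist rather than the tag-stripping "scrubbing" Martino describes: keep a small set of tags, keep only named attributes on them, accept a link only when its scheme is http or https, and escape everything else as plain text. The following is an added Python example built on the standard library's html.parser, not LiveJournal's or Tribe's scrubber; the allowed tag and attribute sets are assumptions, and the sample post is constructed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: the handful of tags a journal post may use, with the only
# attribute that is kept per tag. Anything not listed is dropped, never "scrubbed".
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https"}  # absolute links only; no javascript:, data:, etc.
VOID_TAGS = {"br"}


def safe_href(value):
    """Return the href if it is an absolute http(s) URL, else None."""
    value = (value or "").strip()
    if urlsplit(value).scheme.lower() in SAFE_SCHEMES:
        return value
    return None


class PostSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; all text and attribute values are escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (script, iframe, form, ...) is removed entirely
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers, style, etc. never survive
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text (including the body of a dropped <script>) becomes inert escaped text.
        self.out.append(escape(data, quote=False))


def sanitize_post(html_text):
    """Sanitize one user post and return HTML that is safe to embed in a page."""
    parser = PostSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample post, not real content:
    sample = ('<p>See <a href="https://example.com/x" onclick="track()">this</a> &amp; '
              '<a href="javascript:void(0)">that</a><script>steal()</script></p>')
    print(sanitize_post(sample))
```

The point of the allowlist is that "something new" in the attacker's markup is dropped by default instead of needing a new scrub rule; the site keeps its link tags and only ever emits attributes it chose to emit. This minimal sanitizer does not balance stray end tags or handle nested-tag edge cases, so a production deployment would use a maintained HTML sanitizer built on the same allowlist principle.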

Security consultant and Nmap author Fyodor speculated that social 
discovery sites are also vulnerable to a class of attack that is 
familiar to anyone who uses eBay: "You can trick a user into divulging 
their username/password by sending them to a fake login page you 
control. For example, you could send an email, forged as coming from 
Tribe, which says they need to agree to a new ToS or their account 
will be deactivated. Then you give them a URL that is cloaked to 
appear authoritative for Tribe but really could be modified to go to 
the attacker's password capture page." 

What makes these attacks novel in the context of a social discovery 
site isn't how they are deployed, but why. What does an attacker have 
to gain by spoofing the identity of a member of Tribe or LinkedIn? 
What kinds of damage can be done by hacking into a LiveJournal 
account? The answer has to do with the public's growing dependence on 
social reputation systems. 

As we come closer to quantifying reputation, the identities we use in 
online communities begin to have real-world value. A top-ranked member 
of a network like eBay might be able to sell more items than her 
peers. A high-karma user on a site devoted to legal issues could have 
a tremendous influence over public policy. According to social 
networks analyst Clay Shirky, identity spoofing is possibly the 
greatest threat to social discovery networks. "When your reputation is 
valuable, it becomes worth exploiting. It makes a stolen identity a 
more valuable commodity." 

LiveJournal's abuse manager Mark Ferrell said he receives at least 
five reports of ID hijacking per day. 

By impersonating a highly-reputable person, an attacker might gain 
access to that person's social network, business contacts and private 
life. Spammers might launch highly personalized campaigns. And sexual 
predators could use their victims' friend lists to find more people to 
harass. 

The Social Defense Model 

But social discovery site owners and users say they have foolproof 
protection against identity spoofing: the communities themselves. Call 
it the social defense model. These sites are using the connections 
between members to defend against technical and social attacks. 

The more articulated a social network gets, the harder it is to 
pretend to be a member of it for personal gain. Online communities can 
launch counter-attacks that resemble virtual community policing. When 
a spammer created a fake profile on Tribe and used it to post junk 
messages, reports Tribe moderator Liz Warner, "People used social 
pressure to quash [it]." After seeing the first junk post, Tribe 
members quickly alerted moderators, who deleted the spammer'



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
