Classification of social media › Collaborative projects (Wikipedia) › Blogs (Twitter, Tumblr) › Content communities (Youtube) › Social networking (Facebook, Google Plus) › Virtual game-worlds (WoW, SWTOR) › Virtual Social worlds (Second Life)
Facebook › Self-XSS › Spam › Threats to privacy / Identity theft › Clickjacking
› Cross-site scripting or "Self-XSS.“ For example a message: “Why are you tagged in this video?” and the Facebook Dislike button take you to a webpage that tries to trick you into cutting and pasting a malicious JavaScript code into your browser’s address bar. Self-XSS attacks can also run hidden, or obfuscated, JavaScript on your computer allowing for malware installation without your knowledge.
› Threats to privacy / Identity theft Facebook scams also tap into interest in the news, holiday activities and other topical events to get you to innocently reveal your personal information. Facebook posts such as “create a Royal Wedding guest name” and "In honor of Mother’s Day" seem innocuous enough, until you realize that information such as your children’s names and birthdates, pet’s name and street name now reside permanently on the Internet. Since this information is often used for passwords or password challenge questions, it can lead to identity theft.
“Clickjacking" or "likejacking," also known as "UI redressing” › Tricks web users into revealing confidential information or takes control of their computer when they click on seemingly innocuous webpages. Clickjacking takes the form of embedded code or script that can execute without the user's knowledge. One disguise is a button that appears to perform another function. Clicking the button sends out the attack to your contacts through status updates, which propagates the scam
“Facebook Removing Option To Be Unsearchable By Name, Highlighting Lack Of Universal Privacy Controls” ( ook-search-privacy/) ook-search-privacy/
Facebook’s security features: › In theory, new Facebook security features provide protection against scams and spam but unfortunately they’re mainly ineffectual. Self-XSS, clickjacking and survey scams essentially did not exist just a few years ago, but they now appear on Facebook and other social networks on a daily basis
› Check to see that you're logging in from a legitimate Facebook page with the facebook.com domain › Remote logout › Common sense › Use an up-to-date browser that features an anti-phishing black list
Youtube › Availability of many videos and the incredible volumes of traffic the site receives, it shouldn’t come as surprise that cybercriminals are looking to reap some benefit Links in the video description to full video -> leads to online survey rabbit hole
› Google account (Gmail, Youtube, Drive etc.) One account linked to many services -> One password to get access to all of the services Article: ”Android one-click Google authentication method puts users, businesses at risk” ( 355/Android_one_click_Google_authentication_ method_puts_users_businesses_at_risk) 355/Android_one_click_Google_authentication_ method_puts_users_businesses_at_risk
Verification › Password + SMS/Phone call verification › IP-based verification › Revoke unauthorized access › Track account activity › Create a strong password
Web 2.0 describes web sites that use technology beyond the static pages of earlier web sites Web 2.0 is the popular term for advanced Internet technology and applications including blogs, wikis, RSS and social bookmarking. The two major components of Web 2.0 are the technological advances enabled by Ajax and other new applications such as RSS and Eclipse and the user empowerment that they support.
› Insufficient Authentication Controls In many Web 2.0 applications, content is trusted in the hands of many users, not just a select number of authorized personnel. That means there's a greater chance that a less-experienced user will make a change that will negatively affect the overall system. › Cross Site Scripting In a stored cross site scripting (XSS) vulnerability, malicious input sent by an attacker is stored in the system then displayed to other users. At risk are blogs, social networks, and wikis › Phishing Although phishing isn't just a risk associated with Web 2.0 technologies by any means, the multitude of dissimilar client software in use makes it harder for consumers to distinguish between the genuine and the fake web sites
› Information Leakage Web 2.0 combined with our "work-from-anywhere" lifestyle has begun to blur the lines between work and private life. Because of this psychological shift, people may inadvertently share information their employer would have considered sensitive. › Injection Flaws Web 2.0 technologies tend to be vulnerable to new types of injection attacks including XML injection, XPath injection, JavaScript injection, and JSON injection for no other reason beyond the fact that the Web 2.0 applications tend to use and rely on those technologies With increased use, comes increased risk.
Flash › A major advantage of using the Flash Player for Web 2.0 applications is consistent development across operating systems and browsers and a lot less overhead programming around differences and needing to debug and test on every configuration. › The Flash Player has more reach than any browser or operating system, and is being distributed faster than any other technology › Transformation of Flash from purely an animation engine to a runtime for rich media and rich internet applications has been happening for several years now
› The new Flash Player 9 has even stronger enterprise data connectivity including client support for Flex Enterprise Services which enables use of message queues, integration with JMS, remote procedure calls, and data synchronization. This enables not only simple applications like photo viewers, but also sophisticated business applications.
Video:
trends/security-trends/social-networking- security-threats/facebook.aspx trends/security-trends/social-networking- security-threats/facebook.aspx ube-threats/ ube-threats/ otect-yourself-against-phishing/ otect-yourself-against-phishing/ 20-security-threats#awesm=~olQQwNPj77bba security-threats#awesm=~olQQwNPj77bba1