Andrew Lee, K7 Computing
Lysa Myers, WestCoast Labs
Social networks have become a fact of web life and many of us will have found friends, old and new, through various sites.
With this amazing connectivity come challenges: how to maintain privacy, and how to avoid exploitation. Unfortunately, social networking (SN) sites are prime targets for attackers, not only through malware, which has certainly become commonplace, but also through the sort of data that they hold about their members. Many people use several SN sites, perhaps thinking that they will keep business and personal life separate, but a clever attacker could correlate data between the sites.
If an attacker can gain access to a person's profile on a SN site, it is quite possible to completely compromise that person, perhaps enough to fully impersonate them, certainly to damage their reputation.
Since many SN users do little checking before adding 'friends' or new contacts, the opportunity for serious identity fraud increases greatly the more sites they use. Additionally, family members will often be represented in friend lists, giving an attacker the opportunity to discover key information (mother's maiden name?) and the relationships between family members.
Various sites have different policies on privacy, which may also vary by location - particularly between the USA and Europe - raising additional problems where search engines are able to index personal pages.
In this paper we expound various possible attacks using SN sites and, using ourselves as guinea-pigs (one USAian and one European variety), attempt to prove the viability of these attacks.
We also examine ways in which the problems can be mitigated. We hope that by raising the issues the problems will be taken seriously and examined more closely, without generating unnecessary fear, and while avoiding knee-jerk reactions against this potentially wonderful technology.