Threat Risks Identification and a Control Method

In Social Networks Security Emerging Threats

Majid Nasiri Nejad
Jan 22, 1984 Majid.nasirinejad@gmail.com M1-4-20 Crystal Condo Jalan Pualam 7/32 40000 - Shah Alam Selangor Malaysia Tel: +60143146426 Year: 2010 - Course Title: Computer Science Faculty of Information Technology Multimedia University Cyberjaya, Selangor, Malaysia

AbstractSocial networks are attractive websites in recent years with increasing number of users and also rising privacy and security issues. In this article the emerging threats for security of social networks have been discussed. We found threat risks and measured each one; the softwares theory for helping social networks users has also been presented. Keywords-emerging threats; Social network security

I. INTRODUCTION Social networks are new form of creating dynamic websites which are based on Web 2.0 technology where users can share information, pictures, videos and communicate with each others. By growing new web and storage technologies and therefore increasing data transfer speed through the internet, social networks are boosted. Regardless of famous social networks such as MySpace, Facebook and LinkedIn, there are some specific social networks like MyNASA which are designed for space science fans. It is believed that, as a person need to be identified by a social ID in social

life a user must be also known by a unique name and ID to access the social networks. Most of the social networks must ask their users to register and provide some mandatory information. In every social network, information and relations of each user are two important factors. At a glance, filling registration form is easy. We know some fields are compulsory and others are optional, so users can always add, remove or edit their information ever after the initial registration. In this research, social networks users have been divided to three main categories. i. Professional Users: Users of This group concern about their personal privacy, so they read sign-up terms and conditions and privacy-policy rules carefully. These users are more conservative for providing data in compulsory fields. Senior managers and CEOs are good example of this group. ii. Curious Users: Users of this category are more curious to

complete registration forms. They do not have any problem for providing their postal addresses, phone numbers, social IDs or maybe bank account numbers using either right or wrong information. Teenage students are usually placed in this category. iii. Amateur Users: Majority of social networks users are categorized under this group who are more cautious than the previous groups to keep their personal information safe, although without having adequate information or being deceived by some tricky registration forms, they will fill up all the form fields using right information. The below table shows the result of a research which has been done by pingdom.com is the average age distribution among the social networks using 19 SNs [1]. Age
0-17 18-24 25-34 35-44 45-54 55-64 65 +
Table -1

II. BACKGROUND OF THE PROBLEM Risks Identification A. Social Networks System problems Problems in hardware, platforms and connection links are some of the social networks system problems. For example if user wants to send a message or a photo by mobile platform, while the connection is not encrypted, so the cybercriminal can grab the data on air. Or in FB it is known that, when a user writes a wrong message on a friends wall, the message is delivered to the users email immediately and can not be deleted by the user. B. Users activity On the one hand the professional users are cautious about providing their data, so they are under less attack of malwares, worms, viruses or cybercriminals. On the other hand with the less information being provided by the curious users they are not the target of data abuse, but the third group who have not enough information and share their real data are the best victims. C. Data Leaking for commercial abuse. Untimely SMS, many spam emails and full postal box with brochures are less problematic of leaking users profile information for commercial abuse. D. Data mining by cybercriminal. One of the data leaking problems on social networks is phishing, data and web mining to find out most important public and private information of users like social number, insurance number, bank account numbers, phone numbers even dependents information and so on, by cybercriminal.

Percent (%)
15 10 18 25 19 10 3

The rest of the paper has been divided into five sections: section II defines background of the problem which has been found from many social networking sites and literature review is described in section III. The following section IV is operation. Also, section V is the conclusion.

Meausuring Risks Server devices, firewalls, operation systems with professional experts and programmers who implement and support social networks and software platform abilities are the most important parameters for social networks problems. Total active users (users who have returned to the site in the last 30 days) have direct effect on social networks security. Facebook by more than 500 mm users has a higher risk than Twitter by 170mm or MySpace with 130mm users [2]. By increasing the active users number the chance of making them aware of the threats decreases since social networks care more about the quantity than quality and also as a result of this increment more data centers and storage capacity and needed to expand the network plan which can leads to increasing the ways of attacks. User activity is one of the factors that can cause reverse effect on social network security. The most active users are members between 25-54 years old and they have the highest risk of data leaking. Definitely, calculating the losses cause by commercial abuse from leaking data of social networks is not possible, but the act of using this data in inappropriate commercial abuse is common. Commercial abuses do not have direct effects on the real life and are not included in dangerous threats but data and web mining by cybercriminal through fake sites, emails or hacking are very dangerous threats. Those can affect the users systems by collecting data and stealing most needed documents. These risks can influence the users real life.

Loosing job, menace and bribery offer can be the result of this data leaking. For instance, by accessing the public and private information, a thief can make a fake email and connect to bank for changing the internet bank password or calling the users and asking for resetting their password to 1234 due to some technical problem (as an excuse for making such a request) and assuring them that they can change their password later. After risks identification and measuring the probability of them, social networks managers must consider ways for preventing. Some of them are sorted as below: 1- Continuous training for staff and experts who are working directly in social networks by cyber ethic programs for keeping all data and prepare all requirements they need. Also social networks managers must classified them for accessing to users data. 2- Update ongoing platform software which is the connection between the users, center of documents storage and private data. 3- Checking accurately all the applications that are installed on the social network periodically and randomly. 4- Making users aware of threats in registration page and during the first time use of a social network. 5- Conduct an education center by animation lessons with easy and fast access to all the pages for every user. 6- Commitment all application developer to declare users where the public or private information are used in the software.

7- Send periodic messages to every user and describe new settings and how they can change security settings. 8- Cooperate with computer security companies and allow them to control users information and also find new security strategies. 9- Computer security companies can produce special applications for social networks to find and identity Worms, Trojans, Viruses, Spams and Malwares to protect users data abuse. III. LITERATURE REVIEW Nowadays, with growing social networks, an attempt to find personal information by inviting users to install applications on their personal pages has been increased. According to the research findings in 2007 on 150 top Facebook applications showed that, 82% of applications need public information, 9.3% use of private information (e.g., birthday) and 8.7% did not need any information for activating. Since all of the applications are given full access to private data, this means that 90.7% of applications are being given more privileges than they need [3].

Particularly, private information is very valuable when the information of many people is gathered on social networks (Devine, 2008), it provides data source for marketing and data mining. These data can be collected by sniper software, script codes and cookies. Also with the relation between users, friends and FOF (friends of friends) each person can be a cause of data leaking for the others. With the latest research has been done by Bitdifender Company, 20% of Facebook users send spam messages to friends and also 60% of applications try to collect data for using them in the future [4]. Famous social networks are promisor to keep users data safe but with new web technologies, for instance HTML5 and CSS3, creating dynamic websites will facilitate we need a powerful tools for controlling personal data. According to the findings of a research in Ireland for analyzing social networking users, the results showed that 83% of participants indicated that they use the same password for multiple accounts. For the personal data security on social networks sites, 28% of people do not use the privacy settings provide and 10% are unsure so we presume they do not [5]. By the end of 2008, the Kaspersky Lab collection contained more than 43,000 malicious files relating to social networking sites [6].

Figure 1

SAT is flexible. With data and web mining it can learn how to contact with each user. SAT can check all the messages and links post To/From users for Viruses, Trojans and Spams threats. SAT can send information messages with child elements and animations for children or scientific language for specialist and senior students also with daily notice for amateur and usual users.

Figure - 2

IV. OPERATION In the following operations role of computer security companies is sketched. Computer security companies has been established with users demand to help for preventing their systems of virus, malware, worm and spam attacks, are the best choice with the powerful software for increasing social networks security. These companies must start to provide information to their customers for introducing new attacks of social networks. Definitely this action will affect to reduce callback to support departments in the next years. Especially to social networking, it has been theory for controlling and increasing security for users. SecurityAssisTant (SAT) is a software which helps social network users to know the risks before happened. SAT can be associated when user is online. SAT can analysis user activity and will announce the periodic report.

SAT Operations: SAT can be an application of a computer security company on social networks that all users allowed activities must be controlled by it. At the first SAT make a table contains relations of user.

Figure - 3

For instance, with refer to Figure-3 user A have two friends B and C also E, F are FOF of B, C. User D is FOF of F through G. On the other side, user A

installed applications 1 and 2. SAT immediately updated the table for user A.
Relation Friend B Friend C Friend E Friend F Friend G Friend D Application 1 Application 2
Table - 2

Risk 2 3 6 8 12 27 35 59

risks must be detected by social networks before happens to the users. If the risks are dangerous a way for solving the problem must be found out but if they are not dangerous the structure must be known for next operations.

REFERENCES
[1] Pingdom[2010] Study:Ages of social network users,Feb 16,2010, from http://royal.pingdom.com/2010/02/16/study-ages-of-socialnetwork-users/ List of Social Networking Websites , Oct,2010 from http://en.wikipedia.org/wiki/List_of_social_networking_websites A. Felt and D. Evans, Privacy Protection for Social Networking APIs, , 2007, from http://www.cs.virginia.edu/felt/privacy/ C. McCarthy. Study: Fifth of Facebook users exposed to malware , Nov 23,2010 , from http://news.cnet.com/830113577_3-20023626-6.html?tag=topTechContentWrap;editorPicks M. Lang, (2009) Social Networking and Personal Data Security: A Study of Attitudes and Public, IEEE Computer Society, ICMeCG.2009.105 Kaspersky Lab, Malware Evolution 2008,2009,14, from http://www.kaspersky.com

[2] [3] [4]

Since the first friends are approved directly by user, so their risks are less than others. If the first level friends use malware so the risks will increase and SAT will notify the user. If user stay safe, their friends are safe. SAT can analyze applications which have been installed by users on self-page and reports private and public information where the user information has been shared. By SAT analysis, social networks applications department knows which software is the most dangerous and who has made and shared it. V. CONCLUSION For increasing users security Social networks must start to learn how user can be protected from data leaking by configure right privacy settings and given announcement periodically for learning risks by users language. Actually they must cooperate with computer security companies for reducing server side problems. Also an application between user activity and social network platform can increase user security and decrease threats. New

[5]

[6]