Short RAID 2010 Report: A New Threat for Social Networks?

It has been over a month since I returned from the RAID conference in Canada. This year, RAID was organized in Ottawa, the capital. I tend to think that Ottawa was declared “the capital” for its location rather than its size. Although half of its inhabitants speak English, more than 30% are French speakers. Ottawa is connected by several bridges to its neighbour Quebec, where French is the official language.

Since I flew all the way from Europe, I was jet-lagged and woke up at 6am on the first day. This always seems to happen to me when I travel west. This time, however, it was not too bad.

The conference was located in one of the highest buildings in Ottawa. That is, high by Ottawa standards (i.e., maybe 30 floors). The breakfast was served on the upper floor, which had a wonderful view of the Canadian landscape. I was the first at breakfast that day and I really appreciated the “lungo” Canadian coffee (we Italians normally are not used to that).

The conference lasted three days and featured many interesting sessions such as Malware Detection, Network Security, System Forensics and Web Security. My talk was in the Web Security session, although the topic of our paper was more related to privacy in social networks than to web security :)
The title of our paper was Abusing Social Networks for Automated User Profiling. You can find the presentation on the homepage of the conference.

In the talk, I showed how trivial it is for an attacker to abuse a common feature of many social networks, called “finding friends”, to map thousands of public profiles to e-mail addresses. Normally, the e-mail address a user registers with is treated as private information and is not shown on the profile.
The “finding friends” feature lets users look up which of their contacts already have an account, by e-mail address, and easily establish friendships with them. This is why almost every social network site promotes this functionality. The catch is that the lookup answers the question in the other direction too: whoever submits an e-mail address learns which profile is registered under it.

Unfortunately, because the registered e-mail address is a key that stays the same across sites, an attacker who can map profiles to e-mail addresses can correlate the profiles a single person has created on different social networks. Hence, sensitive information can be extracted about users. For example, the same user might be registered on two (or more) networks with the same e-mail address, but with different information in the created profiles.

In our experiments, we leveraged the “finding friends” functionality to link profiles and e-mails. We were able to query and extract information from social networks such as Facebook (e.g., up to 10 million e-mail lookups per day, with a single machine, and on a single IP).

Our research showed that thousands of users were registered on different social networks with inconsistent information. For example, about 12% of the 876,000 user identities we extracted pretended to be male and female at the same time.

We discovered that eight popular social network providers are vulnerable to this attack: Facebook, MySpace, Twitter, LinkedIN, XING, Badoo, Friendster and NetLOG. We contacted their security departments, and some of them have now built in some defence mechanisms (against large-scale querying).
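To make the linking step and the kind of large-scale-query defence mentioned above concrete, here is a small added example (my own construction for this post, not the system from the paper): the two directories are invented, `FindFriends` is a toy model of a “finding friends” endpoint rather than any real network's API, and the batch and daily limits are assumed values.

```python
"""Cross-network profile linking through an e-mail based 'find friends' lookup.

Constructed example: NETWORK_A / NETWORK_B are invented directories and
FindFriends is a toy model of the lookup endpoint, not a real social network API.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

Profile = Dict[str, str]

# Constructed sample directories: registered e-mail -> public profile, one per network.
NETWORK_A: Dict[str, Profile] = {
    "alice@example.org": {"name": "Alice Rossi", "gender": "female", "city": "Milan"},
    "bob@example.org":   {"name": "Bob Lee",     "gender": "male",   "city": "Ottawa"},
    "carol@example.org": {"name": "C. Nguyen",   "gender": "female", "city": "Paris"},
}
NETWORK_B: Dict[str, Profile] = {
    "alice@example.org": {"name": "Alice R.",    "gender": "female", "city": "Rome"},
    "bob@example.org":   {"name": "Roberta Lee", "gender": "female", "city": "Ottawa"},
    "dave@example.org":  {"name": "Dave K.",     "gender": "male",   "city": "Berlin"},
}


class QuotaExceeded(Exception):
    """Raised when the (assumed) per-account daily lookup budget is used up."""


class FindFriends:
    """Toy 'find friends' endpoint.  batch_limit models a per-request cap on
    addresses; daily_limit models a defence against large-scale querying
    (None = no cap at all, the situation the attack relied on)."""

    def __init__(self, directory: Dict[str, Profile],
                 batch_limit: int = 5000, daily_limit: Optional[int] = None):
        self.directory = directory
        self.batch_limit = batch_limit
        self.daily_limit = daily_limit
        self.queried_today = 0

    def lookup(self, emails: Iterable[str]) -> Dict[str, Profile]:
        batch = list(emails)
        if len(batch) > self.batch_limit:
            raise ValueError(f"batch of {len(batch)} exceeds limit {self.batch_limit}")
        if self.daily_limit is not None and self.queried_today + len(batch) > self.daily_limit:
            raise QuotaExceeded("daily e-mail lookup quota exceeded")
        self.queried_today += len(batch)
        # Only registered addresses come back; unknown ones are silently absent,
        # which is exactly the e-mail -> profile oracle the attacker wants.
        return {e: self.directory[e] for e in batch if e in self.directory}


def harvest(endpoint: FindFriends, candidates: List[str], batch_size: int) -> Dict[str, Profile]:
    """Attacker side: push a candidate e-mail list through the endpoint in batches."""
    found: Dict[str, Profile] = {}
    for i in range(0, len(candidates), batch_size):
        found.update(endpoint.lookup(candidates[i:i + batch_size]))
    return found


def link_profiles(results: Dict[str, Dict[str, Profile]]) -> Dict[str, Dict[str, Profile]]:
    """Join per-network results on the e-mail address.
    {network: {email: profile}} -> {email: {network: profile}}, keeping only
    addresses seen on more than one network."""
    linked: Dict[str, Dict[str, Profile]] = defaultdict(dict)
    for network, hits in results.items():
        for email, profile in hits.items():
            linked[email][network] = profile
    return {e: nets for e, nets in linked.items() if len(nets) > 1}


def inconsistent(linked: Dict[str, Dict[str, Profile]], field: str) -> List[str]:
    """E-mails whose linked profiles disagree on a field (e.g. gender)."""
    return sorted(e for e, nets in linked.items()
                  if len({p.get(field) for p in nets.values()}) > 1)


# Candidate list an attacker might feed in (constructed; includes one unregistered address).
CANDIDATES = sorted(set(NETWORK_A) | set(NETWORK_B) | {"nobody@example.org"})


def run_attack():
    """Uncapped endpoints: harvest both networks, link on e-mail, flag mismatches."""
    results = {
        "A": harvest(FindFriends(NETWORK_A), CANDIDATES, batch_size=2),
        "B": harvest(FindFriends(NETWORK_B), CANDIDATES, batch_size=2),
    }
    linked = link_profiles(results)
    return linked, inconsistent(linked, "gender")


def run_against_quota() -> Optional[int]:
    """With a daily cap smaller than the candidate list, the harvest is cut short;
    returns how many addresses got through before the cap hit."""
    capped = FindFriends(NETWORK_A, daily_limit=3)
    try:
        harvest(capped, CANDIDATES, batch_size=2)
    except QuotaExceeded:
        return capped.queried_today
    return None


if __name__ == "__main__":
    linked, bad = run_attack()
    for email, nets in linked.items():
        print(email, nets)
    print("gender inconsistencies:", bad)
    print("lookups before quota hit:", run_against_quota())
```

Running it links the two addresses present on both directories and flags the one whose gender differs between them; with the assumed daily cap in place the same harvest stops after the first batch. Note that a per-request batch cap alone does not help, since the attacker simply sends more requests; the defence has to bound lookups per account (or per source) over time.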

The slides and the paper describe in detail the system we implemented and list our findings.

The conference featured many interesting talks. I especially enjoyed the keynote of Eric Chien, the Technical Director of Symantec Security Response. Eric discussed two recent threats, Hydraq and Stuxnet, that shifted attention back from large-scale attacks (e.g., worms and bots) to targeted attacks. Interestingly, targeted attacks were actually more common in the past (i.e., in the 90s, when Unix servers were often victims of specific attacks).

In the High-Performance session, I liked the work of Vasiliadis and Ioannidis called GrAVity. GrAVity is a framework that exploits the GPU to enhance the performance of current anti-virus solutions. The authors claim that they can improve the throughput by +12% against standard CPU installations (e.g., ClamAV). In fact, one of the technical challenges I’m facing in my current Ph.D. research is the long time it takes to scan a machine.

That’s all folks! I am looking forward to next year’s RAID. D1 will be co-chairing the conference next year.
