Security Concerns Of Social Networking Applications Information Technology Essay

Published: November 30, 2015 Words: 2740

Worldwide, social networking sites are an established trend. Sites like Friendster, Orkut, Lunarstorm, and Bebo are commonly used across Europe, Latin America, and the Pacific. The US-launched Facebook reports 14.5% of its users in Canada and 11.6% in the United Kingdom. In China, Xiaonei has become the most popular Internet site. hi5 is the most popular social networking site in Central American countries such as Costa Rica, Ecuador, Guatemala, and Nicaragua. In Mexico, hi5 is the fifth most visited internet site behind Google, Windows Live, YouTube and Metroflog.

What are social networking sites?

Social networking sites are built upon the concept of maintaining social contacts, where we are connected to others through our acquaintances, so these sites are also known as "friend-of-a-friend" sites. The main use of some of these sites may be purely social, allowing users to maintain their friendships or other relationships, while other sites are maintained for business purposes.

Social networking sites offer some form of communication via email, chat, instant messenger, communities etc., which allows users to connect with others. The features of these sites may not all be the same, but they enable you to provide information about yourself and other things which you want to share with others. Most of the sites have forums or communities based on specific criteria or interests. By browsing through these sites you can select and connect to people with similar interests.

What security implications do these sites present?

Social networking sites depend on connections and communication, so we need to provide some personal information. People have the option to decide how much information they want to reveal or share with others. Such provision may not be available when meeting others face to face because:

Through the internet one can remain anonymous

There is a sense of security because there is no physical interaction

You can tailor the information so that only friends can read it and others may not

You have the chance to impress friends or associates

Most people use these sites for social contacts and are not a threat. Because of the amount of personal information available and its accessibility, people with malicious intentions may take advantage of you. They convince individuals to form online relationships and then meet them in person, which may lead to a dangerous situation. A malicious person can get hold of your friend by using personal information regarding your location, hobbies and friends list, or threaten you by claiming that they have access to your personal or financial data. In addition, attackers use these popular sites to distribute malicious code. They create customized applications which are not recognizable as malicious but can infect your computer. Applications offered by third parties are especially susceptible.

How can we protect ourselves?

Be sure that the amount of personal information that you share with others does not pose a threat to you. Only post information to people you are comfortable with. Do not post your address or your daily routine to strangers. Be careful regarding your profile photographs, email IDs and other connections.

The internet is a public connection, so once you post information you cannot remove it completely, as there may be cached or saved versions.

Using some features of the internet, people can duplicate their identities, so beware of strangers. Be cautious when interacting with strangers or considering meeting them.

Always verify whether the information you get on the internet is genuine, because people do not always post original information, either intentionally or unintentionally. Some may post false or misleading information for fun.

By using the customized settings of the site we can protect our privacy, because default settings allow everyone to view your profile. Even privacy settings pose a risk sometimes, so do not post any personal information which you don't want to share with the public.

Passwords are used to protect your accounts. Always select a strong password which cannot be guessed by others. This helps you to prevent others from accessing your accounts.

Privacy policies are used to reduce spam. Some sites give your email address to other companies, which send email continuously, leading to an increase in spam.

Anti-virus software must be installed on your computer to detect and remove viruses. Your anti-virus software must be kept updated in order to recognize new viruses and protect your computer from them.

The younger generation is more attracted to these social networking sites and hence is more vulnerable to the threats these sites pose. Most of the sites have restrictions on age, but it is possible to join them by giving false information about age. Parents should take care by teaching their children about internet security, guiding them to appropriate sites and monitoring their internet usage.

Legal & Ethical Aspects :-

Laws Pertaining to Social Networking Sites

The two most important statutes to consider when discussing the legal liabilities and obligations of the social networking sites are Section 512(c) of the Digital Millennium Copyright Act and Section 230 of the Communications Decency Act.

Section 512

Section 512(c) removes liability for copyright infringement from websites that allow users to post content, as long as the site has a mechanism in place whereby the copyright owner can request the removal of infringing content. The site must also not receive a financial benefit directly attributable to the infringing activity.

This creates an interesting problem for most sites that allow users to post music, photos or video. For instance, several content owners have sued YouTube, the video sharing site, for copyright infringement, and YouTube has claimed a 512(c) defense. Since YouTube is a subsidiary of Google, its future business plan most likely involves serving advertisements according to the kind of video that users view or search for. If the site does this, however, it could amount to a financial benefit directly attributable to the sharing of copyrighted materials.

Those cases are currently before federal district courts, and their resolution will greatly impact the services that social networks offer, as well as their business models.

Section 230

Section 230 of the Communications Decency Act immunizes websites from any liability resulting from the publication of information provided by another. This usually arises in the context of defamation, but several courts have expanded it to cover other sorts of claims as well.

Thus, if a user posts defamatory or otherwise illegal content, Section 230 shields the social network provider from any liability arising out of the publication. Websites that, in whole or in part, create or develop contested information, on the other hand, are deemed "content providers" that do not benefit from the protections of Section 230.

A recent 9th Circuit opinion has called the section's broad coverage into question, and created uncertainty for social networking sites that have relied on Section 230 to protect them from claims relating to the content that their users create.

That case, Fair Housing Council of San Fernando Valley v. Roommates.com, LLC, began when two fair housing groups sued the website Roommates.com, alleging that Roommates.com's roommate networking service violated the Fair Housing Act. The district court found that the website qualified for Section 230 immunity and entered judgment for the website without reaching the question of whether the site did indeed violate the FHA. On appeal, the Ninth Circuit reversed and remanded for a trial on the merits.

A divided Ninth Circuit panel found that the website created or developed information on the site in two ways: First, by creating the questions that users answered when creating their profiles. Second, by channeling or filtering the profiles according to the answers to those questions.

The court's second justification is fairly controversial, and goes against the widely established precedent granting a broad, robust privilege to interactive service providers. In essence, the panel's ruling holds that, by channeling information to users and providing search capabilities, Roommates.com has added an additional layer of information, "meta-information" you could say, that it is at least partly responsible for creating or developing.

The effects of this new "channeling" test could be devastating for social networking sites, many of which operate in similar ways to Roommates.com. Sites could now find themselves open to liability for information posted by third-parties, and this could result in a reduction of the number of speech-related services available online - exactly the opposite of what Congress intended when passing Section 230 in the first place.

http://articles.technology.findlaw.com/2007/Sep/18/10966.html

SECURITY ISSUES:-

Integrity: Illegal modification, replacement, deletion of data, destruction of application, denial of service.

Confidentiality: Eavesdropping, sniffing, illegal monitoring.

Authentication: The security threat that could occur is transaction spoofing.

Digital dossier aggregation: by using digital dossier aggregation, third parties are able to download and save the profiles on SNSs.

Secondary data collection: in addition to the information given in the profile, SN members also reveal information such as sent messages, profile visitors etc. within the network. Such data can be used for financial gain.

Face recognition: digital photographs uploaded by users to their profiles form an important part of the profile, which enables linking with other profiles.

CBIR: a new technology, content-based image retrieval, is used to match specific features of an image against large databases in order to locate users.

Linkability from image metadata: unwanted linkage to personal information is increasing because other users who are not the owners of a profile are allowed to tag images with metadata on SNS profiles.

Difficulty of complete account deletion: it is difficult to delete accounts completely from SNSs because secondary information linked to the accounts cannot be removed.

SNS spam: spam is generated because of several SNS-specific features.

Cross-site scripting (XSS), viruses and worms: third-party applications pose a threat to SNSs through XSS attacks.

Aggregators: 'SNS portals' combine with other SNSs, which increases the risk by giving read/write access to other SNS accounts.

Spear phishing using SNSs and SN-specific phishing: self-created profiles are responsible for highly targeted phishing attacks and also for social engineering techniques which result in the injection of phishing links automatically.

Infiltration of networks: restricting information to a group of friends is meant to be the defence mechanism for privacy protection on SNSs, but this is not effective, as it is very easy to become a friend or invite a friend using a false identity.

Profile-squatting and reputation slander through ID theft: duplicate profiles of celebrities or particular companies can be created in order to damage their reputation and create trouble.

Stalking: a malicious person repeatedly threatens the user through email, chat or messaging on an SNS. This kind of behaviour, also called cyberstalking, is increasing on the internet.

Bullying: cyberbullying is a way of intentionally harassing victims through repeated acts that cause embarrassment and humiliation.

Corporate espionage: corporate and IT companies are at risk because of the increasing number of social engineering attacks.

Recommendations :-

It is better to use the existing network. The following recommendations could improve social networking.

Integrity: Serial number control, time stamping, MAC code, digital signature.

Confidentiality: Data encryption methods, digital envelope.

Authentication: User ID, password, digital signature.
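The integrity controls listed above (serial number, time stamp, MAC) can be combined in a single message format so that modification, replay and deletion each become detectable. The Python sketch below is an added example, not part of the original essay; the key, the message layout and the 300-second freshness window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed sample key, not a real secret
MAX_SKEW = 300                  # assumed freshness window in seconds
TAG_LEN, HDR_LEN = 32, 16       # HMAC-SHA256 tag, two 64-bit header fields

def seal(key, serial, timestamp, payload):
    """Build header || payload || tag; the MAC covers all three fields."""
    header = struct.pack(">QQ", serial, timestamp)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class Receiver:
    """Tracks the last accepted serial number to spot replays and gaps."""
    def __init__(self, key, max_skew=MAX_SKEW):
        self.key, self.max_skew, self.last_serial = key, max_skew, 0

    def accept(self, message, now):
        """Return (status, payload); payload is None unless accepted."""
        if len(message) < HDR_LEN + TAG_LEN:
            return "bad_mac", None
        header, payload = message[:HDR_LEN], message[HDR_LEN:-TAG_LEN]
        tag = message[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # modified, or wrong key
            return "bad_mac", None
        serial, timestamp = struct.unpack(">QQ", header)
        if abs(now - timestamp) > self.max_skew:     # time stamp outside window
            return "stale", None
        if serial <= self.last_serial:               # serial already seen: replay
            return "replay", None
        # A jump in the serial number means earlier messages were deleted.
        status = "ok" if serial == self.last_serial + 1 else "gap"
        self.last_serial = serial
        return status, payload

def demo():
    """Run constructed messages through the receiver and collect statuses."""
    now = 1_700_000_000                          # constructed clock value
    rx = Receiver(KEY)
    m1 = seal(KEY, 1, now, b"post: hello")
    m2 = seal(KEY, 2, now + 1, b"post: second")
    m4 = seal(KEY, 4, now + 3, b"post: fourth")  # serial 3 never arrives
    tampered = m2[:20] + b"X" + m2[21:]          # one payload byte replaced
    old = seal(KEY, 5, now, b"post: late")
    return [rx.accept(m1, now)[0], rx.accept(tampered, now + 1)[0],
            rx.accept(m2, now + 1)[0], rx.accept(m1, now + 2)[0],
            rx.accept(m4, now + 3)[0], rx.accept(old, now + 1000)[0]]

if __name__ == "__main__":
    print(demo())
```

A shared-key MAC lets either side produce valid messages; the digital signature the list also names would replace the HMAC where the verifier must not be able to create them.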

1. We need to encourage awareness-raising and education campaigns on the sensible usage of SNSs. Social networking sites themselves should use contextual information to educate people in 'real time'. Additional campaigns should be directed at software developers to encourage security-conscious development practices and corporate policy.

2. Social networking sites present several scenarios which were not anticipated when the current legislation, especially the data protection law, was created. The regulatory framework governing social networking sites must be reviewed and reinterpreted and, if necessary, revised.

3. Social networking site (SNS) providers in Europe must act according to the existing data protection law; a review of their practices is recommended.

4. Social networking sites should be banned in schools. Co-ordinated campaigns should be conducted in a controlled and open way to educate teachers, parents and children.

5. Stronger authentication is required in certain social networking site environments. We need access controls ranging from basic e-mail verification through CAPTCHAs and recommendation-only networks to physical devices such as mobile phones and identity card readers.

6. We need to implement countermeasures against corporate espionage for the prevention of social engineering attacks on enterprises.

7. Maximise the possibilities for detecting and reporting abuse on social networking sites. 'Report Abuse' buttons should be as ubiquitous as the 'Contact Us' option on classic websites, so that abuses and concerns can be reported easily.

8. The settings should be user-friendly and as safe as possible, with appropriate defaults.

9. Simple tools should be provided to remove accounts completely. Users should be allowed to edit their own posts in other people's comment areas or public notes.

10. We should encourage the use of reputation mechanisms, which can act as a positive motivator towards good online behaviour.

11. Automated filters should be built into social networking sites and filtering must be done whenever required. A legislative review should be carried out with a view to social networking site providers building filters into their sites.

12. Consent should be required from data subjects to include tags in images, and social networking site operators must give users privacy tools to control the tagging and display of images.

13. Social networking site operators should restrict users from spidering and bulk downloading.

14. The data must be anonymised and not displayed, or the user must be clearly informed that the results will be displayed in search results and given the choice to opt out. Operators should always pay attention to search results.

15. To address spam content on social networking sites, techniques similar to those used in e-mail anti-spam reputation systems must be developed to eliminate spam comments and traffic.

16. Measures for combating phishing on social networking sites, as prompted by the APWG, must be adopted.

17. We should research and promote image anonymisation techniques and their best practices.

18. Research into emerging trends in social networking sites: looking to the future, more research must be carried out in areas such as mobile social networking sites, convergence with virtual worlds, 3D representation, misuse by criminal groups and online presence.

http://www.enisa.europa.eu/act/res/other-areas/social-networks/security-issues-and-recommendations-for-online-social-networks

Security Policy Document

1. POLICY STATEMENT

"It shall be the responsibility of the UNIVERSITY CAMPUS to provide adequate protection and confidentiality of all data and proprietary social networking site (SNS), whether held centrally, on local storage media, or remotely, to ensure the continued availability of data and programs to all authorised members of staff, and to ensure the integrity of all data and configuration controls."

Summary of Main Security Policies:

1. Confidentiality of all data is to be maintained through discretionary and mandatory access controls, and wherever possible these access controls should meet with security functionality.

2. Encourage awareness-raising and educational campaigns. Review and reinterpret the regulatory framework.

3. Increase transparency of data handling practices and promote stronger authentication and access control.

4. Maximise possibilities for abuse reporting and detection.

5. Providers should offer convenient means to delete data completely and should build in automated filters.

6. Require consent from data subjects to include profile tags in images.

7. Restrict spidering and bulk downloads.

8. Address SNS spam and SNS phishing.

9. Internet and other external service access is restricted to authorised personnel only.

10. Access to data on all laptop computers is to be secured through encryption or other means, to provide confidentiality of data in the event of loss or theft of equipment.

11. Only authorised and licensed software may be installed, and installation may only be performed by I.T. Department staff.

12. The use of unauthorised software is prohibited. In the event of unauthorised software being discovered it will be removed from the workstation immediately.

13. Data may only be transferred for the purposes determined in the Organisation's data-protection policy.

14. All diskette drives and removable media from external sources must be virus checked before they are used within the Organisation.

15. Passwords must consist of a mixture of at least 8 alphanumeric characters, and must be changed every 40 days and must be unique.

16. Workstation configurations may only be changed by I.T. Department staff.

17. The physical security of computer equipment will conform to recognised loss prevention guidelines.

18. To prevent the loss of availability of I.T. resources, measures must be taken to back up data, applications and the configurations of all workstations.

19. A business continuity plan will be developed and tested on a regular basis.

http://www.scribd.com/doc/7365581/IT-Security-Policy-Word-Template