Services like LiveJournal and Tribe are poised to be the next big
thing on the Web in 2004, but their security and privacy practices are
more like 1997, writes Annalee Newitz.
Brad Fitzpatrick is president of LiveJournal.com, a social discovery
Web site where over 1.5 million users post diary entries they want to
share with friends. Although members post extremely sensitive
information in their journals -- everything from their plans to commit
suicide or sabotage their boss to their latest sexual adventures --
Fitzpatrick admits that security on his site isn't a priority.
On the initial login page, LiveJournal members send their passwords in
the clear. "We're hoping to change that in the next month,"
Fitzpatrick said. "But site performance is our highest priority, and
SSL is a pain."
Jack (not his real name) is an LJ user whose account was compromised.
He isn't sure how it happened, but one day he logged in and discovered
a huge portion of his journal entries had been deleted. The attacker
didn't stop there -- she or he also plundered his friends' "locked"
entries (visible only to other friends) and reposted extremely private
exchanges as public entries in Jack's journal. Although he quickly
changed his password and fixed the problem, the damage was done. "My
friends were really upset and the bad feelings persist," he said. One
friend feared that she might lose her job when a private entry about
problems with her supervisor was made public on Jack's journal. "It's
still cached on Google," he explained, "although it would probably be
hard for most people to find unless they knew all the details."
Security measures are equally weak on social discovery Web site
Tribe.net, whose member base has swollen to 65,000 since it launched
six months ago. Paul Martino, CTO of Tribe, chuckled at the idea that
his site might use SSL for member logins. "We don't need high
industrial strength encryption for that," he said. "We use standard
security techniques like unique session IDs."
As security professionals know, there are any number of ways to defeat
unique session IDs. Jeff Williams, CEO of Aspect Security, works on
Web applications security issues for large financial, health and
government institutions. He explained that Tribe.net's refusal to use
SSL means that "the session ID, which is included in the URL, will be
logged on any proxy. Or you can capture it off the wire with dsniff.
If they aren't using SSL, they are basically saying they don't value
privacy the way you value your privacy."
Cross-site scripting could be another problem. Martino says Tribe does
"tag scrubbing" to protect against people embedding hostile scripts on
their posts to the site. But security pros say an attacker might be
able to target specific members by sending a specially crafted URL
that direct them to a form with hidden tags designed to suck up their
cookies. Williams explained that "XSS is amazingly widespread. Plus,
XSS vulnerabilities are easy to discover and exploit."
The Open Web Application Security Project, where Williams also works,
ranks cross-site scripting number four on its list of the top ten web
application vulnerabilities. "We try hard to [protect against XSS
attacks], but there's always something new," said Fitzpatrick. "The
only solution would be to lose link tags, and that's not a good
solution."
Security consultant and Nmap author Fyodor speculated that social
discovery sites are also vulnerable to a class of attack that is
familiar to anyone who uses eBay: "You can trick a user into divulging
their username/password by sending them to a fake login page you
control. For example, you could send an email, forged as coming from
Tribe, which says they need to agree to a new ToS or their account
will be deactivated. Then you give them a URL that is cloaked to
appear authoritative for Tribe but really could be modified to go to
the attacker's password capture page."
What makes these attacks novel in the context of a social discovery
site isn't how they are deployed, but why. What does an attacker have
to gain by spoofing the identity of a member of Tribe or LinkedIn?
What kinds of damage can be done by hacking into a LiveJournal
account? The answer has to do with the public's growing dependence on
social reputation systems.
As we come closer to quantifying reputation, the identities we use in
online communities begin to have real-world value. A top-ranked member
of a network like eBay might be able to sell more items than her
peers. A high-karma user on a site devoted to legal issues could have
a tremendous influence over public policy. According to social
networks analyst Clay Shirky, identity spoofing is possibly the
greatest threat to social discovery networks. "When your reputation is
valuable, it becomes worth exploiting. It makes a stolen identity a
more valuable commodity."
LiveJournal's abuse manager Mark Ferrell said he receives at least
five reports of ID hijacking per day.
By impersonating a highly-reputable person, an attacker might gain
access to that person's social network, business contacts and private
life. Spammers might launch highly personalized campaigns. And sexual
predators could use their victims' friend lists to find more people to
harass.
The Social Defense Model
But social discovery site owners and users say they have foolproof
protection against identity spoofing: the communities themselves. Call
it the social defense model. These sites are using the connections
between members to defend against technical and social attacks.
The more articulated a social network gets, the harder it is to
pretend to be a member of it for personal gain. Online communities can
launch counter-attacks that resemble virtual community policing. When
a spammer created a fake profile on Tribe and used it to post junk
messages, reports Tribe moderator Liz Warner, "People used social
pressure to quash [it]." After seeing the first junk post, Tribe
members quickly alerted moderators, who deleted the spammer.
© 2008; SpywareUninstaller.com Group Project; All Rights Reserved.