Presentation Title Attacking the Privacy of Social Network Users
Social networks are some of the largest and fastest growing online services today. Facebook, for example, has been ranked as the second most visited site and has been reporting growth rates as high as 3% per week, with more than 500 million registered users. The amount of personal information stored on these networking sites calls for appropriate security precautions that are often inadequate or poorly implemented. Indeed, our research team recently discovered different vulnerabilities, shared among various social networking sites. that permit to access personal sensitive information for running spear phishing, targeted spamming or drive-by-download attacks.
In this talk, I present several novel attacks that target the privacy of social network users. For example, in the automated querying attack, someone can rapidly map million of registered users to their personal e-mail, which is normally considered private information and not directly revealed by the social network. In another attack, by leveraging the recommendation system, e.g. the Facebook’s friends-finder functionality, the attacker can easily collect thousands of friendships and get access to a large amount of personal data that normally is protected.
To prove that these attacks constitute a real threat for social network users, we implemented and ran automated systems against ten different vulnerable sites, such as Facebook, Twitter and LinkedIN. The problems we identified have been acknowledged by some of the networking sites, which have adopted our countermeasures.
Finally, I will introduce Safebook, a decentralized authenticated social network that our lab recently designed with the scope of preserving the privacy of online users.
About Marco Balduzzi
Marco ‘embyte’ Balduzzi holds an MSc. in computer engineering and has been involved in IT-Security for more then 8 years with international experiences in both industrial and academic fields. He worked as security consultant and engineer for different companies in Milan, Munich and Sophia-Antipolis, in south France, before joining EURECOM and the International Secure Systems Lab as Ph.D. researcher.
He has presented at well-known and high-profile conferences (Blackhat, OWASP AppSec, NDSS) and currently speaks five different languages. Being a Free Software sympathizer, in the year 2K, he cofounded the Bergamo Linux User Group and the University Laboratory of Applied Computing. In former times, he was an active member of several open-source projects and Italian hacking groups.