The role of security within social networks

Last week researchers unveiled a “dating database” consisting of 250,000 users. This was not just any ordinary dating site where one registers to and agrees to post their information. Rather, the dating profiles were based on public information that the researchers gathered from Facebook profiles.

Many people at this point cried out “Privacy!”. However, let us take a step back and remind ourselves that it is these users who were not concerned to publically publish their data in the first place! By consenting to Facebook’s term of services, they are actually agreeing to relinquish their information to a public website.

With this in mind, it may be safe to say that if a user indicates their religion, or ethnicity, on Facebook they do so because they want other users to know this information and are willing—even implicitly—to take the chance that a (hypothetical) racial classification application will have access to it as well. It may also be safe to say that people who post a named defamation of their boss on their wall—or their friend’s wall —are willing to take the chance that their boss may see the post. That is the essence, or rather lack thereof, of privacy.

In terms of social networks, it is security which we need to be wary of. Security controls the way in which people use the information of others. It is a way to ensure that people cannot invoke functionality on behalf of other users, and that delinquents cannot use the system to distribute malware. It is a way to make it difficult to hack into someone’s account using a brute-force attack. Security enables us to integrate social networking applications into our business environment without affecting the integrity and confidentiality of business data.

In today’s social networking platform, security is the threat. Web 2.0 vulnerabilities are quickly translating into massive worm out breaks. One such example is the notorious Koobface worm which is still propagating even though researchers have been attempting to contain it for the last few years. Even basic best practices, such as the use of SSL for authentication purposes, are not closely followed.

Nevertheless, we are starting to feel the winds of change. Recently, Facebook made changes to account SECURITY to reduce account hijacking incidents. Just a few weeks ago a new authorization scheme was put in place that requires one to identify their friends in case of an alleged account take-over.

As social networks attempt to increase their user base, penetrate the business environment, and roll out new services (such as Facebook’s new webmail) we should expect social platforms to invest more resources in improving the SECURITY posture of the platform. These measures will provide improved protection against application layer attacks, stronger authentication and account control features, and better malware detection systems.

SHARETweet about this on TwitterShare on LinkedInShare on FacebookShare on Google+Pin on PinterestDigg thisShare on RedditShare on TumblrShare on StumbleUponEmail this to someone

Amichai Shulman is Co-Founder and CTO of Imperva, where he heads Imperva's internationally recognised research organisation focused on security and compliance. Prior to Imperva, Amichai was founder and CTO of Edvice Security Services, a consulting group that provided application and database security services to major financial institutions, including Web and database penetration testing and security strategy, design and implementation. Amichai served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques. He has B.Sc and Masters Degrees in Computer Science from the Technion, Israel Institute of Technology.