Introduction
Online Social Networks (OSNs) are a permanent presence in the personal and professional lives of a huge section of the population, with direct consequences for offline events. Built on a foundation of users connected to other users who share mutual interests, common characteristics or private trajectories, online social networks and their associated applications obtain an extraordinary volume of personal data. Naturally, serious confidentiality and safety risks emerge, presenting themselves as two main types of attacks: attacks that exploit the implied trust embedded in confirmed social relationships; and attacks that collect users' private information for ill-intended use. I will provide a summary of the privacy and security issues that have developed in OSNs. I will present a list of privacy and security attacks in OSNs,
In recent years, Online Social Networks have become a significant part of everyday life for many, including myself. We as users build explicit networks to represent our social relationships, both existing and new. Most users frequently upload and share an excessive amount of data linked to their personal lives. The potential confidentiality risks of such behavior are frequently misjudged or ignored. For instance, users frequently disclose intimate information to a much larger audience than it was intended for. Users might even post information about others without their consent. A lack of knowledge and awareness among users, as well as of proper tools and policies on the part of the OSNs, affects the situation. The purpose of this paper is to provide awareness of such privacy issues, and it looks at OSNs on the web.
Fraud
New research reveals that identity theft affects many individuals a year, costing the victims numerous hours and money in identity recovery and repair. What causes this online theft and fraud? It is a mixture of influences: a lack of user knowledge about how to protect their identity online, and growing too comfortable with, and trusting in, social network providers. Social media sites earn income from targeted advertising based on personal data, so they encourage registered users to offer as much information about themselves as possible. With little government supervision, industry standards or incentives to educate users on security, privacy and identity protection, users are in turn open to identity theft and fraud. Also, these OSNs hold a large amount of private user data and are likely susceptible to outside (or inside) attacks. On the advertising front, Google just patented an algorithm to rate individuals' influence within OSNs. Once revealed, it will likely inspire much more involvement by active users in order to increase their influence score.
With the increased universal use of social media, there are many more chances than before to steal identities or commit fraud online. For example, status updates posted on Twitter, Facebook and many other social media sites can be used by offenders. If you say that you are out of town on holiday, you have opened yourself to a break-in. If you state that you are away on business for a weekend, you leave your household open to assault or robbery. When it comes to stalking or stealing an identity, photo- and video-sharing sites like Flickr and YouTube may offer greater insight into you, your family and friends, your house, and your favorite hobbies and interests.
Social networking sites have the highest potential for exploitation. Everybody knows they should not share their social security number, driver's license, or comparable sensitive data that can be used against them in a variety of malicious ways. These profile sections can be used to steal or misappropriate your identity:
• Full name (particularly your middle name)
• Date of birth (often required)
• Home town
• Relationship status
• School locations and graduation dates
• Pet names
• Other affiliations, interests and hobbies
Phishing
Phishing is nothing other than the old confidence scam, only today the deception begins online. Preying on individuals' feelings is a primitive approach. By luring victims with greed (award and prize-winning phishing emails) or fear (your-account-will-be-blocked phishing scams), phishing preys on trust in more ways than one.
In line with global trends in online threats, the RSA Anti-Fraud Command Center continues to see sizable growth in phishing attacks, with a 19% increase in the first half of 2012. Instead of going away, phishing is growing in numbers and causing more losses. And while this threat is better known than ever to online users, it still seems to work.
Evil Twin attacks
An Evil Twin hotspot mimics a legitimate hotspot in just about every way including the legitimate SSID (wireless network name), but the Evil Twin's intentions are more sinister in nature.
Hackers and/or cybercriminals create Evil Twin hotspots to allow them to both eavesdrop on network traffic and insert themselves into the data conversation between their victims and the servers that the victims access while connected to the Evil Twin hotspot.
By imitating a legitimate hotspot and tricking users into connecting to it, a hacker or cybercriminal can then steal account names and passwords and redirect victims to malware sites, phishing sites, etc. The perpetrators can also view the contents of files that the victims download or upload while they are connected to the Evil Twin access point.
Victims who connect to Evil Twin hotspots don't even know that they are connecting to a rogue access point, because the perpetrators use the SSID (network name) of the legitimate access point.
The whole experience is transparent to the victim. Most of the time the hacker allows the victims to reach their intended Internet destinations while they secretly eavesdrop on the network traffic so that they can steal the information from the victims as the victims attempt to login to their e-mail, provide credit card numbers while shopping online, etc.
To protect financial account passwords and email addresses, you can establish a virtual private network (VPN) or create end-to-end encryption. Virtual private networks only allow authorized users to access the wireless network. End-to-end encryption makes it almost impossible for phony wireless access points to gain access to your mobile computing device. You can also monitor Radio Frequency (RF) airwaves and compare the data gathered with the authorized list of routers and switches. Firewalls have no role in preventing the establishment of phony wireless access points.
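The comparison of observed access points against an authorized list, mentioned above, can look like the following. This is an added example, not part of the original essay; the `Beacon` record, the `AUTHORIZED` allowlist and every SSID and BSSID value are constructed for illustration, and the scan results are assumed to come from whatever wireless survey tool is in use.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str       # advertised network name
    bssid: str      # MAC address of the access point radio
    security: str   # advertised protection, e.g. "WPA2" or "OPEN"

# Constructed allowlist: per SSID, the known radios and expected security.
AUTHORIZED = {
    "CorpWiFi": {
        "bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
        "security": "WPA2",
    },
}

# Constructed survey results standing in for a real RF scan.
SCAN = [
    Beacon("CorpWiFi", "aa:bb:cc:00:00:01", "WPA2"),    # known AP
    Beacon("CorpWiFi", "de:ad:be:ef:00:99", "OPEN"),    # same name, unknown radio
    Beacon("CorpWiFi", "AA:BB:CC:00:00:02", "OPEN"),    # known MAC, weaker security
    Beacon("CoffeeShop", "11:22:33:44:55:66", "OPEN"),  # not one of our SSIDs
]

def find_suspect_aps(beacons, authorized=AUTHORIZED):
    """Return (bssid, reasons) for beacons that reuse an authorized SSID
    but do not match the allowlist entry for that SSID."""
    findings = []
    for b in beacons:
        policy = authorized.get(b.ssid)
        if policy is None:
            continue  # SSID is not ours, out of scope for this check
        reasons = []
        if b.bssid.lower() not in policy["bssids"]:
            reasons.append("unknown BSSID")
        # A BSSID can be copied as easily as an SSID, so also compare the
        # advertised security: a downgrade on a known MAC is still suspect.
        if b.security != policy["security"]:
            reasons.append("security mismatch")
        if reasons:
            findings.append((b.bssid, reasons))
    return findings

if __name__ == "__main__":
    for bssid, reasons in find_suspect_aps(SCAN):
        print(f"possible evil twin {bssid}: {', '.join(reasons)}")
```

A clean result does not prove the absence of a rogue access point, since both SSID and BSSID can be imitated; the check only surfaces the mismatches that are visible in the scan.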
Wireless network users have enough to worry about whenever they access Internet hotspots. They need to consider hackers that loom inside of the same wireless Internet hotspot where they enjoy their morning cup of Joe. Typical wireless hackers work off the same wireless network by penetrating firewalls and installing malware. You should do whatever it takes to prevent hackers from establishing the evil twin of wireless access points. Failing to do so can cause you to lose your identity, which means emptied bank and credit card accounts, as well as depleted government accounts such as Social Security and Medicare.
Trojans
A Trojan refers to a program that appears as something you may think is safe, but hidden inside is usually something harmful, probably a worm or a virus. The lure of Trojans is that you may download a game or a picture, thinking it's harmless, but once you execute this file (run it), the worm or virus gets to work. Sometimes they will only do things to annoy you, but usually a worm or virus will cause damage to your system.
Trojans are malicious files that pretend to be something else (e.g. a game) to get you to run them.
To avoid Trojans, don't open attachments in emails from people you don't know, and be careful of what you download from the internet (try to download from trusted sites such as download.com or softpedia.com).
Email Based Attacks
Malware email attacks are truly the foundation for many of the bad things around, but keep in mind that this kind of attack has been around for approximately a decade, and careless businesses have been using their email addresses for years. So those PCs would have been filled up with malware if their users had opened every e-mail attachment and followed every link over the years.
HTTP Session Hijacking
HTTP session hijacking is a type of security attack on an end user's session that is running over an internet network connection. This process of hijacking is sometimes also referred to as cookie hijacking, when the hacker gets access to the session key and carries out spoofing with it. The most common method of session hijacking involves TCP/IP session hijacking, also known as IP spoofing. In this process, the hacker uses source-routed IP packets and then inserts commands into the active communication. As we all know, in a TCP/IP session verification is the preliminary step in beginning the communication. In session hijacking, the hackers gain entry through the verification process of the TCP session and so continue the process of spoofing. The attacker easily gets into the system, and the sessions can be hijacked at this point. These types of attacks can also crash the system, disrupt network connectivity and force heavy packet loss.
Active Session Hijacking:
In active session hijacking, an authenticated session is hijacked. In this technique, the user remains logged in to the active session of their social profile or account. The attackers try to take over the network cookies and so hijack this active session. The original user can then no longer log in to their profile and is disconnected from the server itself.
Passive Session Hijacking:
In this technique of hijacking, the attacker does not hack any active session. They follow a different method to get the end user's login credentials. When the end user types their login credentials on the system and attempts to get access to their profile on the network, the hacker captures the login credentials and then hacks the user's account.
TCP Session Hijacking:
TCP session hijacking is one of the earliest techniques of session hijacking. It mostly happens between the server and the client machine. Unlike the SQL injection technique of hacking, with this technique no malicious code is entered into the network interface at all. Instead, the hacker generates completely new sessions and interjects the session at the application level. The attacker gets complete entry into the session by hijacking the original sessions at the system (network) level, and gets all the information of the user.
Example of Session Hijacking:
Session hijacking is carried out over the network connection: the hackers request your session ID and carry out their task with that ID. The session ID is transferred via cookies. Consequently, once the hackers get access to the cookies, they replace their own cookie with yours and the session is hijacked. Through the use of XSS attacks, they can get access to the end user's cookie information. Then session hijacking can begin on the active sessions.
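Because the session ID travels in a cookie, the cookie's attributes decide how exposed it is to the XSS and network theft described above. The following is an added example, not part of the original essay: it issues a session cookie with protective attributes and audits a `Set-Cookie` value for missing ones. The function names and the cookie name `sessionid` are hypothetical.

```python
import secrets
from http.cookies import SimpleCookie

# Attributes that limit how a session cookie can be read or sent.
REQUIRED = ("httponly", "secure", "samesite")

def issue_session_cookie(name="sessionid"):
    """Build a Set-Cookie value carrying a fresh, unguessable session ID."""
    cookie = SimpleCookie()
    cookie[name] = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    morsel = cookie[name]
    morsel["httponly"] = True   # hidden from document.cookie, so injected script cannot read it
    morsel["secure"] = True     # only sent over HTTPS, not over a plaintext hop
    morsel["samesite"] = "Lax"  # not attached to most cross-site requests
    morsel["path"] = "/"
    return morsel.OutputString()

def audit_set_cookie(header_value):
    """Return the protective attributes missing from a Set-Cookie value."""
    attributes = header_value.split(";")[1:]  # skip the name=value pair
    present = {a.strip().split("=", 1)[0].lower() for a in attributes if a.strip()}
    return [attr for attr in REQUIRED if attr not in present]

if __name__ == "__main__":
    # Constructed header values for illustration.
    for header in (issue_session_cookie(),
                   "sessionid=abc123; Path=/",
                   "sessionid=abc123; Secure; HttpOnly"):
        print(audit_set_cookie(header) or "ok", "<-", header)
```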
Conclusion
The security and privacy problems on social network sites can simply be fixed if users are more cautious about what they share and how much they share. With the growth of social networks, it has become much tougher to protect site users because the responsibilities of security programmers have become gradually spread out. For example, on social networking web sites like Facebook, Myspace and similar sites, most people will share information about their lives with groups of friends online. But the downside to this concept that most people think of is just how much of their information is available to the network, which can be hacked by outsiders.
At the end of the day, the only proper answer to the social network privacy and security issues is to spend less time online. You shouldn't post anything you wouldn't mind telling a complete stranger, because in reality that is the potential for access. Be careful who you add as a "friend," because there is simply no way of verifying a user's actual identity online. It compares to a rep from your company's IT department calling to ask for your login password. Most people will hand it over with no proof that the IT rep actually exists. The caller might be your IT rep, or they might not. These kinds of scams happen all the time.