Here is my summary of the recent ACM Social Network Systems 2009
* Security at a Large Social Network, Tao Stein (Facebook)
Tao's talk started with the "The Road to 200 Million" article from the NYT. Facebook has three data centers, each in charge of a major continent: VA (Asia), SC (Europe), SF (US). Data consistency is hard to achieve, so Facebook uses a single server for writes and the other servers for read-only operations. The servers use 25TB of RAM for MySQL. There are obviously lots of attacks on Facebook. Their long-term goal is that one identity in the system corresponds to one real identity. Every security policy is a trade-off between site integrity and user experience: throwing in more CAPTCHAs increases security, but the user experience degrades.
The #1 problem is at account takeovers. Here are a few example attacks:
(a) photo/video scam (e.g., "This applet will show you which friends viewed your photo")
(b) 419 attack by Nigerian spammers (e.g., "I am lost in London, please send me $1000 to Western Union")
(c) koobface (a botnet that sends spam URLs)
(d) fake chain letter (e.g., "Facebook is overpopulated")
Often users use the same login credentials across multiple sites. (Yes, I do too!) So if one site gets compromised, then all are compromised. Because most sites force users to use complex passwords, users end up using a common password across sites. Facebook tries hard to educate users about its sophisticated privacy settings.
How is the network security different in online social network? (a) education and (b) coefficient (= strength of ties) in the social graph.
*Botnets vs. Social Networks, Elie Bursztein (Stanford)
The second talk was by Elie, who is a post-doc at Stanford. Elie gave a brief overview of his research: how to turn online social networks into a botnet. Elie found that a number of existing systems (e.g., MSN Messenger) have vulnerabilities: a malicious user can send code to turn his friends' (and their friends') host machines into a botnet.
* Eight Friends Are Enough: Social Graph Approximation via Public Listings, Joseph Bonneau (University of Cambridge)
I greatly enjoyed this talk. The talk demonstrated how revealing limited information about a social network (e.g., Facebook's public listing, which shows 8 random friends of a user) can say so much about the entire social graph structure.
I've heard a new term "social graph privacy". It means to prevent data aggregators from reconstructing large portions of the social graph, composed of users and their friendship links. Joseph said protecting social graph is more difficult than protecting personal data, because personal data can be managed individually by users, while information about a user's place in the social graph can be revealed by any of the user's friends. This work got popular in media. I also saw BBC interview with the authors.
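To make the "eight friends are enough" point concrete, here is a small simulation I added (it is not code from the paper or from Facebook). It constructs a random friendship graph, publishes a listing of up to 8 friends per user, aggregates all the listings, and measures what fraction of the real friendship edges an aggregator recovers. The graph, the degree distribution and the assumption that each fetch of a listing draws a fresh random sample are my own constructed assumptions; the `stable` option is an illustration of the obvious defensive alternative (showing a fixed subset per user), not anything the talk described.

```python
import random


def make_graph(n_users, avg_degree, seed=0):
    """Construct a random undirected friendship graph (constructed sample data)."""
    rng = random.Random(seed)
    friends = {u: set() for u in range(n_users)}
    target = n_users * avg_degree // 2
    count = 0
    while count < target:
        a, b = rng.randrange(n_users), rng.randrange(n_users)
        if a != b and b not in friends[a]:
            friends[a].add(b)
            friends[b].add(a)
            count += 1
    return friends


def public_listing(friends, user, k, rng, stable=False):
    """The k friends a public listing shows for one user.

    stable=False: a fresh random sample on every fetch (assumed behaviour of
    a 'k random friends' listing).
    stable=True: a fixed per-user subset, so repeated fetches reveal nothing new.
    """
    fl = sorted(friends[user])
    if stable:
        return set(random.Random(user).sample(fl, min(k, len(fl))))
    return set(rng.sample(fl, min(k, len(fl))))


def reconstruct(friends, k=8, views=1, stable=False, seed=1):
    """Aggregate every user's listing (fetched `views` times) into undirected edges."""
    rng = random.Random(seed)
    edges = set()
    for u in friends:
        for _ in range(views):
            for v in public_listing(friends, u, k, rng, stable):
                edges.add(frozenset((u, v)))
    return edges


def recovered_fraction(friends, k=8, views=1, stable=False, seed=1):
    """Share of true friendship edges present in the aggregated listings."""
    true_edges = {frozenset((u, v)) for u in friends for v in friends[u]}
    return len(reconstruct(friends, k, views, stable, seed)) / len(true_edges)


if __name__ == "__main__":
    g = make_graph(2000, 30)  # 2000 users, about 30 friends each (constructed)
    for views in (1, 5, 20):
        frac = recovered_fraction(g, views=views)
        print(f"random 8, {views:2d} fetch(es): {frac:.2f} of edges recovered")
    frac = recovered_fraction(g, views=20, stable=True)
    print(f"fixed 8,  20 fetches:   {frac:.2f} of edges recovered")
```

Two things come out of running it. Even a single fetch of every listing recovers roughly 40-50% of the edges, because each friendship can be exposed from either endpoint; and if the 8 friends are re-randomised on every fetch, a handful of repeated fetches recovers almost the whole graph. A fixed per-user subset caps the aggregate disclosure at the single-fetch level no matter how often the page is crawled, which is why the choice between "random" and "fixed" matters far more than the number 8 itself.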
2 comments:
It's very nice to see that Bonneau's paper was picked up by the media. And although the piece from the Guardian was generally well written, I hate that they have to include these alarming headlines, "public profiles could be used to access private details"; that's just not true.
I know, media needs a shocking title to sell their content. Have I missed out on any interesting bits from the three talks? I might take time to write about the others. If you have a summary, do send me some!