Post 4 - Online Social Network Security

Security Objectives on OSNs:

Have you ever seen some pornographic post in Facebook and required you to LIKE and watch the content? Have you ever seen your photo been stolen and posted into other forum? The security in social networking is a new topic and highly concerned.


1. The conventional security objectives are as following:. From wikipedia (http://en.wikipedia.org/wiki/Security_service_%28telecommunication%29) 

Authentication

These services provide for the authentication of a communicating peer entity and the source of data as described below.

Peer entity authentication

This service, when provided by the (N)-layer, provides corroboration to the (N + 1)-entity that the peer entity is the claimed (N + 1)-entity.

Data origin authentication

This service, when provided by the (N)-layer, provides corroboration to an (N + 1)-entity that the source of the data is the claimed peer (N + 1)-entity.

Access control

This service provides protection against unauthorized use of resources accessible via OSI. These may be OSI or non-OSI resources accessed via OSI protocols. This protection service may be applied to various types of access to a resource (e.g., the use of a communications resource; the reading, the writing, or the deletion of an information resource; the execution of a processing resource) or to all accesses to a resource.

Data confidentiality

These services provide for the protection of data from unauthorized disclosure as described below

Connection confidentiality

This service provides for the confidentiality of all (N)-user-data on an (N)-connection

Connectionless confidentiality

This service provides for the confidentiality of all (N)-user-data in a single connectionless (N)-SDU

Selective field confidentiality

This service provides for the confidentiality of selected fields within the (N)-user-data on an (N)-connection or in a single connectionless (N)-SDU.

Traffic flow confidentiality

This service provides for the protection of the information which might be derived from observation of traffic flows.

Data integrity

These services counter active threats and may take one of the forms described below.

Connection integrity with recovery

This service provides for the integrity of all (N)-user-data on an (N)-connection and detects any modification, insertion, deletion or replay of any data within an entire SDU sequence (with recovery attempted).

Connection integrity without recovery

As for the previous one but with no recovery attempted.

Selective field connection integrity

This service provides for the integrity of selected fields within the (N)-user data of an (N)-SDU transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted or replayed.

Connectionless integrity

This service, when provided by the (N)-layer, provides integrity assurance to the requesting (N + 1)-entity. This service provides for the integrity of a single connectionless SDU and may take the form of determination of whether a received SDU has been modified. Additionally, a limited form of detection of replay may be provided.

Selective field connectionless integrity

This service provides for the integrity of selected fields within a single connectionless SDU and takes the form of determination of whether the selected fields have been modified.

Non-repudiation

This service may take one or both of two forms.

Non-repudiation with proof of origin

The recipient of data is provided with proof of the origin of data. This will protect against any attempt by the sender to falsely deny sending the data or its contents.

Non-repudiation with proof of delivery

The sender of data is provided with proof of delivery of data. This will protect against any subsequent attempt by the recipient to falsely deny receiving the data or its contents.

2. Three main security objectives are identified in the context of OSNs (From lecture notes week 10 slides 6-10)

• Privacy
• user profile privacy
• communication privacy
• message confidentiality
• information disclosure
• all information on all users and their actions has to be hidden from any other party internal or external to the system
• access to information on a user may only be granted by the user directly
• Integrity 
• the user's identity and data must be protected against unauthorized modification and tampering
• The authentication has to ensure the existence of real persons behind registered OSN members
• Availability
• Data published  by users has to be continuously available since it may be used for business or careers
• Apart from availability of data access, mess exchange among members are to be ensured.

3. The difference between conventional online networks and the OSNs (From lecture notes week 10 slides 34-66)

As online social network is the new trend and it contains a huge amount of personal data, the interested parties would like to exploit the security hole in the social platforms. The following are some of the examples that happen in the social network case.

• Spam on online social networks
• Phishing on OSNs
• sybil attack
• malware attacks
• Koobface
• Likejacking on Facebook
• CSRF
• XSS
• Persistent
• Non-Persistent