Enable HTTPS on Facebook!

Posted: June 7th, 2011 | Author: | Filed under: fitm, personal, random, security | Tags: , , , , , , , , , , , , , , , | No Comments »

A couple of month passed since Facebook introduced full SSL support. This optional feature lets you browse Facebook via a secure connection (https) whenever possible. Facebook via https is now available to all users and why are so few people using it? I suppose because the option is disabled per default. -> Enable this option!

SOPHOS How-To enable the Facebook HTTPS option.
They also provide a video How-To:

Using Facebook without a secure communication puts your account data at high risk. First Firesheep and now Faceniff offer script-kiddie tools to hijack Facebook accounts over wireless. Research we conducted shows that unencrypted Facebook sessions are low-hanging fruits for large scale spam attacks. We published our first findings in 2010 (technical report), a revised version has been published in the current issue of IEEE’s Internet Computing.

Friend-in-the-middle (FiTM) attacks

In our article we present friend-in-the-middle attacks that extract social networking data in an automated fashion. The harvesting of data is possible because people do not use a secure connection with Facebook. We show that the extracted social data can be exploited for large-scale context-aware spam and social-phishing attacks. Our attack simulations on Facebook showed that an attacker could easily spam a high number of users with context-aware spam (e.g. spam that appears to be coming from a friend) in a short period of time (Over 300,000 spammed users with 4,000 uncrypted Facebook sessions we observed over two weeks).

Download the preprint: FITM_InternetComputing_preprint.pdf

More information on Friend-in-the-Middle Attacks can be also found here: http://www.sba-research.org/2011/02/02/ieee-internet-computing-special-issue-on-security-and-privacy-in-social-networks/

Technical Report: Friend-in-the-Middle (FITM) Attacks

Posted: July 14th, 2010 | Author: | Filed under: fitm, research, security | Tags: , , , , , , | 1 Comment »

Abstract. In the ongoing arms race between spammers and the multi-million dollar anti-spam industry, the number of unsolicited e-mail messages (better known as “spam”) and phishing has increased heavily in the last decade. In this paper, we show that our novel friend-in-the-middle attack on social networking sites (SNSs) can be used to harvest social data in an automated fashion. This social data can then be exploited for large-scale attacks such as context-aware spam and social-phishing. We prove the feasibility of our attack exemplarily on Facebook and identify possible consequences based on a mathematical model and simulations. Alarmingly, all major SNSs are vulnerable to our attack as they fail to secure the network layer appropriately.



FITM Attacks (Image by http://www.flickr.com/photos/donsolo/)