Syngress is an imprint of Elsevier.
30 Corporate Drive, Suite 400, Burlington, MA 01803, USA
This book is printed on acid-free paper.
2010 Elsevier Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies, and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our Web site: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Application submitted
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.
ISBN: 978-1-59749-545-5
Printed in the United States of America
10 11 12 13 5 4 3 2 1
Elsevier Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively Makers) of this book (the Work) do not guarantee or warrant the results to be obtained from the Work.
For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights; e-mail:
For information on all Syngress publications, visit our Web site at www.syngress.com
Typeset by: diacriTech, Chennai, India
About the Authors
Lead Author
Carl Timm is the Regional Director of Security for Savvis Communications. As Regional Director of Security, Mr. Timm is responsible for assisting companies with creating and implementing robust security programs. Mr. Timm has worked in the Information Security area for over 16 years providing security and IT governance consulting services for Fortune 500 companies. Mr. Timm is also an industry-recognized author, having written several books on the topics of security and networking. Mr. Timm holds multiple industry certifications including the CCIE, CISSP, and PMP.
Contributing Author
Richard Perez (CISSP#121490, CCNP, MCSE, SCSA, CCSE, CNE-3, ITIL) is a senior security, risk and architecture practice manager for Savvis, Inc. He currently provides strategic and technical consulting to clients in the Midwestern United States. His specialties include network and system security, enterprise architecture, business continuity, and disaster recovery.
Richard holds a Bachelor's degree in Computer Science and a Master's degree in Information Technology, and is presently completing his Doctorate in Computer Science. He is a member of the Association for Computing Machinery (ACM), (ISC)2, and InfraGard. Richard currently resides in the Northwest suburbs of Chicago, IL with his wife Kelly and his four sons, Tyler, Stuart, Seth, and Caden.
Technical Editor
Adam Ely (CISSP, NSA IAM, MCSE) is Director of Corporate Security for TiVo, where he is responsible for IT security and corporate security policies. Adam has held positions with The Walt Disney Company, where he was Manager, Information Security Operations for the Walt Disney Interactive Media Group and Senior Manager, Technology for a Walt Disney acquired business. In addition, Adam was a consultant with Alvarez & Marsal, where he led security engagements for clients. Adam's background focuses on application and infrastructure security. Adam has published numerous application vulnerabilities, application security roadmaps, and other articles.
Introduction
INFORMATION IN THIS CHAPTER
OVERVIEW AND KEY LEARNING POINTS
What is a social network? Some of you know this already. If you don't, you are about to find out. This book is going to take you through the seven deadliest social networking attacks. Kinda scary sounding, isn't it? Enough with the hubbub. Before we start attacking the social networks, we should probably understand what allows them to run.
So, what is the basis behind a social network? It is something called Web 2.0. Maybe you have heard of it, maybe you haven't; it doesn't matter. What is Web 2.0? So glad you asked that question.
Well, we know what the Web is: it is the World Wide Web. This is a place where we can find anything we want. However, what the heck is Web 2.0? You have heard about it on the Web and you have heard about it from your friends, but you still don't know. Is it the second coming of the Web? No. Is it a new version of the Internet? You are still way off. You probably won't be happy with this explanation; keep in mind, neither were we when we found out.
Right now, you are probably tired of this long drawn-out intro to Web 2.0. However, it's like that suspense movie you love so much: it takes a while to get to the point; it is something called dramatic effect. Enough of that. Web 2.0 is a term that was coined by a single person talking to a single company. A man by the name of Tim O'Reilly was discussing the Internet with Dale Dougherty. They had noted that far from having crashed, the Web was more important than ever, with exciting new applications and sites popping up with surprising regularity. What's more, the companies that had survived the collapse seemed to have some things in common. Could it be that the dot-com collapse marked some kind of turning point for the Web, such that a call to action such as Web 2.0 might make sense? We agreed it did, and so the Web 2.0 conference was born. Don't you like history? Hope so!!
You really have to keep in mind that the list went on and on and on. This is only a brief list. By now you have to be asking yourself, "What makes something 1.0 and something 2.0?" This is a very valid question. We are asking ourselves the same question.
Not really.
So what are the differences, you ask? Well, let's find out. Take a look at .
What does this all mean to us, you may ask? It makes our lives easier; however, it also makes our lives more complicated. What does that mean? It means that in exchange for a more enjoyable browsing life, the ease of use, we become exposed through the information we share. By this time, you are probably ready for a bit more insight. That is exactly what you are going to receive. Now it is time to focus on the social networking sites, which are built upon Web 2.0.
Social networks are sites that have exploded into the tech scene with a considerable amount of popularity and fanfare. At first, many people (including myself) felt that social networking was nothing more than a fad. However, in 2006, advertising on U.S.-based social networking sites such as MySpace and Facebook accumulated over $350 million (US). Facebook appears to be leading the charge as one of the hottest growing social networks. With an active user count of over 60 million subscribers and with more than 13,000 applications at its disposal, there is a wide expanse to express ideas, collaborate, and collect information. Facebook as of this writing stands as the fourth largest Web site in the world, having grown 157% (trailing only Google, Microsoft, and Yahoo). Twitter, between the years of 2008 and 2009, grew by 1,928% in the United States alone. LinkedIn currently has an active user count that now exceeds 30 million users globally, reached in a span of five years.
(Figure: Growth within the social networking segment, as derived from Forrester Research.)