Workshop On Social Networking (WOSN) 2010


This week I attended the Usenix Annual Technical Conference in Boston. The first day of the conference I attended the 3rd annual Workshop On Social Networking. It was interesting spending the day with academics who have an entirely different perspective regarding security and privacy than much of the industry itself. I am only going to cover the highlights related to security and privacy from the sessions I attended.

The first paper of the morning was "Ghostbusting Facebook: Detecting and Characterizing Phantom Profiles in Online Social Gaming Applications" by Atif Nazir, Saqib Raza, Chen-Nee Chuah, and Burkhard Schipper. The presentation studied how phantom profiles and fake accounts can be statistically determined through analysis of human behavior versus behavior that is intended only to benefit a human. They showed how "bots" or fake accounts are often used as a way to cheat in online social network games and presented methods to sort out the fakes from real players. Considering the number of fake accounts on social networks that are often used to spam, phish, and spread malware, further development of this research could help create algorithms to detect malicious accounts.


Later in the morning Craig E. Wills from Worcester Polytechnic Institute presented a paper co-authored with Balachander Krishnamurthy of AT&T Labs titled "Privacy Leakage in Mobile Online Social Networks". They studied 20 popular mobile online social networks (mOSNs) to see what information they were inadvertently leaking in addition to data leakage specific to mobile access. Unfortunately their study showed that all mOSNs were leaking data and that much of that information could not be restricted by users.

The next paper was "Don't Tread on Me: Moderating Access to OSN Data with SpikeStrip" by Christo Wilson, Alessandra Sala, Joseph Bonneau, Robert Zablit and Ben Y. Zhao. They explained how current methods of stopping bots from scraping data from social networks are ineffective and proposed a new method called SpikeStrip. SpikeStrip uses cryptographic tokens in URLs on a per-user basis to enforce rate limiting and prevent abuse of publicly available data. They suggest that using SpikeStrip would significantly reduce abuse if implemented by social network providers.
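The general idea of per-user URL tokens backing a rate limit can be sketched as follows. This is an added example, not code from the paper or from this post, and it is not the SpikeStrip construction itself: the HMAC-SHA256 token, the `?t=` parameter, the key, the window and budget, and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

SERVER_KEY = b"constructed-demo-key"  # constructed; a real key comes from a secret store
WINDOW_SECONDS = 60                   # assumed rate-limit window
MAX_REQUESTS = 3                      # assumed per-user budget per window


def link_token(user_id, path):
    """Bind a link to one user: HMAC over user id and path (ids assumed NUL-free)."""
    msg = user_id.encode() + b"\x00" + path.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def personalize(user_id, path):
    """Rewrite an outbound link so that it only verifies for this user."""
    return f"{path}?t={link_token(user_id, path)}"


class Gatekeeper:
    """Verifies the per-user token, then applies a sliding-window rate limit."""

    def __init__(self):
        self._hits = defaultdict(deque)  # user_id -> timestamps of served requests

    def check(self, user_id, url, now=None):
        now = time.time() if now is None else now
        path, sep, token = url.partition("?t=")
        expected = link_token(user_id, path)
        # Constant-time comparison on bytes; a missing token is rejected outright.
        if not sep or not hmac.compare_digest(token.encode(), expected.encode()):
            return "reject: token not issued to this user for this path"
        hits = self._hits[user_id]
        while hits and now - hits[0] >= WINDOW_SECONDS:
            hits.popleft()               # forget requests outside the window
        if len(hits) >= MAX_REQUESTS:
            return "throttle: per-user budget exhausted"
        hits.append(now)
        return "serve"
```

Because the token covers both the user and the path, a link harvested by one account does not verify for another account, so every fetch is charged to the budget of the account the link was issued to.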

The last paper with privacy implications was "Prediction Promotes Privacy in Dynamic Social Networks" by Smriti Bhagat, Graham Cormode, Balachander Krishnamurthy, and Divesh Srivastava. The goal of this research was to determine how the richly detailed information contained within social networking sites can be used by researchers without compromising users' privacy. They explored different models for sanitizing the data to provide a realistic representation of users' behavior while protecting their identities.

The last paper made me sad because the researchers are far more concerned with the privacy and identity of social network users than both the providers of these services and many of the people who use them. I encourage social media companies to look at this research and use methods like those proposed to share data with their partners.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.