Recently, a security flaw in an important social network site exposed sensitive data belonging to millions of users. This raised more concern about how safe user data is in the cloud. Day after day we are invited to join useful services available over the internet: services that make our lives more efficient, interconnected, and closer to our interests. But at what cost? Many of these services are free, so it seems that no money is flowing from our pockets. We are not paying for these services with money; instead, we are paying with a new kind of currency: our digital identities.
For the most important internet companies, our digital identity is the new golden egg. It is through our identity that it is possible to sell ads for any kind of product or service. It turns out that our identity is directly connected to the profit of these companies. But did you know that if your identity is so valuable to a company, it may be of even more value to a criminal?
For that reason, many fraudsters crawl social network sites looking for flaws that let them collect users' data. Why is it so hard for these sites to keep our information safe?
- Cascaded Permissions;
- Continuous Development;
- Lack of a security data-type;
- Lack of device identification.
Cascaded Permissions:
Cascaded permissions occur when a permission given to a single connection (e.g. a friend in a network) is also given to all connections of your connections (e.g. friends of friends). This can exist as an intended system feature or as an unintended consequence of a feature's logic.
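An added example (not from the original article) of auditing for cascaded permissions: it computes who can actually see an item when a grant meant for direct friends is evaluated transitively. The friendship graph, user names and function names are constructed for illustration.

```python
from collections import deque

# Constructed friendship graph (undirected); not real data.
FRIENDS = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice"},
    "dave": {"bob", "erin"},
    "erin": {"dave"},
}

def within_hops(graph, owner, max_hops):
    """Return every user reachable from owner in at most max_hops friendship edges."""
    seen = {owner: 0}
    queue = deque([owner])
    while queue:
        user = queue.popleft()
        if seen[user] == max_hops:
            continue  # do not expand beyond the allowed distance
        for friend in graph.get(user, ()):
            if friend not in seen:
                seen[friend] = seen[user] + 1
                queue.append(friend)
    return set(seen) - {owner}

def audit_item(graph, owner, intended_hops, effective_hops):
    """Return users who can see an item without ever being granted access.

    intended_hops: what the owner selected (1 = friends only).
    effective_hops: what the access-check logic really allows
                    (2 when the grant cascades to friends of friends).
    """
    intended = within_hops(graph, owner, intended_hops)
    effective = within_hops(graph, owner, effective_hops)
    return effective - intended

def can_view(graph, owner, viewer, max_hops=1):
    """Non-cascading check: deny by default, allow only within the chosen distance."""
    return viewer == owner or viewer in within_hops(graph, owner, max_hops)
```

Running `audit_item` over every item whose audience is "friends" gives a regression test that fails as soon as a code change makes the grant transitive.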
Continuous Development:
Social network systems are always evolving. Like an organism, these systems periodically gain new features, while outdated and unused ones are disabled over time. This behavior is sustained by a huge effort of continuous development. Often, features that should no longer exist reappear under certain combinations of factors. Especially in networks with a high level of user adoption and a massive number of new memberships, the quality assurance needed to avoid this kind of problem is even harder.
Lack of a security data-type:
Have you asked yourself how your identity information is stored inside the databases of social network systems? Do the owners of these sites explain how identity data is stored? It is hard to answer these questions. What we know as common sense is that our passwords are stored as hashes. But is there any kind of encryption of our pictures, messages, etc.? Is there any kind of data-type, such as an XML document, that can only be queried through a PKI implementation? What actually happens today is that the user accepts the terms of how the social network works without any kind of warranty that their data will not leak. Unfortunately, there is no open standard or ontology that could govern how personal data can be stored and distributed.
Lack of device identification:
As human beings, everyone can choose their preferred place to do something: a preferred place to talk, to listen, to read, to write, to see and to be seen. Everyone should also have the freedom to choose which tool to use to talk, to listen, to read, to write, to see and to be seen. However, computers do not offer this choice. Theoretically, every computer can be used to perform personal operations and transactions. By default, there are no limits that prevent certain transactions from being done on certain computers. If this were different, we could assign specific machines to be allowed to do specific tasks, such as password updates or profile changes, document reading or money transactions.
The causes of the security issue that exposed the user data can be found in the four items described above. Logic that was not expected remained active because of a mistake that was not caught in any quality process, in part because continuous development significantly increased the number of quality tests. Also, since the user data is stored as a common data-type without any kind of opt-in encryption process, any data leak results in full visibility of private information. Beyond these facts, in social network applications any computer is able to show any data from anyone. There is no certification process that could prevent specific data from being displayed on an uncertified computer.
At this point, it is possible to present Intel IPT (Identity Protection Technology). This technology is embedded inside Intel Core processors and implements the EPID (Enhanced Privacy ID) algorithm, a direct anonymous attestation (DAA) scheme intended for device authentication. In other words, IPT can be used to attest that a computer is secure and may be used to manipulate certain types of data by certain types of applications. On the other hand, even with this technology available, only Intel trusted partners are entitled to develop security systems that take advantage of IPT. On February 25, 2013, at an RSA Conference held in San Francisco, InfoSERVER / TIX11 was the first company in the world to provide a complete solution that protects both authentication and transactions over the web, for sites and systems like social networks. Indeed, two fully functional websites were demonstrated inside Intel's booth at the same event. On that occasion, some user data could be displayed only on Ultrabooks, while the same data could not be shown on any other computer. This kind of approach could prevent the malicious use of the data leaked through this flaw, and even prevent the leak from occurring.