Thorsten Strufe

All your contacts are belong to us: automated identity theft attacks on social networks

Social networking sites have been increasingly gaining popularity. Well-known sites such as Facebook have been reporting growth rates as high as 3% per week. Many social networking sites have millions of registered users who use these sites to share photographs, contact long-lost friends, establish new business contacts and to keep in touch. In this paper, we investigate how easy it would be for a potential attacker to launch automated crawling and identity theft attacks against a number of popular social networking sites in order to gain access to a large volume of personal user information. The first attack we present is the automated identity theft of existing user profiles and sending of friend requests to the contacts of the cloned victim. The hope, from the attackers point of view, is that the contacted users simply trust and accept the friend request. By establishing a friendship relationship with the contacts of a victim, the attacker is able to access the sensitive personal information provided by them. In the second, more advanced attack we present, we show that it is effective and feasible to launch an automated, cross-site profile cloning attack. In this attack, we are able to automatically create a forged profile in a network where the victim is not registered yet and contact the victims friends who are registered on both networks. Our experimental results with real users show that the automated attacks we present are effective and feasible in practice.

Privacy preserving social networking through decentralization

The recent surge in popularity of on-line social network applications raises serious concerns about the security and privacy of their users. Beyond usual vulnerabilities that threaten any distributed application over Internet, on-line social networks raise specific privacy concerns due their inherent handling of personal data. In this paper we point to the centralized architecture of existing on-line social networks as the key privacy issue and suggest a solution that aims at avoiding any centralized control. Our solution is an on-line social network based on a peer-to-peer architecture. Thanks to its fully distributed nature, the peer-to-peer architecture inherently avoids centralized control by any potentially malicious service provider. In order to cope with the lack of trust and lack of cooperation that are akin to peer-to-peer systems and to assure basic privacy among the users of the social network, our solution leverages the trust relationships that are part of the social network application itself. Privacy in basic data access and exchange operations within the social network is achieved thanks to a simple anonymization technique based on multi-hop routing among nodes that trust each other in the social network. Similarly cooperation among peer nodes is enforced based on hop-by-hop trust relationships derived from the social network.

A recommendation system for spots in location-based online social networks

Centralized Online Social Network services (OSN) are collecting immense amounts of data, containing a wealth of information about preferences of their users. Its exploitation for the benefit of the users, even though quite promising, has not seriously been tackled, yet. For this purpose, we propose a personalized recommender for places in location-based OSNs, based on the check-ins of the entire user base. Following a brief analysis, we first propose an interpretation of the data available to OSN providers and an recommendation scheme based on regularized matrix factorization. To evaluate our approach we acquire a large sample of a real data set by crawling Gowalla, one of the most popular location-based OSNs. An exhaustive experimental evaluation then confirms the feasability of using Collaborative Filtering techniques to make personalized recommendation of potentially interesting spots.

Safebook: Feasibility of transitive cooperation for privacy on a decentralized social network

Social networking services (SNS), which provide the application with the most probably highest growth rates in the Internet today, raise serious security concerns, especially with respect to the privacy of their users. Multiple studies have shown the vulnerability of these services to breaches of privacy and to impersonation attacks mounted by third parties, however the centralized storage at the providers of SNS represents an additional quite significant weakness that so far has not satisfyingly been addressed. In this paper we show the feasibility of “Safebook”, our proposal for the provision of a competitive social networking service, which solves these vulnerabilities by its decentralized design, leveraging on the real life relationships of its users and means of cryptography.

A survey on decentralized Online Social Networks

Because of growing popularity of Online Social Networks (OSNs) and huge amount of sensitive shared data, preserving privacy is becoming a major issue for OSN users. While most OSNs rely on a centralized architecture, with an omnipotent Service Provider, several decentralized architectures have recently been proposed for decentralized OSNs (DOSNs). In this work, we present a survey of existing proposals. We propose a classification of previous work under two dimensions: (i) types of approaches with respect to resource provisioning devices and (ii) adopted strategies for three main technical issues for DOSN (decentralizing storage of content, access control and interaction/signaling). We point out advantages and limitations of each approach and conclude with a discussion on the impact of DOSNs on users, OSN providers and other stakeholders.

Optimally DoS Resistant P2P Topologies for Live Multimedia Streaming

Using a peer-to-peer approach for live multimedia streaming applications offers the promise to obtain a highly scalable, decentralized, and robust distribution service. When constructing streaming topologies, however, specific care has to be taken in order to ensure that quality of service requirements in terms of delay, jitter, packet loss, and stability against deliberate denial of service attacks are met. In this paper, we concentrate on the latter requirement of stability against denial-of-service attacks. We present an analytical model to assess the stability of overlay streaming topologies and describe attack strategies. Building on this, we describe topologies, which are optimally stable toward perfect attacks based on global knowledge, and give a mathematical proof of their optimality. The formal construction and analysis of these topologies using global knowledge lead us to strategies for distributed procedures, which are able to construct resilient topologies in scenarios, where global knowledge can not be gathered. Experimental results show that the topologies created in such a real-world scenario are close to optimally stable toward perfect denial of service attacks.

Churn in Social Networks

In the past, churn has been identified as an issue across most industry sectors. In its most general sense it refers to the rate of loss of customers from a company’s customer base. There is a simple reason for the attention churn attracts: churning customers mean a loss of revenue. Emerging from business spaces like telecommunications (telcom) and broadcast providers, where churn is a major issue, it is also regarded as a crucial problem in many other businesses, such as online games creators, but also online social networks and discussion sites. Companies aim at identifying the risk of churn in its early stages, as it is usually much cheaper to retain a customer than to try to win him or her back. If this risk can be accurately predicted, marketing departments can target customers efficiently with tailored incentives to prevent them from leaving.

kTC - Robust and Adaptive Wireless Ad-Hoc Topology Control

Topology control for Wireless Sensor Networks (WSN) is a frequently tackled challenge, for which no satisfying general solution for realistic deployments has been found to the current day. Aiding to minimize unnecessary transmissions, it nevertheless represents a crucial function of WSN, in the light of their pursuit of efficiency. kTC is a new WSN topology control that unlike prior art neither relies on location information, nor on complex geometric structures, which could leave doubts about a practical feasibility. Even though location-free approaches have been proposed to circumvent systematic problems, they do not address issues like robustness and adaptability satisfyingly, which may lead to disconnection in real world deployments. kTC is a location-free approach that adapts topologies dynamically in face of changing environmental influences. It is based on a local, pattern-based heuristic, and transmitting only two messages per node to construct the topology it is highly scalable. The graphs kTC creates are symmetric, connected, and planar; they have bounded degree and nodes are θ-separated. Simulative evaluations indicate that kTC outperforms known topology control schemes. A preliminary deployment on a sensor testbed corroborates the obtained results and acts as proof of concept for kTC.

An efficient distributed privacy-preserving recommendation system

Implementing a recommendation system on the data of mobile social networks exploits knowledge about behavior and preferences of its users and hence raises serious privacy concerns. Leveraging the wealth of aggregated information in these services promises an immense benefit by allowing suggestions for presumably appreciated, yet previously unseen restaurants, sights, and further types of locations. Privacy preserving recommenders based on homomorphic encryption have been proposed, which have a systematic draw-back: while recommender systems often store their information as real values, all homomorphic encryption schemes used today process only data from other algebraic structures, e.g., the ring of integers modulo some integer n. Therefore, we present a novel distributed recommender and a homomorphic encryption scheme, which works directly on real numbers and which possesses some remarkable properties: it is conceptually simple, efficient, and provably secure.

Cryptographic treatment of private user profiles

The publication of private data in user profiles in a both secure and private way is a rising problem and of special interest in, e.g., online social networks that become more and more popular. Current approaches, especially for decentralized networks, often do not address this issue or impose large storage overhead. In this paper, we present a cryptographic approach to Private Profile Management that is seen as a building block for applications in which users maintain their own profiles, publish and retrieve data, and authorize other users to access different portions of data in their profiles. In this course, we provide: (i) formalization of confidentiality and unlinkability as two main security and privacy goals for the data which is kept in profiles and users who are authorized to retrieve this data, and (ii) specification, analysis, and comparison of two private profile management schemes based on different encryption techniques.