It has really become a great platform to catch up with friends. Orkut helped me get back in touch with one of my good old friends who moved out of my school after fifth std. Just as a coin has two sides, so does social networking. I have used only Orkut and thought of sharing some of the concerns I have.
I was very uncomfortable after seeing that the scraps (scraps are short messages you can leave for another Orkut member) are public. If someone wants to profile you, they could go through the trail of scraps to learn the relationships you maintain with your friends (yeah, it's crazy, right?).
The user profile is public. Why would I want to share my interests, my favorite movies, my hobbies etc. in public? This data helps a lot in launching a social engineering attack. For example, on some sites, the FYP (Forgot Your Password) flow asks for a security question and answer. Most of these security questions (I don't understand why they call it a security question) are standard, like "First school you studied in", "Name of your pet", "Favorite pastime" etc. Most of the answers could be found in a well documented user profile on Orkut. I don't have statistics, but my gut feeling says that most of your passwords are at least remotely linked to something you have on your profile (when I had my profile, at least one of my passwords was linked to the data on my profile). For example, your password might be linked to your passion, your favorite movie or one of the communities you are a part of. So things are made easy for a cracker: he just has to try out all possible or widely used passwords relating to whatever data you have on your profile.
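The overlap described above can be checked from the defender's side when a user sets a password or a security answer. The following is an added example, not part of the original post; the profile field names, the sample profile and the substitution table are constructed assumptions.

```python
import re

# Undo common character substitutions before comparing (assumed set).
LEET = str.maketrans("0134579@$!", "oieastgasi")

# Constructed sample profile; field names are illustrative only.
SAMPLE_PROFILE = {
    "favorite_movies": ["The Matrix", "Gladiator"],
    "hobbies": "trekking, chess",
    "pet": "Bruno",
    "first_school": "St. Mary's High School",
    "communities": ["Linux Users Group"],
}

def normalize(text):
    """Lowercase, undo simple substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))

def profile_tokens(profile, min_len=4):
    """Collect whole values and individual words from every profile field."""
    tokens = set()
    for value in profile.values():
        items = value if isinstance(value, (list, tuple)) else [value]
        for item in items:
            for piece in [item] + re.split(r"[\s,;/]+", item):
                norm = normalize(piece)
                if len(norm) >= min_len:  # skip short words such as "the"
                    tokens.add(norm)
    return tokens

def profile_derived(secret, profile):
    """Return the sorted profile tokens found inside a password or answer."""
    norm = normalize(secret)
    return sorted(t for t in profile_tokens(profile) if t in norm)

if __name__ == "__main__":
    for candidate in ["M4tr1x!2008", "Bruno", "correct-horse-battery-staple"]:
        hits = profile_derived(candidate, SAMPLE_PROFILE)
        print(candidate, "->", "reject: " + ", ".join(hits) if hits else "ok")
```

A site could run such a check at signup or password change and refuse secrets that return a non-empty list; common words in a profile (for example "school") will also match, so the minimum token length is a tuning choice.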
Although social networking is on the uphill, it surely seems to aid social engineering. Alright, with this problem in hand, the solution I could see is whitelisting. Provide power to the user to manage who could access (read / write