Social Networks Security
The growing ubiquity of cell phones has contributed tremendously to the rise of social networking sites. People between the ages of 14 and 60 years have been found to be very active on social media. But what attracts such large numbers to social networking tools rather than to traditional websites? The answer lies in the content of these sites and in how that content is delivered structurally.
That is the central question of this paper. It examines the workings of ‘H’, a hypothetical social network that is studied in detail below. Like most social media sites, ‘H’ is developed on open source software; it is written in C++, PHP (HHVM) and the D language.
‘H’ compiles into a 1.5 GB (gigabyte) binary blob, which is then distributed to the servers using a custom BitTorrent-based release system. A storage platform based on HBase holds data across distributed machines. A tailing architecture stores news events in log files which are subsequently. The user interface then pulls these events from storage and displays them. ‘H’ handles user requests as AJAX calls, and each request is written to a log file using Scribe.
AJAX is a group of interrelated web techniques used on the client side to create asynchronous web applications. With AJAX, web applications can send data to and retrieve data from a server asynchronously (in the background) without interfering with the display and behavior of the existing page. Data can be retrieved using the XMLHttpRequest object.
Data is read from the log files using Ptail, which tails the log files and pulls out new entries. Data is processed in batches to reduce the number of reads and writes needed during high-demand periods.
The output is in PHP format. The backend is written in Java, and Thrift is used as the messaging format so that PHP programs can query the Java services. Caching is used to make web pages display more quickly. The data is then sent to MapReduce servers so that it can be queried via Hive.
A typical ‘H’ user has a single client, from which the user can make the following requests to the ‘H’ servers:
- Login: the user keys in an email address or other user name and a password to authenticate.
- Search for another user: any user can be searched for from another user's interface.
- Create and submit a story or status.
- Comment on another user's status.
- Post a graphic image, video or other document.
- Share another user's post.
- Play a game.
A user request is processed along the lines of a client-server architecture. This is a network setup in which each computer or node is either a server or a client. Clients are the workstations on which users run applications; they request resources such as files and shared devices from servers. Servers are powerful computers that host the resources the clients require.
The following flow chart illustrates, in simplified form, the flow of information on ‘H’ when a user makes a request from a client workstation:
The client computer issues a request when a user on ‘H’ wishes to perform an action such as searching for another user. The request originates in the web client running on the client machine, which sends it to the application server.
The application server routes the request to the database server. Using the AJAX process described above, the server retrieves the piece of information relating to the request and tails it. This is relayed back to the application server for onward routing to the client side, where several further techniques are applied. Within a short moment, depending on the connection speed the client enjoys, the client is able to view the result of the request.
It should be noted that ‘H’ is a large social media site, so its operations, requests and other processes cannot be hosted on a single server. Servers supporting busy social media sites must handle many concurrent requests, sometimes from the same user. In principle all of these processes could be hosted on one server; the advantages would be cost efficiency, space utilization and the ability to monitor all the processes from one screen at once.
In large-scale operations, however, servers are specialized: a server supports one particular process, or even a single thread, in the overall line of computing. ‘H’ takes this specialized approach and has built a network centre with 24 servers. Some of these servers are dedicated to particular processes, while others host simultaneous processes or threads supporting a particular segment of the user interface.
For a long time most users on ‘H’ had only one column; subsequently a second column was added to handle other interfaces on the user's end. ‘H’ uses Users Ultra to create the fields in a user's column. With this tool you can create as many fields as you wish using the Fields Customizer Tool, and ‘reCAPTCHA’ is offered as an added feature.
Users Ultra is very simple to use, and its modules are customizable even if the user does not know how to code. The tool can handle one-time and recurring payments. Hence the columns in ‘H’ have the following capabilities: priority support; fields displayed by user role only, where you select the roles that can see a field; and fields editable by user role only, where you select the roles that can edit a field.
The system can integrate with third-party plugins, add medallions and fulfillments, and create unlimited widgets. The tool can also manage membership packages and the registration form with roles: users can select a role when registering, and a custom role can be set on registration and on social media registration.
The tool also manages the user's online/offline status in the user's column. The following features can also be added: social connect buttons, support for several sites, and module user management, especially when a user creates a page that will be accessed by several other users. Here the page owner can send activation links, deny or approve users, upgrade and downgrade users' membership, and more.
‘H’'s columns also support minor tweaks, SMTP and Mandrill emails, a front-end publisher with multiple images, and customization of users' profiles.
This defines the abilities of the main user column. The secondary column hosts other features, especially spaces for external adverts, chatting with other users, playing online games, and notifications.
The vulnerabilities and strengths of the system are those common to any other web system. They can be classified by where the problem occurs: lapses on the client side or on the server side.
Let us first look in detail at the security situation on the client side. Some of the processing happens in the browser, which increases the chance of an attack. Most browsers include a sandbox, a shell or firewall built around a piece of software that keeps it segregated from the rest of the operating system. The sandbox should prevent the browser from running other programs, reading the contents of the computer's RAM, or opening other files. In actual application, however, the sandbox does the opposite. Through the ‘H’ interface, attackers can reach a user's local resources, especially when the user accepts cookies and other malicious applications in the browser. Browsers also keep a history of the user's recent activity, and malicious people can use this to gain entry to a user's profile.
Many browsers also offer to store login credentials for sites that require a login. Unless the user deletes the browsing history, these can be accessed by attackers. A breach can also occur at the browser end when the password is not encrypted or hidden while it is being keyed in (Garfinkel and Spafford). Similarly, somebody standing behind the user can piece together the password by studying finger movements.
The user's email address is used to authenticate at the first login. What if a person has unauthorized access to that email account? ‘H’ mitigates this by sending an authentication link that is active for only 24 hours. The challenge remains if a person gains access to the account within that time frame.
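The 24-hour authentication link described above can be implemented as a signed, time-limited, single-use token, so that a stolen or replayed link fails outside the window or after one use. The following is an added example written for this page, not code from ‘H’; the secret key, addresses and clock values in it are constructed:

```python
import hashlib
import hmac
import secrets

LINK_TTL_SECONDS = 24 * 60 * 60  # the 24-hour window the text describes


class LoginLinkIssuer:
    """Issues and verifies signed, time-limited, single-use login links.

    A link is 'email|expires|nonce|signature'. The HMAC covers the first three
    fields, so neither the address nor the expiry can be altered, and the nonce
    makes every link unique so that a redeemed link cannot be replayed.
    """

    def __init__(self, secret_key: bytes):
        self._key = secret_key          # per-deployment secret (constructed in tests)
        self._consumed = set()          # digests of links that were already redeemed

    def _sign(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, email: str, now: int, ttl: int = LINK_TTL_SECONDS) -> str:
        if "|" in email:
            raise ValueError("field separator not allowed in address")
        expires = int(now) + ttl
        nonce = secrets.token_hex(8)
        payload = f"{email}|{expires}|{nonce}"
        return f"{payload}|{self._sign(payload)}"

    def verify(self, token: str, now: int):
        """Return (True, email) on success, otherwise (False, reason)."""
        parts = token.split("|")
        if len(parts) != 4:
            return (False, "malformed")
        email, expires, nonce, sig = parts
        payload = "|".join((email, expires, nonce))
        # Constant-time comparison, so a forger learns nothing from timing.
        if not hmac.compare_digest(self._sign(payload), sig):
            return (False, "bad signature")
        # 'expires' is trusted only now that the HMAC over it has been verified.
        if int(now) >= int(expires):
            return (False, "expired")
        digest = hashlib.sha256(token.encode()).hexdigest()
        if digest in self._consumed:
            return (False, "already used")
        self._consumed.add(digest)
        return (True, email)
```

In production the caller passes the current Unix time as `now`; here it is a parameter so the expiry behaviour can be exercised deterministically.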
Client-side weaknesses are more likely than server-side ones. Most users operate PCs or mobile devices on networks that are very weak in terms of security. Actions such as turning off the firewall or running a PC without active, up-to-date anti-virus software are equally dangerous, because they mean the user is operating in a porous region.
Server-side attacks are fewer but the most lethal, because the breach is at the source. An attack on the server is typically camouflaged as a client request, so the server responds to it just as it would to any other. Servers can be compromised in the following ways. Running unnecessary services: ‘H’ can reduce this exposure by running only the relevant services on each server. A program listening on a particular port can receive requests through such services and use them to gain entry to the server. Remote access to servers is equally dangerous; all servers have internet access, and their security can be enhanced by employing internet tunnelling and encryption. Other risks to server security include testing in the server environment, where incomplete programs end up becoming security breaches. ‘H’ servers run both the content and the web application; separating the two is important to prevent unauthorized access.
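One defender-side check for the unnecessary-services risk, as an added example that is not part of the original text: it parses the Linux /proc/net/tcp table (here a constructed excerpt) and reports every listening socket whose port is outside the allow-list an ‘H’ web server is expected to expose.

```python
import socket
import struct

# Ports an ‘H’ web server is expected to expose (constructed allow-list).
ALLOWED_PORTS = {80, 443}

# Constructed excerpt in the /proc/net/tcp layout: local_address is a
# hex IP:port pair and st is the socket state (0A == TCP_LISTEN).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   110        0 10003 1 0000000000000000 100 0 0 10 0
   3: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 100 0 0 10 0
   4: 0100007F:B3A1 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 10005 1 0000000000000000 20 4 0 10 -1
"""

TCP_LISTEN = "0A"


def _decode(hex_addr: str):
    """Turn '0100007F:0CEA' into ('127.0.0.1', 3306)."""
    ip_hex, port_hex = hex_addr.split(":")
    # The kernel writes the IPv4 address in host byte order (little-endian on x86).
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(table: str):
    """Return (ip, port) for every row in LISTEN state, in table order."""
    found = []
    for row in table.splitlines()[1:]:  # skip the header line
        fields = row.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        found.append(_decode(fields[1]))
    return found


def unexpected_listeners(table: str, allowed=ALLOWED_PORTS):
    """Listeners on ports outside the allow-list: candidates for removal or firewalling."""
    return [(ip, port) for ip, port in listening_sockets(table) if port not in allowed]


if __name__ == "__main__":
    for ip, port in unexpected_listeners(SAMPLE_PROC_NET_TCP):
        print(f"unexpected listener {ip}:{port}")
```

On a real host, read the table with `open("/proc/net/tcp").read()` instead of the constructed sample; a listener on 127.0.0.1 is less exposed than one on 0.0.0.0 but still counts as a service the server is running.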
Permissions and privileges are granted to users on request. If this is unregulated, it could turn into Trojan-horse-like entry points. ‘H’ should also ensure that all unused patches are removed and that the security tools provided are enhanced and used adequately.
‘H’ is an application used by a very large number of users, and both its design and its actual implementation should reflect that need.
Garfinkel, Simson, and Gene Spafford. Web Security, Privacy & Commerce. Sebastopol: O'Reilly, 1997.