
ONLINE WORKSHOP ON PRIVACY USING SOCIAL LAB, A SOCIAL ENGINEERING WARGAME

INTED 2013
Valencia, Spain, March 5th, 2013
Authors:
Jon Núñez, Pablo Garaizar, Deusto Institute of Technology, University of Deusto
Ulf-Dietrich Reips, University of Deusto, Ikerbasque, Basque Foundation for Science
Social networking is the new
emailing
texting
IMing
blogging
photo sharing
...
(see Meeker, Devitt, & Wu, 2010)
Social networking seems to be easy...
CC-by-nc-sa joeshlabotnik, http://www.flickr.com/photos/joeshlabotnik/7405703154
...but plenty of unforeseen problems.
Learning about privacy is hard.
(see Fischer-Hübner & Lindskog, 2001; Cranor, Hong, & Reiter, 2007; Ovaska & Räihä, 2009; Edbrooke & Ambrose, 2012)
Privacy concerns are boring
CC-by-nc-nd jamelah, http://www.flickr.com/photos/jamelah/583341746
It's not easy to balance the trade-off
between security and usability
© FOX Broadcasting Company
Most of the materials are children-oriented
http://mediasmarts.ca
Social Lab tackles some of these problems
providing a social engineering wargame
Social engineering
The art of manipulating people into performing actions or divulging confidential information.
© Universal Studios
It works because
there is no patch for human stupidity
CC-by batrace, http://www.flickr.com/photos/batrace/41672951
Purpose of the game
Learn some of the techniques
used by social hackers
Prevent these kinds of attacks
in real social networks
© Columbia Pictures
Wargames
Security challenges in which players must
exploit a vulnerability in an application or gain access to a system.
www.overthewire.org, www.try2hack.nl, www.hackthissite.org, www.smashthestack.org, www.bright-shadows.net
Wargames
“hacker sandboxes”
CC-by-nc-sa trommetter, http://www.flickr.com/photos/trommetter/128400664
Social engineering wargame
A privacy challenge in which players must gain access
to user profiles in a "social sandbox" (a fake social network)
http://en.sociallab.es
How to play Social Lab
1. Sign up
http://en.sociallab.es/signup
2. Sign in
http://en.sociallab.es/sigin
3. Solve social challenges
http://en.sociallab.es/profile/messages
All the challenges are automated profiles with fake
personal information...
(disclaimer: no privacy was harmed in the making of this site)
… but real interactions between players are also
possible
(and can affect the results of the game)
Each time a friendship request is made,
Social Lab checks if it involves an automated profile and
if that is the case, it schedules a task
http://en.sociallab.es/profile/request/id/2
Currently, Social Lab provides a
10-level wargame of increasing difficulty
CC-by-nc-nd -lif-, http://www.flickr.com/photos/-lif-/3485405777
CC-by-sa mightyohm, http://www.flickr.com/photos/mightyohm/3986677172
Using Social Lab's challenges we designed an
online workshop on privacy
Hosted at Udemy
http://udemy.com/social-lab
Slideshows
http://udemy.com/social-lab
Tutorials
http://udemy.com/social-lab
Assessments
(Buchanan, Paine, Joinson, & Reips, 2006)
http://udemy.com/social-lab
Currently we offer:
http://www.sociallab.es
Info about the project:
http://www.sociallab.es
Demo servers:
English version: http://en.sociallab.es
Spanish version: http://es.sociallab.es
German version: http://de.sociallab.es
Basque version: http://eu.sociallab.es
Social Lab's code:
https://github.com/txipi/Social-Lab
A free online workshop on
privacy using Social Lab:
Slideshows
Tutorials
Assessments
www.sociallab.es
References
Leiner, B.M.; Cerf, V.G.; Clark, D.D.; Kahn, R.E.; Kleinrock, L.; Lynch, D.C.; Postel, J; Roberts, L.G.;
Wolff, S.S. (1997). The past and future history of the Internet. Communications of the ACM. Volume 40
Issue 2, pp. 102-108.
Gross, R.; Acquisti, A. (2005). Information Revelation and Privacy in Online Social Networks. School of
Computer Science & School of Public Policy and Management, Carnegie Mellon University.
Dhamija, R.; Tygar, J.D.; Hearst, M. (2006). Why Phishing Works. Harvard University – UC Berkeley, pp.
1-8.
Festl, R.; Quandt, T. (2012). Social Relations and Cyberbullying: The Influence of Individual and Structural
Attributes on Victimization and Perpetration via the Internet. (Human Communication Research) University
Hohenheim – University of Münster.
Donegan, R. (2012). Bullying and Cyberbullying: History, Statistics, Law, Prevention and Analysis. Elon
University, pp. 36-39.
Gottschalk, P. (2011). A Dark Side of Computing and Information Sciences: Characteristics of Online
Groomers. BI Norwegian Business School. Journal of Emerging Trends in Computing and Information
Sciences, pp. 447-451.
Nooriafshar, M. The Evolution of Learning Methods and Facilities with a view to Internationalising
Education. Faculty of Business, University of Southern Queensland, pp. 4-5.
Plautus (195 BC). Asinaria.
Mackness, J., M.; Williams, R. (2010). The ideals and reality of participating in a MOOC. Proceedings of
the 7th International Conference on Networked Learning, University of Lancaster, Lancaster, pp.
266-275.
Buchanan, T., Paine, C., Joinson, A. N., & Reips, U. D. (2006). Development of measures of online privacy
concern and protection for use on the Internet. Journal of the American Society for Information Science
and Technology, 58(2), 157-165.
Meeker, M., Devitt, S. & Wu, L. (2010, June 7), Internet Trends, Morgan Stanley Research. Retrieved from:
http://www.slideshare.net/CMSummit/ms-internet-trends060710final
Johnson, M. (2011). Winning the Cyber Security Game. MediaSmarts, Media Awareness Network.
Retrieved from: http://cira.ca/assets/Documents/Publications/WinningCyberSecurityGameLesson.pdf
Johnson, M. (2011). Privacy Pirates: An Interactive Unit on Online Privacy. MediaSmarts, Media Awareness
Network. Retrieved from: http://mediasmarts.ca/blog/privacy-pirates-interactive-unit-online-privacy
Johnson, M. (2011). From Passport to MyWorld: Media Awareness Network extends digital literacy skills
to secondary students. MediaSmarts, Media Awareness Network. Retrieved from:
http://mediasmarts.ca/blog/passport-myworld-media-awareness-network-extends-digital-literacy-skills-secondary-students
Data from the first 100 users
181 friendship requests
between players
(26 accepted, 7 rejected, 148 pending)
101 status updates
629 messages
between players
(13 public, 616 private)
Distribution of achieved challenges:
All rights of images are reserved by the
original owners*, the rest of the
content is licensed under a Creative
Commons by-sa 3.0 license
* see references in each slide
... This study examines the use, in an online course in MOOC format, of a simulated social network called "Social Lab" as an educational tool to improve teachers' digital competence in the area of safe and responsible use of technology. Although previous studies have described how Social Lab has been used to provide a social engineering wargame for learning about privacy [48]-[50], this is the first study to report an evaluation of the usefulness of Social Lab as an educational tool. ...
Article
There is a worrying gap between the digital competence that teachers must have to effectively develop their students’ digital competence and the one they actually have, especially in the area related to the safe and responsible use of technology. Further investigation is needed on the use of training activities, methods and tools aimed at enhancing this competence. This article examines, in the context of an online course in MOOC format, the usefulness of Social Lab, a simulated social network, as an educational tool to improve the digital competence of teachers in the area of safe and responsible use of technology.
... The Social Lab privacy wargame can be used individually via the Internet or within a training program or workshop about social networking where a teacher provides instructions or hints on how to advance in the game to complete it during the workshop (Nuñez, Garaizar, & Reips, 2013). Table 3 shows the set of social bots required to create the 10 levels of the example wargame. ...
Article
Social networking has surpassed e-mail and instant messaging as the dominant form of online communication (Meeker, Devitt, & Wu, 2010). Currently, all large social networks are proprietary, making it difficult to impossible for researchers to make changes to such networks for the purpose of study design and access to user-generated data from the networks. To address this issue, the authors have developed and present Social Lab, an Internet-based free and open-source social network software system available from http://www.sociallab.es . Having full availability of navigation and communication data in Social Lab allows researchers to investigate behavior in social media on an individual and group level. Automated artificial users ("bots") are available to the researcher to simulate and stimulate social networking situations. These bots respond dynamically to situations as they unfold. The bots can easily be configured with scripts and can be used to experimentally manipulate social networking situations in Social Lab. Examples for setting up, configuring, and using Social Lab as a tool for research in social media are provided.
Article
Current research indicates that an alarming number of students are affected by cyberbullying. However, most of the empirical research has focused on psychological explanations of the phenomenon. In an explorative survey study based on the reconstruction of 2 complete school networks (NP = 408), we expand the explanation strategies of cyberbullying to higher levels of social abstraction. Using statistical and structural analysis, and visual inspection of network environments, we compare explanations on individual and structural levels. In line with previous research, the findings support traditional explanations via sociodemographic and personality factors. However, the findings also reveal network positioning to be a comparably strong predictor for cyberbullying. Therefore, we argue that without taking structural factors into account, individual explanations will remain insufficient.
Conference Paper
'CCK08' was a unique event on Connectivism and Connective Knowledge within a MOOC (Massive Open Online Course) in 2008. It was a course and a network about the emergent practices and the theory of Connectivism, proposed by George Siemens as a new learning theory for a digital age. It was convened and led by Stephen Downes and George Siemens through the University of Manitoba, Canada. Although the event was not formally advertised, more than 2000 participants from all over the world registered for the course, with 24 of these enrolled for credit. The course presented a unique opportunity to discover more about how people learn in large open networks, which offer extensive diversity, connectivity and opportunities for sharing knowledge. Learners are increasingly exercising autonomy regarding where, when, how, what and with whom to learn. To do this, they often select technologies independent of those offered by traditional courses. In CCK08 this autonomy was encouraged and learning on the course was distributed across a variety of platforms. This paper explores the perspectives of some of the participants on their learning experiences in the course, in relation to the characteristics of connectivism outlined by Downes, i.e. autonomy, diversity, openness and connectedness/interactivity. The findings are based on an online survey which was emailed to all active participants and email interview data from self-selected interviewees. The research found that autonomy, diversity, openness and connectedness/interactivity are indeed characteristics of a MOOC, but that they present paradoxes which are difficult to resolve in an online course. The more autonomous, diverse and open the course, and the more connected the learners, the more the potential for their learning to be limited by the lack of structure, support and moderation normally associated with an online course, and the more they seek to engage in traditional groups as opposed to an open network. 
These responses constrain the possibility of having the positive experiences of autonomy, diversity, openness and connectedness/interactivity normally expected of an online network. The research suggests that the question of whether a large open online network can be fused with a course has yet to be resolved. Further research studies with larger samples are needed, as is an investigation into the ethical considerations which may need to be taken into account when testing new theory and practice on course participants.
Article
As the Internet grows in importance, concerns about online privacy have arisen. The authors describe the development and validation of three short Internet-administered scales measuring privacy-related attitudes (Privacy Concern) and behaviors (General Caution and Technical Protection). In Study 1, 515 people completed an 82-item questionnaire from which the three scales were derived. In Study 2, scale validity was examined by comparing scores of individuals drawn from groups considered likely to differ in privacy-protective behaviors. In Study 3, correlations between the scores on the current scales and two established measures of privacy concern were examined. The authors conclude that these scales are reliable and valid instruments suitable for administration via the Internet, and present them for use in online privacy research.
Article
The European Online Grooming Project from 2009 to 2011 involved researchers from Norway, Italy, Belgium and the UK. The project had three separate but interlinked phases. The first was a scoping project. The second and third phases involved interviews with convicted online groomers across Europe and dissemination activity respectively. The key features of grooming behavior the study identified do not apply to all groomers in all contacts they have with young people. These features of online grooming include factors that help maintain the behavior such as the online environment, dissonance and offenders' perceptions of young people and their behavior. The research also identified salient behaviors in the grooming process such as: scanning the online environment for potential people to contact, the identity adopted by the groomer (be it their own or another); the nature of contact with the young person; the different ways in which the online groomer can intensify the process of grooming and the diverse range of outcomes toward the end of the process. In particular, it is clear from the research that not all episodes of online grooming result in a physical meeting. The first 'type' of groomer identified is the distorted attachment offender. Men in this group had offence supportive beliefs that involved seeing contact with the young person as a 'relationship'. The second type is the adaptable online groomer. This group of men had offence supportive beliefs that involved their own needs and seeing the victim as mature and capable. Finally, the hyper-sexualized group of men was characterized by extensive indecent image collections of children and significant online contact with other sexual offenders or offender groups.
Article
The main purpose of this paper is to demonstrate the role of innovative approaches to education with a view to its internationalisation. The paper provides an overview of how learning has evolved and progressed over the years and then it presents and discusses the impact of facilities and institutes, equipment and technologies on learning over the centuries. An innovative way of capturing, storing and transferring knowledge is put forward. Discussions on past and present learning means and methods intend to encourage us to think about the future of education. The paper investigates ways of crossing the language barriers and internationalising
Conference Paper
To build systems shielding users from fraudulent (or phishing) websites, designers need to know which attack strategies work and why. This paper provides the first empirical evidence about which malicious strategies are successful at deceiving general users. We first analyzed a large set of captured phishing attacks and developed a set of hypotheses about why these strategies might work. We then assessed these hypotheses with a usability study in which 22 participants were shown 20 web sites and asked to determine which ones were fraudulent. We found that 23% of the participants did not look at browser-based cues such as the address bar, status bar and the security indicators, leading to incorrect choices 40% of the time. We also found that some visual deception attacks can fool even the most sophisticated users. These results illustrate that standard security indicators are not effective for a substantial fraction of users, and suggest that alternative approaches are needed.
Conference Paper
Participation in social networking sites has dramatically increased in recent years. Services such as Friendster, Tribe, or the Facebook allow millions of individuals to create online profiles and share personal information with vast networks of friends - and, often, unknown numbers of strangers. In this paper we study patterns of information revelation in online social networks and their privacy implications. We analyze the online behavior of more than 4,000 Carnegie Mellon University students who have joined a popular social networking site catered to colleges. We evaluate the amount of information they disclose and study their usage of the site's privacy settings. We highlight potential attacks on various aspects of their privacy, and we show that only a minimal percentage of users changes the highly permeable privacy preferences.