That video or picture you “liked” on social media of a cute dog, your favourite team or political candidate can actually be altered in a cyberattack to something completely different, detrimental and potentially criminal, according to cybersecurity researchers at Ben-Gurion University of the Negev (BGU).
The researchers looked at seven online platforms and identified similar serious weaknesses in the management of the posting systems of Facebook, Twitter and LinkedIn. Twitter does not permit changes to posts and, normally, Facebook and LinkedIn indicate a post has been edited. But this new attack overrides that.
“Imagine watching and ‘liking’ a cute kitty video in your Facebook feed and a day later a friend calls to find out why you ‘liked’ a video of an ISIS execution,” says Dr. Rami Puzis, a researcher in the BGU Department of Software and Information Systems Engineering.
“You log back on and find that indeed there’s a ‘like’ there. The repercussions from indicating support by liking something you would never do (Biden vs. Trump, Yankees vs. Red Sox, ISIS vs. USA) from employers, friends, family, or government enforcement unaware of this social media scam can wreak havoc in just minutes.”
In this new study, published on arXiv.org, the researchers explain how they penetrated individual profiles and groups in several experiments and how the Online Social Network (OSN) attack, dubbed “Chameleon,” can be executed. The attack involves maliciously changing the way content is displayed publicly without any indication whatsoever that it was changed until you log back on and see. The post still retains the same likes and comments.
Click here for Facebook demo. The picture and video of the candidate change every time you click on it or refresh the page within 30 to 60 seconds.
“Adversaries can misuse Chameleon posts to launch multiple types of social network scams,” says Dr. Puzis. “First and foremost, social network Chameleons can be used for shaming or incrimination, as well as to facilitate the creation and management of fake profiles in social networks.”
“They can also be used to evade censorship and monitoring, in which a disguised post reveals its true self after being approved by a moderator. Chameleon posts can also be used to unfairly collect social capital (posts, likes, links, etc.) by first disguising itself as popular content and then revealing its true self and retaining the collected interactions.”
Facebook and LinkedIn partially mitigate the problem of modifications made to posts after their publication by displaying an indication that a post was edited. Other OSNs, such as Twitter or Instagram, do not allow published posts to be edited. Nevertheless, the major OSNs (Facebook, Twitter and LinkedIn) allow publishing redirect links, and they support link preview updates. This allows for changing the way a post is displayed without any indication that the target content of the URLs has been changed.
In Chameleon, first, the attacker collects information about the victim, an individual. The attacker creates Chameleon posts or profiles that contain the redirect links and attracts the victim’s attention to the Chameleon posts and profiles, in a manner similar to phishing attacks. The Chameleon content builds trust within the OSN, collects social capital and interacts with the victims. This phase is very important for the success of targeted and untargeted Chameleon attacks. It is similar to a general cloaking attack on the Web, but the trust of users in the OSN lowers the attack barrier.
BGU researchers have notified LinkedIn, Twitter and Facebook about the identified misuse. Facebook and Twitter run open bug-bounty programs, which often pay significant sums for disclosing vulnerabilities with the purpose of bettering their systems and eliminating system bugs and malfunctions. LinkedIn has a closed team of white-hat hackers, but also accepts reports from outsiders without paying bounties.
Despite this significant issue, which has wide-ranging consequences in a well-targeted attack, the responses from all three social networks are concerning when it comes to protecting billions of platform users worldwide.
Facebook responded that the reported issue “appears to describe a phishing attack against Facebook users and infrastructure” and that “such issues do not qualify under our bug bounty program.”
Twitter acknowledged the problem and stated in an email, “This behavior has been reported to us previously. While it may not be ideal, at this time, we do not believe this poses more of a risk than the ability to tweet a URL of any kind since the content of any web page may also change without warning.” Twitter relies on URL blacklisting implemented within their URL shortener to identify potentially harmful links and “warn users if they are navigating to a known malicious URL.”
The LinkedIn support team were willing to investigate this issue. After receiving further requested details they started their investigation on Dec 14, 2019. “We are waiting for updates any day now,” Dr. Puzis says.
To mitigate these issues, the BGU team recommends practitioners and researchers immediately identify potential Chameleon profiles throughout the OSNs, as well as develop and incorporate redirect reputation mechanisms into machine learning methods for identifying social network misuse. They should also include the Chameleon attack in security awareness programs alongside phishing scams and related scams.
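The mechanism described above (a redirect link whose final target, and therefore the post's preview, can change after publication with no edit indicator) and the recommended redirect reputation mechanism can be turned into a simple monitor. The following is an added illustration, not code from the BGU paper: it resolves each post's link at publication time, re-resolves it later, and flags posts whose destination changed without an edit marker, while counting drift events per redirect host as a reputation signal. The redirect tables, hostnames and post ids are constructed stand-ins for the HTTP 3xx responses a real crawler would follow.

```python
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Constructed redirect tables standing in for the HTTP 3xx responses a
# crawler would observe at publication time and again later (sample data).
REDIRECTS_AT_PUBLISH = {
    "https://short.example/abc": "https://cdn.example/cute-kitten.mp4",
    "https://short.example/xyz": "https://news.example/story",
}
REDIRECTS_LATER = {
    "https://short.example/abc": "https://other.example/hop",
    "https://other.example/hop": "https://other.example/swapped-video.mp4",
    "https://short.example/xyz": "https://news.example/story",
}

def resolve(url: str, redirects: Dict[str, str], max_hops: int = 10) -> Tuple[str, int]:
    """Follow a redirect chain to its final target. Returns (final_url, hop_count)."""
    seen, hops = set(), 0
    while url in redirects:
        if url in seen or hops >= max_hops:
            raise ValueError(f"redirect loop or chain too long at {url}")
        seen.add(url)
        url = redirects[url]
        hops += 1
    return url, hops

@dataclass(frozen=True)
class Snapshot:
    final_url: str
    hops: int

class RedirectMonitor:
    """Records where each post's link resolved at publication and flags later drift."""
    def __init__(self) -> None:
        self.baseline: Dict[Tuple[str, str], Snapshot] = {}
        self.drift_by_host: Dict[str, int] = {}  # redirect host -> drift events seen

    def observe(self, post_id: str, url: str, redirects: Dict[str, str], edited: bool) -> str:
        final_url, hops = resolve(url, redirects)
        key = (post_id, url)
        if key not in self.baseline:
            self.baseline[key] = Snapshot(final_url, hops)
            return "baseline"
        if final_url == self.baseline[key].final_url:
            return "unchanged"
        host = urlsplit(url).hostname or url
        self.drift_by_host[host] = self.drift_by_host.get(host, 0) + 1
        # Target changed while the post shows no edit marker: the Chameleon signature.
        return "drift-unedited" if not edited else "drift-edited"

    def reputation(self, host: str) -> int:
        """Higher means more observed target swaps behind this redirect host."""
        return self.drift_by_host.get(host, 0)
```

In a real deployment `resolve` would be replaced by an HTTP client that follows 3xx responses, and the per-host drift count would feed the reputation feature of a misuse classifier.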
“On social media today, people make judgments in seconds, so this is an issue that requires solving, especially before the upcoming U.S. election,” says Dr. Puzis.
The BGU researchers will present the Chameleon attack paper at The Web Conference in Taipei, Taiwan on April 20-24.
Note: The Facebook demo will stop working when Facebook fixes the problem or, more likely, when the account that operates the demo is locked. In that case, a new demo will be provided.
The BGU researchers from the Department of Software and Information Systems Engineering who also participated in this study are: Aviad Elyashar, Sagi Uziel and Abigail Paradise.
Alexa can now read all messages
For the first time, an Alexa skill is available that makes it possible to listen to any kind of message while driving
For the first time, Alexa users can now hear all their messages and email read aloud.
Amazon’s Alexa has become a household name. The world’s most popular virtual assistant is getting smarter every day and now, with Amazon Echo Auto, it’s in cars too.
“In today’s highly connected world, messaging in the form of emails, texts, Facebook Messenger, WhatsApp and work channels like Slack, are integral to our daily routine,” says Barrie Arnold, chief revenue officer at ping. “However, distracted driving is responsible for more than 25% of car crashes and thousands of preventable fatalities every year.”
ping, a specialist in voice technology founded by Arnold and South African Garin Toren, has developed a new Alexa skill as a companion to its patented smartphone app, that enables any message type to be read aloud. Designed for safety, productivity and convenience, “pingloud” is the first skill of its kind for keeping users connected when they need a hand or an extra pair of eyes.
“The ping Alexa skill is specifically designed to help drivers stay off their phones while giving them exactly what they want – access to their messages,” says Toren, ping CEO.
Opening up Alexa to developers has resulted in an explosion of new skills available either for free or for a fee that unlocks premium services or features. These tools magnify the usefulness of Alexa devices beyond common tasks like asking for the weather, playing music or requesting help on a homework assignment. According to App Annie, the most downloaded apps in 2019 were Facebook Messenger, Facebook’s main app and WhatsApp, highlighting the importance of messaging.
“The ping Android app is available worldwide from the Google Play Store, reading all messages out loud in 30 languages,” says Toren. “The iOS version is in global beta testing with the US launch coming very soon.”
Once you’ve signed up for ping, it takes a few seconds to link with Alexa, enabling all messages and emails to be read aloud by a smart speaker or Echo Auto device. Simply say, “Hey Alexa, open pingloud.” ping links an account to a voice profile so unauthorised users with access to the same Alexa cannot ask for the authorised user’s messages.
All major message types are supported, including Texts/SMS, WhatsApp, Facebook Messenger, WeChat, Snapchat, Slack, Telegram, Twitter DMs, Instagram, and all email types. Promotional and social emails are not read by default.
For more information, visit www.pingloud.com
Coronavirus to hit 5G
Global 5G smartphone shipments are expected to reach 199 million units in 2020, after disruption caused by the coronavirus scare put a cap on sales forecasts, according to the latest research from Strategy Analytics.
Ken Hyers, Director at Strategy Analytics, said, “Global 5G smartphone shipments will grow more than tenfold from 19 million units in 2019 to 199 million in 2020. The 5G segment will be the fastest-growing part of the worldwide smartphone industry this year. Consumers want faster 5G smartphones to surf richer content, such as video or games. We forecast 5G penetration to rise from 1 percent of all smartphones shipped globally in 2019 to 15 percent of total in 2020.”
Ville-Petteri Ukonaho, Associate Director at Strategy Analytics, added, “China, United States, South Korea, Japan and Germany are by far the largest 5G smartphone markets this year. The big-five countries together will make up 9 in 10 of all 5G smartphones sold worldwide in 2020. However, other important regions, like India and Indonesia, are lagging way behind and will not be offering mass-market 5G for at least another year or two.”
Neil Mawston, Executive Director at Strategy Analytics, added, “The global 5G smartphone industry is growing quickly, but the ongoing coronavirus scare and subsequent economic slowdown will put a cap on overall 5G demand this year. The COVID-19 outbreak is currently restricting smartphone production in Asia, disrupting supply chains, and deterring consumers from visiting retail stores to buy new 5G devices in some parts of China. The first half of 2020 will be much weaker than expected for the 5G industry, but we expect a strong bounce-back in the second half of the year if the coronavirus spread is brought under control.”
Exhibit 1: Global 5G Smartphone Shipments Forecast in 2020

| Global Smartphone Shipments (Millions of Units) | 2019 | 2020 |
|---|---|---|
| 5G | 19 | 199 |
| Rest of Market | 1394 | 1165 |

| Global Smartphone Shipments (% of Total) | 2019 | 2020 |
|---|---|---|
| 5G | 1% | 15% |
| Rest of Market | 99% | 85% |
Source: Strategy Analytics
The full report, Global Handset Sales for 88 Countries & 19 Technologies, is published by the Strategy Analytics Emerging Device Technologies (EDT) service, details of which can be found here: https://tinyurl.com/wep83gc.