That video or picture you “liked” on social media of a cute dog, your favourite team or political candidate can actually be altered in a cyberattack to something completely different, detrimental and potentially criminal, according to cybersecurity researchers at Ben-Gurion University of the Negev (BGU).
The researchers looked at seven online platforms and identified similar serious weaknesses in the management of the posting systems of Facebook, Twitter and LinkedIn. Twitter does not permit changes to posts and, normally, Facebook and LinkedIn indicate a post has been edited. But this new attack overrides that.
“Imagine watching and ‘liking’ a cute kitty video in your Facebook feed and a day later a friend calls to find out why you ‘liked’ a video of an ISIS execution,” says Dr. Rami Puzis, a researcher in the BGU Department of Software and Information Systems Engineering.
“You log back on and find that indeed there’s a ‘like’ there. The repercussions from indicating support by liking something you would never do (Biden vs. Trump, Yankees vs. Red Sox, ISIS vs. USA) from employers, friends, family, or government enforcement unaware of this social media scam can wreak havoc in just minutes.”
In this new study, published on arXiv.org, the researchers explain how they penetrated individual profiles and groups in several experiments and how the Online Social Network (OSN) attack, dubbed “Chameleon,” can be executed. The attack involves maliciously changing the way content is displayed publicly without any indication whatsoever that it was changed; the change only becomes apparent when you log back on and look. The post still retains the same likes and comments.
Click here for the Facebook demo. The picture and video of the candidate change every time you click on it or refresh the page, within 30 to 60 seconds.
“Adversaries can misuse Chameleon posts to launch multiple types of social network scams,” says Dr. Puzis. “First and foremost, social network Chameleons can be used for shaming or incrimination, as well as to facilitate the creation and management of fake profiles in social networks.”
“They can also be used to evade censorship and monitoring, in which a disguised post reveals its true self after being approved by a moderator. Chameleon posts can also be used to unfairly collect social capital (posts, likes, links, etc.) by first disguising themselves as popular content and then revealing their true selves while retaining the collected interactions.”
Facebook and LinkedIn partially mitigate the problem of modifications made to posts after their publication by displaying an indication that a post was edited. Other OSNs, such as Twitter or Instagram, do not allow published posts to be edited. Nevertheless, the major OSNs (Facebook, Twitter and LinkedIn) allow publishing redirect links, and they support link preview updates. This allows for changing the way a post is displayed without any indication that the target content of the URLs has been changed.
In a Chameleon attack, the attacker first collects information about the victim, an individual. The attacker then creates Chameleon posts or profiles that contain the redirect links and attracts the victim’s attention to them, in a manner similar to phishing attacks. The Chameleon content builds trust within the OSN, collects social capital and interacts with the victims. This phase is very important for the success of both targeted and untargeted Chameleon attacks. It is similar to a general cloaking attack on the Web, but users’ trust in the OSN lowers the attack barrier.
BGU researchers have notified LinkedIn, Twitter and Facebook about the identified misuse. Facebook and Twitter run open bug-bounty programs, which often pay significant sums for disclosing vulnerabilities with the purpose of bettering their systems and eliminating system bugs and malfunctions. LinkedIn has a closed team of white-hat hackers, but also accepts reports from outsiders without paying bounties.
Despite this significant issue, with wide-ranging consequences in a well-targeted attack, the responses from all three social networks are worrying when it comes to protecting billions of platform users worldwide.
Facebook responded that the reported issue ‘appears to describe a phishing attack against Facebook users and infrastructure’ and that ‘such issues do not qualify under our bug bounty program.’
Twitter acknowledged the problem and stated in an email, “This behavior has been reported to us previously. While it may not be ideal, at this time, we do not believe this poses more of a risk than the ability to tweet a URL of any kind since the content of any web page may also change without warning.” Twitter relies on URL blacklisting implemented within their URL shortener to identify potentially harmful links and “warn users if they are navigating to a known malicious URL.”
The LinkedIn support team were willing to investigate this issue. After receiving further requested details, they started their investigation on Dec 14, 2019. “We are waiting for updates any day now,” Dr. Puzis says.
To mitigate these issues, the BGU team recommends practitioners and researchers immediately identify potential Chameleon profiles throughout the OSNs, as well as develop and incorporate redirect reputation mechanisms into machine learning methods for identifying social network misuse. They should also include the Chameleon attack in security awareness programs alongside phishing scams and related scams.
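One way to implement the preview-consistency and redirect-reputation check described above, as an added example that is not the BGU team's code nor any platform's: it re-resolves a post's redirect link and compares the final target with the one the stored link preview was generated from, and refuses to follow redirect loops or over-long chains. The redirect tables, URLs and hosts are constructed sample data, and the verdict labels are assumptions of this example.

```python
"""Flag Chameleon-style link drift: a shared redirect link now resolves elsewhere than its stored preview target (constructed demo)."""
from urllib.parse import urlsplit

def resolve_redirects(url, redirect_table, max_hops=10):
    """Follow simulated 30x hops; returns (final_url, hops, 'ok'|'loop'|'too_many_hops')."""
    hops, current = [url], url
    while current in redirect_table:
        nxt = redirect_table[current]
        if nxt in hops:                    # A -> B -> A: refuse to spin
            return current, hops, "loop"
        if len(hops) >= max_hops:
            return current, hops, "too_many_hops"
        hops.append(nxt)
        current = nxt
    return current, hops, "ok"

def assess_link(link, preview_target, redirect_table_now):
    """Compare where the link resolves now with the target the preview came from."""
    final, hops, status = resolve_redirects(link, redirect_table_now)
    if status != "ok":
        return {"verdict": "unresolvable", "status": status, "hops": hops}
    if final == preview_target:
        return {"verdict": "consistent", "final": final, "hops": hops}
    # Same host, new path (a moved article) is ordinary drift; a different host
    # behind an unchanged preview is the Chameleon pattern the study describes.
    same_host = urlsplit(final).hostname == urlsplit(preview_target).hostname
    verdict = "drift" if same_host else "chameleon_suspect"
    return {"verdict": verdict, "final": final, "was": preview_target, "hops": hops}

# Constructed snapshots of one redirector's behaviour at preview time and now.
REDIRECTS_AT_PREVIEW = {
    "https://redir.example/p1": "https://kittens.example/video/123",
    "https://redir.example/p2": "https://news.example/story/42",
    "https://redir.example/p3": "https://blog.example/post/7",
    "https://redir.example/p4": "https://docs.example/faq",
}
REDIRECTS_NOW = {
    "https://redir.example/p1": "https://other.example/very-different",  # target swapped
    "https://redir.example/p2": "https://news.example/story/42-updated",  # same host
    "https://redir.example/p3": "https://redir.example/loop",
    "https://redir.example/loop": "https://redir.example/p3",            # A -> B -> A
    "https://redir.example/p4": "https://docs.example/faq",              # unchanged
}

def audit_posts(links):
    """Rebuild each post's preview target from the earlier snapshot, then re-resolve."""
    return {link: assess_link(link, resolve_redirects(link, REDIRECTS_AT_PREVIEW)[0],
                              REDIRECTS_NOW) for link in links}
```

Calling audit_posts(REDIRECTS_AT_PREVIEW) yields one verdict per shared link; in a real deployment the "then" snapshot is the target recorded when the preview was cached and the "now" resolution is a fresh HEAD request with the same hop limit.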
“On social media today, people make judgments in seconds, so this is an issue that requires solving, especially before the upcoming U.S. election,” says Dr. Puzis.
The BGU researchers will present the Chameleon attack paper at The Web Conference in Taipei, Taiwan on April 20-24.
Note: The Facebook demo will stop working when Facebook fixes the problem or, more likely, when the account that operates the demo is locked. In that case, a new demo will be provided.
The BGU researchers from the Department of Software and Information Systems Engineering who also participated in this study are: Aviad Elyashar, Sagi Uziel and Abigail Paradise.
SA’s Internet goes down again
South Africa is about to experience a small repeat of the lower speeds and loss of Internet connectivity suffered in January, thanks to a new undersea cable break, writes BRYAN TURNER
Internet service provider Afrihost has notified customers that there are major outages across all South African Internet Service Providers (ISPs), as a result of a break in the WACS undersea cable between Portugal and England.
The cause of the cable break is unclear. It marks the second major breakage event along the West African Internet sea cables this year, and comes at the worst possible time: as South Africans grow heavily dependent on their Internet connections during the COVID-19 lockdown.
As a result of the break, international websites and services, including VPNs (virtual private networks), may suffer higher latency: slower speeds and longer response times.
WACS runs from Yzerfontein in the Western Cape, up the West Coast of Africa, and terminates in the United Kingdom. It makes a stop in Portugal before it reaches the UK, and the breakage is reportedly somewhere between these two countries.
The cable is owned in portions by several companies, and the portion where the breakage has occurred belongs to Tata Communications.
The alternate routes are:
- SAT3, which runs from Melkbosstrand, also in the Western Cape, up the West Coast and terminates in Portugal and Spain. This cable runs nearly parallel to WACS and has less Internet capacity than WACS.
- ACE (Africa Coast to Europe), which also runs up the West Coast.
- The SEACOM cable runs from South Africa, up the East Coast of Africa, terminating in both London and Dubai.
- The EASSy cable also runs from South Africa, up the East Coast, terminating in Sudan, from where it connects to other cables.
The routes most ISPs in South Africa use are WACS and SAT3, due to cost reasons.
The impact will not be as severe as in January, though. All international traffic is being redirected via alternative cable routes. This is a viable way of keeping users connected to the Internet, but it might not be suitable for latency-sensitive applications like international video conferencing.
SA cellphones to be tracked to fight coronavirus
Several countries are tracking cellphones to understand who may have been exposed to coronavirus-infected people. South Africa is about to follow suit, writes BRYAN TURNER
From Israel to South Korea, governments and cell networks have been implementing measures to trace the cellphones of coronavirus-infected citizens, and who they’ve been around. The mechanisms countries have used have varied.
In Iran, citizens were encouraged to download an app that claimed to diagnose COVID-19 with a series of yes or no questions. The app also tracked real-time location with a very high level of accuracy, provided by the GPS sensor.
In Germany, all cellphones on Deutsche Telekom are being tracked through cell tower connections, providing a much coarser location, but a less invasive method of tracking. The data is being handled by the Robert Koch Institute, the German version of the US Centers for Disease Control and Prevention.
In Taiwan, those quarantined at home are tracked via an “electronic fence”, which determines if users leave their homes.
In South Africa, preparations have started to track cellphones based on cell tower connections. The choice of this method is understandable, as many South Africans may either feel an app is too intrusive to have installed, or may not have the data to install the app. This method also allows more cellphones, including basic feature phones, to be tracked.
This means that users can be tracked on a fairly anonymised basis, because cell tower locations are only accurate to about 2 square kilometers. Clearly, this method of tracking is not meant to monitor individual movements, but rather to gain a sense of who’s been around which general area.
This data could be used to find lockdown violators, if one considers that a phone connecting in Hillbrow for the first 11 days of lockdown, and then connecting in Morningside for the next 5, likely indicates a person has moved for an extended period of time.
Communications minister Stella Ndabeni-Abrahams said that South African network providers have agreed to provide government with location data to help fight COVID-19.
Details on how the data will be used, and what it will be used to determine, are still unclear.