Vulnerabilities / Threats

10:30 AM
Tamer Hassan
Tamer Hassan
Connect Directly
E-Mail vvv

Why Information Integrity Attacks Pose New Security Challenges

To fight information integrity attacks like the ones recently perpetrated by bots on the FCC's website, we need to change our stance and look for the adversaries hiding in plain sight.

In December 2017, people looking through the Federal Communications Commission's net neutrality comment form witnessed a miracle — the dead returning to life.

Or that's how it looked, anyway. In reality, cybercriminals used a botnet to post what an analysis by the New York State Justice Department estimated to be over 2 million identical comments under the names and street addresses of real people. In a strange twist, frustrated users quickly took to Twitter to report that some of these names belonged to their deceased family members and friends.

Though this instance of fraud may seem like a one-off, I believe we're only seeing the beginning of this kind of threat. We're likely to see more and more efforts to obscure or influence public opinion like this in the near future, and it will become more difficult to separate the bots from real users.

Source: White Ops
Source: White Ops

A Threat to Us All
In this instance, cybercriminals are using a tactic called skewing — deploying huge botnets to flood a comments section — to, well, "skew" public opinion. The bot comments not only drowned out real users but could also have shifted the sentiment of the public conversation about net neutrality. Though the FCC says it didn't pay much attention to the comments, the implications of the attack are more pressing than the attack itself. Identity fraud was used to influence a vote in Congress that would determine the fate of one of the most important Internet laws in our society — who knows what else these botnets could be used for?

It used to be that bots were easy to detect and stop because they behaved in ways that clearly broke the rules set by websites for users. In many cases, bots would try to inject code on the website they were invading, an action that is clearly not allowed and therefore subjects the account to banning or suspension by moderators.

The tricky thing about today's bots is that, on paper, they follow all the rules. They can register a real email address to create an account, confirm a password, and even pass CAPTCHA tests to "prove" that they're human users at a 70% success rate. At White Ops, we see that 75% of malicious bots are actually operating off of real humans' machines. They hide in the background, mimic behaviors and browsing times, and use their hosts' cookies and browsing history. That makes it an awful lot harder to identify bots, block them, and prevent them from tipping the scales of public opinion.

The only reason the fraudulent FCC comments were detected in the first place was because the botnet's operators made the mistake of impersonating deceased human users. On the whole, the botnet appears to have been fairly rudimentary, not very likely the work of sophisticated cybercriminals. Otherwise, this threat may have gone completely undetected among the form letters and authentic traffic, which raises a frightening question: how many of these attacks have already happened right under our noses?

While the damage done by cybercrimes, such as breaking into and stealing from someone's online bank account, can be disastrous, the implications of this kind of "zombie" network go far deeper. Cybercriminals most likely utilized similar botnets on both sides of the 2016 presidential election, and their effect on its results are ultimately impossible to quantify.

If left unchecked, these bots will steadily erode human users' trust in anything they see on the Web. Given how easy it is to impersonate human behaviors, how popular will the most popular stories in your feed be, really? Does the song that's topping the charts of your favorite streaming service or the latest viral video really have that many plays? Is the metric that's guiding your company's decisions based in anything real or the work of some unseen manipulator hiding in the shadows?

Make no mistake — the stakes here are high. In many ways, the Internet is ruled by algorithms and machine learning that curate what makes it to the top of the charts on a minute-by-minute basis. The ability to manipulate those rankings can have real value. It’s gaining that kind of visibility that fuels the multibillion dollar advertising industry that we know today.

In the near future, wars over public opinion could be determined by who has the most convincing bots, not the most convincing argument.

Stemming the Tide of Bot Traffic
The fraud campaign to take down net neutrality seems to be the work of amateurs, yet it still very well could have influenced a major congressional vote. Cybercriminals are installing malware on our computers and using them to do practically anything they want. We don't necessarily know what else hackers have accomplished using our names and addresses.

There's always a way to identify and stop new automated threats, no matter how large and untraceable they may seem. But it can't happen until cybersecurity professionals everywhere recognize the potential severity of this problem, not just for specific entities on the Internet, but for our ability to trust anything that we find online.

Some commentators have said the end of net neutrality heralds the death of the Internet — but ironically enough, it may be the wake-up call that inspires us to save it.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

Prior to co-founding White Ops, Tamer Hassan was the founder and CEO of Compel Data Technologies Inc., a software development and consulting company focused on big data and business intelligence solutions. In the years prior to entering the technology sector, Tamer was a ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
4/28/2018 | 8:13:08 PM
Bot vs. AI
If bots strated this much trouble wait and see when AI comes into the game.
User Rank: Ninja
4/28/2018 | 8:09:57 PM
In the near future, wars over public opinion could be determined by who has the most convincing bots, not the most convincing argument. Ths is really true and at the same time is really scary.
User Rank: Ninja
4/28/2018 | 8:07:36 PM
There are good and bad use of bots obviously. This is one reason why we need to put technology in use of good,
Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
White Hat to Black Hat: What Motivates the Switch to Cybercrime
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
PGA of America Struck By Ransomware
Dark Reading Staff 8/9/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now about that mortgage refinance offer from Wells Fargo .....
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-08-14
An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera G5 firmware 1.87.00. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability...
PUBLISHED: 2018-08-14
An exploitable stack-based buffer overflow vulnerability exists in the 802dot1xclientcert.cgi functionality of Sony IPELA E Series Camera G5 firmware 1.87.00. A specially crafted POST can cause a stack-based buffer overflow, resulting in remote code execution. An attacker can send a malicious POST r...
PUBLISHED: 2018-08-14
In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.
PUBLISHED: 2018-08-14
In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows,...
PUBLISHED: 2018-08-14
Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.