Profile Poisoning the Next Frontier for Hackers

Google and Facebook already know everything about you – your interests, friends, tastes and even your movements. That is already a privacy nightmare, but researchers at the Georgia Institute of Technology’s Information Security Center (GTISC) think it could soon become a security nightmare too.

Automated information systems already determine what version of the news most of us see. But researchers at Georgia Tech warn that the power of such systems to shape what each of us sees online could soon become a powerful tool in the hands of sophisticated attackers, who might look for ways to manipulate victims’ online profiles to steer them to certain sites, according to the report “Emerging Cyber Threats Report 2013.”

Researchers at Georgia Tech said attacks that manipulate a victim’s search history, which is part of their online profile, using cross-site request forgery are already technically feasible. In practice, they would allow a kind of super-search-engine poisoning that is divorced from the particular computer or web browser the victim is using: the poisoned data lives in the account, not on the device.

“If you compromise a computer, the victim can always switch to a clean machine and your attack is over,” said Wenke Lee, a professor at Georgia Tech’s College of Computing and director of the GTISC, in the report. “If you compromise a user’s search history and hence his online profile, the victim gets the malicious search results no matter where he logs in from.”
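The attack the researchers describe works because a browser attaches the victim’s session cookie to any request, including one triggered from a page the attacker controls. The standard defence is to make every profile-changing request prove it originated from the site’s own page. The following is an added example, not code from the Georgia Tech report or from this article: a small simulated “record search” endpoint that accepts a request only if it is a POST, carries a valid session, reports the site’s own origin, and includes a per-session synchroniser token that a foreign page cannot read. The site name, endpoint, session handling and sample requests are all constructed for the demo.

```python
"""
Defensive illustration of protecting a search-history endpoint against
cross-site request forgery. Added example; the site origin, endpoint and
request shapes are constructed for this demo, not taken from any product.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List

SITE_ORIGIN = "https://search.example"  # constructed site origin


@dataclass
class Session:
    user: str
    csrf_token: str                      # random, bound to this session
    history: List[str] = field(default_factory=list)


@dataclass
class Request:
    method: str
    cookies: Dict[str, str]
    headers: Dict[str, str]
    form: Dict[str, str]


class SearchService:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Create a session and return its cookie value."""
        sid = secrets.token_urlsafe(16)
        # Synchroniser token: embedded only in the site's own forms, so a page
        # on another origin cannot obtain it (same-origin policy).
        self.sessions[sid] = Session(user=user, csrf_token=secrets.token_urlsafe(32))
        return sid

    @staticmethod
    def _same_site(req: Request) -> bool:
        """Origin check: browsers send Origin on cross-site POSTs; fall back to Referer."""
        origin = req.headers.get("Origin")
        if origin is None:
            referer = req.headers.get("Referer", "")
            if referer.startswith(SITE_ORIGIN + "/"):
                origin = SITE_ORIGIN
        return origin == SITE_ORIGIN

    def record_search(self, req: Request) -> str:
        """Append a query to the user's history; return 'recorded' or a rejection reason."""
        if req.method != "POST":
            # A GET endpoint could be hit by an <img> or <script> tag on any page.
            return "rejected: history changes must be POST"
        sess = self.sessions.get(req.cookies.get("sid", ""))
        if sess is None:
            return "rejected: no session"
        if not self._same_site(req):
            return "rejected: cross-site origin"
        token = req.form.get("csrf_token", "")
        # Constant-time comparison so token checking does not leak timing.
        if not hmac.compare_digest(token, sess.csrf_token):
            return "rejected: bad csrf token"
        sess.history.append(req.form.get("q", ""))
        return "recorded"


def demo() -> Dict[str, object]:
    """Run one legitimate and one forged request against a fresh service."""
    svc = SearchService()
    sid = svc.login("alice")
    token = svc.sessions[sid].csrf_token
    # Legitimate request from the site's own search form.
    legit = Request("POST", {"sid": sid}, {"Origin": SITE_ORIGIN},
                    {"q": "weather", "csrf_token": token})
    # Forged request: the victim's browser still attaches the session cookie,
    # but the attacker's page cannot supply the token and the browser reports
    # the foreign Origin.
    forged = Request("POST", {"sid": sid}, {"Origin": "https://attacker.example"},
                     {"q": "planted query"})
    return {
        "legit": svc.record_search(legit),
        "forged": svc.record_search(forged),
        "history": list(svc.sessions[sid].history),
    }


if __name__ == "__main__":
    print(demo())
```

The origin check and the token check are independent layers: the token alone would suffice against a forging page, but the origin check also catches deployments where a form accidentally ships without the token. Marking the session cookie `SameSite=Lax` or `Strict` adds a third layer that keeps the browser from attaching the cookie to cross-site POSTs in the first place.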

But search history poisoning is just one manifestation of the security risks that come with ever greater reliance on automated information gathering. Lee and his colleagues found that the algorithms social networks like Twitter and Facebook use to identify “popular” content can easily be gamed by legitimate and illegitimate users who collude to amplify selected messages across social networks, making them appear more trendy and popular than they are.

And automated systems that personalize each user’s experience, showing two different Google or Facebook users a slightly different mix of news and search results, increasingly blinker our view of the online world, creating “filter bubbles” that promote the largest sites while demoting smaller sources of information.

“While personalization can deliver the most relevant local news to a user, it also results in a lack of diversity and a local bias,” the researchers found. “Depending on the country, 20 to 30 percent of the news sources accounted for 70 to 80 percent of the articles,” the report said.

The report, released at the Georgia Tech Cyber Security Summit on November 14, identified other security trends that are likely to make news in 2013. Among them:

  • The integrity of the technology supply chain will become a more pressing issue, as companies struggle to identify and thwart security threats and compromises that originate at their suppliers.
  • Mobile malware will continue to plague mobile device users, especially on platforms like Google’s Android. Well-policed mobile application stores will help tamp down malicious code outbreaks in developed markets like the U.S. However, infrequent patching by handset makers and carriers means most mobile devices will continue to be vulnerable to attacks against known vulnerabilities.
  • Malware creators will become more adept at shielding their creations from automated malware analysis systems. Malware targeting both the Apple OS X operating system and mobile device platforms will become more common.

Georgia Tech’s report is the product of the University’s various information security labs, including GTISC and the Georgia Tech Research Institute. You can download the full report here (PDF).

The integrity of a user’s online profile is an increasing concern for regulators on both sides of the Atlantic. On Friday, a federal judge in San Francisco formally approved a $22.5 million settlement between the U.S. Federal Trade Commission (FTC) and Google over that company’s practice of misleading users of the Safari web browser about how it would track their movements online. The FTC has been pressuring firms like Google and Facebook to be more transparent in telling their users how and when they are tracking their activities online. In September, Facebook agreed to stop using facial recognition technology to track users. A similar complaint has been lodged with the FTC. At the same time, the EU is weighing revisions to its Data Protection rules that would strengthen protections for individuals living in EU countries.
