Attackers to Exploit Search Personalization, Supply Chains

Information systems and algorithms designed to personalize online search results will give attackers the ability to influence the information available to their victims in the coming years. Researchers, in turn, must seek ways to fortify these systems against malicious manipulation, according to the Emerging Cyber Threats Report 2013 [PDF], a report released ahead of yesterday’s Georgia Tech Cyber Security Summit 2012.

This sort of “automated censorship” is increasingly commonplace online. Ignoring criticisms of the practice that claim it promotes insularity, the report forecasts an alarming increase in the use of similar techniques to control what individuals see on the Web, whether it’s cybercriminals using black-hat search engine optimization to steal sensitive information, or authoritarian regimes filtering online content to quell dissent.

The report claims researchers have managed to enumerate and modify Internet users’ search histories with cross-site request forgery attacks. This strategy gives attackers the ability to alter the online profiles that are indexed by cookies and used by search engines such as Google to personalize search results. Attackers can game personalized search and filter algorithms in ways that guide users to malicious sites or away from unfavorable content. Such attacks would survive machine cleansing and other defensive measures deployed by many security vendors.
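As an added illustration of the defensive side of the attack described above (not part of the original article or the report), the following Python sketch shows how a search engine's history-update endpoint can refuse cross-site forged requests: it requires a same-origin Origin/Referer header and a CSRF token bound to the session cookie, because the cookie alone is attached by the browser to every request and cannot distinguish a forged submission from a genuine one. The site origin, server key, request shape and function names are constructed placeholders.

```python
import hmac
import hashlib
from dataclasses import dataclass
from urllib.parse import urlsplit

SITE_ORIGIN = "https://search.example"       # hypothetical search engine origin
SERVER_KEY = b"constructed-server-secret"   # placeholder; load from a secret store in practice


@dataclass
class Request:
    """Minimal stand-in for an HTTP request; the browser attaches cookies automatically."""
    method: str
    headers: dict
    cookies: dict
    form: dict


def csrf_token_for(session_id: str) -> str:
    """Token bound to the session cookie via HMAC, so a page on another origin cannot mint one."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(url: str) -> bool:
    """Exact scheme+host comparison; a plain prefix check would accept search.example.evil."""
    parts, site = urlsplit(url), urlsplit(SITE_ORIGIN)
    return (parts.scheme, parts.netloc) == (site.scheme, site.netloc)


def is_allowed(req: Request) -> tuple:
    """Decide whether a history-modifying request came from the user's own session on our site."""
    if req.method not in ("POST", "PUT", "DELETE"):
        return False, "history changes must use a state-changing method"
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not same_origin(source):
        return False, "cross-origin request refused"
    sid = req.cookies.get("session")
    token = req.form.get("csrf_token", "")
    # The cookie is ambient authority: a forged request carries it too, so the token is mandatory.
    if not sid or not hmac.compare_digest(token, csrf_token_for(sid)):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def update_search_history(history: dict, req: Request) -> tuple:
    """Append the query to the caller's profile only if the request passes every check."""
    ok, reason = is_allowed(req)
    if not ok:
        return False, reason
    history.setdefault(req.cookies["session"], []).append(req.form["query"])
    return True, "recorded"
```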

“If you compromise a computer, the victim can always switch to a clean machine and your attack is over,” wrote Wenke Lee, director of the Georgia Tech Information Security Center. “If you compromise a user’s search history and hence his online profile, the victim gets the malicious search results no matter where he logs in from.”

More broadly, Nick Feamster, associate professor at the Georgia Tech School of Computer Science, warned that attackers and even corporate marketing teams have skewed, and will continue to skew, these algorithms by personally promoting certain messages or malicious content on social networks, or by using botnets to do so.

The report also explores the risks to supply chain security, a growing concern in an increasingly global economy. Securing the supply chain is particularly problematic, the report said, considering how difficult and costly it is to detect and defend against firmware tampering, especially when the hardware in question is manufactured abroad and, in some cases, subsidized by foreign governments to drive down prices against competition and increase its appeal to corporate clientele.

A fix for supply chain security issues is far off, considering the policy nightmare that trying to regulate the international telecommunications market presents, the researchers said. Andrew Howard, a research scientist with the Georgia Tech Research Institute, knows of three methods companies are employing to combat the vulnerable supply chain: some do nothing, he said, and buy equipment only from trusted vendors. A smaller minority of companies perform random audits to check for gear that has been meddled with. Even fewer, he claims, assume that all equipment comes in the door compromised, and these organizations constantly monitor their equipment. This last method, while perhaps the most secure, is unsustainable for most companies because of the resources (cost, time, technology) required to implement such policies.

Contrary to what most security shops have to say, the researchers at Georgia Tech paint a relatively pleasant picture of the mobile security landscape. They write that malicious apps and ones that undermine privacy will continue to propagate in the various app stores or markets, but they also believe that the mobile ecosystem (application marketplaces, platforms, etc.) is fairly effective at keeping devices secure in the U.S., though not necessarily in Europe, Russia, and China, the report said. However, the advent of mobile wallet technologies and poor patch management among certain vendors could present problems moving forward.

“Largely, it appears that the mechanisms in place appear to be working,” said Georgia Tech assistant professor of computer science, Patrick Traynor. “Even though malware does get into the market, people don’t seem to be downloading those apps.”

Domain generation algorithms and polymorphism (the automatic generation of code variants) will continue to be used, and will likely become more common methods of hardening botnets and evading signature recognition.

The report also highlights the adoption of digital rights management techniques by attackers to prevent researchers from reverse engineering malware. Attackers are honing the ability to create system-specific malware that prevents samples from running in virtual machines. The Gauss espionage trojan is the best example.

As cloud technology becomes more ubiquitous, the researchers claim that offsite digital storage will become both more secure and a more alluring target for attackers. Authorization will likely remain the most glaring weak point.

“Most of the time, we are not going to see many security issues because the large cloud services do a good job, but once they fail, the impact will be much, much higher, and that is the problem,” said Engin Kirda, an associate professor of computer science at Northeastern University.

As health care records continue to move online, targeting of the health care industry will become more pervasive, which will require that medical staff become better educated about network security. This problem is compounded, the report claims, by a lack of security at doctors’ offices and hospitals, where disgruntled employees and even patients pose a risk as insider threats to various health care networks and facilities.
