Black Hat: Public Opinion Hacking Hits Fever Pitch

More research on public opinion hacking is needed to inform policymakers.

Edward Gately, Senior News Editor

August 7, 2020


If you’ve retweeted or shared a provocative meme or unconfirmed information about COVID-19, you could be enabling public opinion hacking.

Public opinion hacking has hit a fever pitch and should intensify even more leading up to the November general election.

This week’s virtual Black Hat USA 2020 conference featured a keynote on how information operations are working overtime to manipulate public opinion. Renee DiResta, research manager at Stanford Internet Observatory, heads up research in this area.

Jeff Moss, Black Hat founder and director, said there’s not enough research on public opinion hacking to inform policymakers and “tell us what to do about it.”

“This one social media company thinks they found the solution,” he said. “Another one thinks they’ll label fake news. And another thinks they’ll ignore fake news and let the wisdom of the crowd tag the news and fix it for us. Everybody has a different approach. And that’s exciting because we can test a lot of hypotheses. But we don’t actually have enough academic, rigorous work being done.”

DiResta said her group studies the abuse of current information technologies with a focus on social media.



“Information operations increasingly involve the full spectrum of overt to covert propaganda, mass media as well as social media, agent influence activities, and at times network penetration,” she said.

Information Operation Tactics

Misinformation is in the news a lot lately, particularly related to COVID-19, DiResta said. It’s information that’s inadvertently wrong and “people are sharing it because they want to inform their communities,” she said.

Disinformation is deliberately misleading, she said. So the person who’s sharing it has the intent to influence and deceive.

“They know the information is wrong,” DiResta said. “They know that it’s misleading or maligned, or not coming from the source they’re claiming it comes from. But they’re sharing it anyway.”

Propaganda is information with an agenda, she said. The specifics of the agenda vary, but the intent is to persuade someone or distract them, or make them take an action or feel a certain way, she said.

And finally there are agents of influence, or people who work to influence an audience, DiResta said.

“And unbeknownst to that audience, they’re beholden to somebody else,” she said. “They’re operating in service to a powerful figure.”

Russia Is ‘Best in Class’

Russia, at the moment, is the “best in class” for information operations, DiResta said. The country has demonstrated not only full-spectrum propaganda, but far more sophisticated activities related to agents of influence, media manipulation and network infiltration, she said.

“Russia has been able to not only hack public opinion by working the social ecosystem, but hacking public opinion by hacking public officials and institutions, and using the information it obtains in information operations deployed on broadcast and social media,” she said.

Much of Russia’s efforts focus on getting unwilling participants to help spread their communications, DiResta said.

In terms of the general election, several tactics will accelerate in the next few months, she said. Those include hack-and-leak operations, possible voting machine hacking, the infiltration of groups and the amplification of narratives, she said.

“Even if not a single vote is changed, releasing the information claiming that you have successfully hacked a machine will cause havoc,” DiResta said.

Ultimately the goal will be to undermine confidence in the legitimacy of the election, she said.

“When we talk about information operations, it’s important to note that these personas and their materials resonate because of underlying, existing societal divides,” DiResta said. “You can’t hack a social system if a social system is resistant to the hack.”

Companies Are Targets, Too

Public opinion hacking can also target businesses, she said.

“If you’re a CISO … in a multinational company with global lines of business and you’re competing with other governments and other countries, reputational attacks on companies are just as easy to execute,” DiResta said. “Companies that take a strong stand on divisive social issues may also find themselves embroiled in social media chatter that isn’t necessarily what it seems to be.”

It falls on CISOs to try to understand when these attacks focus on corporations and how they should respond and think about them, she said.

“We need to be doing more red-teaming,” DiResta said. “We need to be thinking about social and media ecosystems as a system, proactively envisioning what kinds of manipulation are possible. With each emerging app, with each new feature and each new policy, the rules of the game change slightly. And we need to be thinking proactively about how those changes impact the kinds of information operations that we’ll see next.”

When it comes to public opinion hacking, information security professionals and information operation researchers need to communicate more, she said. The goal should be understanding how social network manipulation intersects with network infiltration to predict and mitigate these attacks, she said.

Pandemic Prompts Surge in Counter IR

Also at Black Hat, VMware Carbon Black released its latest global incident response (IR) report. The pandemic continues to create a larger surface area for cyberattacks, it said.

Among the findings:

  • Security teams are struggling to keep up with the surge in attacks. Some 53% of IR professionals encountered/observed an increase in cyberattacks exploiting COVID-19. Remote access inefficiencies, VPN vulnerabilities and staff shortages are the most daunting endpoint security challenges.

  • One third of respondents encountered instances of attempted counter IR in the 90 days before the survey. That’s up 10% from the previous report. Log destruction and diversion are the most common forms of counter IR. That signals attackers’ increasingly punitive nature and the rise of destructive attacks.

  • More than one half of attacks have been on the financial sector. That’s followed by health care, professional services and retail. Fifty-nine percent of those surveyed said attackers’ end goal was financial gain, by far the leading motivation.

  • One in three attacks shows signs of lateral movement. This movement is facilitated in new ways like unsigned certificates, or SaaS applications like Google Drive and Dropbox.

  • More than one half of respondents saw attacks from China, followed by North America and Russia.

Greg Foss is senior cybersecurity strategist at VMware Carbon Black. He said counter IR has become a popular tactic. It allows attackers to cover their tracks, and actively take steps to remain silent and make investigations difficult.



“Counter IR attacks include everything from wiping the logs on the local system, disabling security tooling that may detect and prevent their malware, establishing multiple command and control channels for redundancy, and more,” he said. “This is why it is imperative for organizations to take a holistic approach to their security posture, through a layered security strategy.”

Implementing security information and event management (SIEM) to capture and aggregate logs makes it difficult for an attacker to hide evidence of their intrusion, Foss said.

“While malicious actors may be able to delete the local system logs, these logs should have already been replicated across to another system where they can be preserved and leveraged for investigation into the intrusion,” he said. “Counter IR is not a new tactic. Attackers have been covering their tracks since hacking into corporations became a possibility.”
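The replication Foss describes also gives defenders a detection: compare what the collector already holds against what is still on the host. The sketch below is an added example, not from the report or from VMware Carbon Black; the record layout, host names and sample data are constructed, and the per-host record numbers are an assumed field supplied by the forwarder. Event IDs 1102 and 104 are the Windows events written when the Security and System logs are cleared.

```python
from collections import defaultdict

# Windows event IDs recorded when a log is cleared: 1102 (Security), 104 (System).
LOG_CLEARED_IDS = {1102, 104}

# Constructed sample data: (host, record_number, event_id).
# CENTRAL is what the collector received; LOCAL is what is still on the host.
CENTRAL = [
    ("ws01", 2101, 4624), ("ws01", 2102, 4688), ("ws01", 2103, 4688),
    ("ws01", 2104, 4672), ("ws01", 2105, 1102), ("ws01", 2106, 4624),
    ("db02", 500, 4624), ("db02", 501, 4634),
]
LOCAL = [
    ("ws01", 2105, 1102), ("ws01", 2106, 4624),
    ("db02", 500, 4624), ("db02", 501, 4634),
]

def _ranges(numbers):
    """Collapse record numbers into sorted inclusive (start, end) ranges."""
    out = []
    for n in sorted(numbers):
        if out and n == out[-1][1] + 1:
            out[-1] = (out[-1][0], n)
        else:
            out.append((n, n))
    return out

def find_log_destruction(central, local):
    """Return {host: {"missing": [(start, end)], "clear_events": [record_no]}}
    for hosts whose local log lacks forwarded records or shows a log clear."""
    on_host = defaultdict(set)
    for host, rec, _ in local:
        on_host[host].add(rec)
    forwarded = defaultdict(dict)
    for host, rec, event_id in central:
        forwarded[host][rec] = event_id
    findings = {}
    for host, records in forwarded.items():
        missing = set(records) - on_host[host]
        clears = sorted(r for r, e in records.items() if e in LOG_CLEARED_IDS)
        if missing or clears:
            findings[host] = {"missing": _ranges(missing), "clear_events": clears}
    return findings

if __name__ == "__main__":
    for host, finding in find_log_destruction(CENTRAL, LOCAL).items():
        print(host, finding)
```

Normal retention rollover also removes old local records, so the strongest signal is a missing range that ends at a log-clear event, as on the constructed host ws01.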

The model has changed for a significant number of MSSPs, depending on how the organization was structured for remote work before the pandemic, Foss said.

“This means the onboarding of new security tooling, changing of processes, scrambling to cover known gaps in coverage, and generally adapting to the new needs of the organizations they are working to protect,” he said. “Security is a team sport, all of us are in this together.”

The threat landscape is constantly evolving and “we are all much more secure today than we were 10 years ago,” Foss said.

“In general, organizations are much more aware of the threats, and the tooling has increased significantly to help combat evolving threats,” he said. “That said, attackers are also stepping up their game. The ever-escalating game of cat and mouse will continue, which ultimately does result in better security.”

Android Phones Everywhere Can Spy on Users

Security researchers at Check Point Software Technologies have found hundreds of vulnerable code sections in a chip found in over 40% of the world’s cellphones.

Qualcomm manufactures the chip, known as Digital Signal Processor (DSP). It can be found in nearly every Android phone on the planet. That includes high-end phones from Google, Samsung, LG, Xiaomi, OnePlus and more.

Check Point is presenting the research at Def Con 2020, held in conjunction with Black Hat. The researchers outlined the significant security risks of more than 400 vulnerabilities found in Qualcomm’s DSP. Those include:

  • Attackers can turn your phone into a perfect spying tool, without any user interaction required. Leaked information includes photos, videos, call recording, real-time microphone data, GPS and location data, and more.

  • Attackers can render your mobile phone constantly unresponsive. All information stored on the phone can be permanently unavailable.

  • Malware and other malicious code can completely hide a hacker’s activities and become unremovable.

Ekram Ahmed, a Check Point spokesperson, said the vulnerabilities can affect both individuals and businesses.



“The vulnerabilities affect all Android phones,” he said. “So, if an employee has an Android phone, they can become a spying vector on the business.”

There’s nothing individuals and organizations can do on their own to protect themselves from these vulnerabilities, Ekram said.

“People must wait for their vendor to apply the fixes,” he said. “However, a mobile protection solution can help alert you on shady activity, at a minimum.”

Although Qualcomm has fixed the issue, that’s not the end of the story, said Yaniv Balmas, head of cyber research at Check Point.



“Hundreds of millions of phones are exposed to this security risk,” he said. “You can be spied on. You can lose all your data. Our research shows the complex ecosystem in the mobile world. With a long supply chain integrated into each and every phone, it is not trivial to find deeply hidden issues in mobile phones, but it’s also not trivial to fix them. Luckily this time, we were able to spot these issues. But we assume it will take months or even years to completely mitigate it. If such vulnerabilities will be found and used by malicious actors, it will find millions of mobile phone users with almost no way to protect themselves for a very long time.”

It is now up to the vendors like Google, Samsung and Xiaomi to integrate the patches into their entire phone lines, Balmas said. That includes phones both in manufacturing and in the market, he said.

“Our estimation is that it will take a while for all the vendors to integrate the patches into all their phones,” he said. “For now, consumers must wait for the relevant vendors to also implement fixes. Check Point offers protection for these vulnerabilities with our mobile protection solution.”



About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
